Apocalypse ransomware / virus (Bonus: Decryption Steps) - updated Jan 2017
Apocalypse virus Removal Guide
What is Apocalypse ransomware virus?
Apocalypse virus continues to attack computer users: aggressive and active in 2017
Apocalypse virus seems to be a poorly programmed ransomware[1] that has already been defeated by the well-known virus researcher Fabian Wosar[2], who released a decrypter for it. If you are dealing with ApocalypseVM or Fabiansomware, which are two different versions of this file-encrypting malware, you should know that both have been defeated as well and you can use free decrypters to recover your files. However, don't forget that cyber criminals are stubborn and keep trying to earn as much money as possible, so they can easily release new updates of each of their viruses. Besides, whether or not a free decryption tool is available on the Internet, you still need to remove Apocalypse ransomware from your computer. For that you can use FortectIntego.
The first version of Apocalypse ransomware encrypted files by appending the .encrypted file extension to them. However, its latest version comes with changes and uses a more complicated file extension that includes details such as the victim's country code and the victim's ID. The extension used by the latest version of Apocalypse looks like this: [the name of the file].id-[8 characters]+[country code][cryptservice@inbox.ru].[7 random characters]. Besides, this ransomware variant creates an individual copy of the ransom note for each file, named [Filename].encrypted.How_to_Decrypt.txt. The main ransom note is usually named [md5].txt. As soon as this virus finishes its encryption procedure, it also deletes Volume Shadow Copies to prevent the user from recovering files from them. The virus also installs a malicious version of a file named windowsupdate.exe, a file name usually used by Microsoft or Apple[3]. This file is added to the Startup programs and is used to display the lock screen, which provides the following information:
IF YOU ARE READING THIS MESSAGE, ALL THE FILES IN THIS COMPUTER HAVE BEEN CRYPTED!!
documents , pictures, videos, audio, backups, etc
IF YOU WANT TO RECOVER YOUR DATA, CONTACT THE EMAIL BELOW.
EMAIL:
WE WILL PROVIDE DECRYPTION SOFTWARE TO RECOVER YOUR FILES
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
IF YOU DONT CONTACT BEFORE 72 HOURS, ALL DATA WILL BE LOST FOREVER
Different versions of Apocalypse malware provide different contact emails, such as decryptdata@inbox.ru, ransomware.attack@list.ru, decrptionservice@mail.ru, getdataback@bk.ru, datarecovery@bk.ru or fabianwosar@mail.ru. The most recent version of Apocalypse reportedly uses the crypt32@mail.ru email address (this version was spotted on January 22, 2017). No other modifications were discovered, so we assume that the previous email accounts were probably closed for security reasons. Speaking about Apocalypse/Al-Namrood ransomware, we cannot provide any information regarding the ransom price, since these viruses do not state how much money the cyber criminals want in exchange for the data. Either way, it is not advisable to pay up as it only benefits the crooks[4], whereas you may be left without your money as well as your data. Besides, you can try decrypting your files with decryption tools that have been released by malware researchers. You can find an informative guide on how to remove Apocalypse as well as data recovery instructions in the tutorial provided below the article.
Apocalypse ransomware leaves ransom notes similar to the one in this picture. The only difference is the email address (it depends on what version of Apocalypse attacks the victim).
Can you keep your computer safe from ransomware viruses?
As long as your computer is not infected with any virus, your main priority should be protecting your device with triple-layer protection. First of all, you should use the best antivirus technology; second, you should use it alongside anti-malware or anti-spyware software; and finally, you should create data backups. It is also recommended to always keep your operating system updated to its latest version, to eliminate any vulnerabilities[5]. On top of that, you should keep watch for the virus yourself. Pay attention to your Inbox because ransomware viruses like Apocalypse usually spread through malicious emails. Do not open suspicious emails or download their attachments. This should help to keep the virus away. However, viruses are unpredictable and can use a variety of different techniques to get into your computer. So if you have already been infected, you should start thinking about Apocalypse removal without wasting time.
Apocalypse removal help
If you are planning Apocalypse removal, you should seriously weigh your capabilities. Do you have the proper skills to do it? Is your computer equipped with powerful antivirus software? If you answered "YES" to both of these questions, you are ready for the virus removal. You will have to use a reputable antivirus scanner to detect and remove Apocalypse virus and its related files from your device. However, some computer knowledge will be needed if any problems occur in the process. If your antivirus is having difficulties removing the virus, you will have to follow special instructions to block some of the virus's most aggressive processes. You will find these instructions below.
Getting rid of Apocalypse virus. Follow these steps
Manual removal using Safe Mode
Before you start Apocalypse removal, restart your computer using the instructions provided here. This will help to protect the system from the virus's unexpected behavior and create a safe environment for your antivirus software. Sometimes viruses try to block antivirus programs, but when the computer is booted in Safe Mode with Networking, viruses can no longer do that.
Important!
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Apocalypse using System Restore
In case the previous method didn’t work, rely on these instructions.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, type cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of Apocalypse. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove Apocalypse from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. Please do not even think about paying the ransom and do not follow the instructions cybercriminals provide. Experienced malware researchers managed to find flaws in Apocalypse's code that allowed them to create free decryption tools. Before using them, remove Apocalypse ransomware from the system first. You can find the link to download the Apocalypse decryption tool in the instructions provided below.
If your files are encrypted by Apocalypse, you can use several methods to restore them:
Recover some files with Data Recovery Pro
Data Recovery Pro is a reliable tool that can help you restore encrypted data quickly. Although it might not successfully restore all data, this tool is definitely worth a try. However, we suggest using Data Recovery Pro only if the Apocalypse decryption methods explained below fail to help you with data recovery.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Apocalypse ransomware;
- Restore them.
Recover your files using these decryption tools
There are several decryption tools that can recover files encrypted by Apocalypse. Download the proper one to restore your files. You will need one healthy file sample and one encrypted file sample to decrypt the rest of the data:
1. Apocalypse decryption tool. This tool works for victims who find these file extensions appended to original filenames: .encrypted, .Encryptedfile, .FuckYourData, or .SecureCrypted.
2. ApocalypseVM decryption tool. This tool can decrypt files encrypted by a different version of Apocalypse, which appends either .encrypted or .locked file extensions to encrypted data. Your malware removal tool should help you determine which version of this ransomware has attacked your PC.
3. Fabiansomware decrypter. This decryptor restores files that have .encrypted file extensions appended to them. Works for victims who were asked to contact these emails: fwosar@mail.ru or fabianwosar@mail.ru.
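Because the variant (and therefore the right decrypter) is identified from the file names and the contact e-mail, a small triage script helps when a machine holds thousands of files. The following Python example is added here and is not part of the original guide or of any decrypter: it classifies file names by the old fixed extensions and by the newer id-/country-code scheme described above, pairs the per-file ransom notes with their originals, and collects the contact e-mails seen. The sample listing, victim ID, country code and random suffix are constructed for the demo; for the newest scheme the page names no decrypter, so only the extracted details are reported.

```python
import re
# Constructed sample listing (not from the page): the victim ID, country code
# and random suffix are made up; the name layouts follow the text above.
SAMPLES = ["report.docx.encrypted", "report.docx.encrypted.How_to_Decrypt.txt",
           "photo.jpg.id-A1B2C3D4+US[cryptservice@inbox.ru].xk9qz2w",
           "notes.txt.SecureCrypted", "backup.zip.locked", "readme.md"]
# Fixed extensions of the older variants, mapped to the decrypter named above;
# ".encrypted" is shared by three variants, so the contact e-mail decides.
OLD_EXTENSIONS = {
    ".encrypted": "Apocalypse/ApocalypseVM/Fabiansomware decrypter (check e-mail)",
    ".Encryptedfile": "Apocalypse decryption tool",
    ".FuckYourData": "Apocalypse decryption tool",
    ".SecureCrypted": "Apocalypse decryption tool",
    ".locked": "ApocalypseVM decryption tool",
}
# Newer scheme: <file>.id-<8 chars>+<country code>[<e-mail>].<7 random chars>
NEW_PATTERN = re.compile(
    r"^(?P<name>.+)\.id-(?P<victim>[A-Za-z0-9]{8})\+(?P<cc>[A-Z]{2})"
    r"\[(?P<email>[^\]]+)\]\.[A-Za-z0-9]{7}$")
NOTE_SUFFIX = ".encrypted.How_to_Decrypt.txt"  # per-file ransom note

def classify(filename):
    """Describe what a file name indicates; None means it looks untouched."""
    if filename.endswith(NOTE_SUFFIX):
        return {"kind": "note", "original": filename[:-len(NOTE_SUFFIX)]}
    m = NEW_PATTERN.match(filename)
    if m:  # newest variant; the page names no decrypter for it
        return {"kind": "encrypted", "scheme": "new", "original": m["name"],
                "victim_id": m["victim"], "country": m["cc"], "email": m["email"]}
    for ext, tool in OLD_EXTENSIONS.items():
        if filename.endswith(ext):
            return {"kind": "encrypted", "scheme": "old", "extension": ext,
                    "original": filename[:-len(ext)], "tool": tool}
    return None

def triage(filenames):
    """Count encrypted files and notes; collect contact e-mails from names."""
    summary = {"encrypted": 0, "notes": 0, "untouched": 0, "emails": set()}
    for name in filenames:
        info = classify(name)
        if info is None:
            summary["untouched"] += 1
        elif info["kind"] == "note":
            summary["notes"] += 1
        else:
            summary["encrypted"] += 1
            if "email" in info:
                summary["emails"].add(info["email"])
    return summary
```

Run it over the output of a directory walk (for example os.walk on the user's profile) after the infection has been removed; the e-mail set and extension mix then tell you which of the three decrypters above applies.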
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Apocalypse and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent getting ransomware
Access your website securely from any location
When you work on a domain, site, blog, or other project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.
[1] What is ransomware and how to remove it. 2spyware. Virus removal guides, news and descriptions.
[2] Fabian Wosar. Follow him on Twitter. Twitter. It's what's happening.
[3] What is WindowsUpdate.exe?. File.net. The largest online forum that provides an objective analysis of each file.
[4] Graham Cluley. FBI: No, you shouldn't pay ransomware extortionists. Welivesecurity. News, views, and insight from the ESET security community.
[5] Willy Jimenez, Amel Mammar, Ana Cavalli. Software Vulnerabilities, Prevention and Detection Methods. Telecom SudParis.