Avest ransomware (Virus Removal Guide) - Recovery Instructions Included

Avest virus Removal Guide

What is Avest ransomware?

Avest ransomware is a decryptable crypto-malware that appends .Pack14 marking after file locking process

Avest ransomwareAvest ransomware is a type of malware that focuses on encrypting all personal files on the machine and then asking for ransom to be paid for their release

Avest ransomware (also known as Pack14 ransomware) is a computer virus that sneaks into the machine via spam email attachments, software cracks, unprotected Remote Desktop connection, software vulnerabilities,[1] fake updates, and other deceptive methods. Once inside, the malware uses a taskkill.exe command to shut down MS Office, Notepad and other files that might be running on the system, and then begins the encryption process. In this way, picture, document, database, image, PDF, and other commonly used files can no longer be accessed, and also receive an extension .pack14 at the end.

Besides triggering the encryption process, Avest ransomware also contacts a remote server to send the key that is required for file retrieval process and drops a ransom note !!!Readme!!!Help!!!.txt which asks users to contact hackers via data1992@protonmail.com and send the provided ID.

While it is unknown what sum of money Avest virus developers ask for, paying them would be an enormous waste of money, as the security team at Emsisoft released a working free decryption tool that can recover all the encrypted data for free. However, be sure to remove Avest ransomware before proceeding with the recovery process – we explain how at the bottom of this post.

Name Avest ransomware
Type Cryptovirus – malware based on money extortion
Also known as This virus family is often called Pack14 ransomware due to the extension it appends to the hijacked data
File extension Avest ransomware appends .pack14 file extension at the very end, although the full appendix looks as follows: .ckey(random_ID).email(data1992@protonmail.com).pack.14
Related files The executable used by malware to start the infection process of the computer is usually called installer.exe, antimalware.exe, office64.exe or avst.exe, although a random name can be used as well
Ransom note Malware drops !!!Readme!!!Help!!!.txt into each of the folders where the encrypted files are located
Contact To recover the all the locked personal files, users are asked to email crooks via data1992@protonmail.com
Peculiarities The name of the ransomware is identical to the one that a Belorussian IT company goes by – ZAO Avest
AV detections[2]
  • TR/Ransom.qqmqn
  • Trojan.MSIL.Encoder.j!c
  • Trojan.GenericKD.41643801 (B)
  • Ransom.FileCryptor
  • W32.Trojan.MSIL.Encoder
  • HEUR:Trojan-Ransom.MSIL.Encoder.gen
  • Mal/Generic-S, etc.
Removal While removing ransomware manually is possible, you should rely on automatic tools for the process. We suggest using FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes or another reputable anti-malware software that can detect and delete all the malicious components from the machine
Data recovery There is no point paying cybercriminals, as there is a working free decryptor offered by Emsisoft. If it does not work for some reason, try alternative methods for data recovery we provide in our recovery section below

The activity of Avest ransomware was first spotted in early September 2019. While this malware does not seem to have any similarities or connections to other ransomware strains, it tries to imitate the name of Belorussian IT company ZAO Avest which specializes in cryptographic software development. Nevertheless, it is highly unlikely that Pack14 ransomware developers have anything to do with the mentioned corporation.

It is not the first time, however, when ransomware developers used reputable names of companies or high-profile figures as the name of heir malicious software; for example, Spyhunter ransomware, CSGO ransomware, Donald Trump ransomware, and many others. In most of the cases, hackers most likely want to mock the person/company they are trying impersonate, or deliberately confuse victims – the latter is the most likely cause for the Avest ransomware name.

Pack14 ransomwareAvest ransomware is virus that is also known as Pack14 ransomware due to the extension it appends to encrypted files

Once inside the system, Avest ransomware performs a variety of system changes and deletes Shadow Volume Copies to complicate the recovery process. After that, the virus scans the machine for files to encrypt, and it targets the most common ones, such as .pdf, .docx, .html, .jpg, .mp4, and many others. Thus, it turns a picture.jpg into a picture.jpg.ckey(ubjjnsty).email(data1992@protonmail.com).pack14, and it can no longer be opened.

After the encryption, Pack14 ransomware drops a ransom note which is a brief message from hackers:

Problems with your data? Contact us: data1992@protonmail.com
key: ubjjnsty

As we previously mentioned, there is no need to contact cybercriminals behind Avest virus, as a free decryption tool exists. Besides, paying criminals would only fund their activities and prove to them that their illegal business model works.

Thus, check out a full guide on how to decrypt files in our recovery section below. However, make sure you initiate a full Avest ransomware removal first, otherwise, the decoding process will be useless. For that, you should employ anti-malware software and scan your system thoroughly. For the job, we suggest using FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

Avest ransomware encrypted filesOnce the files are locked by Avest ransomware, they can no longer be opened

Most common ransomware distribution methods in the wild

In most of the cases, hackers employ multiple distribution tactics in order to infect as many victims as possible, as it increases the chances of payment in Bitcoin or another cryptocurrency. While some methods might be more sophisticated then the others, the main vector when it comes to computer infection is human – careless online behavior and inadequate protection measures can easily result in ransomware or other malware infection.

Because this ransomware version is decryptable, you can recover from it relatively easily. However, most of the other infected users are not so lucky, as crypto viruses rarely receive free decryption tools. Thus, if you get infected again with a treat such as .nesa, .nemty, .karl or similar, file recovery will most likely be impossible.

To prevent ransomware infections in the future, make sure you follow these simple tips provided by experts in the security field:[3]

  • Install comprehensive anti-malware software and keep it up to date;
  • Patch your operating system and all the installed programs with latest security updates immediately after they are released;
  • Do not open email spam – attachments that ask for a macro function to be enabled are the ones to stay away from;
  • Do not download cracks and pirated software, as the installers can be often ridden with malware;
  • Enable ad-block (although do not forget to add exceptions for sites you want to support);
  • When using Remote Desktop, protect it with a secure password and avoid the default port 3389;
  • Use strong passwords and for all your accounts and enable two-factor authentication where possible;
  • Do not ignore your anti-virus software warnings;
  • Backup your files to mitigate the damage done by ransomware.

Get rid of Pack14 ransomware using anti-malware software: access Safe Mode if required

As we previously mentioned, Pack14 ransomware removal is indeed possible to achieve manually. However, this action requires an extensive computer and IT knowledge, as malware makes significant changes to the infected systems. Therefore, you should rather employ professional anti-malware software and perform a full system scan – it should detect Avest ransomware and take care of its termination.

Avest ransomware mimics a company nameAvest ransomware is known to mimic the name of an IT company from Belarus

However, in some cases, Pack14 file virus might interfere with the correct operation of security software. In such a case, you should enter Safe Mode with Networking – please check step-by-step instructions below. After you remove Avest ransomware from your machine, download the decryption tool and recover all your files for free.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Avest virus. Follow these steps

Manual removal using Safe Mode

Safe Mode with Networking is a secure environment where malware termination is a much easier task. Thus, if Avest virus is causing you troubles, enter this environment by using the following guide:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Avest using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Avest. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Avest removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Avest from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Avest, you can use several methods to restore them:

Make use of Data Recovery Pro

In some cases, Data Recovery Pro might be able to recover data from your hard drive if particular parts of it were not overwritten with new information.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Avest ransomware;
  • Restore them.

Windows Previous Versions might be useful when dealing with Pack14 infection

If you had System Restore enabled, go ahead and try Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be the answer to your problem

If Shadow Copy removal process failed, ShadowExplorer is one of the best tools to use for file recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use a a free decryption tool from Emsisoft

Luckily, a free decryptor from security researchers at Emsisoft is available – download it from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Avest and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals. 

No backups? No problem. Use a data recovery tool

If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.

If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions