Cyber SpLiTTer Vbs ransomware / virus (Decryption Steps Included) - Feb 2017 update

Cyber SpLiTTer Vbs virus Removal Guide

What is Cyber SpLiTTer Vbs ransomware virus?

The latest news about Cyber SpLiTTer Vbs virus

Cyber SpLiTTer Vbs virus appeared in September 2016, but it did not succeed. Malware does not behave like an ordinary ransomware[1] virus. It does not encrypt files on the attacked computer and only delivers a lock screen. However, it seems that the first failure was a motivation for the hackers to learn from the mistakes and updated the virus. A few months later, malware researchers spotted CyberSplitter 2.0 ransomware that can actually encrypt files using strong encryption algorithm. However, it is not the only one attempt to update Cyber SpLiTTer Vbs ransomware. On February 2017, malware researchers have noticed two new variants of the virus. The one version pretends to be from the FBI and delivers a fake message that victim’s computer has been locked. Another variant is known under Blue Eagle name and informs people that their computer has been hacked. It seems that hackers try their best to finally create a powerful cyber threat and swindle as much money as possible[2] from the computer users. However, we highly recommend not paying the ransom and concentrating on Cyber SpLiTTer Vbs removal. It doesn’t matter which variant has attacked your machine, install reputable antivirus program or malware removal tool and run a full system scan. If you need advice, choose FortectIntego for ransomware removal.

The picture of Cyber SpLiTTer Vbs virusCyber SpLiTTer Vbs virus has several variants that encrypts files on the targeted computer and demands paying the ransom.

As we mentioned at the beginning, SpLiTTer Vbs virus does not behave as typical ransomware. It does not encrypt targeted files; it only delivers a lock screen. What is interesting that Cyber SpLiTTer Vbs ransomware tries to copy the techniques of infamous Cerber virus[3]. For example, after the attack, the virus plays an audio message saying “your pictures, videos, and databases have been encrypted.” Apart from hearing the scary message, victims also see the lock screen message informing about encrypted files and demanding 1 Bitcoin for data decryption:

Your files have been encrypted
Send $ 1 BTC amount of the account is decrypted your files
“Cyber SpLiTTer Vbs”
Send to Account Bitcoin ->

As you can see, crooks are not very educated, and the information on the ransomware lock screen is full of mistakes. However, the virus is not precisely developed, and it seems that its authors are low-level programmers who haven’t mastered software development skills well enough to create a code that could corrupt victim’s files. Obviously, you should not pay the ransom because your data is free – you just need to remove Cyber SpLiTTer Vbs ransomware from the system.

Variants of Cyber SpLiTTer Vbs ransomware

CyberSplitter 2.0 ransomware. Developers updated the virus, and now it can actually encrypt targeted files. After infiltration, malware encrypts files using AES and RSA encryption algorithms and appends .cyber splitter vbs file extension. Following data encryption malware also leaves a ransom note called Read_Me.txt which includes all necessary information about date decryption. Developers of the ransomware also demand 1 Bitcoins for data recovery. What is more, the second version of the Cyber SpLiTTer Vbs virus also plays the same audio file scare and convince victims to pay the ransom.

Your Computer Has Been Locked. On February 2017 malware researchers noticed a new version of the virus that pretends to be from FBI. Malware delivers a lock screen that informs that attacked computer was suspended because its owner visited pornographic websites, violate the intellectual property right, published malware or commit other crimes. The lock screen also includes what punishment victim can expect if he or she won’t pay the ransom of 0,5 Bitcoin.

Blue Eagle Ransomware. On February 2017, another variant of Cyber SpLiTTer Vbs ransomware has been noticed attacking home computer users and informing that their files have been Crypted by Saher Blue Eagle. Malware appends the .blueeagle file extension to the targeted data and demands to pay 0,5 Bitcoins for the decryption.

How does ransomware spread?

Ransomware is a computer pest that is mainly distributed using Trojan horse[4] technique. It means that cyber criminals create a file that looks entirely safe and inject malicious codes into it. Such file can be a document, PDF file, archive, or a different type of file as well. The most popular way to deceive victims is to send a phony email message[5] to them, stating that relevant files have been attached to the letter, and the victim must open them to see the information they provide. Of course, once the victim opens such malicious attachments, malware roots into the system and wreaks havoc there. Be careful because criminals can pretend that they are sending invoices, speeding tickets, health test results, and the like. It is highly recommended to delete emails that come from unknown senders; besides, it is also advisable to keep all your software up-to-date and protect the system with anti-malware software because there are numerous other malware distribution techniques that crooks use.

The safe way to Cyber SpLiTTer Vbs virus from the computer

If you have been attacked by Cyber SpLiTTer Vbs virus, you will need to clean the computer using anti-malware software such FortectIntego or SpyHunter 5Combo Cleaner. Firstly, you will have to reboot the PC into Safe Mode and download anti-malware tool (if you do not have one yet). If you have never attempted to start your PC in such mode, please follow Cyber SpLiTTer Vbs removal instructions provided below this post. When you remove Cyber SpLiTTer Vbs ransomware, do not forget to take security measurements and protect your data in advance – back up most important files and move them to a safe removable storage drive so that you can use it in the future. It is the most efficient way to protect your important files because typically when a really powerful ransomware attacks the computer, data cannot be restored in any way.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Cyber SpLiTTer Vbs virus. Follow these steps

Manual removal using Safe Mode

Ransomware might be resistant and prevent you from installing or accessing malware removal software. To solve this issue, you have to reboot your PC to the Safe Mode.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Cyber SpLiTTer Vbs using System Restore

Some ransomware viruses might be a challenge to remove automatically. If you cannot run a full system scan, follow these steps to reboot your computer and try again.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Cyber SpLiTTer Vbs. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Cyber SpLiTTer Vbs removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cyber SpLiTTer Vbs from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Cyber SpLiTTer Vbs, you can use several methods to restore them:

Recover files encrypted by Cyber SpLiTTer Vbs virus with a help of Data Recovery Pro

Data Recovery Pro is a professional tool that helps to recover damaged, deleted and some of the encrypted files. Bear in mind that it’s not a Cyber SpLiTTer Vbs decrypter.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cyber SpLiTTer Vbs ransomware;
  • Restore them.

Recover files encrypted by Cyber SpLiTTer Vbs ransomware with a help of Windows Previous Versions feature

This method allows restoring individual files if System Restore function has been enabled before ransomware attack. Otherwise, this method does not work for you.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Recover files encrypted by Cyber SpLiTTer Vbs malware with a help of ShadowExplorer

If Cyber SpLiTTer Vbs virus failed to delete Shadow Volume Copies of the targeted files, you could consider yourself lucky. ShadowExplorer can help you to recover encrypted files.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cyber SpLiTTer Vbs and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions