Severity scale:  

Everbe ransomware. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Ransomware

Everbe is a ransomware virus that is now decryptable

Everbe ransomware delivers ransom note
Everbe ransomware is a virus that locks up personal files and is now decryptable.

Everbe is ransomware that first appeared in March 2018. The virus appeared again in May same year, coming back as Embrace ransomware and PainLocker virus. The malware encrypts all personal files using AES or DES encryption algorithm and adds file extension the following way: [composite extension].[virus name]. For example, the original variant added [].everbe appendix to each of the infected files. Each version of the virus drops a ransom note !=How_recovery_files=!.txt. txt, which explains victims that they need to contact hackers in order to restore their encrypted data. Nevertheless, it seems like evil deeds of malware can now be stopped by a newly created decryptor for Embrace, which works for all virus versions.

Name Everbe
Type Ransomware
Danger level High. Makes system changes and encrypts files
Targeted operating system Windows
Appended file extension .[].everbe,  [].embrace, 
Contact email addresses,,,
Data recovery Using Emrace decryptor (InsaneCrypt Decryptor)
To uninstall Everbe, install Reimage and run a full system scan

When the name is changed data immediately becomes compromised and unusable due to a sophisticated encryption algorithm. Everbe virus then generates a ransom note and spreads copies in all of the existing folders:

Hi !
If you want to restore your files write on email –
In the subject write – [redacted victim ID number]

As you can see from the quote above, this short message encourages users to contact developers via [ email, if they want to restore encrypted data. The ransom note also provides unique victim’s ID which is asked to enter in the subject line of the email.

However, we do not recommend contacting creators of Everbe ransomware and following their instructions. There’s no doubt that they will ask Bitcoins or another cryptocurrency in exchange for unique decryption key created for each victim. But once cyber criminals receive the payment, they might disappear and leave you with a bigger loss.

No matter how much you need to get back your files, you should remember that there are no guarantees that crooks keep their promise and help with data recovery.[1] Additionally, paying the ransom gives no results in Everbe removal. Hence, your computer remains vulnerable and sluggish. Besides, there is a free decryptor available,[2] so there is definately no need to pay hackers.

As soon as you realize about ransomware attack, you should obtain a proper security program and clean your machine. We recommend using Reimage for the proper system scan and virus elimination.

Keep in mind that you need to remove Everbe first before you can proceed with data recovery. However, if you do not have backups, you can try using additional tools that we have presented at the end of the article. If they do not help, you should remain patient and wait for malware researchers to create a free decryptor.

Two new variants came out in May 2018

The good news is that Everbe decryptor unlocks files for both variants of mawlare – Embrace and Painlocker. Nevertheless, hackers are known to modify code of ransomware so that decryptor would not work. So far, there are no new versions that cannot be decrypted created, although it does not mean that it will not happen in the future. Two latest versions came out quickly one after another, differing very slightly, although each having a new name altogether.

Embrace ransomware

Embrace ransomware made a comeback as the first continuation of Everbe malware. It spread through unprotected RDP, using malicious attachments in spam emails or was injected into malicious websites. It used same encryption algorithm (AES or DES) to lock up files and added [].embrace. For example, a file called picture.jpg would be turned into picture.jpg.[] .embrace. 

The ransom note !=How_recovery_files=!.txt slightly differs from the first variant and urges users to contact hackers via Victims are also warned that in case the payment will not be made within seven days, the price of ransom will double. It is unknown how much money crooks ask for; however, prices usually range between $500 and $1500, and payments are executed in Bitcoin or another cryptocurrency.

As usual, we recommend users to ignore ransomware authors and remove Embrace virus from the machine ASAP.

PainLocker ransomware

PainLocker is the latest addition to Everbe crypto-malware family. It adds [].pain appendix to each of the files and generates ransom note of the same name – !=How_recovery_files=!.txt., which states the following:

########## PAIN LOCKER ##########
Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore files?
Write to our email – or and tell us your unique ID

Painlocker wants users' money. Thus, these hackers are not your friends (as they self-proclaimed)! Even though the decryptor works for this version of the virus as well, in rare cases it may not work for you. Therefore, it is vital to keep regular backups and employ reputable security software which could detect malicious threats and eliminate them before they can enter. If you found your files encoded, hurry up and remove PainLocker using an anti-malware tool.

Embrace & PainLocker ransomware
Embrace & PainLocker - the newest versions of Everbe malware

Third-party software download sources help to spread ransomware

The main way how ransomware is being spread on the web and installed on computers is spam emails.[3] They often include malicious attachments that execute download and installation of malware to your computer. Letters can be called like they are from real and big companies like PayPal, DHL, LinkedIn, and others.

Additionally, infected email attachments usually look safe to open. Creators of malware often inject malicious code into Word or PDF documents. In some cases, ransomware might arrive in the ZIP archive. So, you should be extremely careful with received emails.

Security specialists from[4] also warn that authors of malware might use other methods to spread the file-encrypting virus, such as:

  • Unofficial software download sources or peer-to-peer networks that promote and offer to install suspicious programs;
  • Fake updaters might include malware instead of updating any software;
  • Security pop-ups might ask to install fake security programs that are actually malware;
  • Malicious ads placed on both legit and high-risk websites.

To avoid infiltration of such cyber threat, you should be not only careful with emails and learn how to identify tricky messages sent by hackers, but also follow major security tips, such as avoiding visiting potentially dangerous sites, downloading programs from ads or unauthorized download sites. Additionally, data backups and installation of antivirus program helps to minimize the risk of ransomware attack.

Everbe removal procedure has to be completed immediately

Everbe removal needs to be done using the anti-malware program. We recommend using Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus, and also Malwarebytes Anti Malware for cleaning your computer. However, feel free to use your beloved antivirus, but do not forget to update it first! Additionally, ransomware virus can block access to the security program or its installation process. So you might need to do other steps that are mentioned in a removal guide below.

Everbe decryptor
Everbe and all its versions can now be decrypted.

Once you remove Everbe from the machine, you can begin data recovery procedure. You should first try to gain access to your files back by using Embrace Decryptor. In case it does not work for you, below you can see other options for restoring your data.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Everbe ransomware you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Everbe ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove Everbe virus, follow these steps:

Remove Everbe using Safe Mode with Networking

If you cannot run automatic Everbe removal, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Everbe

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Everbe removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Everbe using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Everbe. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Everbe removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Everbe from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Everbe, you can use several methods to restore them:

Try Data Recovery Pro to restore missing files

It's not an official Everbe decryptor, but it can help to recover some of the encrypted files.

Take advantage of Windows Previous Versions feature

If System Restore was enabled before ransomware attack, you can copy individual files by following these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try Shadow Explorer to restore files encrypted by Everbe ransomware virus

If malware did not delete Shadow Volume Copies, this tool might be useful:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Embrace Decryptor

Security researchers Michael Gillespie and Maxime Meignan recently created a decryptor which can be used to recover your files affected by Everbe for free. You can download the tool here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Everbe and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions


Removal guides in other languages