Exotic ransomware / virus (Nov 2016 update) - Improved Instructions
Exotic virus Removal Guide
What is Exotic ransomware virus?
Exotic ransomware wants $50 from you
Exotic virus, which is developed by German coder EvilTwin, is actually a ransomware-type computer infection that encrypts files and demands payment in exchange for the decryption software. Its authors have released even three different versions of this ransomware. Once installed, it terminates cmd, taskmgr, procexp, procexp64, regedit, msconfig, and CCleaner64 processes, and then checks Desktop, My Music, My Videos, Personal, Contacts, Downloads, My Pictures folders, which are located in %USERPROFILE%. The virus then encrypts all files, including .exe files, with an undefeatable encryption (it uses AES-128 cipher), and adds .exotic file extension to every file it touches. It is worth noting that malware double-checks these folders for new files, and encrypts them as well. Then it displays a pop-up message called “Crypto,” which says:
Windows are infected, by the EXOTIC virus!
Try to Kill or Delete me I will kill your PC!
Have a nice day =)
The pop-up message provides the OK button, and once the victim clicks on it, the ransom note appears on the screen. It seems that authors of this filthy ransomware really do not watch their mouths because they include many vulgar words in this note. The ransom note launches in a new window which is called “You got fu*ked by EXOTIC SQUAD!,” and displays the following information:
All your files have been encrypted!
Hello, all your Computer files have been encrypted. But, don’t worry! I haven’t deleted them all. So you have 7 2 hours to pay 50 USD in Bitcoins to my Bitcoin Address to get your files back! Every 5 hours files will be deleted. After 72 hours all that are left will be deleted! We will format your hard-drive when you restart your computer! The Timer starts now! Don’t fu*k with EXOTIC SQUAD!
As you can see, the ransomware virus demands 50 USD within 72 hours, otherwise, the decryption key needed for data restoration will be deleted. Besides, just like the infamous JigSaw ransomware, Exotic Squad virus promises to remove some files every 5 hours of non-payment, and in case the victim does not pay the ransom within 72 hours, the rest of the encrypted data gets erased all at once. When the counter reaches 0, the ransomware reboots the computer automatically, but here’s where the ransomware author failed. Ransomware copies itself to Startup directory to start itself automatically as soon as the computer prepares itself to function, but “unfortunately” this virus is designed to encrypt .exe files, so it encrypts the ransomware’s executive file as well and it becomes useless.
If you have been infected with this nasty ransomware, we recommend you to remove Exotic virus with the anti-malware tool like FortectIntego, and not pay the ransom for the criminals. Speaking from experience, we can say that viruses which look scary and display frightening messages usually are not that dangerous, because their authors typically lack professional coding skills, because it is much easier to write some text in a pop-up window than to code a program that can strongly encrypt files. This virus looks like one of those who are likely to be cracked soon, so we suggest you backup the encrypted data and be patient. For Exotic removal, use instructions presented below. Delete the virus as soon as you can to prevent it from deleting your files.
The developer of this ransomware attempts to reach out to malware researchers
This case of ransomware is rather interesting because while typical ransomware authors tend to stay as anonymous as possible, the developer of this one, known as EvilTwin, wants to communicate with malware researchers and has even provided them with an example of Exotic 2.0 ransomware virus and possibly with Exotic 3.0 ransomware virus. The e-mail of the author is exotic.eviltwin@yandex.com. According to the EvilTwin, malware researchers got his “test ransomware” and his final is a “bada*s.” This is clearly a threat, and it is likely that another example of this virus is going to show up shortly. Therefore, we advise computer users to stay alerted and protect their computers from ransomware by installing an anti-malware program and creating a data backup.
Exotic versions released by EvilTwin
So far two different versions have been discovered, although there might be more shortly. At the moment, known Exotic malware versions are these:
Exotic 2.0 ransomware. The second version of this ransomware project asks for $50 as a ransom and is based on traditional pay-the-ransom-get-files-back strategy. It encrypts files with a tricky algorithm, supplements them with .exotic file extensions, leaves How-to-restore.txt ransom note on the desktop, and launches a program entitled “You got fu*cked by EVILTWIN!,” which types the ransom note on the screen and showcases a countdown clock. It threatens the victim to delete some files every 5 hours of non-payment and finally erase the rest of them after 72 hours. The ransomware should be erased with anti-malware tool since it has no uninstaller. Inexperienced computer users should not attempt to remove the virus manually because in order to entirely delete the virus, victims should delete numerous files that are entitled with trustworthy filenames and also alter Windows Registry, which is a difficult thing to do.
Exotic 3.0 ransomware. The third version no longer threatens the victim to erase the files, but demands for the same $50 ransom, which should be paid in Bitcoins to the same Bitcoin address. Exotic 3.0 virus appends .exotic extensions to encrypted files to make them recognizable, and sadly it seems that encryption that this virus applies to target files is nearly impossible to crack. It means that files cannot be decrypted without a special decryption key, but we do not recommend you to pass your money to victims because according to recent researchers, even 20% of victims who paid the ransom never got the decryption software. We believe that it is a reasonable basis not to pay the ransom.
Distribution techniques
Malware can infect your PC using various techniques. Probably the most popular ways are these:
- Sending malicious email attachments to victims or including infectious links in email messages;
- Using exploit kits placed on harmful websites;
- Pushing fake software updates;
- Malvertising.
Although ransomware authors try to apply new methods of malware distribution, the most efficient one remains the same. Victims still open malicious emails without even inspecting who the sender is. Criminals are so advanced that they can insert a malicious script into a safe-looking Word or JS file, while in the past the only way to infect computers was to make the victim open a .exe file.
Remove Exotic virus entirely
Please do not listen what this malicious Exotic virus says. It attempts to frighten you and make you believe that restarting the computer will “kill it.” You have to start your computer in a Safe Mode with Networking, so please carefully read the instructions presented below or ask someone else to start your PC in a Safe Mode with Networking if you do not know how to do it. Then, you will be able to install an anti-malware tool and complete Exotic removal then. We highly recommend you to employ an automatic virus removal software and not to remove Exotic virus manually as this can result in failure, and then the virus might actually delete all files by formatting the hard drive. Be careful!
Getting rid of Exotic virus. Follow these steps
Manual removal using Safe Mode
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Exotic using System Restore
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Exotic. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Exotic from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Exotic, you can use several methods to restore them:
Recover .exotic files with Data Recovery Pro
Although this is not the official decryption tool, you can try to run Data Recovery Pro and give it a chance to fix your files. We strongly recommend you to create a data backup before applying this technique.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Exotic ransomware;
- Restore them.
Explore Volume Shadow Copies with ShadowExplorer
If Exotic Squad virus authors were not attentive enough, they could miss one important step when creating this ransomware. Sometimes, ransomware authors forget to insert a function that deletes Volume Shadow Copies, which can be used to restore encrypted data.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Exotic and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.