Severity scale: 94/100

Fedasot ransomware. How to remove? (Uninstall guide)

by Olivia Morelli | Type: Ransomware

Fedasot ransomware is crypto malware that initiates a variety of system changes to encrypt personal user files

Fedasot ransomware is file-locking malware that belongs to the STOP (Djvu) virus family

Fedasot is a file locking threat that was discovered when victims reported the infection in early May 2019. Belonging to the STOP/Djvu virus family, this ransomware[1] focuses on money extortion and demands $980 or $490 payment in Bitcoin or any other cryptocurrency.

As soon as Fedasot ransomware enters the machine, it performs a variety of system changes, contacts a C2 server, and then begins the file encryption process, which is performed with the help of AES[2] or another algorithm. During this process, the malware displays a fake Windows update pop-up that is designed to mislead victims and keep them from interrupting the process.

Once the process is over, each personal file, such as pictures, music, databases, documents, and others, is marked with the .fedasot extension. Unfortunately, from this point on victims are unable to open any of the data affected by the virus. Instead, they can access a ransom note, _readme.txt, that explains to users what happened to their machines and what to do next.

Just as in previous STOP variants, crooks behind the threat ask users to contact them via the @datarestore Telegram account or vengisto@firemail.cc/gorentos@bitmessage.ch email addresses. If you are infected with the virus, you should immediately remove Fedasot ransomware with the help of the instructions that can be found in the bottom section of this article.

Name: Fedasot
Type: Ransomware
Virus family: STOP/Djvu
Similar variants: Hofos, Hrosas, Kiratos, Grovat, etc.
Ransom note: _readme.txt
Contact: vengisto@firemail.cc, gorentos@bitmessage.ch or @datarestore (Telegram)
Ransom size: $980 or $490
Decryption: If the encryption was performed offline, there is a chance of decrypting data with the help of STOPDecrypter. Alternatively, please follow the guide below
Virus removal: Use anti-malware application
Recovery: To restore infected system files, use Reimage

There are a variety of ways one can get infected with Fedasot virus. The most common infection methods used by hackers are:

  • Spam emails;
  • Exploit kits;[3]
  • Cracks or keygens;
  • Pirated software installers;
  • Web injects;
  • Fake updates, etc.

Once inside the system, Fedasot ransomware performs a variety of changes to the Windows operating system. For example, it modifies the Windows registry to gain persistence and deletes Shadow Volume Copies to prevent file recovery after Fedasot ransomware removal.

These modifications to the system help the malware to perform file encryption without interruptions. Unfortunately, users then find out that they are unable to view documents, pictures or any other data located on their machine. Instead, they can open the _readme.txt ransom note which reads:

ATTENTION!

Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted
with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-1aTCryfzhK
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
vengisto@firemail.cc

Reserve e-mail address to contact us:
gorentos@bitmessage.ch

Our Telegram account:
@datarestore

Depending on where you live, $980 or $490 might be a large or small sum. Regardless of the price, you should ignore the message from cybercriminals and never contact them, as the chance of being scammed remains. Besides, paying threat actors will only prompt them to infect more victims and create new versions of Fedasot ransomware.

Thus, use anti-malware software to terminate the Fedasot virus, scan your computer with Reimage to repair the infected system files and only then attempt file recovery. You can connect your backup device or retrieve data from virtual storage.

If you did not have backups, restoring files might be almost impossible, unless the encryption process took place when your machine was not connected to the internet. Nevertheless, we suggest you try using third-party software as it might be able to recover at least some of your files.
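Before restoring from backups it helps to know which folders were hit and roughly when encryption started. The Python sketch below is an added example, not part of the original guide or of any tool it names: it counts files with the .fedasot extension per folder, tells the ransom note apart from ordinary _readme.txt files by the contact strings quoted above, and reports the earliest modification time among locked files as an approximate start of encryption. Function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT, NOTE_NAME = ".fedasot", "_readme.txt"  # both named on this page
NOTE_MARKERS = ("vengisto@firemail.cc", "gorentos@bitmessage.ch", "@datarestore")

def is_ransom_note(path):
    """True for a _readme.txt holding a contact string quoted in the note on this page."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(8192)
    except OSError:
        return False
    return any(m in text for m in NOTE_MARKERS)

def inventory(root):
    """Read-only walk: count locked files per folder, list notes, find earliest mtime."""
    by_dir, notes, earliest = Counter(), [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                by_dir[dirpath] += 1
                mtime = os.path.getmtime(full)  # approximates when the file was locked
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif is_ransom_note(full):
                notes.append(full)
    first = datetime.fromtimestamp(earliest, timezone.utc) if earliest is not None else None
    return {"by_dir": dict(by_dir), "notes": sorted(notes), "first_encrypted_utc": first}

def build_sample_tree():  # constructed sample data, not real victim files
    root = tempfile.mkdtemp(prefix="fedasot_demo_")
    samples = [("Documents/b.jpg.fedasot", "x", 1557000600),
               ("Documents/a.docx.fedasot", "x", 1557000000),
               ("Documents/_readme.txt", "write to vengisto@firemail.cc", 1557000700),
               ("Project/_readme.txt", "ordinary project readme", 1556000000)]
    for rel, body, mtime in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    print(inventory(build_sample_tree()))
```

Run `inventory()` against the cleaned disk or a mounted copy only after the malware has been removed; the function only reads the tree it scans.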

Take care of your online safety to avoid ransomware infections

While avoiding computer viruses 100% might be impossible, there are several precautionary measures that you could make use of – it would reduce the chance of the infection to a minimum. Nevertheless, installing anti-malware software and updating it on time is not enough, especially if you are careless online.

Anti-malware software is a great tool to protect yourself from already known viruses, although most paid programs use machine learning technology, which can recognize suspicious patterns of completely new malware. Nevertheless, hackers are intelligent people, and they are always looking for new ways to trick security software.

Therefore, besides using the anti-virus application, you should also:

  • Keep your Windows updated, along with all the installed programs;
  • Use caution when handling spam emails, especially those with attachments or hyperlinks (be aware that some phishing emails manage to bypass the built-in scanners and end up in your Inbox);
  • Use an ad-blocker when visiting high-risk sites (torrents, adult-oriented, third-party downloads, etc.);
  • Enable Firewall;
  • Do not download and install pirated software or its cracks;
  • Disable Adobe Flash plugin or set it to click to run;
  • Use strong passwords for all your accounts and enable two-factor authentication.

Avoid paying ransom and instead remove Fedasot ransomware from your PC

To remove Fedasot ransomware, you will have to install a reputable anti-malware tool. There are plenty available on the market, although be aware that the same AV engine might not detect each of the ransomware versions. Therefore, you might have to try another tool before you succeed. Additionally, you should access Safe Mode before you perform Fedasot ransomware removal, as the safe environment would temporarily disable the malware's operation.

As soon as you delete the Fedasot virus, you can then attempt file recovery. As we previously mentioned, STOPDecrypter might be useful if the encryption process was performed offline. If that does not work, you can try out third-party recovery software, download links for which you can find below.


To remove Fedasot virus, follow these steps:

Remove Fedasot using Safe Mode with Networking

If Fedasot ransomware is tampering with your anti-virus software, you should enter Safe Mode with Networking by using these instructions:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Fedasot

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Fedasot removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Fedasot using System Restore

Terminate the malware with the help of System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Fedasot. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Fedasot removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Fedasot from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Fedasot, you can use several methods to restore them:

Data Recovery Pro might help you retrieve your files

This tool might be able to help you and retrieve at least some of your locked data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Fedasot ransomware;
  • Restore them.

Make use of Windows Previous Versions Feature

This option is only viable if you had System Restore enabled before the Fedasot virus encrypted your data.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer might retrieve all your files under a condition

If the malware failed to remove Shadow Volume Copies, you have a high chance of recovering all your data with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of STOPDecrypter

Try using STOPDecrypter by security expert Michael Gillespie; it is continually updated and might work for you.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Fedasot and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Olivia Morelli - Ransomware analyst
