Fedasot ransomware (Virus Removal Instructions) - Bonus: Decryption Steps

by Olivia Morelli - - | Type: Ransomware

Fedasot virus Removal Guide

What is Fedasot ransomware?

Fedasot ransomware is crypto malware that initiates a variety of system changes to encrypt personal user files

Fedasot ransomwareFedasot ransomware is a file locking malware that belongs to STOP (Djvu) virus family

Fedasot is a file locking threat that was discovered when victims reported the infection in early May 2019. Belonging to the STOP/Djvu virus family, this ransomware[1] focuses on money extortion and demands $980 or $490 payment in Bitcoin or any other cryptocurrency.

As soon as Fedasot ransomware enters the machine, it performs a variety of system changes, contacts C2 server, and then begins the file encryption process that is performed with the help of AES[2] or another algorithm. During this process, the malware displays a fake Windows update pop-up that is developed to mislead the victims and prevent the interruption of the process.

Once the process is over, each of the personal files like pictures, music, databases, documents, and others are marked with a .fedasot appendix. Unfortunately, from this time victims are unable to open any of the data affected by the virus. Instead, they can access a ransom note _readme.txt that explains to users what happened to their machines and what to do next.

Just as in previous STOP variants, crooks behind the threat ask users to contact them via the @datarestore Telegram account or vengisto@firemail.cc/gorentos@bitmessage.ch email addresses. If you are infected with the virus, you should immediately remove Fedasot ransomware with the help of the instructions that can be found in the bottom section of this article.

Name Fedasot
Type Ransomware
Virus family STOP/Djvu
Similar variants Hofos, Hrosas, Kiratos, Grovat, etc.
Ransom note _readme.txt
Contact vengisto@firemail.cc, gorentos@bitmessage.ch or @datarestore (Telegram)
Ransom size $980 or $490
Decryption If the encryption was performed offline, there is a chance of decrypting data with the help of STOPDecrypter [download link]. Alternatively, please follow the guide below
Virus removal Use anti-malware application
Recovery To restore infected system files, use FortectIntego

There are a variety of ways one can get infected with Fedasot virus. The most common infection methods used by hackers are:

  • Spam emails;
  • Exploit kits;[3]
  • Cracks or keygens;
  • Pirated software installers;
  • Web injects;
  • Fake updates, etc.

Once inside the system, Fedasot ransomware performs a variety of changes to the Windows operating system. For example, it modifies Windows registry to gain persistence and deletes Shadow Volume Copies to prevent file recovery after Fedasot ransomware removal.

These modifications to the system help the malware to perform file encryption without interruptions. Unfortunately, users then find out that are unable to view documents, pictures or any other data located on their machine. Instead, they can open the _readme.txt ransom note which reads:

ATTENTION!

Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted
with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-1aTCryfzhK
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
vengisto@firemail.cc

Reserve e-mail address to contact us:
gorentos@bitmessage.ch

Our Telegram account:
@datarestore

Depending on where you live, $980 or $490 might be a large or small sum. Regardless of the price, you should ignore the message from cybercriminals and never contact them, as chances of being scammed remains. Besides, paying threat actors will only prompt them to infect more victims and create new versions of Fedasot ransomware.

Thus, use anti-malware software to terminate the Fedasot virus, scan your computer with FortectIntego to repair the infected system files and only then attempt file recovery. You can connect your backup device or retrieve data from virtual storage.

If you did not have backups, restoring files might be almost impossible, unless the encryption process took place when your machine was not connected to the internet. Nevertheless, we suggest you try using third-party software as it might be able to recover at least some of your files.

Fedasot ransomware virusFedasot ransomware is a type of malware that locks up users' files and demands ransom of $980/$490 to be paid for the decryption tool

Take care of your online safety to avoid ransomware infections

While avoiding computer viruses 100% might be impossible, there are several precautionary measures that you could make use of – it would reduce the chance of the infection to a minimum. Nevertheless, installing anti-malware software and updating it on time is not enough, especially if being careless online.

Anti-malware software is a great tool to protect yourself from already known viruses, although most paid programs use machine learning technology, which can recognize suspicious patterns of completely new malware. Nevertheless, hackers are intelligent people, and they are always looking for new ways to trick security software.

Therefore, besides using the anti-virus application, you should also:

  • Keep your Windows updated, along with all the installed programs;
  • Use caution when handling spam emails, especially those with attachments or hyperlinks (be aware that some phishing emails manage to bypass the built-in scanners and end up in your Inbox);
  • Use ad-blocker when visiting high-risk sites (torrents, adult-oriented, third-party downloads, etc.);
  • Enable Firewall;
  • Do not download and install pirated software or its cracks;
  • Disable Adobe Flash plugin or set it to click to run;
  • Use strong passwords for all your accounts and enable two-factor authentication.

Avoid paying ransom and instead remove Fedasot ransomware from your PC

To remove Fedasot ransomware, you will have to install a reputable anti-malware tool. There are plenty on the market available, although be aware that the same AV engine might not detect each of the ransomware versions. Therefore, you might have to try another software before you succeed. Additionally, you should access Safe Mode before you perform Fedasot ransomware removal, as the safe environment would temporarily disable malware's operation.

As soon as you delete Fedasot virus, you can then attempt file recovery. As we previously mentioned, the STOPDecrypter might be useful if the encryption process was performed when offline. If that does not work, you can try out third-party recovery software, download links of you can find below.

Offer
do it now!
Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

Getting rid of Fedasot virus. Follow these steps

Manual removal using Safe Mode

If Fedasot ransomware is tampering with your anti-virus software, you should enter Safe Mode with Networking by using these instructions:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Fedasot using System Restore

Terminate the malware with the help of System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Fedasot. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Fedasot removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Fedasot from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Fedasot, you can use several methods to restore them:

Recover your data
Recover your data

Data Recovery Pro might help you retrieve your files

This tool might be able to help you and retrieve at least some of your locked data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Fedasot ransomware;
  • Restore them.

Make use of Windows Previous Versions Feature

This option is only viable if your had System Restore enabled before the Fedasot virus encrypted your data.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer might retrieve all your files under a condition

If the malware failed to remove Shadow Volume Copies, you have a high chance of recovering all your data with ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of STOPDecrypter

Try using STOPDecrypter by security expert Michael Gillespie, it is continually updated and might work for you.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Fedasot and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References