Fedasot ransomware (Virus Removal Instructions) - Bonus: Decryption Steps
Fedasot virus Removal Guide
What is Fedasot ransomware?
Fedasot ransomware is crypto malware that initiates a variety of system changes to encrypt personal user files
Fedasot ransomware is a file locking malware that belongs to STOP (Djvu) virus family
Fedasot is a file locking threat that was discovered when victims reported the infection in early May 2019. Belonging to the STOP/Djvu virus family, this ransomware[1] focuses on money extortion and demands $980 or $490 payment in Bitcoin or any other cryptocurrency.
As soon as Fedasot ransomware enters the machine, it performs a variety of system changes, contacts C2 server, and then begins the file encryption process that is performed with the help of AES[2] or another algorithm. During this process, the malware displays a fake Windows update pop-up that is developed to mislead the victims and prevent the interruption of the process.
Once the process is over, each of the personal files like pictures, music, databases, documents, and others are marked with a .fedasot appendix. Unfortunately, from this time victims are unable to open any of the data affected by the virus. Instead, they can access a ransom note _readme.txt that explains to users what happened to their machines and what to do next.
Just as in previous STOP variants, crooks behind the threat ask users to contact them via the @datarestore Telegram account or vengisto@firemail.cc/gorentos@bitmessage.ch email addresses. If you are infected with the virus, you should immediately remove Fedasot ransomware with the help of the instructions that can be found in the bottom section of this article.
Name | Fedasot |
Type | Ransomware |
Virus family | STOP/Djvu |
Similar variants | Hofos, Hrosas, Kiratos, Grovat, etc. |
Ransom note | _readme.txt |
Contact | vengisto@firemail.cc, gorentos@bitmessage.ch or @datarestore (Telegram) |
Ransom size | $980 or $490 |
Decryption | If the encryption was performed offline, there is a chance of decrypting data with the help of STOPDecrypter [download link]. Alternatively, please follow the guide below |
Virus removal | Use anti-malware application |
Recovery | To restore infected system files, use FortectIntego |
There are a variety of ways one can get infected with Fedasot virus. The most common infection methods used by hackers are:
- Spam emails;
- Exploit kits;[3]
- Cracks or keygens;
- Pirated software installers;
- Web injects;
- Fake updates, etc.
Once inside the system, Fedasot ransomware performs a variety of changes to the Windows operating system. For example, it modifies Windows registry to gain persistence and deletes Shadow Volume Copies to prevent file recovery after Fedasot ransomware removal.
These modifications to the system help the malware to perform file encryption without interruptions. Unfortunately, users then find out that are unable to view documents, pictures or any other data located on their machine. Instead, they can open the _readme.txt ransom note which reads:
ATTENTION!
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted
with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-1aTCryfzhK
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:
vengisto@firemail.ccReserve e-mail address to contact us:
gorentos@bitmessage.chOur Telegram account:
@datarestore
Depending on where you live, $980 or $490 might be a large or small sum. Regardless of the price, you should ignore the message from cybercriminals and never contact them, as chances of being scammed remains. Besides, paying threat actors will only prompt them to infect more victims and create new versions of Fedasot ransomware.
Thus, use anti-malware software to terminate the Fedasot virus, scan your computer with FortectIntego to repair the infected system files and only then attempt file recovery. You can connect your backup device or retrieve data from virtual storage.
If you did not have backups, restoring files might be almost impossible, unless the encryption process took place when your machine was not connected to the internet. Nevertheless, we suggest you try using third-party software as it might be able to recover at least some of your files.
Fedasot ransomware is a type of malware that locks up users' files and demands ransom of $980/$490 to be paid for the decryption tool
Take care of your online safety to avoid ransomware infections
While avoiding computer viruses 100% might be impossible, there are several precautionary measures that you could make use of – it would reduce the chance of the infection to a minimum. Nevertheless, installing anti-malware software and updating it on time is not enough, especially if being careless online.
Anti-malware software is a great tool to protect yourself from already known viruses, although most paid programs use machine learning technology, which can recognize suspicious patterns of completely new malware. Nevertheless, hackers are intelligent people, and they are always looking for new ways to trick security software.
Therefore, besides using the anti-virus application, you should also:
- Keep your Windows updated, along with all the installed programs;
- Use caution when handling spam emails, especially those with attachments or hyperlinks (be aware that some phishing emails manage to bypass the built-in scanners and end up in your Inbox);
- Use ad-blocker when visiting high-risk sites (torrents, adult-oriented, third-party downloads, etc.);
- Enable Firewall;
- Do not download and install pirated software or its cracks;
- Disable Adobe Flash plugin or set it to click to run;
- Use strong passwords for all your accounts and enable two-factor authentication.
Avoid paying ransom and instead remove Fedasot ransomware from your PC
To remove Fedasot ransomware, you will have to install a reputable anti-malware tool. There are plenty on the market available, although be aware that the same AV engine might not detect each of the ransomware versions. Therefore, you might have to try another software before you succeed. Additionally, you should access Safe Mode before you perform Fedasot ransomware removal, as the safe environment would temporarily disable malware's operation.
As soon as you delete Fedasot virus, you can then attempt file recovery. As we previously mentioned, the STOPDecrypter might be useful if the encryption process was performed when offline. If that does not work, you can try out third-party recovery software, download links of you can find below.
Getting rid of Fedasot virus. Follow these steps
Manual removal using Safe Mode
If Fedasot ransomware is tampering with your anti-virus software, you should enter Safe Mode with Networking by using these instructions:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Fedasot using System Restore
Terminate the malware with the help of System Restore:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Fedasot. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Fedasot from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Fedasot, you can use several methods to restore them:
Data Recovery Pro might help you retrieve your files
This tool might be able to help you and retrieve at least some of your locked data.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Fedasot ransomware;
- Restore them.
Make use of Windows Previous Versions Feature
This option is only viable if your had System Restore enabled before the Fedasot virus encrypted your data.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Shadow Explorer might retrieve all your files under a condition
If the malware failed to remove Shadow Volume Copies, you have a high chance of recovering all your data with ShadowExplorer.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Make use of STOPDecrypter
Try using STOPDecrypter by security expert Michael Gillespie, it is continually updated and might work for you.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Fedasot and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.
- ^ Jake Doevan. How to remove ransomware. 2-spyware. Cybersecurity news and articles.
- ^ Josh Lake. What is AES encryption and how does it work?. CompariTech. Tech researched, compared and rated.
- ^ Exploit kit. Wikipedia. The free encyclopedia.