Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Sep 2021

How to remove Liquid ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

Liquid ransomware prevents victims from accessing their files

Liquid ransomware

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. In this age, ransomware authors order the payment to be sent in cryptocurrency. Attackers target individuals, businesses, and organizations of all kinds.

In most cases, the malware first gains access to the device. Depending on the type of ransomware, either the entire operating system or individual files are encrypted. Liquid ransomware seems to encrypt only personal files like photos, videos, documents, databases, and others so that the victims could still use the device to make the payment.

After infiltrating the machine, the virus starts the process by encrypting the files and appending them with the .Liquid extension. The victims' ID and attackers' email address is also added. For example, if a file was previously named picture.jpg, now it would look like this – id[victimID].[unknownteam@criptext.com].picture.jpg.Liquid.

This is the moment where users notice that something strange is happening to their device, as the file icons also change to white pages. Shortly after the encryption process is over, a ransom note named Liquid.hta is generated and shown to the victim. There, people are informed that they need to send the hackers Bitcoin in order to get their files back.

We strongly suggest against contacting the cybercriminals or paying the ransom as many victims of ransomware attacks report that after paying the money they never heard back and not only lost their files but their money too. If you do not have backups, we are sorry to disappoint, but it is possible that you lost your data forever. In this guide, we will show you how to remove the malware and what recovery options are available. 

NAME Liquid
TYPE Ransomware, cryptovirus, data locking malware
DISTRIBUTION Email attachments, peer-to-peer file sharing platforms, malicious ads
FILE EXTENSION .Liquid
RANSOM NOTE Liquid.hta
FILE RECOVERY It is almost impossible to recover the files if you do not have backups
MALWARE REMOVAL Scan your machine with anti-malware software SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to eliminate the malicious files. This will not recover your files.
SYSTEM FIX Windows reinstallation can be avoided with FortectIntego maintenance tool, which can fix damaged files

How does ransomware spread?

There are several different ways that ransomware can infect your computer. One of the most common methods is through malspam, which is an unsolicited email that is used to deliver malware. The email might include attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Cybercriminals use social engineering tactics in order to trick people into opening attachments or clicking on links by appearing as legitimate whether that’s by seeming to be from a trusted institution or a friend. Installing “cracked” software[1] is also a huge threat as the sites that distribute them disguise malicious programs as legitimate or hide malware between the files.

Another popular infection method is malvertising.[2] Malicious advertising is the use of online advertising to distribute malware. While browsing the web, users can be redirected to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations and then select the malware best suited to deliver.

Liquid virus

The full Liquid.hta ransom note

all data in your machine turned to useless binary code
your databses and Documents have been downloaded and will be published after 12days if not paid
to return files and prevent publishing email us at : unknownteam@criptext.com , fixbyfinch@Tutanota.com (send copy to both, your id as subject)
your id : –
tips:
no one else can help you ,don't waste your business time
if not paid after a while Google your Campany Name and you wil see your private and custorres data in there ,all your customers and (this is done only if determine your data leakage does more damage than payment you should make)
anyone/any company offering help will contact us and intermediate, even if they claim otherwise, math prooves no one can decrypt without our private keys ,even some of them with good fame get test file from us and scam you (get your money, don't pay us, tell you some bullshit, and leave you with your encrypted data) the other half get only some extra fees from you (someone them they pick large amounts of your payment for themselves), there's nothing you can't do yourself
you can buy bitcoins easily , just google : how to buy bitcoins in xxx (your country)
Whats's guarantee? 1- you send a few Sample files for test before payment 2-if we don't recover our reputation will go bad and no one will pay us
we won;t be available for long
dont play with encrypted files that will corrupt them and make unrecoverable.
for proper decryption don't delete files at c:\Liquid hidden folder , even on machines with no important data , or get backup of them
question : i read at some website that some people pay the ransome and don't get their files answer: yes that happens with some ransomewares, affiliates scam you to to pay percentage to devs , to avoid it never pay anyone without testfile (us or any dealer),never ever pay outside of this 2 emails,ONLY PAY TO THE WALLET ADDRESS YOU RECEIVE WITH DECRYPTED SAMPLE FILE ,scam can't happen if this tips are followed , guaranteed .
use google translate (if you don't know english)

From the ransom note, it is easy to tell that the creators' native language is not English as it is full of grammar and spelling mistakes. The authors use scare tactics to rush victims into paying the ransom and not trying alternative methods. They want people to act based on fear and emotions. 

The developers of Liquid ransomware also threaten to release the victims' files on the internet if they do not pay. As we said before, hackers should not be trusted. They cannot guarantee that they will keep their promise. Your information might already be posted somewhere on the internet or they do not plan on doing that at all.

It is clear that these cybercriminals are trying to use every method possible to make you send cryptocurrency to their address. Keep in mind, that after you send a payment in crypto, you cannot cancel it, or report that you did not receive the promised services – they are gone forever.

Disconnect the device from the local network

As the creators of this malicious program seem to be targeting businesses, you need to isolate the affected machine so the virus would not infect the entire network. As soon as one of the machines is infected, malware can spread via network and encrypt files everywhere else, including Network Attached Storage (NAS) devices.[3] If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.

The easiest way to disconnect a PC from everything is simply to plug out the ethernet cable. However, in the corporate environment, this might be extremely difficult to do (also would take a long time). The method below will disconnect from all the networks, including local and the internet, isolating each of the machines involved.

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and InternetNetwork and internet
  • Click Network and Sharing CenterNetwork and internet 2
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.

Remove the intruder from your machine

If you try to recover your data first, it can result in permanent loss. It can also encrypt your files the second time. It will not stop until you remove the malicious files causing it first. You should not attempt removing the malicious program yourself. Use anti-malware tools like SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. Automatic removal is the best option because there is less risk of leaving some of the traces behind.

If the virus is preventing you from using security software, first you need to access Safe Mode.[4] If you do not know how to do it, look for instructions at the bottom of the post.

Try recovering your personal data using third-party software

Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, you possibly lost your files forever. You can try using data recovery software, but third-party programs cannot always decrypt the files. We suggest at least trying this method. Before proceeding, you have to copy the corrupted files and place them in a USB flash drive or another storage. And remember – only do this if you have already removed Liquid ransomware.

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
  3. Follow on-screen instructions to install the software.
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.Scan
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Fix the damaged operating system

Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are expected after malware infection. These types of infections can alter the Windows registry database, damage vital bootup and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not able to repair it. 

This is why FortectIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors, freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could avoid Windows reinstallation.

  • Download the application by clicking on the link above
  • Click on the ReimageRepair.exe
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation process
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.