Liquid ransomware (virus) - Free Instructions

Liquid virus Removal Guide

What is Liquid ransomware?

Liquid ransomware prevents victims from accessing their files

Liquid ransomwareLiquid ransomware developers demand Bitcoin to decrypt victims' files

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. In this age, ransomware authors order the payment to be sent in cryptocurrency. Attackers target individuals, businesses, and organizations of all kinds.

In most cases, the malware first gains access to the device. Depending on the type of ransomware, either the entire operating system or individual files are encrypted. Liquid ransomware seems to encrypt only personal files like photos, videos, documents, databases, and others so that the victims could still use the device to make the payment.

After infiltrating the machine, the virus starts the process by encrypting the files and appending them with the .Liquid extension. The victims' ID and attackers' email address is also added. For example, if a file was previously named picture.jpg, now it would look like this – id[victimID].[unknownteam@criptext.com].picture.jpg.Liquid.

This is the moment where users notice that something strange is happening to their device, as the file icons also change to white pages. Shortly after the encryption process is over, a ransom note named Liquid.hta is generated and shown to the victim. There, people are informed that they need to send the hackers Bitcoin in order to get their files back.

We strongly suggest against contacting the cybercriminals or paying the ransom as many victims of ransomware attacks report that after paying the money they never heard back and not only lost their files but their money too. If you do not have backups, we are sorry to disappoint, but it is possible that you lost your data forever. In this guide, we will show you how to remove the malware and what recovery options are available.

NAME Liquid
TYPE Ransomware, cryptovirus, data locking malware
DISTRIBUTION Email attachments, peer-to-peer file sharing platforms, malicious ads
FILE EXTENSION .Liquid
RANSOM NOTE Liquid.hta
FILE RECOVERY It is almost impossible to recover the files if you do not have backups
MALWARE REMOVAL Scan your machine with anti-malware software SpyHunter 5Combo Cleaner or Malwarebytes to eliminate the malicious files. This will not recover your files.
SYSTEM FIX Windows reinstallation can be avoided with ReimageIntego maintenance tool, which can fix damaged files

How does ransomware spread?

There are several different ways that ransomware can infect your computer. One of the most common methods is through malspam, which is an unsolicited email that is used to deliver malware. The email might include attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Cybercriminals use social engineering tactics in order to trick people into opening attachments or clicking on links by appearing as legitimate whether that’s by seeming to be from a trusted institution or a friend. Installing “cracked” software[1] is also a huge threat as the sites that distribute them disguise malicious programs as legitimate or hide malware between the files.

Another popular infection method is malvertising.[2] Malicious advertising is the use of online advertising to distribute malware. While browsing the web, users can be redirected to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations and then select the malware best suited to deliver.

Liquid virusThe malware makes all the personal files impossible to open

The full Liquid.hta ransom note

all data in your machine turned to useless binary code
your databses and Documents have been downloaded and will be published after 12days if not paid
to return files and prevent publishing email us at : unknownteam@criptext.com , fixbyfinch@Tutanota.com (send copy to both, your id as subject)
your id : –
tips:
no one else can help you ,don't waste your business time
if not paid after a while Google your Campany Name and you wil see your private and custorres data in there ,all your customers and (this is done only if determine your data leakage does more damage than payment you should make)
anyone/any company offering help will contact us and intermediate, even if they claim otherwise, math prooves no one can decrypt without our private keys ,even some of them with good fame get test file from us and scam you (get your money, don't pay us, tell you some bullshit, and leave you with your encrypted data) the other half get only some extra fees from you (someone them they pick large amounts of your payment for themselves), there's nothing you can't do yourself
you can buy bitcoins easily , just google : how to buy bitcoins in xxx (your country)
Whats's guarantee? 1- you send a few Sample files for test before payment 2-if we don't recover our reputation will go bad and no one will pay us
we won;t be available for long
dont play with encrypted files that will corrupt them and make unrecoverable.
for proper decryption don't delete files at c:\Liquid hidden folder , even on machines with no important data , or get backup of them
question : i read at some website that some people pay the ransome and don't get their files answer: yes that happens with some ransomewares, affiliates scam you to to pay percentage to devs , to avoid it never pay anyone without testfile (us or any dealer),never ever pay outside of this 2 emails,ONLY PAY TO THE WALLET ADDRESS YOU RECEIVE WITH DECRYPTED SAMPLE FILE ,scam can't happen if this tips are followed , guaranteed .
use google translate (if you don't know english)

From the ransom note, it is easy to tell that the creators' native language is not English as it is full of grammar and spelling mistakes. The authors use scare tactics to rush victims into paying the ransom and not trying alternative methods. They want people to act based on fear and emotions.

The developers of Liquid ransomware also threaten to release the victims' files on the internet if they do not pay. As we said before, hackers should not be trusted. They cannot guarantee that they will keep their promise. Your information might already be posted somewhere on the internet or they do not plan on doing that at all.

It is clear that these cybercriminals are trying to use every method possible to make you send cryptocurrency to their address. Keep in mind, that after you send a payment in crypto, you cannot cancel it, or report that you did not receive the promised services – they are gone forever.

Disconnect the device from the local network

As the creators of this malicious program seem to be targeting businesses, you need to isolate the affected machine so the virus would not infect the entire network. As soon as one of the machines is infected, malware can spread via network and encrypt files everywhere else, including Network Attached Storage (NAS) devices.[3] If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.

The easiest way to disconnect a PC from everything is simply to plug out the ethernet cable. However, in the corporate environment, this might be extremely difficult to do (also would take a long time). The method below will disconnect from all the networks, including local and the internet, isolating each of the machines involved.

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and InternetNetwork and internet
  • Click Network and Sharing CenterNetwork and internet 2
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.

Remove the intruder from your machine

If you try to recover your data first, it can result in permanent loss. It can also encrypt your files the second time. It will not stop until you remove the malicious files causing it first. You should not attempt removing the malicious program yourself. Use anti-malware tools like SpyHunter 5Combo Cleaner or Malwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. Automatic removal is the best option because there is less risk of leaving some of the traces behind.

If the virus is preventing you from using security software, first you need to access Safe Mode.[4] If you do not know how to do it, look for instructions at the bottom of the post.

Try recovering your personal data using third-party software

Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, you possibly lost your files forever. You can try using data recovery software, but third-party programs cannot always decrypt the files. We suggest at least trying this method. Before proceeding, you have to copy the corrupted files and place them in a USB flash drive or another storage. And remember – only do this if you have already removed Liquid ransomware.

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
  3. Follow on-screen instructions to install the software.
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.Scan
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Fix the damaged operating system

Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are expected after malware infection. These types of infections can alter the Windows registry database, damage vital bootup and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not able to repair it.

This is why ReimageIntego was developed. It can fix a lot of the damage caused by an infection like this. Blue Screen errors, freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could avoid Windows reinstallation.

  • Download the application by clicking on the link above
  • Click on the ReimageRepair.exe
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation process
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Liquid virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Report the incident to your local authorities

Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.

Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:

Internet Crime Complaint Center IC3

If your country is not listed above, you should contact the local police department or communications center.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Liquid and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References