Live ransomware (Bonus: Decryption Steps) - Virus Removal Instructions

Live virus Removal Guide

What is Live ransomware?

Live ransomware – a new Dharma variant that automatically boots every time the computer power is turned on

Live ransomware virusLive ransomware is a file-locking cyber threat that travels through email spam, vulnerable RDP configuration, cracked software, malvertising ads, infectious links, etc.

Live ransomware, also known as CryptLive ransomware, is one of the newest Dharma variants that have reached the surface at the end of January 2020. The malware operates as a typical ransom-demanding and file-encrypting[1] cyber threat but that does not make it less dangerous than others of its kind. The malicious module is designed to encrypt files by appending the .LIVE extension to each file name.

Afterward, Live virus pastes a copy of the info.hta and FILES ENCRYPTED.txt ransom note into every folder that holds locked data. The first message encourages users to reach out to the cybercriminals via cryptlive@aol.com email address while the second one provides a payment offering of $1299 that needs to be transferred in Bitcoin. The crooks promise to give those who show signs of communication via 24 hours a 15% discount and offer users to send them 1 file not exceeding the size of 10 MB for free decryption as the demonstration of the truly-existing decryption software.

Name Live ransomware/CryptLive ransomware
Category Ransomware/malware
Family This cyber threat belongs to the Dharma ransomware family
Appendix Once all the files and documents are found and locked with a unique encryption cipher, the ransomware virus appends the .LIVE extension to each affected component
Ransom note The malware delivers two ransom notes one from which is written in the info.hta format and the other one opens in a notepad window and is named FILES ENCRYPTED.txt
Ransom price The criminals urge for a quite big price – $1299 in Bitcoin. However, these people promise to make a 15% discount for those victims who aim to contact the developers within 24 hours of time
Crook's contacts The crooks provide the cryptlive@aol.com email address as a way to make contact and send them one small file for receiving evidence of the decryption tool's existence
Spreading Ransomware infections are often delivered through email spam when the crooks pretend to be reliable firms and organizations. Also, the malware can appear through a hacked RDP, software cracks, fake software updates, malicious advertisements, and infectious hyperlinks
Termination If you have spotted this ransomware virus on your computer system, you have to get rid of it as soon as possible before it has brought any other additional infections. Besides, you can try restoring your locked data only after terminating the malware. For this process, download reliable antimalware software
Repair tool If the ransomware virus has damaged some of your Windows computer's areas, you can try fixing them with a repair tool such as FortectIntego

Live ransomware is a tricky cyber threat that fills the Registry and Task Manager with malicious files and operations. Whenever these components are executed, the virus is provided with various functional abilities. For example, some commands allow the ransomware to boot up every time the computer is started. Also, do not be surprised if the malware is mimicking the process of some type of flash player, downloader, or another piece of software as this way the ransomware virus is capable of blending into your system and staying unknown for a while.

Continuously, [cryptlive@aol.com].LIVE ransomware might also be scheduled to run background processes such as the deletion of Shadow Volume Copies.[2] This type of activity hardens the data recovery process for the cybercriminals. If the virtual parasite starts initiating multiple tasks at a time, you can also spot that your CPU and GPU power levels have been rising up more than usual.

In fact, Live ransomware uses some threats in its ransom message regarding the data recovery fact. The criminals make sure that the victims are aware that trying to restore files by themselves can bring only more harm and files loss:

YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!

If you want to restore them, follow this link:email cryptlive@aol.com YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by e-mail:cryptlive@aol.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam

However, Live ransomware is trying to trick you into purchasing the decryption tool from the cybercriminals. Even though these people might truly own this type of software, there are no guarantees that they will not just run off with your money.

Due to the risk of getting scammed, you should remove Live ransomware from your Windows computer system and use alternative software for the data recovery process. There is no official decrypter released at the time of writing but you still can benefit from third-party restoring software. We have provided some solutions at the end of this page.

Live ransomwareLive ransomware is a dangerous malware form that comes from the Dharma ransomware family

Other functions of Live ransomware might include permanently damaging the hosts files on your Windows device. This way the malware prevents you from visiting security-based pages and receiving valuable information on the virus's termination. So, once you are deleting the ransomware virus, do not forget to delete the Windows hosts file too, otherwise, the access to your liked websites might still remain blocked.

Another reason for you to speed up Live ransomware removal is the possibility that you will end up with additional malware on your computer system. Ransomware infections are capable of bringing not only potentially unwanted programs such as adware or browser hijackers to the computer system but also serious malware such as trojans, spyware, worms, cryptocurrency miners, etc.

If you have been looking for ways to uninstall Live ransomware properly, you should only do that by employing reliable software as the manual technique might not work very well due to the risk of missing crucial components. Besides, if you have discovered some damage on your computer system, you can try fixing the infected areas with the help of FortectIntego.

If in some cases, your antivirus program cannot find Live ransomware on your Windows machine, the malware might be evading antimalware detection. For this purpose, you should boot your computer via Safe Mode with Networking or System Restore. However, according to VirusTotal data,[3] this malicious string has been detected by 58 antivirus tools out of the total 70.

Live malwareLive malware is a ransomware virus that might delete Shadow Volume Copies to harden the decryption process for the victims

Ransomware delivery is never expected but not quite surprising

Dangerous malware forms such as ransomware appear on those computer systems who have the weakest or a very weak level of protection. This means, even though you have not opted for the ransomware installation intentionally, the cyber threat did not really escape without your help and we are going to explain how this happens.

The main way of delivering ransomware-related payload to victims' computers is by using spam messages. A lot of criminals write official-looking notes and pretend to be from financial companies, shipping firms, healthcare systems, etc. Afterward, the victim is encouraged to open the attached file that often appears to be the infectious payload.

DO NOT fall for believing in any messages that you were not expecting to receive as you can get in big trouble. Even more important, DO NOT open or download any attached files without scanning them with antivirus software first.

Additionally, ransomware infections are likely to get delivered through other sources such as weak RDP configuration. This happens when the RDP does not include a password or includes an easy-guessable one such as “12345”. Furthermore, these types of viruses can be downloaded from software cracks that are placed on peer-to-peer networks such as The Pirate Bay, BitTorrent, and eMule. Also, you can receive these types of threats while opening fake flash player updates, entering malvertising-based ads, clicking on infected hyperlinks, etc.

Advanced removal solutions for Live ransomware

If you have spotted .LIVE files on your desktop, the FILES ENCRYPTED.txt ransom note, and malicious processes running in your Task Manager, you have to get rid of Live ransomware ASAP. The longer you keep this cyber threat on your computer system, the bigger the damage might be. You can even receive other malware very soon.

So, to decrease the risk of additional virus infections and have a chance to unlock at least some of your files, you should remove Live ransomware from your Windows operating system. The only method that works properly in this case is the automatical one and it includes purchasing and downloading proper antimalware software.

Once Live ransomware removal is performed, you can try recovering some of your encrypted files. At the end of this article, we have prepared three possible recovery solutions that might be helpful if completed properly.

According to experts from Virusai.lt,[4] hackers might try to attract as to pay the ransom payment and then vanish. This is the main reason why it is worth trying alternative software for file restoring rather than emptying your pockets.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Live virus. Follow these steps

Manual removal using Safe Mode

To diminish malicious changes on your Windows computer system, you should boot your machine in Safe Mode with Networking. If you do not know how to do that, use these guiding steps to complete the task:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Live using System Restore

To deactivate the ransomware virus and all related process on your infected device, you have to complete the following instructing steps in order to opt for the System Restore feature:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Live. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Live removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Live from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you have seen .LIVE files on your computer's desktop, you should not hurry to pay the ransom as scamming is a possibility that may be awaiting you after payment. Rather than taking such a risk, you can try out some other data restoring techniques that we have provided below.

If your files are encrypted by Live, you can use several methods to restore them:

Employ Data Recovery Pro for file restoring tasks.

If you have been looking for software that could help you bring some of your files back to their primary states, you can try using this third-party tool as it might appear to be really helpful.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Live ransomware;
  • Restore them.

Windows Previous Versions feature might allow data recovery.

If you have enabled the System Restore feature in the past, this tool might help you to recover some of your individual files and documents.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Using Shadow Explorer can increase your chances of data restoring.

You can try out this software if the ransomware virus has locked your files. However, keep in mind, that this method might not work if the malware has permanently destroyed the Shadow Volume Copies of your data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Currently, the cybersecurity experts are working on the official decrypter.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Live and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References