NEWS ransomware (Free Guide) - Quick Decryption Solution

NEWS virus Removal Guide

What is NEWS ransomware?

NEWS ransomware is a file-encrypting virus that spreads via email attachments

NEWS ransomware is a cryptovirus that encrypts files found on the system and marks them using a full pattern that includes the victim's ID and a contact email. It claims to offer a decryption tool to victims who decide to pay the ransom. Files become unusable after the encryption process and are marked with the appendix pattern .victims'ID-ID.[].NEWS. Once files are encoded and marked with this extension, a ransom note appears on the screen and in some of the folders containing encrypted data. The program window first delivers payment instructions and initial information about the encryption process, so people know what happened.

Then the text file FILES ENCRYPTED.txt tells NEWS ransomware victims what to do next – contact the developers via email addresses and However, that is not the best option, since this is a version of Dharma ransomware – a known threat that is not decryptable from the start. The malicious actors who release new versions of the virus cannot guarantee that a decryption tool is available after the payment, so do not trust them, and try to terminate the virus instead of contacting them. Crypto malware can easily damage the machine with additional processes, so the more time it spends on the device, the more issues you need to fix later.

Name: NEWS ransomware
Family: Dharma ransomware
File marker: .NEWS is the appendix that appears on every encrypted file after the original name and file type extension. The full pattern of the extension includes the email address of the crooks – .victims'ID-ID.[].NEWS
Ransom note: A pop-up window shows up on the screen with instructions and payment options. This program window, in most cases, is named with one of the contact emails. Also, a ransom note in a text file named FILES ENCRYPTED.txt is added to every folder with encoded data and to the desktop. This file includes contact emails and encourages victims to contact the criminals for file recovery
Distribution: Sites that include malicious code and email attachments with malicious macros[1] can install either malware that acts as a payload dropper or this cryptovirus directly on the system, without additional interaction or permissions
Contact emails: and
Elimination: Get a professional anti-malware program and remove NEWS ransomware with a full system scan that identifies all the intruders and malicious programs, so it can delete any possible threats
Repair: Ransomware is a powerful infection that interferes with other functions and affects system files behind the user's back, so you should get a PC repair tool or a system program like Fortect or Intego that can find virus damage and fix affected files. If you skip that step, your files may get affected again when you try to restore them from the backup
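The file marker and ransom note name listed above are enough to scope the damage before restoring from backups. The following triage script is an added example, not part of the original guide: it assumes the marker has the layout `<original name>.id-<hex ID>.[<contact>].NEWS`, and the sample file names and the `contact@example.invalid` address are constructed for the demo.

```python
import os
import re
import tempfile
from collections import defaultdict

NOTE_NAME = "FILES ENCRYPTED.txt"   # ransom note name given in the guide
# Assumed layout of the guide's ".victims'ID-ID.[].NEWS" marker:
#   <original name>.id-<hex ID>.[<contact>].NEWS
MARKER = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-F]+)"
    r"\.\[(?P<contact>[^\]]*)\]\.NEWS$",
    re.IGNORECASE,
)

def parse_marker(filename):
    """Return original name, victim ID and contact field, or None."""
    m = MARKER.match(filename)
    return m.groupdict() if m else None

def triage(root):
    """Walk root; report per-folder encrypted files, IDs and note presence."""
    report = defaultdict(lambda: {"encrypted": [], "ids": set(), "note": False})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                report[folder]["note"] = True
                continue
            hit = parse_marker(name)
            if hit:
                # The original name tells you which backup copy to restore.
                report[folder]["encrypted"].append(hit["original"])
                report[folder]["ids"].add(hit["victim_id"].upper())
    return dict(report)

def build_sample(root):
    """Constructed sample tree (empty files, made-up names) for the demo."""
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for rel in ("docs/report.docx.id-1E857D00.[contact@example.invalid].NEWS",
                "docs/photo.jpg.id-1E857D00.[contact@example.invalid].NEWS",
                "docs/" + NOTE_NAME,
                "docs/NEWS.txt",      # benign: name only resembles the marker
                "clean/budget.xlsx"):
        open(os.path.join(root, rel), "w").close()
    return docs, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, info in sorted(triage(tmp).items()):
            print(folder, sorted(info["encrypted"]), sorted(info["ids"]), info["note"])
```

Run it read-only against a mounted copy of the affected disk rather than the live system; folders that do not appear in the report contain neither marked files nor a note.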

NEWS ransomware is a version of the Dharma virus, which is known for delivering full instructions with payment options and places where Bitcoins can be purchased. Cryptocurrency extortion is the main aim of the malicious actors behind this threat. However, experts[2] do not recommend paying or even contacting such crooks, especially when it comes to this family.

This particular .[].NEWS ransomware delivers a shorter version of the common note:

Don't worry,you can return all your files!
If you want to restore them, follow this link:email YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Also, a text file with the contact emails gets placed in various folders containing files encrypted by NEWS ransomware. The ransom amount is not fixed in the note, so when people contact the criminals, the malicious actors can specify the amount the victim needs to pay for the alleged decryption tool. These crooks may offer test decryption of one or a few files, but that is a method to build false trust between you and the criminals. Don't fall for this scam.

Even though .[].NEWS ransomware aims to get money from people, the encryption process is not the only activity the malware runs on the machine. It starts the attack with file locking and gives victims 12 hours to pay up. During its time on the system, the threat also interferes with settings such as security features or functions that allow file recovery.

The NEWS ransomware removal process may be difficult because of these alterations: the virus is set to disable AV tools, damage the registry, and affect the performance of some applications and programs. When the anti-malware tool that is already on the system cannot work, you may reboot the machine in Safe Mode with Networking and launch an alternate AV tool from an external device, for example. NEWS ransomware derives from the dangerous Dharma virus, which has been known to be undecryptable for many years now. Even when the ransom note from the NEWS ransomware developers seems convincing, you should think twice before writing them an email. There are no better options than to get rid of the virus without communicating with the criminals and then recover the encrypted data.

There is no easy way to remove NEWS ransomware because this cryptovirus is dangerous and powerful malware that avoids detection[3] and makes the machine run poorly in order to keep control of files and functions. Your files may get damaged permanently, and you may lose money if you consider paying the ransom as an option. Get a proper AV tool and remove the threat. Then clean the system with Fortect, Intego, or a similar system tool and rely on data backups to replace affected files with safe copies.

Files locked by the .[].NEWS virus cannot be decrypted because researchers haven't released any tools for users. It is not common to find decryptable Dharma versions, but you can still store some of the encrypted and malware-related files and wait for a possible decrypter.

This wait may take longer than you think, so NEWS ransomware should be eliminated as soon as possible. Keep in mind that any traces of the virus can affect the system significantly and even launch a secondary encryption. The Windows registry, system functions, files, and parts of the device needed for file recovery or virus removal get altered, so the cryptovirus is persistent.

Double-check before adding any new files to the affected device, and make sure to repair the NEWS ransomware virus damage. If you need additional help, check the guide below the article. There are a few options for file restoring too, so check them out. NEWS ransomware is malware that focuses on file encryption, because encrypted files are the basis for its ransom demands.

Ransomware comes from spam emails and infected websites

Malicious actors that develop such ransomware threats and other types of more dangerous malware are known for sending emails with malicious attachments or exploiting vulnerabilities of the targeted systems and programs. Criminals spam victims with notifications supposedly coming from companies or services that are popular, so people don't think too much before opening attached files or clicking on included links.

Don't fall for unexpected emails that appear to come from DHL, FedEx, eBay, and other shipping companies or financial services, especially when the email mentions receipts, financial information, updates on your orders, and so on. You should avoid even opening such an email, and especially avoid downloading the attached document or executable file.

Embedded links, malicious website redirects, and infected Word documents with macros can load the ransomware payload directly on the machine, so pay close attention to red flags or simply delete emails you were not expecting to get.

NEWS ransomware file virus needs to get deleted right away to limit system damage

Note that NEWS ransomware virus runs in the background without your knowledge. If you don't recall opening shady attachments or visiting any malicious websites, your device may have been affected for a while now. Additional processes, programs, and files affect the performance and security of the computer.

To remove NEWS ransomware and terminate all its activities, you need to get rid of all the related files and possible malware. When secondary viruses get installed, automatic virus termination is the only way to go. Rely on SpyHunter 5, Combo Cleaner, Malwarebytes, or another anti-malware tool for the job.

Once you have performed a full system scan and proper NEWS ransomware removal, you should get a PC repair utility like Fortect or Intego. Such a program can find and fix damaged files and change settings back to normal without causing additional damage to your machine. Then go through the recovery options below.


Getting rid of NEWS virus. Follow these steps

Manual removal using Safe Mode

To ensure that NEWS ransomware gets eliminated properly, reboot the machine in Safe Mode with Networking before scanning the system with the anti-malware program.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove NEWS using System Restore

System Restore can help with the NEWS ransomware elimination process because it returns the system to a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of NEWS. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Fortect or Intego, scan your computer with it, and make sure that NEWS removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove NEWS from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by NEWS, you can use several methods to restore them:

Data Recovery Pro is the option for encrypted file restoring

Data Recovery Pro can restore encrypted or accidentally deleted data for you

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by NEWS ransomware;
  • Restore them.

Windows Previous Versions is another feature that can be used in place of the data backups

When the System Restore feature is enabled, Windows Previous Versions can be used to recover files after NEWS ransomware encryption

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help with files affected by NEWS ransomware virus

To get files back after a .[].NEWS ransomware attack using this method, you need to make sure that Shadow Volume Copies were left untouched by the threat itself

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

.[].NEWS is not decryptable

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from NEWS and other ransomware, use a reputable anti-spyware tool, such as Fortect, Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes

How to prevent from getting ransomware

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention
