Severity scale:  

Remove ransomware (Virus Removal Guide) - updated Apr 2020

removal by Jake Doevan - - | Type: Ransomware ransomware is a type of malware that blackmails victims to pay ransom by locking their files ransomware image ransomware is a file locking virus that belongs to a well-established Scarab family, which operates as RaaS (Ransomware-as-a-service).[1] This version of the malware was first spotted in July 2018, although it is now resurfacing again, with multiple victims reporting getting infected. 

Once inside the system, ransomware strips Windows computers from their defenses and then initiates the data encryption process. After that, all pictures, documents, databases, and other files can no longer be accessed, and are marked with appendix. As soon as data is locked, victims can access HOW TO RECOVER ENCRYPTED FILES.txt file, which is essentially a note from the attackers. Inside, the attackers claim that an email to address should be sent in order to negotiate a price for a decryptor.

The note also mentions that if the requirements are not fulfilled within two days, the secret key that can unlock files will be deleted permanently. It is important to note that ransomware removal will not retrieve access to data, although there are a few other methods that might help you in some cases.

Type Ransomware
Ransomware family Scarab
encryption method All non-system and non-executable files are encrypted with the help of RSA
extension Files are appended with appending. Example of the encrypted file:
distribution Threat actors employ a variety of delivery methods, including spam emails, malicious ads, software cracks, etc.
symptoms Files marked with a specific extension are no longer accessible and encrypted with a strong algorithm
File Decryption Unfortunately, this variant of Scarab is using improved encryption method to lock data with RSA, so it can no longer be decrypted for free without backups. Alternative ways how to get back compromised data are indicated at the end of this article
elimination To get rid of malware, perform a full system scan with a powerful anti-malware tool
System fix In case your Windows does not perform as well as prior to malware infection (lags, crashes, returns errors), fix virus damage with Reimage Reimage Cleaner Intego repair software

Since the virus utilizes a Ransomware-as-a-Service scheme, it can be delivered in several different methods. In essence, it makes the infection rate much higher, which also increases the chances of victims paying the ransom. Some of the delivery techniques include:

  • Spam emails with boobytrapped attachments (documents, archives, PDF files);
  • Malicious ads that are placed on less secure of hacked websites;
  • Weakly protected Remote Desktop (RDP) connections that are using a default port;
  • Botnets – malicious spam is sent by using infected hosts (Necurs is known to spread Scarab ransomware variants);
  • Software cracks and pirated program installers, etc.

After the infiltration, ransomware leaves the ransom-demanding message and indicates the following information:


Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail:
You have to pay for decryption. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 2 day – your key has been deleted and you cant decrypt your files

Cybercriminals claim that they have virus decryptor and offer free decryption of 3 regular files. Additionally, they ask to contact them as soon as possible since the price of data recovery depends on it. However, our experts note that attackers are unreliable people and one should never agree to their terms[2].

There are multiple other ways how you can decrypt files with extension without financially motivating the hackers. Furthermore, if you have backups stored in the cloud, you can quickly restore locked files to the primary state and avoid financial losses. ransomware ransomware is a new variant of Scarab virus family.

Thus, we strongly advise you to remove ransomware before it has damaged your system even more. Unfortunately, simple elimination procedure won't eliminate this cyber threat as it would reappear after the startup and start data encryption once again.

You can perform safe ransomware removal by employing a reliable security tool. Such antivirus applications are designed to get rid of all virus-related components from the computer and ensure its security in the future. Later, make sure to check alternative data recovery methods below and also fix virus damage with the help of Reimage Reimage Cleaner Intego.

Spam emails and malicious ads are the primary ransomware distribution sources

The answer to the question of how I got infected with ransomware is very simple. Most file-encrypting viruses spread utilizing the same technique for quite some time now — malicious email attachments. This distribution method is based on the recklessness of novice PC users as they tend to open spam emails that include malicious files.

Criminals create emails that mimic legal documents, invoices, or shopping receipts from well-known brands and companies. Typically, attachments that execute malware are macro-embedded documents, such as .doc, or .xls, although other file types, such as .zip, .pdf, .html, can also be used.

Likewise, you should carefully monitor your activity online and avoid opening any emails from unreliable and suspicious sources. Also, stay away from ads on insecure websites, such as porn, torrent, and similar. If clicked, they might enable malicious scripts and start an automatic download of the crypto-malware[3].

Get rid of ransomware and proceed to data recovery

We understand that you want to recover files with extension as quickly as possible. Although, experts[4] note that it is only possible when you uninstall the file-encrypting virus from your system completely. Since this task might be complicated, we suggest using a professional malware removal software.

You should start ransomware removal by installing an antivirus. Our top choices are SpyHunter 5Combo Cleaner and Malwarebytes. They are effective, and easy-to-use to you will be able to proceed with data recovery steps and unlock your files quickly.

Although, if you can't remove ransomware since the virus prevents you from installing the security tool, you should check the instructions below. They are designed to guide you through the whole elimination and file recovery procedure.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove virus, follow these steps:

Remove using Safe Mode with Networking

Boot your computer into Safe Mode with Networking to disable the infection:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by, you can use several methods to restore them:

Data Recovery Pro could help ransomware victims

If you have files encrypted by the ransomware, try recovering them with this professional software. Additionally, it might help you get back the access to data which has been accidentally deleted or compromised in other ways.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ransomware;
  • Restore them.

Windows Previous Versions Feature option

Fortunately, Windows users can take advantage of an inbuilt feature which allows to travel back in time and restore files from their previous versions.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer software

This application is designed to use Shadow Volume Copies on the system to recover encrypted data. Make sure that they are in place and follow the instructions below:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored. ransomware decryptor is not available.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Your opinion regarding ransomware