ransomware (Virus Removal Guide) - updated Apr 2020 virus Removal Guide

What is ransomware? ransomware is a type of malware that blackmails victims to pay ransom by locking their files ransomware ransomware is a file-encrypting virus which demands to contact the criminals after data encryption. ransomware is a file locking virus that belongs to a well-established Scarab family, which operates as RaaS (Ransomware-as-a-service).[1] This version of the malware was first spotted in July 2018, although it is now resurfacing again, with multiple victims reporting getting infected.

Once inside the system, ransomware strips Windows computers from their defenses and then initiates the data encryption process. After that, all pictures, documents, databases, and other files can no longer be accessed, and are marked with appendix. As soon as data is locked, victims can access HOW TO RECOVER ENCRYPTED FILES.txt file, which is essentially a note from the attackers. Inside, the attackers claim that an email to address should be sent in order to negotiate a price for a decryptor.

The note also mentions that if the requirements are not fulfilled within two days, the secret key that can unlock files will be deleted permanently. It is important to note that ransomware removal will not retrieve access to data, although there are a few other methods that might help you in some cases.

Type Ransomware
Ransomware family Scarab
encryption method All non-system and non-executable files are encrypted with the help of RSA
extension Files are appended with appending. Example of the encrypted file:
distribution Threat actors employ a variety of delivery methods, including spam emails, malicious ads, software cracks, etc.
symptoms Files marked with a specific extension are no longer accessible and encrypted with a strong algorithm
File Decryption Unfortunately, this variant of Scarab is using improved encryption method to lock data with RSA, so it can no longer be decrypted for free without backups. Alternative ways how to get back compromised data are indicated at the end of this article
elimination To get rid of malware, perform a full system scan with a powerful anti-malware tool
System fix In case your Windows does not perform as well as prior to malware infection (lags, crashes, returns errors), fix virus damage with FortectIntego repair software

Since the virus utilizes a Ransomware-as-a-Service scheme, it can be delivered in several different methods. In essence, it makes the infection rate much higher, which also increases the chances of victims paying the ransom. Some of the delivery techniques include:

  • Spam emails with boobytrapped attachments (documents, archives, PDF files);
  • Malicious ads that are placed on less secure of hacked websites;
  • Weakly protected Remote Desktop (RDP) connections that are using a default port;
  • Botnets – malicious spam is sent by using infected hosts (Necurs is known to spread Scarab ransomware variants);
  • Software cracks and pirated program installers, etc.

After the infiltration, ransomware leaves the ransom-demanding message and indicates the following information:


Your important files produced on this computer have been encrypted due a security problem
If you want to restore them, write us to the e-mail:
You have to pay for decryption. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 2 day – your key has been deleted and you cant decrypt your files

Cybercriminals claim that they have virus decryptor and offer free decryption of 3 regular files. Additionally, they ask to contact them as soon as possible since the price of data recovery depends on it. However, our experts note that attackers are unreliable people and one should never agree to their terms[2].

There are multiple other ways how you can decrypt files with extension without financially motivating the hackers. Furthermore, if you have backups stored in the cloud, you can quickly restore locked files to the primary state and avoid financial losses. ransomware ransomware is a new variant of Scarab virus family.

Thus, we strongly advise you to remove ransomware before it has damaged your system even more. Unfortunately, simple elimination procedure won't eliminate this cyber threat as it would reappear after the startup and start data encryption once again.

You can perform safe ransomware removal by employing a reliable security tool. Such antivirus applications are designed to get rid of all virus-related components from the computer and ensure its security in the future. Later, make sure to check alternative data recovery methods below and also fix virus damage with the help of FortectIntego.

Spam emails and malicious ads are the primary ransomware distribution sources

The answer to the question of how I got infected with ransomware is very simple. Most file-encrypting viruses spread utilizing the same technique for quite some time now — malicious email attachments. This distribution method is based on the recklessness of novice PC users as they tend to open spam emails that include malicious files.

Criminals create emails that mimic legal documents, invoices, or shopping receipts from well-known brands and companies. Typically, attachments that execute malware are macro-embedded documents, such as .doc, or .xls, although other file types, such as .zip, .pdf, .html, can also be used.

Likewise, you should carefully monitor your activity online and avoid opening any emails from unreliable and suspicious sources. Also, stay away from ads on insecure websites, such as porn, torrent, and similar. If clicked, they might enable malicious scripts and start an automatic download of the crypto-malware[3].

Get rid of ransomware and proceed to data recovery

We understand that you want to recover files with extension as quickly as possible. Although, experts[4] note that it is only possible when you uninstall the file-encrypting virus from your system completely. Since this task might be complicated, we suggest using a professional malware removal software.

You should start ransomware removal by installing an antivirus. Our top choices are SpyHunter 5Combo Cleaner and Malwarebytes. They are effective, and easy-to-use to you will be able to proceed with data recovery steps and unlock your files quickly.

Although, if you can't remove ransomware since the virus prevents you from installing the security tool, you should check the instructions below. They are designed to guide you through the whole elimination and file recovery procedure.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of virus. Follow these steps

Manual removal using Safe Mode

Boot your computer into Safe Mode with Networking to disable the infection:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by, you can use several methods to restore them:

Data Recovery Pro could help ransomware victims

If you have files encrypted by the ransomware, try recovering them with this professional software. Additionally, it might help you get back the access to data which has been accidentally deleted or compromised in other ways.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ransomware;
  • Restore them.

Windows Previous Versions Feature option

Fortunately, Windows users can take advantage of an inbuilt feature which allows to travel back in time and restore files from their previous versions.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer software

This application is designed to use Shadow Volume Copies on the system to recover encrypted data. Make sure that they are in place and follow the instructions below:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored. ransomware decryptor is not available.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions