Usam ransomware (Virus Removal Instructions) - Decryption Methods Included

What is Usam ransomware?

Usam ransomware is a cryptovirus that belongs to the STOP / Djvu ransomware family

Usam is the latest version of the Djvu ransomware, which encrypts files, compromises the system, and blackmail victims to earn the money

Usam ransomware – a highly-malicious malware that locks the data on the Windows machine and blackmails victims to extort the money. The criminals behind this file-encrypting virus^[1] are infamous hackers that have launched STOP / Djvu ransomware a couple of years back and managed to release 233 new versions of the same virus.

The Usam virus is the latest Djvu version, which stands 233 on the list. First spotted in the middle of June 2020, the malware is actively distributed via software cracks, keygens, and unprotected RDPs. If the unsuspecting victim launches the ransomware payload, the virus immediately encrypts most of the non-personal files (music, videos, photos, documents, etc.) with the .usam extension, thus completely restricting the user’s access to them.

Unfortunately, .usam files cannot be decrypted for free. Even though there’s an official STOPdecryptor available for anyone, it is fully functional with the old Djvu versions that have been launched before the autumn of 2019. Based on the information provided on the _readme.txt file, the victims of this virus are supposed to transfer $490 in Bitcoins within 72 hours after having a conversation with criminals via gorentos@bitmessage.ch or gorentos@firemail.cc email.

Usam ransomware virus belongs to the Djvu family – this fact tells almost everything about the virus for the users who are interested in cybersecurity. In fact, all the variants that belong to this gang released after August 2019 are identical. Thus, taking a glance at its siblings, such as .kkll, .nlah, .pezi, .covm, .zwer, and many others are more or less the same, except file extensions and (in some cases) email addresses of the criminals differ.

If the Usam ransomware gets installed on the machine, first of all, it performs various changes on the Windows system with an intention to evade detection, ensure the successful launch of the encryption software, and grand persistence. For that, it may create malicious entries within %AppData%, %User% or %Temp% directories, run the PowerShell commands under administrative privileges to remove Shadow Volume Copies, disable AV program, and can download data-stealing Trojan Azorult as a secondary payload. These changes are not definite, thus dealing with ransomware means many problems with the system’s performance if Usam ransomware removal is not performed immediately.

The successful Usam ransomware infiltration is followed by a complete lockdown of personal files and the informational note dubbed as _readme.txt presentation on the desktop and other system folders. The note says:

ATTENTION!

Don’t worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-WJa63R98Ku
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Seeing .usam files on the machine and have no access to personal files is a frustrating experience. However, paying the ransom is highly not recommended as you can unconsciously uncover personal details to criminals or experience another phony if criminals decide not to provide you with a functional Usam ransomware decryptor.

If you have file backups, there’s no reason for you to worry. Remove Usam virus from the system using updated anti-virus software. Do not try to eliminate malicious entries manually as you can accidentally delete some core Windows entries and, subsequently, trigger more Windows malfunctions.

Usam ransomware removal is a process that can only be performed with professional security software with an updated virus database. You can attempt to recover your encrypted files only after a full elimination of file-encrypting viruses. Our team has submitted a tutorial on how to decrypt .usam files without paying the ransom (at the end of the article).

Usam is the name of the file-encrypting ransomware, which is the 233 variant of the STOP/Djvu gang

Alternative methods to unlock inaccessible .usam files

The main trait allowing to stand the Usam ransomware virus from the crowd is its distinctive file extension. Thus, if you have noticed that the icons of your files became all the same (plain white icon) with a unified .usam extension appendix, there’s no doubt that the file-encrypting Djvu family member has hacked your machine.

Unfortunately, .usam file decryption is not possible without paying the ransom or using original file backups. If you have no backups or money to pay the criminals, there are very few changes that important work, documents, or family photos will be recovered.

As we have pointed out, one of the ways to decrypt Djvu files, including .usam encrypted files is to use a free Emsisoft’s decryption software. However, don’t give a lot of traction to this software as it can only unlock files for the versions using offline IDs. If you don’t want to be dejected by the unsuccessful decryption process, you can check whether your files have been encrypted using offline or online IDs by opening C: drive and accessing SystemID.txt. This directory contains all encrypted data. If you see some entries with the names ending with “t1,” then the free Emsisoft’s decryptor might work.

Otherwise, the .usam file virus can be eliminated using third-party data recovery tools like Data Recovery Pro, Shadow Volume Copies or System Restore feature. You can find a full guide for the decryption methods at the end of this article.

IMPORTANT: criminals have launched a fake DJVU decryptor which may be found on various discussion forums, torrenting sites, or other sites. This decryptor not only fails to unlock files. In fact, it’s another ransomware that drops a malicious crab.exe file, which downloads new Zorab ransomware^[2] and encrypts already encrypted files with .ZRB file extension.

The most common ransomware distribution methods listed

Hackers are using sophisticated methods to trick people into downloading malicious ransomware viruses. That’s a commonly known fact. However, millions of less tech-savvy people are still paying no attention to the websites they land on, to the content they download, to the ads they click, to the updates they download, and so on.

Therefore, we keep trying to increase people’s consciousness and grow their perception of cybersecurity by publishing the news on how hackers spread their newborn viruses or what new means have been invented to distribute good-old cyber infections. The team of cybersecurity experts from Dieviren.de^[3] has provided us with a list of most widely used Djvu ransomware distribution techniques, which is the following:

• Djvu ransomware family is most frequently distributed via cracks, keygens, loaders, and similar tools. If you are about to download a software crack to hack the license of Windows, Adobe Acrobat, Adobe Photoshop, game keygens, etc.
• Fake software updates. If the machine is infected by a rather aggressive adware-type malware, web browsers can redirect to sites infected with malicious scripts or display infected ads that once clicked download ransomware payload.
• Malicious spam email attachments. People can receive catchy email messages that contain ZIP, PDF, Microsoft Word attachments that ask people to enable Macros to view the content. DO NOT enable the supposed macros to open questionable attachments sent by unreliable senders. That’s a scheme used by hackers to spread ransomware, trojans, spyware, and other cyber threats.

To protect yourself from ransomware attacks, you should rely on a reputable AV security suite, which has in-built real-time protection, email filter, and other additional features.

Usam virus files can be detected by some AV tool while others do not recognize them as malicious

Usam ransomware removal options: no manual removal possibilities

There is no option to remove Usam ransomware virus manually. Victims should understand that the virus initiates too many changes on the system and runs too many malicious processes to be detected and eliminated without the help of professionals.

Although you can find some malicious entries as they may suck up CPU resources or display errors, there are very few chances that you will be allowed to disable any of them manually. Usam virus grants itself administrative privileges and, therefore, all related files are run “legally.”

Having this in mind, we strongly recommend you make a cold copy of the .usam files using a USB stick, external hard drive, or cloud and then perform a full Usam removal using an automated anti-virus program. For this purpose, you should use Malwarebytes, SpyHunter 5Combo Cleaner, or another reputable anti-malware suite.

Upon ransomware elimination, try to recover Windows system to the previous state by restoring Windows registry entries, startup files, and core processes. For that, take advantage of the FortectIntego recover tool. Finally, you can try to retrieve the locked files using alternative methods listed below.