Virus-encoder ransomware (Virus Removal Guide) - updated May 2019
Virus-encoder virus Removal Guide
What is Virus-encoder ransomware?
Virus-encoder ransomware is a relatively old file-encrypting malware family that recently resurfaced in a new version which appends four random letters as an extension to every encrypted file
Virus-encoder ransomware is a file locking virus that is also known as GetCrypt ransomware
Virus-encoder ransomware is a dangerous cyber-threat that encrypts the data on the host computer and then demands a ransom from its owner for the decryption tool. The initial release dates back to 2016; however, the malware recently made a comeback with a new version, dubbed GetCrypt ransomware.
Like all file-encrypting ransomware, Virus-encoder relies on standard cryptographic algorithms rather than anything exotic.[1] The original malware used AES together with RSA, while the new version uses Salsa20 together with RSA. As is usual when ransomware pairs a symmetric cipher with RSA, the symmetric key encrypts the file contents and the attackers' RSA public key encrypts that key, so without the matching private key, which only the attackers hold, the files cannot be recovered. Whichever cipher pair is used, victims can no longer open their pictures, music, videos and other data; each encrypted file is marked by a random four-letter extension appended to its name.
As explained by the cybercriminals in the ransom note # DECRYPT MY FILES #.txt, victims are told to e-mail helpme@freespeechmail.org (earlier version) or getcrypt@cocl.li / cryptget@tutanota.com (GetCrypt version) to obtain a decryption tool that is held on a remote server and sold for a given amount of Bitcoin. Experts suggest avoiding any contact with the criminals and focusing instead on Virus-encoder ransomware removal.
Name | Virus-encoder
Also known as | GetCrypt (2019 version)
Type | Ransomware
Infiltration | Rig exploit kit (latest samples); also spam e-mail attachments, fake updates, exposed RDP, software cracks
Cipher | AES + RSA (2016 version); Salsa20 + RSA (GetCrypt version)
Contact | helpme@freespeechmail.org (2016 version); getcrypt@cocl.li, cryptget@tutanota.com (GetCrypt version)
Ransom note | # DECRYPT MY FILES #.txt
Removal | Use anti-malware software, such as SpyHunter 5 or Combo Cleaner
File decryption | Emsisoft's decryptor (GetCrypt version only)
Recovery | To repair Windows system files, scan the system with Fortect / Intego
Virus-encoder ransomware can reach a machine in a variety of ways, including spam e-mails, fake updates, unprotected RDP,[2] software cracks and so on. Security researchers observed the latest samples being distributed via the Rig exploit kit,[3] a drive-by kit that attacks unpatched browsers and plugins, so merely visiting a compromised or malicious site with outdated software can be enough.
Once inside the system, Virus-encoder drops the following ransom note (# DECRYPT MY FILES #.txt):
Attention! Your computer has been attacked by virus-encoder!
All your files are now encrypted using cryptographically strong algorithm.
Without the original key recovery is impossible.
To get the decoder and the original key, you need to email us at helpme@freespeechmail.org
Our assistance is not free, so expect to pay a reasonable price for our decrypting services. No exceptions will be made.
Later versions of Virus-encoder ransomware drop a very similar note, although the contact e-mail addresses differ. Whichever message you receive, do not contact the cybercriminals: paying can simply mean losing the money, as bad actors often take the payment and ignore the victim, and in some cases the authors themselves are unable to restore the encoded data.
Therefore, it is best to ignore the criminals and remove Virus-encoder ransomware from your device entirely. For that, use reputable anti-malware software, because deleting the virus manually is practically impossible for a regular user. After that, experts[4] recommend scanning the device with Fortect / Intego to fix broken Windows system files and registry entries.
After you have terminated the infection and repaired the Windows system, connect your backup device and restore your personal files (keep the backup disconnected until the malware is gone, or it may be encrypted as well). If you did not have a backup, there are alternative methods to try, such as third-party recovery tools. Additionally, if you were infected with the latest version of Virus-encoder ransomware, you can try the official decryption tool recently released by Emsisoft security researchers.
Virus-encoder is a ransomware-type virus that locks up all personal data on the device and then demands a ransom for the decryption tool
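A short triage script helps confirm which variant you are dealing with before choosing a recovery path, since the contact address in the note is what separates the 2016 version from the GetCrypt version. The Python example below is added here; it is not code from the guide, from Emsisoft or from any vendor tool. It walks a folder tree, finds every copy of # DECRYPT MY FILES #.txt, extracts the e-mail addresses from it and counts the four-letter extensions appended to file names, so the random extension the ransomware chose stands out. The constructed sample tree it builds (the "xkqz" extension and the note wording in it are placeholders, not real indicators) lets it run offline.

```python
"""Added triage example (not part of the original guide or of any vendor tool).

Given a directory tree, it locates the ransom note named in the article,
pulls the contact e-mail addresses out of it (the address tells the 2016
Virus-encoder version apart from the 2019 GetCrypt version), and counts the
four-letter extensions appended to file names so the random one the malware
uses stands out.  build_sample_tree() writes a constructed sample; the
"xkqz" extension and the note wording in it are placeholders for the demo,
not indicators taken from a real infection.
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE_NAME = "# DECRYPT MY FILES #.txt"

# Contact addresses quoted in the article, mapped to the version that used them.
KNOWN_CONTACTS = {
    "helpme@freespeechmail.org": "Virus-encoder (2016)",
    "getcrypt@cocl.li": "GetCrypt (2019)",
    "cryptget@tutanota.com": "GetCrypt (2019)",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# "<name>.<original extension>.<four letters>": the malware keeps the original
# extension and appends its own, so two extensions must be present.
APPENDED_EXT_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.(?P<ext>[A-Za-z]{4})$")


def find_ransom_notes(root):
    """Every copy of the ransom note below root."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        notes.extend(os.path.join(dirpath, f) for f in files if f == RANSOM_NOTE_NAME)
    return sorted(notes)


def contacts_in_note(path):
    """Distinct e-mail addresses mentioned in one ransom note."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sorted(set(EMAIL_RE.findall(fh.read())))


def identify_variant(emails):
    """Map the contact addresses to the version named in the article."""
    labels = {KNOWN_CONTACTS[e] for e in emails if e in KNOWN_CONTACTS}
    return ", ".join(sorted(labels)) if labels else "unknown"


def count_appended_extensions(root):
    """Counter of four-letter extensions appended behind another extension."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE_NAME:
                continue
            m = APPENDED_EXT_RE.match(name)
            if m:
                counts[m.group("ext").lower()] += 1
    return counts


def likely_ransom_extension(counts, min_files=3):
    """The dominant appended extension, or None if too few files carry one.

    Legitimate names such as 'notes.txt.orig' also match the pattern, so a
    single occurrence is not treated as evidence.
    """
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return ext if n >= min_files else None


def triage(root):
    """Summarise notes, contacts, variant and affected-file count for root."""
    notes = find_ransom_notes(root)
    contacts = sorted({e for n in notes for e in contacts_in_note(n)})
    counts = count_appended_extensions(root)
    ext = likely_ransom_extension(counts)
    return {
        "notes": notes,
        "contacts": contacts,
        "variant": identify_variant(contacts),
        "extension": ext,
        "encrypted_files": counts[ext] if ext else 0,
    }


def build_sample_tree(base=None):
    """Write a constructed sample tree (placeholder content) and return its root."""
    base = base or tempfile.mkdtemp(prefix="virus-encoder-demo-")
    note = ("Attention! Your computer has been attacked by virus-encoder!\n"
            "To get the decoder, email getcrypt@cocl.li or cryptget@tutanota.com\n")
    layout = {
        RANSOM_NOTE_NAME: note,
        "Documents/" + RANSOM_NOTE_NAME: note,
        "Documents/report.docx.xkqz": "ciphertext placeholder",
        "Documents/budget.xlsx.xkqz": "ciphertext placeholder",
        "Documents/notes.txt.orig": "a look-alike that is not encrypted",
        "Pictures/holiday.jpg.xkqz": "ciphertext placeholder",
        "Pictures/family.png.xkqz": "ciphertext placeholder",
        "Pictures/readme.txt": "untouched file",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the verdict on the constructed sample; on an infected machine call triage() on the user's profile directory from Safe Mode, so the malware is not still writing files while you count. Treat the dominant extension as a hint rather than proof: legitimate names such as notes.txt.orig also match the pattern, which is why a minimum count is required before an extension is reported.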
Ransomware propagation methods and how to avoid them
Virus-encoder can infiltrate your computer in several ways. For example:
- It can infect your computer if you open e-mail from unknown senders, and especially if you open the attachments of such messages. This is the most common distribution method for Virus-encoder, and such e-mails are frequently aimed at businesses.
- If you browse unreliable websites, such as a site that shows an enormous number of ads, pushes surveys or offers to install free software, treat that page as untrustworthy. Sometimes a single click starts the execution of a malicious program.
- If you install new programs carelessly, always check that the website providing the download is reliable. Also, when installing new programs, select the Advanced or Custom installation option and untick every offer to install unfamiliar applications.
Terminate Virus-encoder ransomware with the help of a reputable security application
Virus-encoder ransomware removal should not be done manually: crypto-viruses usually make significant changes to the Windows operating system, and restoring all the settings and fixing infected system files is not an easy task. Therefore, rely on reputable security software that can do the job automatically.
If Virus-encoder is tampering with your security software, boot into Safe Mode with Networking, where only a minimal set of drivers and services is loaded and most malware does not start, so it cannot interfere. Follow the instructions below to find out how to remove Virus-encoder ransomware in Safe Mode with Networking.
If you were infected with the latest variant of the malware, there is a good chance you can recover your files with Emsisoft's decryption tool. If your system was infected by the older version, you can try alternative solutions, such as recovery software. All download links and usage instructions are provided below.
Getting rid of Virus-encoder virus. Follow these steps
Manual removal using Safe Mode
If Virus-encoder ransomware is preventing your security software from running correctly, enter Safe Mode with Networking:
Important! →
The manual removal guide may be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, the Windows installation may be left unbootable), and it may take hours to complete. Therefore, we strongly advise using the automatic method described above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When the computer starts, press F8 repeatedly until the Advanced Boot Options window appears (F2, F12 or Del open the firmware setup or boot-device menu on most motherboards, not this screen, so if one of those appears, exit it and try F8 again).
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or F5, or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager shows all the processes running in the background. If the malware is running, stop it:
- Press Ctrl + Shift + Esc to open Windows Task Manager.
- Click More details.
- Scroll down to the Background processes section and look for anything suspicious (an unfamiliar name, no publisher, or a binary running from a user-writable folder such as %AppData% or %LocalAppData%).
- Right-click it and select Open file location; note the full path and, if you can, copy the file to removable media or record its hash before deleting it, so that it can be submitted to your antivirus vendor or an analysis service.
- Go back to the process, right-click it and pick End Task.
- Delete the contents of the malicious folder (only that folder; do not delete anything under %WinDir% on a guess).
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Virus-encoder using System Restore
You can also use System Restore to roll back the system changes made by the virus. Note that a restore point brings back system files, installed programs and registry settings only; it does not restore or decrypt your personal documents.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When the computer starts, press F8 repeatedly until you see the Advanced Boot Options window.
- Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen, then hold Shift and click Restart.
- Select Troubleshoot → Advanced options → Startup Settings and press Restart.
- Once the computer restarts, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
- When the Command Prompt window appears, type cd restore and press Enter (on Windows XP the tool lives in System32\restore, hence the cd; on later versions it sits in System32 itself, so if Windows reports that the path was not found, simply skip this step).
- Type rstrui.exe and press Enter.
- When the System Restore window appears, click Next and select a restore point dated before the Virus-encoder infiltration. Then click Next.
- Click Yes to start the system restore.
Bonus: Recover your data
The guide above is meant to help you remove Virus-encoder from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by Virus-encoder, there are several methods you can try:
Make use of Data Recovery Pro for file recovery
This software does not decrypt anything; it attempts to undelete the original files if the ransomware wrote encrypted copies and then deleted the originals, which only works for data that has not yet been overwritten on disk. Use it from a clean system and write recovered files to a different drive.
- Download Data Recovery Pro;
- Follow the steps of the Data Recovery Pro setup and install the program on your computer;
- Launch it and scan the drive for the original files deleted by Virus-encoder ransomware;
- Restore them.
Windows Previous Versions feature might be useful
This option only works if System Protection (restore points and Volume Shadow Copies) was enabled on the drive before the attack, and the malware did not delete the shadow copies.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
In some cases, ShadowExplorer might get all your files back
ShadowExplorer restores files from Volume Shadow Copy snapshots, so it only helps if the malware failed to delete them; many ransomware families do delete them (for example with vssadmin delete shadows), so check first whether any snapshots remain by running vssadmin list shadows in an elevated Command Prompt.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
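Both the Previous Versions tab and ShadowExplorer read the same Volume Shadow Copy snapshots, so it is worth checking whether any survived before installing anything. The Python example below is added here and is not part of the guide, of ShadowExplorer or of Microsoft's tooling: it parses the output of vssadmin list shadows (which needs an elevated prompt), reports how many snapshots each volume still has, and falls back to a constructed sample when not run on Windows. The GUIDs, timestamp and machine name in that sample are placeholders.

```python
"""Added example: check for surviving Volume Shadow Copies before trying
'Previous versions' or ShadowExplorer (both read the same snapshots).

parse_vssadmin() understands the text that 'vssadmin list shadows' prints;
list_shadow_copies() runs the tool itself when on Windows (an elevated
prompt is required).  SAMPLE_OUTPUT and NO_SHADOWS_OUTPUT are constructed
for the demo: the GUIDs, timestamp and machine name are placeholders.
This is not code from the guide, from ShadowExplorer or from Microsoft.
"""
import re
import subprocess
import sys

SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 5/10/2019 8:12:03 PM
      Shadow Copy ID: {22222222-2222-2222-2222-222222222222}
         Original Volume: (C:)\\?\Volume{33333333-3333-3333-3333-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

NO_SHADOWS_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

# Fields worth keeping from each "Shadow Copy ID:" record.
FIELD_RE = re.compile(
    r"^\s*(Shadow Copy ID|Original Volume|Shadow Copy Volume|Originating Machine|Type):\s*(.+?)\s*$"
)
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")


def parse_vssadmin(text):
    """Return one dict per shadow copy found in vssadmin's output."""
    copies, current, created = [], None, None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = m.group(1)  # applies to the copies listed below it
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Shadow Copy ID":
            current = {"id": value, "created": created}
            copies.append(current)
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    return copies


def volume_letter(copy):
    """Drive letter, e.g. 'C:', taken from the Original Volume field."""
    m = re.match(r"\((\w:)\)", copy.get("original_volume", ""))
    return m.group(1) if m else None


def snapshots_per_volume(copies):
    """How many snapshots each drive letter still has, e.g. {'C:': 1}."""
    summary = {}
    for c in copies:
        letter = volume_letter(c)
        if letter:
            summary[letter] = summary.get(letter, 0) + 1
    return summary


def list_shadow_copies():
    """Run vssadmin on Windows; on other platforms return None."""
    if sys.platform != "win32":
        return None
    proc = subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=False)
    return parse_vssadmin(proc.stdout)


def recovery_outlook(copies):
    """One-line verdict for the snapshot-based recovery steps."""
    per_volume = snapshots_per_volume(copies)
    if not per_volume:
        # Many ransomware families delete snapshots (vssadmin delete shadows
        # /all /quiet) before or after encrypting; nothing to restore here.
        return "no shadow copies: Previous versions and ShadowExplorer will show nothing"
    parts = ", ".join(f"{v} {n} snapshot(s)" for v, n in sorted(per_volume.items()))
    return f"snapshots present ({parts}); check their creation times predate the infection"


if __name__ == "__main__":
    live = list_shadow_copies()
    copies = live if live is not None else parse_vssadmin(SAMPLE_OUTPUT)
    for c in copies:
        print(c["id"], volume_letter(c), c["created"], c.get("shadow_copy_volume"))
    print(recovery_outlook(copies))
```

If the verdict is "no shadow copies", skip straight to backups or the Emsisoft decryptor. If snapshots exist, compare their creation time with the date of the ransom note: a snapshot taken after the infection may already hold encrypted files and the malware's own binaries, so restore only documents from it, and only after the removal steps above have been completed.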
Make use of Emsisoft's decryption tool
Download Emsisoft's decryptor and recover your files for free if you are affected by the latest (GetCrypt) version of Virus-encoder ransomware. The tool is for that version only; read its instructions before running it, since Emsisoft's decryptors typically need a sample encrypted file together with its unencrypted original to derive the key, and run it only after the malware itself has been removed.
Finally, think about protection against crypto-ransomware. To protect your computer from Virus-encoder and other ransomware, use reputable anti-malware software such as Fortect / Intego, SpyHunter 5 / Combo Cleaner or Malwarebytes, and keep an offline backup of your data.
- [1] Encryption Algorithm. Techopedia.
- [2] Ransomware attacks via RDP choke SMBs. Avast, the official security blog.
- [3] Jakub Křoustek. Threat Landscape Dashboard: RIG Exploit Kit. McAfee, official website.
- [4] Novirus. Cybersecurity experts from the UK.