Virus-encoder ransomware (Virus Removal Guide) - updated May 2019

Virus-encoder virus Removal Guide

What is Virus-encoder ransomware?

Virus-encoder ransomware is a relatively old data locking malware that recently came back with its newest version that attaches four random letters to files after the encryption

Virus-encoder ransomwareVirus-encoder ransomware is a file locking virus that is also known as GetCrypt ransomware

Virus-encoder ransomware is a dangerous cyber-threat that focuses on locking data on the host computer and then demand ransom from its owner for the decryption tool. Initial release dates back to 2016, however, the malware recently made a comeback with the new version, dubbed GetCrypt ransomware.

Just as all file-locking viruses, Virus-encoder ransomware uses a sophisticated file locking technology that uses ancryption algorithms.[1] The original malware used AES + RSA ciphers, while the new version resorts to RSA + Salsa20. Regardless of which encryption method is used, victims cannot access their pictures, music, videos, and other data anymore, which is marked by a random extension at the end of each file.

As explained by cybercriminals in a ransom note # DECRYPT MY FILES #.txt, users need to email them via helpme@freespeechmail.org, and, later via getcrypt@cocl.li/cryptget@tutanota.com to be able to retrieve the data with the unique decryption tool that is stored on a remote server and cost a specific amount of Bitcoins. However, experts suggest avoiding any contact with the criminals and rather focus on Virus-encoder ransomware removal.

Name Virus-encoder
Also known as GetCrypt
Type Ransomware
Infiltration Rig exploit kit,
Cipher AES, RSA, Salsa20
Contact helpme@freespeechmail.org, getcrypt@cocl.li, cryptget@tutanota.com
Ransom note # DECRYPT MY FILES #.txt
Removal Use anti-malware software, such as SpyHunter 5Combo Cleaner
File decryption Make use of Emsisoft's decryptor
Recovery To restore Windows system files, scan it with FortectIntego

There are a variety of methods Virus-encoder ransomware could get into your machine, including via spam emails, fake updates, unprotected RDP,[2] software cracks, etc. Nevertheless, security researchers observed the latest samples of the virus being distributed via Rig exploit kit.[3]

Once inside the system, Virus-encoder virus will show the following ransom note

Attention! Your computer has been attacked by virus-encoder!

All your files are now encrypted using cryptographically strong algorithm.

Without the original key recovery is impossible.

To get the decoder and the original key, you need to email us at helpme@freespeechmail.org

Our assistance is not free, so expect to pay a reasonable price for our decrypting services. No exceptions will be made.

Later versions of Virus-encoder ransomware drop a very similar note, although the contact emails are different. Regardless of what type of message you receive, you should not get in contact with cybercriminals as it can result in money loss. Quite often, bad actors are simply not interested in sending the decryptor for the paid money and choose to ignore victims. In some cases, virus authors themselves are incapable of restoring the encoded data.

Therefore, it is best to ignore the criminals and remove Virus-encoder ransomware from your device entirely. For that, you need to employ reputable anti-malware software, because deleting the virus manually is practically impossible for a regular user. After that, experts[4] recommend scanning the device with FortectIntego to fix broken Windows system files, such registry.

After you terminate the infection and fix Windows system, you can connect your backup device to restore your personal files. In case you did not have any prepared, there are alternative methods that you can try – such as third-party recovery tools. Additionally, if you are infected with the latest version of Virus-encoder ransomware, you can also try the official decryption tool that was recently released by Emsisoft security researchers.

Virus-encoder ransomware virusVirus-encoder is a ransomware-type virus that locks up all personal data on the device and then demands ransomware for the decryption tool

Ransomware-type virus propagation methods and how to avoid them

Virus-encoder can infiltrate your computer via several different ways. For example:

  • It can infect your computer if you tend to open unknown email letters from unknown senders AND especially if you download the attachments from such messages. It is the most common way of the virus-encoder distribution. Such emails are often sent to business people.
  • If you tend to surf through unreliable websites, if you are browsing through a site that shows an enormous amount of ads, suggests to fill various surveys or offers to install free software, you should know that such web page is not worth your trust. Sometimes even one click can initiate execution of a malicious program.
  • If you tend to install new programs on your computer carelessly, always check if the website that provides the download link is reliable. Also, when installing new programs, select the Advanced or Custom installation setting, and deselect every statement that suggests installing unfamiliar applications.

Terminate Virus-encoder ransomware with the help of reputable security application

Virus-encoder ransomware removal should not be executed manually – cryptoviruses usually make significant changes to the Windows operating system, and restoring all the settings and fixing infected system files is not an easy task. Therefore, you should rather trust reputable security software that can do the job for you automatically.

If Virus-encoder virus is tampering with your security software, you should access a safe environment where the functionality of the threat will be disabled. Please follow the instructions below to find out how to remove Virus-encoder ransomware in the Safe Mode with Networking.

If you got infected with the latest variant of the malware, there is a good chance you can recover your files with the help of Emsisoft's decryption tool. If your System is infiltrated by the older version – you can try alternative solutions, such as recovery software. We provide all the download links and usage instructions below.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Virus-encoder virus. Follow these steps

Manual removal using Safe Mode

If Virus-encoder ransomware is preventing your security software from running correctly, enter Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Virus-encoder using System Restore

You can also use System Restore to terminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Virus-encoder. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Virus-encoder removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Virus-encoder from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Virus-encoder, you can use several methods to restore them:

Make use of Data Recovery Pro for file decryption

This software might be able to recover at least some files that are locked by the ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Virus-encoder ransomware;
  • Restore them.

Windows Previous Versions feature might be useful

This option is only viable if you had System Restore point enabled before the attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

In some cases, ShadowExplorer might get all your files back

ShadowExplorer is very likely to restore all your files if the malware failed to delete Shadow Volume snapshots.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of Emsisoft decryption tool

Download Emsisoft's decrypter and recover your files for free if you are affected by the latest version of Virus-encoder ransomware.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Virus-encoder and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References