Void ransomware (Virus Removal Instructions) - Decryption Steps Included
Void virus Removal Guide
What is Void ransomware?
Void ransomware is a malicious cyber infection that uses a combination of encryption algorithms to render files on a host machine useless
Void ransomware drops a ransom note in each folder on the host computer
Void is a dangerous ransomware virus that was first detected at the beginning of April 2020. The name suggests that it may stem from the already known file-encrypting ransomware VoidCryp. However, the ransomware is still under investigation and shows some relation to Ouroboros. The two share some malicious files, which is why AV engines tend to detect it as Ransom:Win32/Ouroboros.d16a998c and Trojan[Ransom]/Win32.Odveta.gen[1]. The current Void version is known for appending the .void file extension to most files, which are encrypted using a combination of AES and RSA-2048[2] ciphers. Aside from the .void extension, locked file names also contain a related email address, most frequently xtredboy@protonmail.com or encryptedxtredboy@protonmail.com.
The distribution of the Void ransomware virus follows the typical ransomware distribution methods. Usually, the ransomware payload is launched via unprotected RDP configurations,[3] spam email attachments, botnets, fake software updates or infected installers. However, the most frequently exploited distribution technique remains spam email attachments. Upon infiltration, Void malware initiates multiple system changes within the following system folders:
- %SystemDrive%\ (C:\)
- %SystemRoot% (C:\Windows, %WinDir%)
- %UserProfile%
- %UserProfile%\AppData\Roaming\
- %AllUserProfile%
- %AppData%
- %AppData%\Local\Temp\
- %LocalAppData%
- %ProgramData%
- %Temp% (C:\Windows, %UserProfile%\%AppData%\Local)
| Title | Void |
| --- | --- |
| Type | Cryptomalware, file locking virus |
| Family | Currently not specified |
| Versions | Spade, Lalaland, Konx, Shiton, Decme, Hmmmmm, Legend |
| Related files | stevenxx134@gmail.com.exe |
| Extension | [ID].void file extension is appended to all non-system files |
| Ransom note | Decryption-Info.HTA, IDo.txt or pubkey.txt |
| Contact email | xtredboy@protonmail.com or encryptedxtredboy@protonmail.com |
| Encryption | Combination of AES and RSA-2048 |
| File decryption | The official Void decryptor is not available. The ransomware locks files using a combination of difficult-to-crack ciphers, which is why it may be difficult to get files back without paying the ransom. Nevertheless, upon full Void removal with SpyHunter 5, Combo Cleaner or another AV engine, you can use the data recovery options described below. |
| Tip | In most cases, ransomware viruses seriously damage Windows files and may lead to abnormal OS performance (prolonged boot process, crashes, errors, BSOD, etc.). If you encounter any of these problems or if you want to prevent them in the future, you should repair the system with the FortectIntego utility. |
According to researchers, one of the main executables that Void runs is stevenxx134@gmail.com.exe. The file runs in the background and can hardly be disabled manually. Once the background processes are in place, the ransomware manifests its presence by encrypting all files kept on the host machine. Each affected file is marked with the .void suffix. In addition, each folder that contains encrypted files also contains a ransom note named Decryption-Info.HTA, IDo.txt or pubkey.txt. The ransom note contains the following text:
Your Files has Been Encrypted
Your Files Has Been Encrypted with AES + RSA Algorithm
If You Need Your Files You Have To Pay Decryption Price
You can Send Some Little Files Less Than 1MB for Test (The Test Files Should not Contain valuable Data Like Databases Large Excel Sheets or Backups
After 48 Hour Decryption Price Will be Doubled so You Better Contact us Before Times Up
Using Recovery Tools or 3rd Party Application May cause Damage To Your Files And increase price
The Steps You Should Do To Get Your Files Back:
1- Contact Email on Files And Send ID on The Files Then Do agreement on a Price
2- Send Some Files for Decryption Test ( Dont Pay to Anyone Else who is Not Able to Decrypt Your Test Files!)
After Geting Test Files Pay The price in Bitcoin And Get Decryption Tool + RSA key
Your Case ID :EJHPFWKYCNQ5***
Our Email : xtredboy@protonmail.com
In Case Of No Answer : Encryptedxtredboy@protonmail.com
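An added detection script, not from the original page, that walks a directory tree and reports the Void indicators described above: file names ending in .void, the two contact addresses embedded in those names, and the three ransom note file names, with a count of folders that received a note. The sample tree it builds is constructed for the demo, and the CASEIDXXXX case ID in it is a placeholder.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the page: the contact addresses embedded in locked
# file names and the ransom note file names. Longest address first so the
# "encrypted..." variant is not also counted as the shorter one.
VOID_EMAILS = ("encryptedxtredboy@protonmail.com", "xtredboy@protonmail.com")
RANSOM_NOTES = {"decryption-info.hta", "ido.txt", "pubkey.txt"}
# Only the trailing .void suffix is mandatory; email and ID parts vary.
LOCKED_RE = re.compile(r"\.void$", re.IGNORECASE)


def classify(name):
    """Return 'note', 'locked' or None for one file name."""
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return "note"
    return "locked" if LOCKED_RE.search(lower) else None


def scan_for_void(root):
    """Walk a tree and tally Void indicators; one note per hit folder."""
    out = {"locked": [], "notes": [], "emails": {}, "folders_with_notes": 0}
    for dirpath, _dirs, files in os.walk(root):
        note_here = False
        for fname in files:
            kind = classify(fname)
            full = os.path.join(dirpath, fname)
            if kind == "note":
                out["notes"].append(full)
                note_here = True
            elif kind == "locked":
                out["locked"].append(full)
                addr = next((a for a in VOID_EMAILS if a in fname.lower()), None)
                if addr:
                    out["emails"][addr] = out["emails"].get(addr, 0) + 1
        out["folders_with_notes"] += note_here
    return out


def run_demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    base = Path(tempfile.mkdtemp())
    docs, pics = base / "Documents", base / "Pictures"
    for d in (docs, pics):
        d.mkdir()
    # Constructed names; CASEIDXXXX is a placeholder, not a real victim ID.
    (docs / "report.docx.xtredboy@protonmail.com.CASEIDXXXX.void").write_bytes(b"\0")
    (docs / "Decryption-Info.HTA").write_text("Your Files has Been Encrypted")
    (pics / "cat.jpg.void").write_bytes(b"\0")
    (pics / "IDo.txt").write_text("note")
    (base / "clean.txt").write_text("untouched")
    return scan_for_void(str(base))
```

Pointing scan_for_void at the folders listed earlier (%AppData%, %LocalAppData%, %ProgramData%, %WinDir%) gives a quick inventory of which locations were hit before any cleanup starts.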
Unfortunately, Void decryption software is not yet available. Security experts revealed that the malware uses AES + RSA-2048 ciphers, which together render files on the victim's PC permanently locked without the specific decryptor. Currently, the only way to get back files encrypted by Void ransomware is to pay the ransom. Paying the ransom is not an easy task for less IT-savvy people because they first have to create a Bitcoin wallet and purchase Bitcoins.
As evidence that the actors behind the Void virus hold the private decryption key, the criminals offer a free decryption test. For this purpose, the victim has to send a file smaller than 1MB within 48 hours to the xtredboy@protonmail.com or Encryptedxtredboy@protonmail.com email address and indicate the ID number provided in the ransom note.
However, we do not recommend supporting criminals in their illegal activities. Even though they try to scare their victims into believing that their files will be permanently lost if they try alternative data recovery tools or attempt to remove Void ransomware with an antivirus, such claims have no clear basis. It is not yet clear what the Void decryption key costs. However, based on the analysis of ransomware viruses, it is presumed that the cost may vary from $300 to $2000 in Bitcoin[4].
Upon infiltration, Void locks non-system files and appends the .void file extension
Those unwilling to deal with criminals are recommended to boot the system into Safe Mode with Networking and make a copy of the locked files. After that, run a full system check with SpyHunter 5, Combo Cleaner, Malwarebytes or another reliable AV engine and remove Void ransomware permanently. It is important to note that ransomware-related files may be hidden in folders like %AppData%, which are hidden by the operating system by default. Therefore, before checking the system for the virus you may need to configure Windows to show hidden files and folders.
Tip: it is advisable to initiate a full system repair right after Void removal. As we have already pointed out, ransomware is extremely malicious in general, since it is capable of compromising multiple settings and files on a host machine. A scan with an AV engine can hardly revert these changes. Therefore, to prevent system crashes, BSOD, errors and other side effects, try using the FortectIntego repair tool.
Sort emails carefully and avoid pirated software to prevent file encryption
According to researchers dedicated to cybersecurity issues like ransomware attacks, the most direct way to launch a ransomware payload is to open malicious email attachments or to leave RDP connections unprotected.
Although there are many other means to attack PCs, fake software downloads, software cracks, and similar methods do not work as efficiently as, for example, well-prepared spam emails. Criminals exploit botnets to distribute phishing emails to a huge number of email addresses. Malicious spam emails typically contain a hyperlink or an attachment, which either leads to a website impersonating a reliable vendor (bank, Microsoft, PayPal, DHL, etc.) or asks the recipient to open a supposedly important shared document. Opening the attachment or clicking on the provided link leads to the execution of the ransomware payload and immediate encryption of files.
Remote Desktop sessions are yet another widely exploited medium for ransomware dissemination. This technique works most successfully when attacking businesses and organizations. Remote Desktop Protocol (RDP) is an encrypted channel meant to prevent third parties from viewing the sessions. Unfortunately, RDP has had multiple vulnerabilities, which gives fertile ground for man-in-the-middle attacks. Therefore, it is advisable to take care of RDP: put access behind a VPN and use additional software tools to ensure full RDP protection.
There is no free Void decryptor yet, though the criminals offer victims a Void decoder in exchange for a ransom
In general, it is very important to take all security measures to keep the system protected from virus attacks. Software cracks, unpatched vulnerabilities, pirated software and similar means well known to bad actors can easily become a backdoor for ransomware attacks. Therefore, make sure to update your OS regularly and rely on a powerful AV tool.
Explaining Void removal peculiarities
Void ransomware is a deceptive type of threat that can embed itself into the OS and initiate multiple changes on the system to prevent detection and removal. Therefore, the only reliable way to get rid of the ransomware files is to launch a professional AV utility. We recommend using SpyHunter 5, Combo Cleaner or Malwarebytes, though you can use any tool that has an updated virus database and a powerful malware scanner.
Do not panic if any attempt to remove the Void virus is terminated. This ransomware may run malicious processes that block AV engines. Therefore, success in Void removal can be achieved only in Safe Mode with Networking. The guide below explains step by step how to change the environment and how to launch the AV scanner.
Getting rid of Void virus. Follow these steps
Manual removal using Safe Mode
To remove Void ransomware from Windows, boot the system into Safe Mode with Networking
Important!
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it might also take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
  - Downloads
  - Recycle Bin
  - Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
  - %AppData%
  - %LocalAppData%
  - %ProgramData%
  - %WinDir%
After you are finished, reboot the PC in normal mode.
Remove Void using System Restore
As an alternative to Safe Mode, the System Restore feature can also be used to terminate Void
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of Void. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove Void from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by Void, you can use several methods to restore them:
Try Data Recovery Pro
Data Recovery Pro is a utility primarily used for data recovery after a system crash. However, it has turned out to be a useful tool for recovering files locked by ransomware.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Void ransomware;
- Restore them.
Windows Previous Version feature can help to get some files back
If your OS has the Previous Versions feature enabled, try to retrieve files encrypted by Void using this function.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
Check for Volume Shadow copies
The latest ransomware tends to eliminate Volume Shadow Copies. However, there are many examples where crooks failed to delete Shadow Copies, and Void may be one of them. Therefore, try the following steps to recover files locked by this ransomware.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No Void decryptor available
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Void and other ransomware, use reputable anti-spyware such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent getting ransomware
Access your website securely from any location
When you work on a domain, site, blog, or other project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and bound to your device, you can connect to the CMS from any location without creating additional issues for the server or network manager who needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control your online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While data can be accidentally deleted for various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless without the ability to access them.
Even though there is little to no possibility of recovering after file-locking threats, some applications have data recovery features. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after a data-locking virus infection or general cyber infection.
[1] stevenxx134@gmail.com.exe file. VirusTotal. Analysis of malicious URLs and files.
[2] Spotlight on ransomware: Ransomware encryption methods. Emsisoft. Innovative anti-malware solutions.
[3] Securing Remote Desktop (RDP) for System Administrators. Berkeley. Information Security Office.
[4] Bitcoin Has Lost Steam. But Criminals Still Love It. The New York Times. American newspaper.