Severity scale: 94/100

Remove Worm ransomware (Removal Guide) - Free Instructions

Removal guide by Gabriel E. Hall | Type: Ransomware

Worm ransomware is a file locking virus that uses extortion tactics after locking all the data on the host machine

Worm ransomware
Worm ransomware is a file locking virus that belongs to one of the most prominent families - Paradise

Worm ransomware is a new variant of the Paradise virus – a relatively old strain that is also used as a Ransomware-as-a-Service (RaaS). This version was analyzed by security researcher Michael Gillespie at the end of October 2019.[1] Just like its predecessors, the malware is designed for money extortion after locking all personal files on the infected machine.

Worm ransomware enters computers by using one of multiple distribution methods (such as spam email attachments, software vulnerabilities,[2] fake updates, software cracks, etc.) and starts a scan that looks for pictures, videos, documents, databases, and other personal data. After that, the Worm virus encrypts each of the files using the RSA cipher and marks them with the [id]-[victim ID].[corpseworm@protonmail.com].worm appendix.

Victims can also spot a ransom note, #_ABOUT_YOUR_FILES_#$=$$.html, which is dropped on the desktop and in all the affected folders. The content of the message states that users have to pay a ransom in Bitcoins if they want their data back. While there is no Worm ransomware decryptor developed yet, victims are advised to stay away from the file locking malware developers.

Name: Worm ransomware
Type: Cryptovirus
Malware family: Worm virus is a variant of Paradise ransomware
File extension: All pictures, videos, photos, music and other files are appended with the .worm extension. An example of an encrypted file: picture.jpg[id-GYMXkaDq].[corpseworm@protonmail.com].worm
Ransom note: The #_ABOUT_YOUR_FILES_#$=$$.html ransom note is dropped on the desktop and in all the folders where the locked files are located
Contact: corpseworm@protonmail.com or telegram @helprestore
Detection:
  • Gen:Heur.Ransom.REntS.Gen.1 (B)
  • FileRepMalware
  • Ransom.Paradise
  • Trojan:Win32/Tiggre!rfn
  • HEUR:Trojan-Ransom.MSIL.Crypren.gen
  • Trojan.Encoder.26770
  • A Variant Of MSIL/Filecoder.Paradise.H
  44 engines detect the dropper as malicious on Virus Total (10/30/2019)
Infiltration means: Hackers typically use several distribution methods, including spam emails, exploits, software cracks, repacked installers, fake updates, unprotected RDP connections, etc.
File decryption: Only possible via backups or third-party recovery software
Removal: Scan your machine in Safe Mode with reputable anti-malware software in order to terminate all malicious entries made by the malware
Recovery: To fix virus damage and avoid possible reinstallation of Windows OS, use Reimage or Reimage Cleaner to recover from the ransomware infection
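
To scope an infection by the naming scheme listed above, the following added example (not part of the original guide) walks a folder tree read-only and counts files whose names match the sample picture.jpg[id-GYMXkaDq].[corpseworm@protonmail.com].worm, along with the folders that hold the ransom note. The regular expression is inferred from that single sample, and the function names are illustrative assumptions.

```python
import os
import re
from collections import Counter

# Pattern inferred from the page's sample name (assumption):
#   picture.jpg[id-GYMXkaDq].[corpseworm@protonmail.com].worm
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\[id-(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.worm$",
    re.IGNORECASE,
)
RANSOM_NOTE = "#_ABOUT_YOUR_FILES_#$=$$.html"  # note file name given on the page


def parse_encrypted_name(filename):
    """Return (original_name, victim_id, contact), or None if the name does not match."""
    m = ENCRYPTED_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("contact")


def inventory(root):
    """Walk root without modifying anything; summarise encrypted files and ransom notes."""
    report = {"encrypted": [], "note_dirs": [], "victim_ids": Counter(), "by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == RANSOM_NOTE.lower():
                report["note_dirs"].append(dirpath)
                continue
            parsed = parse_encrypted_name(name)
            if parsed is None:
                continue
            original, victim_id, _contact = parsed
            report["encrypted"].append((os.path.join(dirpath, name), original))
            # More than one victim ID on a host suggests the dropper ran more than once.
            report["victim_ids"][victim_id] += 1
            ext = os.path.splitext(original)[1].lower() or "(none)"
            report["by_ext"][ext] += 1
    return report


if __name__ == "__main__":
    import sys
    rep = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(rep['encrypted'])} encrypted files, notes in {len(rep['note_dirs'])} folders")
    print("victim IDs:", dict(rep["victim_ids"]))
    print("original file types:", dict(rep["by_ext"]))
```

The per-type counts and recovered original names help decide which backups to restore first.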

As soon as users interact with a malicious dropper of Worm ransomware, several files are dropped into the %AppData%, %UserProfile%, and Desktop folders. From there, several processes are launched, the Windows registry is modified, and all automated Windows backups are deleted with the help of the vssadmin.exe Delete Shadows /All /Quiet command. These changes to the system are made so that the file encryption process runs uninterrupted and so that encrypted file recovery after Worm ransomware removal is more complicated.
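
The shadow-copy deletion described above is visible in process-creation logs. This added example (not from the original guide) flags it in Sysmon-style records; the sample events, the sample.exe parent name and the severity rule are constructed assumptions.

```python
import json
import ntpath

# Constructed process-creation records using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_EVENTS = r'''
{"UtcTime":"2019-10-30 09:14:02","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet","ParentImage":"C:\\Users\\alice\\AppData\\Roaming\\sample.exe","User":"PC1\\alice"}
{"UtcTime":"2019-10-30 09:20:11","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"\"C:\\Windows\\System32\\VSSADMIN.EXE\"  list   shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"PC1\\admin"}
{"UtcTime":"2019-10-30 09:25:40","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe delete shadows.txt","ParentImage":"C:\\Windows\\explorer.exe","User":"PC1\\alice"}
'''


def triage(event):
    """Return an alert dict when vssadmin is asked to delete shadow copies, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "vssadmin.exe":
        return None
    # Lower-case and split on any whitespace so case and spacing variants still match.
    tokens = [t.strip('"') for t in event.get("CommandLine", "").lower().split()]
    if "delete" not in tokens or "shadows" not in tokens:
        return None
    parent = event.get("ParentImage", "")
    # The page says the dropper runs from %AppData%, %UserProfile% and Desktop,
    # which all sit under \Users\ on Windows Vista and later (assumption).
    from_profile = "\\users\\" in parent.lower()
    silent_all = "/all" in tokens and "/quiet" in tokens
    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "parent": parent,
        "severity": "high" if (from_profile and silent_all) else "medium",
    }


def scan(lines):
    """Parse one JSON record per line and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            alert = triage(json.loads(line))
        except json.JSONDecodeError:
            continue
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a)
```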

Soon after that, the Worm virus scans the computer's hard drive and all the connected drives, looking for files to encrypt. In most cases, the most commonly used file types are targeted, such as .pdf, MS Office files, videos, and others. Users then cannot open the data anymore, although system files are spared so that the malware can operate (the goal of Worm ransomware authors is not to corrupt victims' machines but rather to lock data so that they would pay the ransom). The ransom note, which is dropped into several locations on the computer, states the following:

All your files was encrypted!
«Paradise» R Team!
Ur unique ID
GYMXkaDq
Your personal KEY

YOUR FILES HAS BEEN LOCKED!
All your personal data that was stored on this computer have been crypted due a security problem.
To restore them, write to us by е-mail,.
You have to pay in Bitcoins.
After payment we will send you the special decryption tool that will restore all your files.
NEED PROOF?
Before payment you can send us 1-3 files , and we decrypt it for free.
File size should not exceed 1MB.
Please note that files must NOT contain valuable information.
HOW TO PAY
We accept payments in bitcoins, but you do not need to be able to use bitcoins.
You do not need a bitcoin account.
I will explain how you can pay using ANY currency in any way convenient to you.
Our mails
Mail:
corpseworm@protonmail.com
or
Mail:
telegram @helprestore
Caution!
Do not rename files
Do not try to restore your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to – make copies of all files so that we can help you if third-party software harms them)
As evidence, we can for free restore one file
Decoders of other users is not suitable to restore your files – encryption key is created on your computer when the program is launched – it is unique.

Even though the attackers claim that no other decryption method is possible, you should not listen to them. It is in their best interest for you to pay the ransom, which is why they even provide a test decryption service – they are trying to create a false sense of security. However, please remember that they are cybercriminals and might not send you a Worm ransomware decryptor as promised.

Worm ransomware virus
Worm ransomware is a type of malware that focuses on locking pictures, music, database, document, and other files on the host machine and then demands ransom for their release

Instead, remove Worm ransomware and try the alternative file recovery methods we provide in the bottom section of this post. While there is no decryptor currently available, you might be successful in restoring at least some of your files using recovery software or other methods. However, remember that you have to terminate the infection first with anti-malware. After that, we also advise you to use Reimage or Reimage Cleaner to fix crippled Windows system files.

Protect your machine from future ransomware infections

Paradise ransomware is one of many file-locking virus families that are dominant currently. For example, Djvu, Phobos, Scarab, and many others are lurking in the wild, actively trying to infect unsuspecting users. The truth is, most of the infections with ransomware happen due to negligence from users' side – they are not careful enough when browsing the internet, updating their software, opening emails, and doing other daily tasks.

The main precautionary measure against ransomware and other malware is caution, as most distribution methods rely on some sort of social engineering.[3] Here are a few tips from security experts from novirus.uk[4] – these will help you to keep your computer away from ransomware:

  • Update your OS and all the installed software regularly – do not postpone the updates infinitely;
  • Equip your computer with anti-malware and anti-virus software with real-time protection feature;
  • Never use a default RDP port and disable the connection as soon as it is not required anymore;
  • Treat each unsolicited email as a threat – never open attachments that ask you to enable macro function;
  • Enable ad-blocker, firewall, and other additional protection features;
  • Use robust passwords for RDP and all other accounts or employ a password manager;
  • Watch out for website spoofing: making a copy of a legitimate website is easy, and crooks often do so in order to make users download a malicious executable disguised as a legitimate program;
  • Never visit torrent or warez sites that host pirated applications or software cracks/keygens.

Be aware that no protection means can guarantee full protection, so you should always ensure that personal files are stored on a remote server or external drive as a backup.

Worm ransomware encrypted files
Worm ransomware appends a long extension to files and then they become inaccessible

Remove Worm ransomware and then attempt data recovery using third-party tools or other methods

Be aware that, as long as Worm virus is present on your machine, all the incoming files and those on external storage will be encrypted as well. Therefore, make sure you never connect USB Flash drives, external HDDs, or other devices to your computer until you remove Worm ransomware. Unfortunately, the process might sometimes be a little bit complicated, as malware is often set to intercept anti-virus software to prevent its elimination.

However, you can bypass those measures by accessing Safe Mode with Networking – check out the instructions on how to enter it below. Once there, employ a powerful anti-malware program and thoroughly scan the infected computer – successful Worm ransomware removal is almost guaranteed this way. After that, you should employ PC repair software such as Reimage or Reimage Cleaner to fix the damage done by the virus. Finally, you can attempt to recover data as per the methods described below. If unsuccessful, make a copy of all compromised files and wait until security experts deploy a working Worm ransomware decryptor.


To remove Worm virus, follow these steps:

Remove Worm using Safe Mode with Networking

Worm ransomware may interfere with your security software. Access Safe Mode with Networking to bypass this functionality:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Worm

    Log in to your infected account and start the browser. Download Reimage, Reimage Cleaner or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Worm removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Worm using System Restore

System Restore might sometimes work when trying to eliminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select your restore point that is prior to the infiltration of Worm. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage or Reimage Cleaner, scan your computer with it, and make sure that Worm removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Worm from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Worm, you can use several methods to restore them:

Try Data Recovery Pro method

Recovery software like Data Recovery Pro might sometimes be able to retrieve some copies of your files pre-contamination.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Worm ransomware;
  • Restore them.

Windows Previous Versions feature might work in some cases

If you had System Restore enabled, sometimes it might be possible to recover files one-by-one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might sometimes recover all the affected data

If Worm virus failed to delete Shadow Volume copies, your best bet is to try ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Worm and other ransomware, use a reputable anti-spyware program, such as Reimage or Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.
