Showing posts with label Ransomware. Show all posts

Tuesday, 01 December 2015

.vvv Extension / how_recover Ransomware Removal Guide

If all of a sudden, most of your files have become unreadable and they all end with a .vvv extension then your computer is infected with a new variant of TeslaCrypt ransomware. Some anti-virus engines detect it as TR/Crypt.ZPACK. This ransom virus leaves multiple files called how_recover+*.txt and how_recover+*.html on your computer with information on how to decrypt your files.

There can't be many of us who don't know about the plethora of malicious software, phishing scams, data breaches and other threats that are increasingly sophisticated – and increasingly unpleasant – as they do their level best to defraud, con, threaten, frighten and rob us. Unfortunately for the likes of us, the only real way to safeguard our data, bank accounts, and sanity, is to stay one step ahead of the latest dangers. And that means knowing what we are dealing with. To that end, in this post we are going to take a look at a type of malware that is often overlooked, despite the fact that thanks to its thoroughly spiteful nature, it really does deserve a little more time in the spotlight. Welcome to your TeslaCrypt 101.


What is TeslaCrypt ransomware?

One reason why ransomware seems to be relatively unknown when compared to malware such as Trojan Horses or spyware is that it goes under a few different aliases. Alternatively called cryptoware, a cryptovirus, cryptoworm or cryptotrojan, if you've stumbled across any of these names before, then you are also reading about ransomware.

Call it what you like, TeslaCrypt ransomware is an extremely dangerous, and worrying, program and something you definitely want to take pains to avoid. If you're wondering just what it is that this malware can do, the names given to the various strains might give you a clue: ransom, crypto... Yes, it is a program that has been designed to infiltrate your computer, kidnap your data by encrypting it, and then demand a ransom for its release (usually $300 or more). The theory is that once you have paid the ransom, you will be sent a code which will allow you to decrypt your files. This particular variant encrypts your files and changes file extensions to .vvv, for example review.docx.vvv. Such encrypted Word documents cannot be opened by any program. You will simply get an error message. What is more, it manages to encrypt files on Dropbox folders. Luckily, Dropbox offers free versioning on all of its accounts which means that you will be able to restore your files from previous versions. Unfortunately, you can't do the same with files stored on your hard drive. This ransomware attempts to delete all previous versions of encrypted files.


Ways that TeslaCrypt is spread

Unfortunately, it is spread in a couple of different ways, so there are a number of things you need to watch out for if you are to avoid becoming prey. If you have visited a website that has been compromised by ransomware you will be infected, or if you open an email attachment or click a link in an instant chat app message that contains the malware, you will also kick start the ransomware process.

What happens during a ransomware attack?

As I said earlier, the way that TeslaCrypt works is to hijack your files and then demand that you pay in order that they are 'released'. However, it is not quite as clear cut as all that and please don't think that by capitulating to the kidnapper's demands you will get your data back. Do not lose sight of the fact that we are talking about cyber crime here – the likelihood of the mastermind behind the program actually caring enough to supply you with the code to decrypt your files once you have paid is... well, not really very likely.

Therefore, if you do receive an email or on-screen message telling you your files are being held hostage, don't pay a penny unless you absolutely must and have no other choice.

Should I pay the ransom?

There is NO guarantee that the party responsible will release your files so follow the steps in the removal guide below to remove this ransomware from your computer and hopefully, decrypt your files.

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer and Recuva programs or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .vvv. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing TeslaCrypt (.vvv extension) ransomware and related malware:


Before restoring your files from shadow copies, make sure TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by TeslaCrypt (.vvv extension) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.

Wednesday, 18 November 2015

.crinf Extension / ReadDecryptFilesHere.txt Ransomware Removal Guide

It doesn't take a rocket scientist or Silicon Valley whizz kid to work out that, by the law of averages, the more time we spend online, the greater the odds of us being attacked by ransomware, a phishing scam, a virus, or a hack attack are. That's okay, you think to yourself, I have a sturdy anti-virus program installed, and I never download anything dubious or look at 'adult' websites. Well, I'm sorry to be the bearer of bad news, but in this day and age it is ransomware and its ilk that has the upper hand.


Antivirus programs and security software are sophisticated, yes, but they are created reactively, not proactively. Once a new version of some malicious file encryption software is released (for example CryptInfinite, which appends the .crinf extension to encrypted files and leaves a ReadDecryptFilesHere.txt ransom note), the security companies then scramble to come up with an update that can deal with the threat. What that means for you is that if you are running an old version of your anti-virus software, you are not adequately protected. Likewise, if you do not update your Windows OS or the other programs you have running on your PC, you are also vulnerable. And what about that window of opportunity (for the cyber criminals) when they have launched their new ransomware but the security companies have not yet discovered it, or have not yet been able to counteract it?

So how can I protect myself from CryptInfinite .crinf extension ransomware?

The best thing you can do is to educate yourself as well as possible so that you have a fighting chance of giving malware as wide a berth as possible. And with that in mind, we are going to delve a little deeper into the murky world of ransomware.

What is CryptInfinite .crinf extension ransomware?

In a nutshell, it is a type of computer software program that has been designed to extort money out of innocent end users by holding their files, data, or computer operating system hostage. This is 21st century style kidnapping: ransom notes (ReadDecryptFilesHere.txt) are sent in the form of emails or on-screen messages and the victim is your encrypted data, which will only be released to you upon payment of a ransom. Once installed, it deletes Volume Shadow Copies, disables the Windows restore feature and attempts to terminate certain Windows processes like the registry editor. The contents of ReadDecryptFilesHere.txt are as follows:

Your personal files have been encrypted!
Your documents, photos, databases and other important files have been encrypted using a military grade encryption algorithm.
The only way to decrypt your files is with a unique decryption key stored remotely in our servers. All your files are now
unusable until you decrypt them. You have 24h to pay for the release of your decryption key. After 24h have passed, your
decryption key will be erased and you will never be able to restore your files.
To obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher.
If the payment is not sent within 12h the amount to obtain your decryption key will be $1000.
PayPal MyCash vouchers can be purchased at CVS, 7-Eleven, Dollar General, fred's Super Dollar,
Family Dollar and many other stores.
------------------------------------------------------------------------------
After obtaining your PayPal MyCash voucher code you need to send an email to
decryptor171@mail2tor.com or decryptor171@scramble.io with the following information.
1. Your $300 PayPal MyCash PIN
2. Your encryption ID = [edited]
Shortly after the voucher is received and verified, all your files will be restored to their previous state.
All payments are processed and verified manually, do not try to send invalid PIN numbers.
------------------------------------------------------------------------------

So, as you can see, to obtain your unique decryption key you will need to pay $300 using a PayPal MyCash voucher and if you fail to do so within 12 hours cyber criminals will triple the price. Two email addresses, decryptor171@mail2tor.com and decryptor171@scramble.io, are given to send them your encryption ID and PayPal MyCash PIN. In your case, the email addresses can be different because cyber criminals change them often. After that, you will be able to download the DecryptorMax.exe program which will decrypt your files.

So, fairly straightforward: I pay the ransom and my data is decrypted, right?

You didn't think it was going to be quite that simple did you? Just because you've handed over your hard earned cash there is no guarantee that you are going to be able to retrieve your files. This is a cyber criminal you are dealing with after all – hardly the most credible or legitimate person to enter into a business arrangement with!

How do you get infected by .crinf / ReadDecryptFilesHere.txt ransomware?

As with pretty much all forms of malware, ransomware infects you in a couple of ways: through an infected email or messenger program attachment or link, if it has been packaged with an application, download or program, or if you've visited a compromised website.

Help – I've been infected! What should I do?

Don't pay the ransom! If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer and Recuva programs or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .crinf. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing .crinf extension (CryptInfinite) ransomware and related malware:


Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by .crinf extension (CryptInfinite) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.

Tuesday, 03 November 2015

How to Remove HELP_YOUR_FILES Virus and Restore Encrypted Files

HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML, and HELP_YOUR_FILES.PNG belong to the new variant of the CryptoWall ransomware. If all your files have random extensions (e.g. 0hrpfndfq.p5r or d0prg.m4) appended on the end of the legit extension (e.g. DOC, XLS, PDF, EXE etc.) and you see HELP_YOUR_FILES files in every directory then your computer is infected with ransomware. It doesn't take a genius or a technical hotshot to know that there is an ever-increasing plethora of malicious software programs lurking in the darkest reaches of the internet that are used by cyber criminals to manipulate us into handing over our data or details. Our bank accounts and our identities can be at serious risk – and so too can our actual computers. Protecting yourself when you're online is now more important than ever before.


One type of malware that you really do need to educate yourself about - even though it is not quite as infamous as some of its cousins - is something called ransomware. But don't be fooled into thinking that even though it's not talked about as much as adware or spyware that you can ignore its very existence. Believe me when I say that ransomware is definitely something that poses a very real threat to all of us and it is definitely something that you do not want on your PC.

What is HELP_YOUR_FILES ransomware?

HELP_YOUR_FILES will attack you in a few different ways. As with many types of malware it might be hidden in an attachment sent via a spam email. Other variants of this ransomware program are upping their game and moving with the times by hiding in links that are sent in an instant messenger app. Yet others follow the tried and tested route of being packaged with another software program or app that the ransomware has infected. Last but not least, if you have paid a visit to a website that has been compromised by the malware then you will also unfortunately be put at risk. CryptoWall ransomware seems to be the payload most commonly delivered by the Angler EK. At the moment, Angler is possibly the most active and sophisticated exploit kit. Once installed, the ransomware injects code into explorer.exe or svchost.exe processes and disables system restore. Unfortunately, it can delete Volume Shadow Copies too.

When you think about it, if it seems that you are at risk every time you are online, you wouldn't really be exaggerating – and this of course makes it of paramount importance not only to protect yourself with firewalls and anti-virus software but also to proactively make sure you are using best practices when it comes to working or playing on the internet.

Being extremely careful when you open email attachments or click on links is crucial, even if you do know the sender – who's to say that your friend or colleague hasn't had their email or messenger app hacked?


What HELP_YOUR_FILES ransom virus can do

As the name suggests, it will kidnap your files, encrypt them so that you are unable to access them and then demand a ransom for their release. The ransom note will be left on your computer in the form of an HTML file or text/image files and will tell you in no uncertain terms how much you have to pay, and by what method, if you ever want to see your files again. HELP_YOUR_FILES.HTML ransom note:

Cannot you find the files you need?
Is the content of your files that you have watched not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.

Congratulations!!!
You have become a part of large community CryptoWall.

As you can see, it claims to be a part of the CryptoWall family. And it probably is because certain elements are clearly copied from previous CryptoWall variants. The note will tell you that once you have paid you will be sent a code that will allow you to decrypt your documents. However, this is not a guarantee and there are countless examples of people having handed over their hard earned cash only to be sent a big fat nothing in return.

What should I do if I've been infected?

It's easy to say, but try not to panic. And whatever you do, don't pay the ransom unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer, Recuva and some other specialized tools listed below. Please note that even if you decide to pay the ransom there's really no guarantee that cyber crooks will recover your files. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing HELP_YOUR_FILES and related malware:


Before restoring your files from shadow copies, make sure HELP_YOUR_FILES is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove detected malware.






2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by HELP_YOUR_FILES virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.

Sunday, 25 October 2015

Remove .breaking_bad Extension Virus and Restore Encrypted Files

You know as well as I do that when it comes to spending time online – whether that is for work or for play – the chances of being caught out by a phishing scam or being infected by ransomware which encrypts your files and changes file extensions to .breaking_bad are greatly increased. It's a sad fact of modern life that we are under constant threat from people who want to do us harm, steal or corrupt our data, or empty our bank accounts. And unfortunately, installing some anti-virus software, sitting back and assuming it is going to keep you secure is simply not enough. Besides, the majority of people install an anti-virus tool when they first buy their computer and then rarely even give it a second thought. How out of date is YOUR anti-virus software?

When you take into account that business is seriously good in the cyber crime industry and the criminals that program and distribute viruses and malware are continually thinking up new and increasingly innovative ways to scam us out of our money or do us harm, it stands to reason that you should do everything you can to avoid becoming a victim by staying one step ahead of the latest threats. So without further ado, here we are going to take a look at a serious danger to internet users: ransomware.

What is ".breaking_bad" ransomware?

It is a thoroughly nasty piece of software and definitely something you want to learn about and avoid at all costs. In the most basic terms, it has been designed to con you out of your money. How it accomplishes this is by kidnapping the files that you have stored on your PC and holding them hostage until you pay a ransom for their release. It's a method of extortion that is as old as the hills – but adapted to harm a whole new generation of computer users.

But how does a cyber criminal hold your files hostage, you may be wondering. When you have been infected by this ransomware and all your files end with .breaking_bad extension, the program will encrypt your data so that you can no longer access it. Allegedly, once you have paid the ransom to get your files back you will be sent a code that enables you to decrypt them and restore them to their former state. This ransom virus leaves a text file on your computer with the following information:

Ваши файлы были зашифрованы.
Чтобы расшифровать их, Вам необходимо отправить код:
[edited]
на электронный адрес decodefile001@gmail.com или decodefile002@gmail.com.
Далее вы получите все необходимые инструкции.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
[edited]
to e-mail address decodefile001@gmail.com or decodefile002@gmail.com.
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.

The ransom text is written in Russian and English. To receive further instructions on how to get your files back you need to send your unique code to decodefile001@gmail.com or decodefile002@gmail.com.

That's annoying and potentially expensive, but my data is worth any amount of money!

Not so fast, because there is absolutely no guarantee that a) you will be sent a decryption tool or b) if you were, the tool will work. Let us not forget that these are hardened cyber criminals, not benevolent kidnappers, that we are dealing with here. The likelihood is that they are simply going to take your money and run, leaving you out of pocket and none the closer to getting your files back.

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer and Recuva programs or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .breaking_bad. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing .breaking_bad extension ransomware and related malware:


Before restoring your files from shadow copies, make sure the ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by .breaking_bad ransom virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.

Thursday, 22 October 2015

.ccc Extension / howto_recover_file Ransomware Removal Guide

If all of a sudden, most of your files have been renamed with a .ccc extension and there are multiple files called howto_recover_file_*.txt and howto_recover_file_*.html on your desktop and in some folders then your computer has become infected with the improved TeslaCrypt ransomware variant disguised as CryptoWall. We are all well aware, in this day and age, that the more time we spend online, whether we are writing reports for work, playing shoot 'em up games, doing the weekly grocery shopping or simply killing time by stalking people on Facebook, the more risk there is of us falling victim to an online scam or by being infected by ransomware.


After all, there is an almost bottomless pit of money to be tapped into in the cyber crime industry and ransomware programmers are becoming more sophisticated by the day – if not the hour! It's a dizzying thought when you stop to consider the cat and mouse games that producers of anti-virus software and security patches, and of malicious software, are playing. But what does it mean for people like you and me when all we want to do is connect online to chat to friends, post vacation photos, spend our hard earned cash on a pair of sneakers or – yes, actually do some work!? For a start, we now have to be more careful than ever before if we don't want to become yet another statistic in the ongoing online battle between good and evil.

No two types of malicious software are the same which sadly for you and me means there is an endless amount of information to gen up on if we really want to give ourselves the best shot at defending ourselves against the latest threats.

With that in mind, in this article we are going to take a closer look at a type of malicious software program called ransomware, and in particular the TeslaCrypt variant that changes the file extension to .ccc. This malware is not as commonly known as some of the other types of malware – for example spyware or adware – but we definitely think you should learn how to protect yourself from it, considering how unpleasant it is.

What is TeslaCrypt ransomware?

It is a nightmarish program which sounds like it has stepped straight out of the pages of a bad sci-fi movie. Its aim is to get you to pay an amount of money and the way it does this is by causing huge issues on your computer – mainly by making it impossible to use and encrypting your files so that you can't open them. Of course, a good deal of stress and upset are, naturally, part of the package for anyone who thinks that they may not be able to access their documents or photos ever again. And in light of this it can seem like the only option is to pay the sum of money in question.


You have more than likely discerned by now that it is this mode of operating that gives ransomware its name, for it does indeed hold you – or your files - hostage. Once installed, it leaves a ransom note howto_recover_file_* with instructions on how to get your files back. Cyber criminals will probably ask you to pay at least 1 bitcoin for the so called decoder tool.

Should I pay the ransom?

In a word: No! There is NO guarantee that the party responsible will release your files so follow the steps in the removal guide below to remove this ransomware from your computer and hopefully, decrypt your files.

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer and Recuva programs or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .ccc. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing TeslaCrypt (.ccc extension) ransomware and related malware:


Before restoring your files from shadow copies, make sure TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by TeslaCrypt (.ccc extension) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
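
The file-name indicators named in the posts above (the .vvv, .ccc, .crinf and .breaking_bad extensions and the how_recover, howto_recover_file, ReadDecryptFilesHere and HELP_YOUR_FILES ransom notes) can be collected with a read-only scan that lists which files need restoring and under what original name. This is an added example, not code from the original posts; the function names, the `confidence` field and the sample tree are assumptions made for illustration.

```python
"""Read-only triage of a folder tree for the file-name indicators named above."""
import fnmatch
import os
import tempfile

# Extensions the posts say are appended to encrypted files (review.docx.vvv).
ENCRYPTED_EXTENSIONS = {
    ".vvv": "TeslaCrypt",
    ".ccc": "TeslaCrypt",
    ".crinf": "CryptInfinite",
    ".breaking_bad": ".breaking_bad",
}

# Ransom-note names from the posts, lower-cased; "*" matches any characters.
RANSOM_NOTE_PATTERNS = {
    "how_recover+*.txt": "TeslaCrypt",
    "how_recover+*.html": "TeslaCrypt",
    "howto_recover_file_*.txt": "TeslaCrypt",
    "howto_recover_file_*.html": "TeslaCrypt",
    "readdecryptfileshere.txt": "CryptInfinite",
    "help_your_files.txt": "CryptoWall",
    "help_your_files.html": "CryptoWall",
    "help_your_files.png": "CryptoWall",
}


def classify(filename):
    """Return (kind, family, original_name); kind is note, encrypted or clean."""
    lower = filename.lower()
    for pattern, family in RANSOM_NOTE_PATTERNS.items():
        if fnmatch.fnmatchcase(lower, pattern):
            return ("note", family, None)
    for ext, family in ENCRYPTED_EXTENSIONS.items():
        # Require a non-empty name in front of the appended extension.
        if lower.endswith(ext) and len(lower) > len(ext):
            return ("encrypted", family, filename[: -len(ext)])
    return ("clean", None, None)


def scan(root):
    """Walk root without modifying anything and collect indicator hits."""
    report = {"encrypted": [], "notes": [], "clean": 0,
              "errors": [], "families": set()}
    # Unreadable folders are recorded instead of silently skipped.
    walker = os.walk(root, onerror=lambda exc: report["errors"].append(str(exc)))
    for dirpath, _dirs, files in walker:
        for name in files:
            kind, family, original = classify(name)
            path = os.path.join(dirpath, name)
            if kind == "clean":
                report["clean"] += 1
                continue
            if kind == "note":
                report["notes"].append((path, family))
                report["families"].add(family)
                continue
            # A surviving inner extension (review.docx) makes a coincidental
            # match unlikely; a bare name such as model.ccc may be legitimate.
            confidence = "high" if os.path.splitext(original)[1] else "low"
            if confidence == "high":
                report["families"].add(family)
            report["encrypted"].append({
                "path": path,
                "family": family,
                "restore_as": os.path.join(dirpath, original),
                "confidence": confidence,
            })
    return report


def build_sample_tree(root):
    """Create a constructed sample tree of empty files for the demo."""
    sample = [
        "Documents/review.docx.vvv",
        "Documents/how_recover+abc.txt",
        "Documents/budget.xlsx",
        "Photos/holiday.jpg.crinf",
        "Photos/ReadDecryptFilesHere.txt",
        "Projects/model.ccc",
        "Projects/notes.txt.breaking_bad",
        "Projects/HELP_YOUR_FILES.PNG",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan(tmp)
        for hit in result["encrypted"]:
            print(hit["confidence"], hit["family"], hit["restore_as"])
        for note_path, note_family in result["notes"]:
            print("note", note_family, note_path)
        print("families:", sorted(result["families"]))
```

The `restore_as` paths are the names to look for in a backup, in Previous Versions or in Shadow Explorer; the scan only reads directory listings and changes nothing on disk.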