Virus-encoder Ransomware
Like most other ransomware, the Virus-encoder Ransomware encrypts the targeted system files and makes them unreadable. The files are not recoverable without a secret key that was used in the encryption method. The Virus-encoder Ransomware also leaves a ransom note on the infected device. This is usually a file created on the desktop or infected folders. The Virus-encoder Ransomware note is named "# DECRYPT MY FILES #.txt." The Virus-encoder Ransomware does not appear to attack any specific region or Internet user. The Virus-encoder Ransomware is also known as "GetCrypt" and is spread by the RIG Exploit Kit.
Table of Contents
Symptoms of a Virus-encoder Ransomware Infection
The Virus-encoder Ransomware is distributed to vulnerable machines using spam email, file downloads and corrupted torrents. The infected file needs to be downloaded and executed or opened (if it's an MS Office document) before it can affect a system. The Virus-encoder Ransomware can be delivered in the form of an executable (.exe), a system file (.dll) or even an MS Office document (.doc, .docx, .xls, .xlsx). Once it is downloaded and opened on a system that does not have up-to-date virus definitions, it enters the file system and begins to encrypt all the files it can access. The Virus-encoder Ransomware uses the Salsa20 and RSA-4096 encryption methods to make the files unreadable. It then leaves a ransom note on the desktop and any infected folders. This note informs the users that their data is unrecoverable without an original encryption key, which will be provided to them after a ransom amount is paid, usually in Bitcoin.
Sample Ransom Note
'Attention!
Your computer has been attacked by a virus-encoder! All your files are now encrypted using cryptographically strong algorithm. Without the original key recovery is impossible. To get the decoder and the original key, you need to email us at [email protected] Our assistance i not free, so expect to pay a reasonable price for our decrypting services. No exceptions will be made. In the subject line of your email include the id number, which can be found in the file name of all encrypted files. It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email address: dalailama2015@protonmail.ch.'
Protecting Yourself from the Virus-encoder Ransomware
If you don't use an anti-malware or ant-virus software currently, you should download and install one immediately. Most mainstream operating systems like Windows or Macs ship with protective software these days but any anti-virus or anti-malware software is only as good as its virus definitions. These are updated regularly (usually daily) and should be downloaded as soon as they come out. When downloading files from the Internet, always make sure you are downloading them from a trusted website. Malware also can be hidden inside a torrent. Refrain from downloading torrents from unknown sources unless you know what you are doing and do not run any executable downloaded from a torrent especially.
Malware like the Virus-encoder Ransomware also can be spread using spam email. Never download an attachment from any email unless you are certain who the sender is. Even if a file is attached to an email from a known source, double-check to make sure the email address is accurate. When downloading attachments from an authentic email, make sure the attachment makes sense in context with the email content. Avoid running executable files attached to emails at all costs. Sometimes a corrupted file can be attached to an email without the sender's knowledge. To protect your data, backup your system regularly. Despite your best efforts and diligence, there is always the possibility of corrupted scripts being run on your system somehow. In this case, the best way forward is to start fresh from a formatted hard disk or restore your system from a backup. For the most important data, it is considered a good practice to keep a copy in the cloud, or physically on a disk that is located in a separate location or at least on a different network.
My Device Has Been Infected. What do I do Now?
There are tools and software available online that purport to be able to decrypt your attacked files and remove any malware infecting your system. While some may be effective at detecting and removing malware, it is nearly impossible to recover encrypted files without a decryption key. You can try manual methods of putting your computer into "Safe Mode" and then searching for infected or corrupted files and deleting them. However, this will not remove the malware and the process to accomplish that should only be undertaken by experts or very knowledgeable PC users, as it can cause further loss of data.
NEVER choose to pay the ransom or try to contact the attackers. Contacting them could put you at greater risk of further attacks, and there is little to no chance of any paid ransom being honored with decrypted data.
