Infected with RansomWarrior Ransomware? Need to decrypt your files?
What is RansomWarrior Ransomware
RansomWarrior is a cryptographer, cryptovirus, the genealogy of which is for certain unknown. The virus is the development of Indian hackers, most active in August this year. Like many analogs, RansomWarrior encrypts most user files, such as office documents, archives, photos and videos, and much more. The cryptovirus uses the AES algorithm, and also adds the .THBEC extension using the following template: Encrypted#.THBEC
RansomWarrior uses a dialog box with the name RansomWarrior 1.0 as a note of redemption. Here’s how it looks:
text in the note:
Oops!!! Your Files Has Been Encrypted By RansomWarrior 1.0
Message for you from RansomWarrior 1.0
Hello, we are a group of dedicated hackers from India. We have encrypted all your files so we can get your money. All your important files has been encrypted which means you are going to pay us a ransom of 349 USD in Bitcoins. So first of all you can decrypt to of your important files and we will show you which files has been decrypted. Just so you can see that we do have your decryption key, and you will be able to buy it from us. You won't be able to get your important files back if you don't buy your decryption key. Notice a clock on the side, when that date arrives your important files will be deleted(You have 24 hours to pay the ransom).
You will be able to get Bitcoins, at sites such as coinbase.com or localbitcoins.com. There are also others, but usually these are the usual choice
(Make sure to get a little bit more Bitcoins, due to transaction fees and the crypto currency is very volatile. It's also a good idea to get the Bitcoins,
as soon as possible, because sometimes the purchasing process can take hours. You would also need a wallet for your Bitcoins if you are not using
the coinbase.com wallet. When you have your Bitcoins in your wallet. You are going to download and install the tor browser. Go to torproject.org and
then follow the instructions given there.
You need the tor browser, because our payment website is located in darknet. When you have downloaded and installed the tor browser. Go to this link: zpkjjp57apz76k3q.onion\Pay\PayThis\Payment_1000731.PHP When you are on the website, you simply transfer your Bitcoins to the address that are provided to you(You can copy the address and then paste it in your Bitcoin wallet when you are transfering the Bitcoins). When your Bitcoins arrive to our wallet, you will be notified and then be able to download the decryption key. When you have your decryption key, simply place the key in your C:\ And then get all your important files back. The ransomware will then decrypt everything and remove itself.
Here is the entire lists of the way it's done:
1. Decrypt 2 important files as proof of decryption key and we decrypt to keep a good reputation about RansomWarrior 1.0.
2. Get a Bitcoin wallet(If needed)
3. Get the Bitcoins from coinbase.com or localbitcoins.com or an alternative.
4. Download and install the tor browser from torproject.org
5. Go to our website: zpkjjp57apz76k3q.onion\Pay\PayThis\Payment_1000731.PHP
6. Pay your Bitcoins to the Bitcoin address showed.
7. When accepted download your decryption key and put it in your C:\.
8. Then decrypt all of your important files and wait till the ransomware deletes itself.
Bonus tips:
1. Do this process as fast as possible, to make sure you get your important files back.(Due to Bitcoins sometimes take some time.)
2. If you are old and this seems confusing, get help from a younger relative or equivalent.
3. Always remember that the clock is ticking.
4. Do not attempt to adjust any of the files in the folder or try to adjust the clock on your computer. This can cause the ransomware to delete itself
along with your important files.
5. If you do no. 4 make sure you have technical experience.
6. We will decrypt your important files for our price stated, destroying things is not something we want to do.
7. Save your time(It's limited) by not reporting it to the police, they can't help you anyways(And will jut turn your away).
8. Also disable your anti malware software, because this can delete the ransomware(And we can't guarantee your important files).
9. Have a good day with the love from India.
[Get Your Important Files Back]
[Get 2 Important Files Dencrypted For Free]
Looks scary, is not it? In the note, the attackers demand a ransom of $ 349, and they insist on cryptocurrency currency, in particular bitcoins. This is done so that attackers can escape punishment for their actions. One thing is for sure – this is a deception, in no case do you pay them even a penny. No one will ever decrypt your files, since the main task of scammers is to get your money. Try to remove RansomWarrior and decrypt your files using our guides.
Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: submit@securitystronghold.com. We really can help to decrypt your files.
How RansomWarrior infected your PC
The penetration into the system occurs on the same scheme – through an unprotected network. This is because users do not use the proper antivirus software. Also, RansomWarrior can penetrate as an attachment in spam mailing or as an update for a flash player or other program. One thing is clear – you need to get rid of RansomWarrior right now, using our recommendations.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the RansomWarrior virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
Recommended Solution:
Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to RansomWarrior – files, folders, registry keys.
*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.
You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows
Restore your files using shadow copies
- Download and run Stellar Data Recovery.
- Select type of files you want to restore and click Next.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Once the scanning process is done, click Recover to restore your files.
Step 2: Remove following files and folders of RansomWarrior:
Related connections or other entries:
zpkjjp57apz76k3q.onion\Pay\PayThis\Payment_1000731.PHP
Related files:
A Big Present.exe
Payment_1000731.PHP
How to decrypt files infected by RansomWarrior?
You can try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although latest versions of RansomWarrior remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Written by Rami Douafi