Azer Ransomware Virus - How To Remove?


Azer crypto-virus is an elaborate infection that uses a combination of ciphers to turn files into barely recognizable data. This variant comes from the same creators that introduced the CryptoMix nightmare: we already analyzed it and you can read about its technical features in our article. The newer sample requires victims to contact the donald@trampo.info email address and assigns unique ID numbers to the people who face loss of their valuable digital data. Two samples have already resurfaced, gangbang.exe and powerstateoff.exe, and both of them behave like common crypto-viruses (with a couple of exceptions).

What are the features of this crypto-virus?

The infection drops INTERESTING_INFORMATION_FOR_DECRYPT.TXT, which launches a window containing a brief message from the hackers. They announce that all of the user's files have been encoded. While this detail is not included in the ransom note, specialists have found out that the AES cipher is used to encrypt data and RSA-1024 is applied to the private key needed for decryption. This crypto-virus works offline and does not require an Internet connection to be functional. webmafia@asia.com is another email address that users are expected to contact for more information.


The _bangbros.exe sample also demands that the donald@trampo.info email address be contacted. It is an older variant which was first discovered back in March of 2017. The newer variant of CryptoMix has been noticed to ruin not only the content of the files, but also the filenames. -email-[email_address].AZER is a rather long extension for a crypto-virus to append to corrupted data. The exact ransom that the crooks demand for file decryption is unknown. We presume that victims will find out these details after contacting one of the recommended emails.
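The ransom note filename and the -email-[email_address].AZER extension described above are the indicators a responder would look for when triaging a drive. The following script is an added example, not code from 2-viruses.com or from the malware authors: it walks a mounted (ideally offline) volume, counts files carrying the .AZER extension and the ransom note, and pulls the contact address out of each extension so you can see which campaign hit the machine. It assumes the extension is appended to the filename exactly in the "-email-<address>.AZER" form the article quotes; the sample paths embedded in it are constructed for illustration.

```python
import os
import re
from collections import Counter

# Indicators quoted in the article: the ransom note filename and the
# "-email-[email_address].AZER" extension appended to encrypted files.
RANSOM_NOTE = "INTERESTING_INFORMATION_FOR_DECRYPT.TXT"
# Matches "<anything>-email-<address>.AZER" and captures the contact address.
# Assumption: the extension is appended in exactly this form.
AZER_EXT = re.compile(r"-email-([^\\/]+?)\.AZER$", re.IGNORECASE)

# Constructed sample paths (not real victim data) used by demo() below.
SAMPLE_PATHS = [
    "C:/Users/victim/Documents/budget.xlsx-email-donald@trampo.info.AZER",
    "C:/Users/victim/Documents/INTERESTING_INFORMATION_FOR_DECRYPT.TXT",
    "C:/Users/victim/Documents/readme.md",
    "C:/Users/victim/Pictures/holiday.jpg-email-webmafia@asia.com.AZER",
]


def classify_name(name):
    """Classify one filename: ('note', None), ('encrypted', email) or ('clean', None)."""
    if name.upper() == RANSOM_NOTE:
        return ("note", None)
    match = AZER_EXT.search(name)
    if match:
        return ("encrypted", match.group(1).lower())
    return ("clean", None)


def summarize(paths):
    """Aggregate a list of file paths into a triage summary."""
    summary = {
        "encrypted": 0,      # files carrying the .AZER extension
        "notes": 0,          # ransom notes found
        "clean": 0,          # everything else
        "emails": Counter(), # contact address -> number of files
        "dirs": set(),       # directories that contain any indicator
    }
    for path in paths:
        directory, name = os.path.split(path)
        kind, email = classify_name(name)
        if kind == "encrypted":
            summary["encrypted"] += 1
            summary["emails"][email] += 1
            summary["dirs"].add(directory)
        elif kind == "note":
            summary["notes"] += 1
            summary["dirs"].add(directory)
        else:
            summary["clean"] += 1
    return summary


def scan_directory(root):
    """Walk a mounted volume and summarize the AZER indicators found on it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            paths.append(os.path.join(dirpath, filename))
    return summarize(paths)


def demo():
    """Run the triage over the constructed sample paths."""
    return summarize(SAMPLE_PATHS)


if __name__ == "__main__":
    import sys
    # With a path argument the real volume is scanned; without one the sample runs.
    result = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(f"encrypted files: {result['encrypted']}, ransom notes: {result['notes']}")
    for email, count in result["emails"].most_common():
        print(f"  contact address {email}: {count} files")
    for directory in sorted(result["dirs"]):
        print(f"  affected directory: {directory}")
```

Run it against the mount point of the infected drive (for example from a clean machine with the disk attached as a secondary drive) to get a count of affected files and directories before attempting any of the recovery steps below; the directory list also tells you which folders to check first in Previous Versions or Shadow Explorer.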

What to do if I am infected?

If you are one of the unlucky users who have been compromised by this Azer crypto-infection, you should not pay the ransom. If for some reason you do contact the hackers, pay the ransom and they actually provide you with a functional decryptor, you should share it with security specialists. This tool could help researchers discover file-decryption techniques that do not involve paying the ransom.

If the ransom that the hackers demand is absolutely absurd, you should not pay it. Instead, try to recover your data via other options. One of them is Shadow Volume Copies, which can be restored if the Azer virus does not run a command to delete them. Furthermore, you could contact specialists who work on producing a free recovery tool.

However, there is one option that does not require paying the ransom or asking researchers for help. If you are an attentive user, you should already be in the habit of storing files in backup storage or in other secure locations. One of the easiest and free options is to store your files on a USB flash drive. If you lose all of your files to encryption, you do not have to bother with decrypting them. All you have to do is eliminate the infection from your computer and retrieve the files from the alternative location.

The best way to remove a crypto-virus is to scan your system for viruses. Reimage, Spyhunter or Malwarebytes will detect the exact locations of the malicious executables and then offer quick removal. If you have experience in removing malware manually, you could follow the guidelines at the end of this page.

There are several methods that a crypto-virus might have used to get delivered. One of them is malicious spam campaigns. Deceptive emails have been noticed to contain attachments that are capable of launching a ransomware payload. Do not download files that you receive via email, and only open messages that do not appear to be of a misleading nature.

How to recover Azer ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appeared.
  • Select one of the Restore Points that are available from before Azer ransomware virus infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of Azer ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to Azer ransomware virus.


Step 3. Restore Azer ransomware virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Azer ransomware virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Azer ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
July 10, 2017 04:01
