CryptoViki Ransomware - How To Remove?

 

CryptoViki ransomware virus has surfaced and it plans to leave people no choice but to submit to hackers’ demands. Once CryptoViki contrives and delivers its payload called a.exe into operating systems, further modulations in Windows Registry Keys and other user settings will be supported. For instance, desktop image will be reconstructed to foster an original picture wallpaper.jpg which displays a ransom note. Identical text can be found in readme.txt file which will also be inserted. Through the course of analysis, this specific ransomware infection was determined to be enforcing encryption process with a traditional AES algorithm. It presumably targets English and Russian speaking communities as the ransom notes incorporate both of these versions.

More detailed description of this virus

The ransom note is intended to be found in multiple places. Firstly, a new background image will immediately introduce the principal requisitions that a ransomware is making. Additionally, the same content will be introduced to users once readme.txt is launched. Nevertheless, these demands are preliminary and insist that people would contact cryptoviki@gmail.com for more detailed instructions. If victims do engage in an email transaction between them and the crooks, authors of CryptoViki will be glad to explain where a specific amount of bitcoins should be sent.

CryptoViki virus

However, you definitely should not believe that crooks will put effort into restoring encoded data. It is very possible that they do not even have the resources to recover files to the state of functioning. A .viki extension marks files that have been scrambled into oblivion. After examining the payload, we discovered that the virus creates a process of “vssadmin Delete Shadows /All /Quiet“ which means that Shadow Volume Copies will be permanently destroyed.

This ransomware nightmare is detectable by a number of security tools. Bunch of them regard a.exe file as “Gen.Troj.Heur!c”. All ransomware infections are Trojans, meaning that they enter devices under rogue files and initiate their activity in secret. Hackers attempt to confuse users by naming malicious executables as regular processes or harmless files. In the Windows Task Manager, a stealthy process that belongs to a ransomware infection might be hiding under a false name. Because of this stealthy feature, detection of ransomware becomes complex. Crooks are constantly attempting to swindle money out of people and we hope you won’t be tempted to pay the ransom in exchange for your files.

CryptoViki ransomware

Crooks are never to be trusted. After payments are sent, they might abandon their victims and leave files encrypted. Why would they bother helping users when they have already received money that they are after? It is important to get rid of a ransomware infection before any file-recovery methods can be applied. Run a scan with Reimage, Spyhunter or Hitman for the sake of finding the malicious source. These anti-malware tools will detect all malware that might be negatively influencing your operating system.

File-recovery options

Since we do not advise you to contact hackers and play their vicious games, you should consider alternative methods that could help you return files back to normal. An original decryptor has not been produced yet, but there is a chance that researchers will be able to succeed in this task. Until then, you could give other techniques a shot. For instance, try tools that already exist. To some extent, they could function. However, if you have previously stored your files in backup storages, your search is over. All you have to do is get rid of the malicious processes and retrieve files from the alternative location.

Transmission of ransomware

There are multiple techniques that crypto-viruses can utilize for their distribution. Spam campaigns could deliver email messages that are tainted with harmful executables. Never download attachments from letters that do not appear completely legitimate. Hackers could pose as representatives of respectable facilities and instruct you to download files or follow links. Both of these actions could lead you to a ransomware infection.

How to recover CryptoViki ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before CryptoViki virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of CryptoViki ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to CryptoViki virus. You can check other tools here.


Step 3. Restore CryptoViki ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually CryptoViki virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover CryptoViki ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
May 18, 2017 00:35, May 18, 2017 00:35
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *