Russian Eda2 Ransomware - How To Remove?


Here we present an old forefather of many ransomware viruses around the world: Russian Eda2 Ransomware. This Trojan ransomware often went undetected because it disguised its main file as a seemingly harmless application.

About Russian Eda2 Ransomware

Russian Eda2 ransomware is based on open-source code that was initially created as a project for academic purposes only. Russian Eda2 was used to carry out cyber attacks against Russian-speaking countries. It told possible victims apart from people in other locations by checking their display language settings. If the computer was set to Russian, the ransomware went ahead. This ransomware itself is no longer widely spread, but many copycats have emerged on the Internet. If you get infected by a Russian Eda2 follower, the course of the infection is the same for all of these threats.

First, the infection takes over files on the user's computer and makes them unusable. The AES-256 encryption algorithm is used to encrypt these files. Two keys are generated in this process: the public key is used for the encryption of files, and the private key, hidden from victims, is what is needed to restore them.

Russian Eda2 Ransomware can choose from over 40 types of files to encrypt. Files ending in .djvu, .djv, .rb, .epub, .html, .htm, .asp, .aspx, .php, .phtml, .xls, .xlsx, .xlsm, .csv, and many more can be rendered unusable. Users can easily estimate the damage, as the ransomware marks encrypted data by appending the .locked file extension.

Then, after encrypting enough of the user's files, Russian Eda2 Ransomware moves to the second step of its plan. The desktop background is altered to display the demand: your files have been taken hostage, pay a ransom to free them.

Your computer system will not function properly, and it will seem that it has been blocked to prevent you from using it. The hackers' demands also appear in a file called README.html that urges users to pay the ransom in exchange for their data. The fee is approximately 59 dollars, or 0.1 BTC when converted to bitcoins. Bitcoin is used for the transaction because hackers want to keep their identities secret.

How is Russian Eda2 Ransomware Disseminated?

Russian Eda2 Ransomware might not be a threat to you, as it is no longer circulating on the Internet. However, its followers can cause trouble. Two ways it can reach you are shady spam letters and fake software updates. You might be offered an update for Java or Adobe Acrobat, but in fact a ransomware application enters the system and hides on your device. The same thing happens if you open spam letters and download an application or file they provide.

How to Decrypt Files Encrypted by Russian Eda2 Ransomware

Paying the ransom might seem the easiest way out of this nightmare. However, hackers can disappear after the transaction and leave you with nothing. Never waste your money on these untrustworthy people.

Since Russian Eda2 Ransomware is no longer a threat, the topic of decrypting its files is vague. If you encounter any of the followers of this damaging virus, note that a dedicated recovery tool might become available. Furthermore, Kaspersky tools, R-Studio, PhotoRec or other data recovery tools can attempt to recover files. If that fails, recover the files from backup storage or use the ‘Previous Versions’ feature offered by Windows Vista and Windows 7.

To remove ransomware applications like Russian Eda2, use Reimage, SpyHunter, Hitman or Malwarebytes. Take ransomware viruses as a lesson to always keep your files in safe backup storage and to use a powerful anti-malware tool that will detect this sneaky Trojan.

Update of the 9th of January, 2016. A previously unseen sample of EDA2 ransomware has been spotted by security researchers. This active infection appends the .LoCKED extension to the data it ruins. A DecryptFile.txt file is left behind, and it tells people to download the TOR browser and access a specific website to get more information.
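
A damage-assessment helper built on the indicators named in this article (the .locked / .LoCKED suffix and the README.html and DecryptFile.txt notes). It is an added example, not code from the ransomware or from any tool mentioned here; the function names scan_tree and summarize are hypothetical.

```python
import os
import sys
from collections import Counter
from pathlib import Path

# Indicators taken from the article text; names are compared case-insensitively,
# so ".locked" also matches the ".LoCKED" variant.
LOCKED_SUFFIX = ".locked"
NOTE_NAMES = {"readme.html", "decryptfile.txt"}


def scan_tree(root):
    """Walk root and return (locked_files, candidate_notes) as lists of Path."""
    locked, notes = [], []
    # Unreadable folders are skipped instead of aborting the whole scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            if lower.endswith(LOCKED_SUFFIX) and lower != LOCKED_SUFFIX:
                locked.append(Path(dirpath) / name)
            elif lower in NOTE_NAMES:
                notes.append(Path(dirpath) / name)
    return locked, notes


def summarize(locked, notes):
    """Build a restore worklist: counts per original extension and per folder."""
    by_ext, by_dir = Counter(), Counter()
    for path in locked:
        original = path.name[: -len(LOCKED_SUFFIX)]  # name before the appended suffix
        by_ext[Path(original).suffix.lower() or "(none)"] += 1
        by_dir[str(path.parent)] += 1
    # README.html is a common legitimate file name, so note files are only
    # reported when encrypted files were found as well.
    confirmed = sorted(notes) if locked else []
    return {"total": len(locked), "by_ext": dict(by_ext),
            "by_dir": dict(by_dir), "notes": confirmed}


if __name__ == "__main__":
    found, note_files = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    report = summarize(found, note_files)
    print(f"{report['total']} files carry the {LOCKED_SUFFIX} suffix")
    for ext, count in sorted(report["by_ext"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:10} {count}")
    for folder, count in sorted(report["by_dir"].items()):
        print(f"  {count:5} in {folder}")
    for note in report["notes"]:
        print(f"  ransom note: {note}")
```

Run it against the affected drive or folder before restoring anything, so the per-folder counts can be matched against what the backups contain.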

How to recover Russian Eda2 Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Russian Eda2 Ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of Russian Eda2 Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Reimage, and remove all malicious files related to Russian Eda2 Ransomware. You can check other tools here.

Step 3. Restore Russian Eda2 Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Russian Eda2 Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, the ransomware may fail to delete them.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Russian Eda2 Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal


Important Note: Although it is possible to manually remove Russian Eda2 Ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on

External decryptor:

About the author

 - Main Editor
I have started in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
June 13, 2016 06:52, January 9, 2017 08:30
