ViaCrypt Ransomware Virus - How To Remove?

 

ViaCrypt Ransomware is a dangerous virus that can block the access to your files and request for the money in order to unlock them. In case your computer is infected with it, you will definitely notice it immediately because your desktop image will be changed and files encrypted. Proceed reading the article to learn how to act in this kind of situation.

How does ViaCrypt Ransomware work?

ViaCrypt is a typical ransomware infection so once inside of the computer it runs a scan of files in order to determine which of them can be encrypted. After the scan is over, it will add .via appendix to all of them. What does it mean? It means your those files are encrypted and you can’t open them because of that. Immediately afterwards you will notice a text file on your desktop, so called ransom note, by the name of ‘your system has been encrypted! please read further instructions!.txt’. Original text of the message:

Your system files has been encrypted and only way to recover them is by purchasing unlocking key.
Steps to gain access for files:
1) Please follow this page: http://sigmalab.lv/other/crypt/payment_request.php
2) Upload your public encryption key
3) Download decryption key
4) Drag and drop key on crawl.exe
5) Wait for files to be unlocked in background

ViaCrypt ransom note

As you can see, you are informed that your files were locked and in order to retrieve them you will be asked to pay the ransom. To do this, you are asked to head to their website and purchase unlocking key. The website looks like this:

ViACrypt ransomware website

From the website language and domain name we can guess that the origins of this malware come from Latvia. We highly suggest not to pay the ransom or contact those hackers since you do not know who they are and there are no guarantees that your files will be unlocked even if you pay the ransom. Moreover, paying the ransom equals supporting cyber criminals and that’s not a good thing to do.

At the moment there is no way to decrypt files with .via extension, but we will keep you updated and publish the information as soon as decryptor is ready. For now, the only way to retrieve your locked files is to restore when from a copy. Obviously, you have to have a legitimate copy of your hard disk that was made before the date of infection and was stored on an external hard drive or cloud. If you have one, take a look at our system restore guide.

Besides encrypted files, you have to solve another problem – remove the virus from your computer. Even though it could be done manually, we do not recommend to do it by your own since the process is rather complicated and you can cause more damage. It is known that makes changes to registry entries of Windows OS, so the virus would be launched every time you start your computer. This problem is extremely difficult to solve even if you have great computer skills, therefore we recommend to use reliable anti-malware tools. The job would be done within several minutes if you use either Reimage or SpyHunter for this task. Scan your system with either one of them and ViaCrypt Ransomware virus should be deleted for good.

Sometimes ransomware like ViaCrypt Ransomware has an ability to block anti-malware software, so you should try different options in case one of them is not working. There are plenty of decent anti-malware tools that can deal with ransomware.

In order to keep your computer safe from infections like this, you should properly protect your system and avoid risky activity on the Internet. Protecting your computer is almost natural nowadays and everyone should do it. There are three points of emphasis that we would like to mention:

  • Always protect your system with Anti-Malware software;
  • Always protect your system with Anti-Virus software;
  • Set up automated back-ups.

Speaking of safe Internet browsing, never visit websites that look suspicious – if your web browser warns you that the website you are about to visit is possibly malicious, do not ignore those warning. Another valuable tip – don’t open emails from spam category. It is the most common distribution method of ransomware, since it come as an attachment to spammy emails.

How to recover ViaCrypt Ransomware Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before ViaCrypt Ransomware Virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of ViaCrypt Ransomware Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to ViaCrypt Ransomware Virus. You can check other tools here.


Step 3. Restore ViaCrypt Ransomware Virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually ViaCrypt Ransomware Virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.


Previous version
b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover ViaCrypt Ransomware Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files. Data Recovery Pro

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

 

Important Note: Although it is possible to manually remove ViaCrypt Ransomware Virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.

Processes:
Extensions:
External decryptor:
     
 

About the author

 - Main Editor
I have started 2-viruses.com in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
 
July 12, 2017 07:23, July 12, 2017 07:23
   
 

Leave a Reply

Your email address will not be published. Required fields are marked *