Ferosas Virus - How to remove

Ferosas is a virus that infects a computer and corrupts the files on it. A ransom of hundreds of dollars is demanded of the victims if they want to get their files back. This file-locking ransomware affects Windows computers and can be very devastating for those who aren’t ready. Still, there are a few possible solutions to get at least some of the corrupted files back.

If your computer was infected with Ferosas, then a lot of the files have become unusable. The encrypted files simply have a new extension appended to their names: .ferosas. These can be image, video, and audio files, text files, spreadsheets, and a multitude of other types.

picture.jpg.ferosas

A ransom note in a file named _readme.txt is created and put in your folders. It contains the contacts of the extortionists behind Ferosas ([email protected], [email protected], and a Telegram account called @datarestore).

ATTENTION!

Don’t worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you…
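To scope the damage, the two markers described above (the .ferosas extension and the _readme.txt note) can be counted per drive or folder. The following Python script is an added example, not part of the original article or of any removal tool; it assumes that an encrypted file's modification time reflects when it was rewritten, which gives a rough lower bound for choosing a restore point or backup.

```python
import os
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".ferosas"   # extension named on this page
RANSOM_NOTE = "_readme.txt"  # ransom note file name named on this page


def inventory(root):
    """Walk root; return encrypted files, ransom-note paths, earliest mtime."""
    encrypted, notes, earliest = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable entry: skip it, keep scanning
                # Strip the appended extension to recover the original name.
                encrypted.append((path, name[: -len(ENCRYPTED_EXT)]))
                earliest = mtime if earliest is None else min(earliest, mtime)
    return encrypted, notes, earliest


def summarize(root):
    """Summary for triage: counts, affected folders, types, earliest timestamp."""
    encrypted, notes, earliest = inventory(root)
    by_type = Counter(
        os.path.splitext(orig)[1].lower() or "(none)" for _path, orig in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "note_dirs": sorted({os.path.dirname(p) for p in notes}),
        "by_original_type": dict(by_type),
        # Assumption: mtime of an encrypted file is roughly when it was rewritten.
        "earliest_encrypted": (
            datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
            if earliest is not None else None
        ),
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(summarize(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a mounted copy of the affected drive where possible, so the scan itself does not touch the original disk.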

You can compare the Ferosas ransom note with the notes of the other STOP/DJVU variants — Drume, Guvara, Promorad2.

In the ransom note, the developers of Ferosas demand money — $490 or $980. The cheaper sum is for those who contact the extortionists in the first three days. $490 may be a ridiculous price, but $980 is even more outrageous. Looks like the ransom note is trying to rush the victims, to stress them out, to discourage them from researching solutions. This is predatory, but expected of cybercriminals.

You shouldn’t pay the ransom. Not just because that would be supporting crime (what the developers of Ferosas are doing is illegal). Ransomware developers, even the ones who are competent enough to decrypt the files that they have encrypted, don’t always keep their promise to provide the people who paid with working decryption tools. Sometimes extortionists ask for more money, other times they just leave. If a cryptovirus is old, the extortionists might have already lost the decryption keys. Whatever the reason, according to CyberEdge, only around 60% of those who paid the ransom actually recovered their encrypted data.

How to be ready for ransomware?

Ransomware is difficult to solve once it has infected the system, but there are ways to minimize the risk and harm. Ferosas is part of the STOP/DJVU family of ransomware, so we can look at how DJVU cryptoviruses and other malware have behaved in the past and come up with a few bits of advice:

  • Create file backups. It’s very important to have backups of all the important files and programs. With backups, recovering from Ferosas or another serious virus could be relatively painless.
  • Be familiar with phishing emails. Malicious spam is very often used to spread malware, and all the people in your organization, company, or family who use the same computer or network could encounter a malicious spam email and unwittingly invite a virus, or leak private information.
  • Update your antivirus and your software. Sometimes, malware targets security holes that could be patched with already-existing updates.
  • Use antivirus software to scan unfamiliar files and links before opening them.
  • Be careful when pirating software cracks (or any file). STOP/DJVU viruses have sometimes been distributed in software cracks.
  • Freeware bundles and adware, too, have distributed ransomware. Be skeptical when downloading and installing free software, especially from sites that have a history of pushing unwanted software on their users.

Are the files really lost?

Encryption is useful for securing connections to protect private information from being exposed. Thanks to encryption, we can do things like online banking without someone impersonating us and taking over our bank accounts.

The developers of Ferosas are only a few of the many online criminals who abuse encryption to extort money.

Encrypted files basically have their contents (their building blocks) scrambled. Generally, ransomware uses symmetric encryption on the files. Symmetric encryption is fast, but on its own it is not very safe for the extortionists, because the same key that encrypted the files can decrypt them, too. So the cryptovirus then encrypts the symmetric key with an asymmetric algorithm. There is no way to decrypt that without getting the private key from Ferosas’ developers, with the exception of the offline key, which might be used if the connection with Ferosas’s server didn’t work. In that case, try the decryptor that @demonslay335 has developed (here’s direct download).

In many cases, including Ferosas, ransomware-encrypted files cannot be decrypted, but there are other things to try. Restoring from backups, maybe even file recovery software. There is a guide just below this article.

How to remove Ferosas

First of all, Ferosas should be removed from the system, along with whatever Trojans it probably brought with it. Because Ferosas tries to cripple Windows Defender, it might be a good idea to try an additional antivirus program, like Spyhunter. Ferosas messes with other settings, too, like which websites can be accessed (you might need to edit your hosts file to fix that).
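Before editing the hosts file, it helps to list which entries block or redirect hostnames. The following Python script is an added example, not part of the original article or of any vendor tool; the page does not say which entries Ferosas writes, so the script flags every mapping other than the stock localhost ones, and the sample content with its .example hostnames is constructed.

```python
import ipaddress
import os
import sys

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample for illustration; hostnames are placeholders.
SAMPLE_HOSTS = """\
# Constructed sample, not taken from a real infection
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example www.av-vendor.example
0.0.0.0         forum.security-help.example   # sinkholed
203.0.113.7     bank.example
not-an-ip       something.example
"""


def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for each entry to review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], ""))
            continue
        for host in fields[1:]:
            name = host.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue  # the stock localhost mappings are expected
            # Loopback or 0.0.0.0 makes the site unreachable; anything else
            # silently sends the name to a different server.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for finding in audit_hosts(fh.read()):
            print(*finding, sep="\t")
```

Entries reported as blocked or redirected that you did not add yourself are the ones to remove when cleaning the hosts file.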


How to recover Ferosas Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Ferosas infiltrated your system, and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Ferosas Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Ferosas. You can check other tools here.

Step 3. Restore Ferosas Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Ferosas tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, Ferosas may fail to delete them. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Ferosas Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.