Acton Ransomware - How to remove

Acton is the name of file-encrypting ransomware, a version of Phobos. This cryptovirus infects computers and networks, usually through RDP, and locks the files by scrambling their contents with a practically unbreakable encryption algorithm. The criminals responsible for Acton then demand money, usually a few thousand dollars.

Acton is similar to Frendi, Phoenix, and Adame viruses. Unfortunately, there is no way to decrypt Acton files. There are only ways to restore lost data like you would corrupted files, described in some detail in the last section of this article.

How Acton works

Acton can encrypt multimedia files, documents, text files, databases, archives, and other file types that are likely to have been created by the user and to be important. The encryption is fast, so you’re unlikely to notice it before it’s done. The files are encrypted with a symmetric algorithm, and the keys are then encrypted with an asymmetric algorithm. Big files might not be completely encrypted, but they’re broken enough that they’re not functional.

After Acton is finished encrypting, it creates info.hta and info.txt files in which it tries to convince the victim to contact the criminals.

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message
In case of no answer in 24 hours write us to this e-mail:[email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
• Do not rename encrypted files.
• Do not try to decrypt your data using third party software, it may cause permanent data loss.
• Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Acton has used these emails, and more:

The latest version used [email protected] and [email protected], with the former being included in the names of the encrypted files: .id[<random>-1091].[[email protected]].Acton.
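
The naming scheme above is enough to inventory the damage from a file listing. The following is an added example, not code from the article: it parses the .id[<random>-1091].[<e-mail>].Acton suffix, recovers each original file name, and separates encrypted files, ransom notes (info.hta, info.txt) and untouched files. The sample paths, victim ID and e-mail address are constructed, and the function names are this example's own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Suffix layout from the article: .id[<random>-1091].[<contact e-mail>].Acton
# Assumption: neither <random> nor the e-mail contains a ']' character.
ACTON_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)-(?P<build>\d+)\]"
    r"\.\[(?P<contact>[^\]]+)\]\.Acton$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.hta", "info.txt"}  # note files named in the article

def parse_acton_name(path):
    """Return the fields of an Acton-renamed file name, or None if no match."""
    match = ACTON_NAME.match(PureWindowsPath(path).name)
    return match.groupdict() if match else None

def triage(paths):
    """Sort a file listing into encrypted files, ransom notes and untouched files."""
    report = {"encrypted": [], "notes": [], "untouched": [],
              "victim_ids": Counter(), "by_type": Counter()}
    for path in paths:
        name = PureWindowsPath(path).name
        fields = parse_acton_name(path)
        if name.lower() in RANSOM_NOTES:
            report["notes"].append(path)
        elif fields is None:
            report["untouched"].append(path)
        else:
            report["encrypted"].append((path, fields["original"]))
            report["victim_ids"][fields["victim_id"]] += 1
            ext = PureWindowsPath(fields["original"]).suffix.lower()
            report["by_type"][ext or "(none)"] += 1
    return report

# Constructed sample listing (IDs, e-mail and paths are made up for illustration).
SAMPLE = [
    r"C:\Users\ann\Documents\report.docx.id[1A2B3C4D-1091].[contact@example.invalid].Acton",
    r"C:\Users\ann\Documents\budget.xlsx.id[1A2B3C4D-1091].[contact@example.invalid].Acton",
    r"C:\Users\ann\Pictures\trip.jpg.id[1A2B3C4D-1091].[contact@example.invalid].Acton",
    r"C:\Users\ann\Desktop\info.txt",
    r"C:\Users\ann\Documents\notes.md",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(len(result["encrypted"]), "encrypted;", dict(result["victim_ids"]))
    for path, original in result["encrypted"]:
        print(f"{original!r:15} <- {path}")
```

The list of recovered original names can be compared against a backup index to see which files still have a clean copy.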

Acton’s developers want you to not forget their promises to restore the files after payment. But don’t give in, and do not pay unless you absolutely have to. Not only are the ransoms ridiculously high, at thousands of dollars, but many of the distributors of Acton do not respond after getting their money, taking the ransom and leaving the victim hanging.

How to avoid ransomware

Acton is detected by a lot of antivirus tools but it doesn’t necessarily matter — the virus can be installed after the antivirus has been turned off.

Acton spreads through RDP. Remote Desktop is a very useful tool to access computers remotely and a lot of businesses and organizations use it, but it also makes the accessed computers vulnerable to being hacked. The extortionists find administrator accounts with weak credentials on exposed connections and use them to infect the computers with the Acton cryptovirus and possibly cause more problems, such as disabling the antivirus.
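
Password guessing against an exposed Remote Desktop service leaves a recognisable trail in the Windows Security log. The following is an added example, not code from the article: it flags source addresses with a burst of failed logons and reports whether a successful logon from the same address followed. The record layout (field names), the threshold and time window, and all sample events are constructed for illustration; the event IDs and logon types are standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log facts: event 4625 = failed logon, 4624 = successful logon.
# Logon type 10 is RemoteInteractive (RDP); failed RDP logons show as type 3 with NLA.
FAILED, SUCCESS, RDP_TYPES = 4625, 4624, {3, 10}

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Report source IPs with >= threshold failed logons inside `window`,
    and whether a successful logon from the same IP followed the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in RDP_TYPES and ev["event_id"] in (FAILED, SUCCESS):
            by_ip[ev["ip"]].append((datetime.fromisoformat(ev["time"]), ev))
    findings = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda row: row[0])
        fails = [t for t, ev in rows if ev["event_id"] == FAILED]
        burst_end = None
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue  # a few mistyped passwords, not a guessing run
        later_ok = [ev["user"] for t, ev in rows
                    if ev["event_id"] == SUCCESS and t >= burst_end]
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "targeted": sorted({ev["user"] for _, ev in rows if ev["event_id"] == FAILED}),
            "logged_in_as": later_ok[0] if later_ok else None,
        })
    return findings

def _event(event_id, minute, ip, user):
    """Build one constructed record; the field names are this example's own."""
    return {"event_id": event_id, "logon_type": 10, "ip": ip, "user": user,
            "time": f"2020-01-15T02:{minute:02d}:00"}

# Constructed sample: six failures then a success from one address,
# plus a single mistyped password from another.
SAMPLE = ([_event(4625, m, "203.0.113.7", "Administrator") for m in range(6)]
          + [_event(4624, 7, "203.0.113.7", "Administrator"),
             _event(4625, 3, "198.51.100.20", "ann"),
             _event(4624, 4, "198.51.100.20", "ann")])

if __name__ == "__main__":
    for finding in find_rdp_guessing(SAMPLE):
        print(finding)
```

A finding whose logged_in_as field is set means the guessing succeeded, so that account and host should be treated as compromised.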

Infected emails are another way that ransomware similar to Acton is spread. Computers are infected by careless recipients of malicious email spam who open the messages out of curiosity or concern. The emails are usually crafted to evoke urgency, fear, rashness and get the reader to recklessly download and open the attached file.

Other ransomware distribution methods that aren’t used by Acton but should be considered include malvertising (outdated software exploited by infected ads to automatically download viruses) and infected files uploaded online (this is more of a threat to individuals and is used by STOP ransomware).

How to remove Acton

Remove the virus by scanning your computer with a powerful antivirus program, like Spyhunter, or another tool. Don’t be surprised if Acton is not the only infection on your computer, as viruses are often bundled together. After Acton is removed, review your system and your settings, change your passwords, and install security updates.

It’s also important to close any vulnerabilities, like an exposed Remote Desktop connection. Use a VPN that’s shared only with the people who need to access it and take other security measures to stop criminals from trying to break into your system. Don’t open spam emails, always scan the files you download. And, most importantly, make regular backups of your files so that you don’t lose your data.

How to recover Acton Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Acton Ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of Acton Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Acton Ransomware.

Step 3. Restore Acton Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Acton Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Acton Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.