Age ([email protected]) Virus - How to remove

There is a ransomware infection called Age that infects PCs and encrypts files. Age can be recognized by the extension “.id[XXXXXXX-2495].[[email protected]].age” that it appends to each locked file. This extension includes a unique victim ID and an email address belonging to the people responsible for the infection.

You might recognize Age as a Phobos infection: it uses the Phobos ransom note that instructs you to buy bitcoin, the extension includes the email address that victims are told to contact, and anti-malware tools already detect Age as ransomware.

Ransomware attacks can be really devastating, whether or not you have backups:

  • They take time to recover from even if you have backups.
  • Ransomware might cost money to restore the files – and if you contact the extortionists, it’s a gamble whether they’ll even help you after you send them money.
  • Important data might be totally lost regardless of whether the criminals send a decrypter.

Unfortunately, there is currently no way to reverse the encryption and recover Age files for free. This is tragic considering that Phobos is currently one of the most widespread ransomware families, and a lot of people end up losing their files to Age. Incidentally, Adame seems to be the most popular version of Phobos at the moment.

Age features and removal description:

Age ransomware symptoms
  • Files cannot be opened
  • File names have the suffix “.id[48DB4B76-2495].[[email protected]].age” added

Age ransomware distribution
  • Torrent sites
  • Malicious emails
  • RDP attacks

How to get rid of the infection
  • Delete the malware using anti-malware scanners (SpyHunter)

How to restore the Age files
  • Restore from backups
  • Use data recovery software, shadow volume copies, etc.

Age features

The first thing you might notice after an Age attack is that files have their names changed. For example:

pres.doc.id[48DB4B76-2495].[[email protected]].age

The other email address given by Age ransomware is [email protected]. Each Phobos variant lists different contacts and might even use a different infection tactic.
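As an added example that is not part of the original article, the Python script below recognizes the file-name pattern shown above (original name, victim ID, contact address, and the “.age” extension) and triages a directory listing; the listing and the contact e-mail are constructed placeholders, since the page’s copy of the address is redacted.

```python
import re
from collections import Counter

# Shape of a Phobos-style encrypted file name, following the page's sample
# "pres.doc.id[48DB4B76-2495].[<email>].age":
#   <original name>.id[<8 hex chars>-<4 digits>].[<contact e-mail>].<extension>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"                           # original name, e.g. pres.doc
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"  # per-victim ID quoted in the note
    r"\.\[(?P<contact>[^\[\]]+@[^\[\]]+)\]"         # attacker contact address
    r"\.(?P<ext>[A-Za-z0-9]+)$"                     # variant extension, "age" here
)


def parse_phobos_name(name):
    """Return the parsed fields of a Phobos-style name, or None if it does not match."""
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(names, ext="age"):
    """Summarise a directory listing: how many files carry the .<ext> marker, which
    victim IDs and contact addresses appear, the original names that were renamed,
    and which files are untouched (useful when writing a detection or cleanup script)."""
    hits, untouched = [], []
    for name in names:
        parsed = parse_phobos_name(name)
        if parsed and parsed["ext"].lower() == ext.lower():
            hits.append(parsed)
        else:
            untouched.append(name)
    return {
        "encrypted": len(hits),
        "untouched": untouched,
        "victim_ids": Counter(p["victim_id"] for p in hits),
        "contacts": Counter(p["contact"] for p in hits),
        "originals": [p["original"] for p in hits],
    }


# Constructed sample listing; "contact@example.invalid" is a placeholder address.
SAMPLE_LISTING = [
    "pres.doc.id[48DB4B76-2495].[contact@example.invalid].age",
    "budget.xlsx.id[48DB4B76-2495].[contact@example.invalid].age",
    "archive.tar.gz.id[48DB4B76-2495].[contact@example.invalid].age",
    "notes.txt",
    "photo.jpg",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```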

The ransomware uses a hybrid encryption scheme and only encrypts part of each file, which allows it to do a lot of damage very quickly.

After Age is done encrypting the files, it shows a ransom note like this:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message 48DB4B76-2495
In case of no answer in 24 hours write us to these e-mails: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

It’s possible that the people behind Age see themselves as a sort of vigilante group that attacks those who “deserve” it by having poor security. It wouldn’t be the first time that cyber extortionists justify their actions this way. But it is true that poor Remote Desktop security increases the risk of infection.

"age", the ransom note

Age ransomware distribution

Age is a type of Phobos, and together with Calix, Caley, and others, it’s thought to be RaaS (ransomware-as-a-service), which means that the attacks are not carried out by the creators of the ransomware; instead, the distributors and the creators work separately and share the profits. This is why the distribution of Phobos varies so much. I’ve heard of quite a few ways that Phobos ransomware has infected systems.

One of the ways Age spreads could be malicious emails: an Age download link or a file with a malicious macro arrives in an email. An infected installer bundled with a fake virus alert is another example of how Age can spread. Also, if you work for a business that could be a potential target for a ransomware attack, watch out for phishing emails, because those can lead to the remote desktop attacks described next.

Remote desktop attacks allow cyber-criminals to invade a system, plant Age ransomware and backdoors, steal information, and do whatever else they want. The attack might occur on a Friday night after work. The credentials for administrator accounts are often stolen using phishing attacks or simply guessed.

Torrent sites might be used to distribute Age. Files, installers, and tools infected with Age could be uploaded for free, for everyone to download, and not even long-time uploaders can be trusted. Considering that individual PC users rarely enable RDP on their computers, this is probably how they get infected.

Recovering Age files

This ransomware is secure enough that there’s not really any hope of decrypting the files without involving the criminals who are responsible – and they ask for ransom that is exorbitant for most individual PC users and even many businesses. The only real way to reverse the damage at the moment is to deal with the extortionists, which is extremely risky.

There is hope that some data from big files can be recovered, because Age only partially encrypts big files. Also, data recovery software can help restore a lot of data in specific situations (if the infected drive is a hard drive, if it wasn’t used after the infection, and if you have spare drives to recover to).
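As an added example (not from the original article), the Python script below shows how a practitioner would check whether a large file still contains unencrypted regions after a partial-encryption attack: it walks the file in chunks, measures the entropy of each chunk, and reports the ranges that look like ciphertext versus original data. The sample file is constructed; the page does not document which part of a file Age encrypts, so the layout of the sample is an assumption.

```python
import math
import random


def shannon_entropy(chunk):
    """Entropy of the chunk in bits per byte: close to 8.0 for ciphertext or random
    bytes, much lower for ordinary documents and text."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_regions(data, chunk_size=4096, threshold=7.5):
    """Walk the file in fixed-size chunks, label each chunk 'encrypted' (entropy at or
    above the threshold) or 'plain', and merge runs of equal labels into
    (label, start_offset, end_offset) regions. Caveat: formats that are already
    compressed (zip, jpg, mp4) are high-entropy by nature and are labelled 'encrypted'
    too, so this test is only meaningful for documents, text, databases and the like."""
    regions = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        label = "encrypted" if shannon_entropy(chunk) >= threshold else "plain"
        if regions and regions[-1][0] == label:
            regions[-1] = (label, regions[-1][1], off + len(chunk))
        else:
            regions.append((label, off, off + len(chunk)))
    return regions


def recoverable_bytes(regions):
    """Number of bytes that still look like original content and may be salvaged."""
    return sum(end - start for label, start, end in regions if label == "plain")


# Constructed stand-in for a partially encrypted big file: the first 64 KiB replaced
# with seeded random bytes (what ciphertext looks like), the rest left as the original
# text. Assumed layout for illustration only; the scan itself does not depend on it.
_rng = random.Random(1)
SAMPLE_FILE = (bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
               + b"Quarterly report, section 4. Revenue was flat.\n" * 6000)

if __name__ == "__main__":
    regs = classify_regions(SAMPLE_FILE)
    for label, start, end in regs:
        print(f"{label:>9}: bytes {start}-{end}")
    print("recoverable:", recoverable_bytes(regs), "of", len(SAMPLE_FILE))
```

On a real disk image, read the file in binary mode and pass the bytes to classify_regions; the plain regions are what a data-recovery tool or a manual carve can still salvage.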

However, having backups is the only real way to stay safe against ransomware attacks.

Before you can restore the files and use the infected computer, Age needs to be removed. This can be done using any competent anti-malware scanner, for example SpyHunter. Then it’s a good idea to update your software, make sure that all passwords are complex enough that they can’t be guessed, and secure your browsing to avoid future infections.


How to recover Age ([email protected]) Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Age ([email protected]) Virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Age ([email protected]) Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Age ([email protected]) Virus.

Step 3. Restore Age ([email protected]) Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Age ([email protected]) Virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Age ([email protected]) Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
