A newly detected malware virus has been crowned and its title is All_Your_Documents. Basing our agreements on characterization of different categories of threats, we can state, hands down, that this sample is a ransomware. There is no need to contemplate too much and rack brains to determine the main goal of All_Your_Documents virus. It is natural to assume that a ransomware is supposed to be somehow related with ransom-demanding, and such associations are correct. Ransomware variants apply algorithms for encryption to commence an encoding process, and hackers either prefer AES or RSA ciphers. In some cases, a combination of the two can be exploited when the private key for decryption, generated by AES, is additionally locked under the influence of RSA. All_Your_Documents differs from other samples by instead of encrypting files, it chose to hold them hostage in a .rar file, secured with a password. Also, All_Your_Documents ransomware will raise the fee for the secret code everyday the ransom remains unpaid. The starting point is 0.35 BTC and the next three days are free. After that, the virus demands 0.05 BT more, until it reaches the final price: 1.85 BTC. Explaining this in other terms means that the primary 358.79 USD can reach the amount of 1896.45 USD. This conflict should not be settled with you paying the ransom and wasting loads of money. Read the full article to find out how All_Your_Documents virus should be properly handed.
Review of All_Your_Documents ransomware and explanations of its activity
In other areas, All_Your_Documents is expected to proceed quite similarly to other ransomware infections. It has a payment website, opened only via TOR browser and the page gives information about the bitcoins, making a transaction, its amount and the bitcoin wallet to receive such a contribution. Before such demands are made known to the infected user, All_Your_Documents ransomware has to carry out a couple objectives. Obviously, its distribution technique has to be successful. After that, the virus will initiate changes in the device, making it possible to start the file-locking process. For this purpose, some entries might be slipped into Windows Registry Keys. It possible to assume that All_Your_Documents virus will make an effort to contact its C&C server. This is done to celebrate a new victim and announce about him/her to the hackers.
Upon this interaction, virus will make it its mission to find certain files and lock them in one All_Your_Documents.rar file. Selected data will be removed from their original locations and placed into one, password-protected piece of data. Then, it will place another file: All Your Files in Archive!.txt to give the primary information about the infection. The locked WinRAR file be explained to be placed in root of each disk, ina folder called All_Your_Documents. Also, there is also a link to a payment website that we mentioned before. You are forced to download TOR browser to access it since other browsers won’t find such a domain. In the website, hackers also leave a bitcoin wallet to send the required fee: 1MDXGYZsnMNvZGLXkrnTdQ5Kdfzy4NgKMt. No matter how desperately you need your files out of that .rar archive, you have to remain cautious and remember that hackers have a tendency to leave people hanging. Which means that a password to unlock the All_Your_Documents.rar might not be provided even if you do pay.
Is there any way to unlock the archive and defeat All_Your_Documents ransomware?
Security researchers have not figured out the password yet, but just give it time. If there are any changes, we are sure to inform you about them. For now, there is not much we can say in this area. You can retrieve your files from backup storages, that is you have stored them there beforehand. If you are yet unaware of the advantages of having your files in such facilities, you have been missing out. Storing important data in a second location is a clever decision and we support it 100%. In case your original, stored in hard drives, are encrypted/locked, you cam simply eliminate the ransomware and retrieve your files from a storage. If you do not trust an online storage to keep your files safe, you can always keep your files in USB flash drives.
All_Your_Documents ransomware and its distribution
All_Your_Documents ransomware might differ from other ransomware viruses, but its distribution is very likely to be exactly the same. You can find its payload disguised as a random file, appended to random email letters. We are always stressing out the importance of keeping your email accounts free from spam. You can do this my simply removing letters that fall out of context completely and appear to have reached you from unknown source. Ransomware can also be spread in social networking sites or take advantage out of exploit kits.
Reimage, Spyhunter or Malwarebytes have a set course of action to destroy infections like All_Your_Documents ransomware. They won’t assist you with the unlocking process, but it will remove the infection itself. Before it does, make sure to copy the .rar file in case the virus decided to delete it during its elimination.
- Review of All_Your_Documents ransomware and explanations of its activity
- Is there any way to unlock the archive and defeat All_Your_Documents ransomware?
- All_Your_Documents ransomware and its distribution
- Automatic All_Your_Documents ransomware removal tools
- How to recover All_Your_Documents ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- Step 2. Complete removal of All_Your_Documents ransomware
- Step 3. Restore All_Your_Documents ransomware affected files using Shadow Volume Copies
- Step 4. Use Data Recovery programs to recover All_Your_Documents ransomware encrypted files
Automatic All_Your_Documents ransomware removal tools
How to recover All_Your_Documents ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before All_Your_Documents virus has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of All_Your_Documents ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to All_Your_Documents virus. You can check other tools here.
Step 3. Restore All_Your_Documents ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually All_Your_Documents virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover All_Your_Documents ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.