Arescrypt ransomware - How to remove

Arescrypt ransomware, developed and publicly shared on Github back in December 2017 by @Blackvikingpro and @LucidScorpion, currently caught @malwarehunterteam’s eyes, presumably having a chance to become as misused as a Hidden Tear Project.

Developers of this open source ransomware, whose name means Arsenal of Reaping Exploitational Suffering (ARES), claim to share it just for educational purposes, because of the different working techniques, but that doesn’t make the cybersecurity specialist happy and more worried, because we all know that Arescrypt virus will be mostly adjusted and used by the crooks and not students, causing more compromised machines, encrypted files, and unsatisfied computer users.

Because Arescrypt is a new ransomware and yet has not been used as an actual parasite to infect anyone, some facts are still unclear. What is more, this virus template can be adjusted by the hackers as much as they want, starting from the name, extension and ending with a ransom size. Therefore, educate yourself before Arescrypt becomes widely spread in order to be prepared to avoid or fix this new notorious ransomware.

How does Arescrypt virus work

Arescrypt virus just like any other ransomware compromises computers unnoticed and locks the important files, promising to decrypt them if the victim pays a certain amount of money – ransom. The good examples are the famous WannaCry, NotPetya, RandomLocker and etc. However, Arescrypt is slightly different than the other ransomware.

Unlike the rest, Arescrypt has the ‘all-in-one’ function that allows the parasite to encrypt the files, verify the ransom payment and decrypt files if the victim actually paid. Other ransom demanding threats post the text file providing the compromised user with email and crypto wallet where they should send the money, but this is not reliable and most affected people do not pay because they are not sure if crooks will send the decryptor to them back. In this case, Arescrypt developers are expecting that the ransom collecting will be more successful and faster because right after the payment files will get unlocked.

Additional unique Arescrypt crypto-extortionist qualities include:

• Unique API calls to configurable server (standalone PHP script included)
• Information stored in DAT (configuration) file – obfuscated too
• Extensive configuration file
• Sandboxing capabilities

Arescypt is developed to compromise Windows OS only and takes payments in Bitcoin, Litecoin, and Zcash. Locked files’ extension and ransom amount will depend on how hackers will customize it.

These qualities make this virus special and different, however, some features still need to be improved, that is why the developers posted it on Github. Unfortunately, malware professionals are afraid that this will turn into the Hidden Tear project which will allow anyone to modify this ransomware and spread even more threats to the virtual world, while there is plenty to take care of already.

How can Arescrypt ransomware spread

Since the virus is not being distributed yet and is only posted on Github as a sample it can use any ransomware spreading method. Most likely – Malspam. Targeted victims will get a socially engineered email trying to convince them to open the attachment, which is infected with the Arescrypt ransomware. One click will be enough to initiate the virus.

Nevertheless, you can get Arescrypt or any other ransomware in many other different ways such as P2P networks, rootkits, malvertising ads, infected public networks, removable media, torrents, freeware bundles, compromised websites.

Meanwhile, most believe that a good, expensive antivirus will protect you fully from any virtual parasite, they are not completely right. Actually, viruses are becoming more and more cunning and can easily overcome the protection and invade your system. Antivirus helps from minor infections, but when it comes to AresCrypt ransomware, the threat will pass it with no trouble. That is why you should really take a look into How to prevent getting a ransomware infection and what.

How to clean your PC from Arescrypt ransomware infection

While antiviruses are not the greatest way to protect your PC from getting malware, anti-spyware tools are an irreplaceable method of removing the AresCrypt and other parasites once they are already in the system. The best tools so far are Spyhunter and Malwarebytes. Spyhunter has really sophisticated spyware hunting/removal skills.

Automatic Malware removal tools

Sometimes you need to know how to remove the Arescrypt based ransomware before you can use any malware removal software because the virus interrupts your browsing/downloading functions. For that, we have prepared a detailed guide on how to remove the Arescrypt ransomware from the Windows OS. At the moment there is no decryptor for the Arescrypt ransomware family, but keep an eye on the decryptor for updates.

How can you remove Arescrypt virus for free

How to recover Arescrypt ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Arescrypt ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Arescrypt ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Arescrypt ransomware. You can check other tools here.  

Step 3. Restore Arescrypt ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Arescrypt ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Arescrypt ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.