Brusaf File-locker - How to remove

Brusaf is a serious computer virus that can, in the worst cases, cost the victim their files permanently. If you see that your files won’t open and have been renamed to have “.brusaf” attached like a second extension, those are symptoms of a Brusaf infection. This virus is new, but it’s part of a known malware family — STOP/Djvu. That’s enough to show that this illegal activity has been lucrative enough for the extortionists to keep the attacks up. Nowadays, new versions of STOP are being discovered every week and the number of victims seems to remain high.

Brusaf is the type of ransomware that locks your files using strong, unbreakable encryption. It does not lock your screen and the criminals behind it don’t threaten to release your data — but losing access to your own files is devastating enough. Individuals lose their memories stored as photos, writings, personal projects. Businesses lose hours of activity and weeks of work. There is a simple way to protect yourself — file backups — but many people don’t keep them and, when ransomware attacks, they are vulnerable. That makes Brusaf and other file-lockers, like Nqix, Adame, Eris, and others, still very dangerous and devastating.

How Brusaf infects computers

Various ransomware viruses have many different ways to spread.

  • Manual installation of the virus through hacked Remote Desktop accounts.
  • Infected files and links that arrive with email spam.
  • Previously installed trojans downloading the ransomware.
  • Automatic downloads of the virus thanks to malicious websites and ads.
  • Infected bundles uploaded on filesharing networks or spoofed download sites disguised as a safe program or file.

Brusaf often uses that last one, infecting programs like software activators (though you should never assume that these are safe), free browsers, and cracked expensive programs. Downloading and running them without first scanning them starts Brusaf, which disguises itself by displaying a fake Windows Update window. The encryption process begins and very quickly documents, images, spreadsheets, and other files are encrypted.

The affected files are then renamed by appending “.brusaf”, which makes Windows treat them as files of type BRUSAF. Windows itself keeps working because file-lockers avoid encrypting the files that the operating system needs: they want victims to still be able to use the computer and read the ransom note (_readme.txt). In it, the criminals (who use [email protected], [email protected], and a Telegram account @datarestore) declare that they require a ransom of $980 (or $490) to be paid before they send the decryption tools. Security experts advise never paying the ransom unless you absolutely have to.

One issue that all victims of Brusaf should be aware of is that the virus likely spreads a password-stealer called AZORult, which means that the criminals might try to hack your online accounts, as well as your cryptocurrency and banking accounts.

How to remove Brusaf

Brusaf and the other malware should be removed or at least quarantined so that the malicious programs can’t do any more harm. Any competent antivirus program should work, like Spyhunter.

Only when you’ve cleared your computer of the harmful programs is it safe to use it for personal business, but there are still a few things to fix:

  • First, make sure to update everything that you can. Using out-of-date software is an unnecessary security risk, and Brusaf sometimes deletes updates of the antivirus tool to avoid being detected, so your antivirus might actually be broken after the infection.
  • Also, check your hosts file for malicious edits.
  • Finally, secure your browsing to avoid being infected.
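
One way to carry out the hosts file check from the list above, as an added PowerShell example that is not part of the original guide. It assumes that any active entry other than the stock localhost mapping deserves a manual review; the variable names are illustrative.

```powershell
# Added example: audit the Windows hosts file for entries that are not stock defaults.
# Assumption: every uncommented mapping other than "localhost" should be reviewed by hand.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkholes = @('127.0.0.1', '::1', '0.0.0.0')   # addresses commonly used to black-hole a name

$findings = foreach ($raw in Get-Content -LiteralPath $hostsPath) {
    $line = ($raw -split '#', 2)[0].Trim()       # drop comments and surrounding whitespace
    if (-not $line) { continue }                 # skip blank and comment-only lines

    $fields = @($line -split '\s+')
    $ip     = $fields[0]
    foreach ($name in ($fields | Select-Object -Skip 1)) {
        if ($name -eq 'localhost') { continue }  # stock entry, nothing to report
        $note = if ($sinkholes -contains $ip) { 'name is blocked (points at this PC)' }
                else { 'name is redirected to another address' }
        [pscustomobject]@{ Address = $ip; Name = $name; Note = $note }
    }
}

# The file's timestamp shows when it was last changed; compare it with the infection date.
"hosts file last modified: $((Get-Item -LiteralPath $hostsPath).LastWriteTime)"

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No active non-default entries found in the hosts file.'
}
```

Entries you did not add yourself can be deleted from the file with a text editor started as administrator.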

Can the files be unlocked?

The main way to be safe against ransomware attacks is to have backups set up previously. Backups are also great in case your hardware malfunctions, so they’re definitely useful to have. All the important files should be kept in secure storage that can’t be infected by Brusaf or another virus. There are a few ways to set up a backup; pick the one that is the most comfortable for you.

In theory, the files that have the “.brusaf” extension should be fixable because the virus used cryptography to lock them. However, to unlock the files, it’s mandatory to have the decryption key, and there is no way to get it other than from the developers of Brusaf. That’s a problem because not only do they ask for a few hundred dollars for the keys, but extortionists are also famously unreliable, as illustrated by this graph by CyberEdge: a significant number of ransomware victims who pay the ransom fail to recover their data.

There is a chance that one of the encryption keys used on your data can be recovered, so make sure to read this FAQ post by the developer of a free decryption tool for STOP ransomware.

The guide below this post includes a few ways to get back lost data. They’re worth trying, even though the chances of getting back all of your files are low because Brusaf’s developers have been trying to make their malware more difficult to recover from. By the way, some people say that they were able to recover some file types by just removing the “.brusaf” extensions, but this rarely works. Save copies of your locked files before you edit them so that you don’t corrupt them permanently.


How to recover Brusaf File-locker encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Brusaf Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Brusaf File-locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Brusaf Ransomware. You can check other tools here.

Step 3. Restore Brusaf File-locker affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Brusaf Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
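
Both Step 1 and Step 3 depend on picking a snapshot taken before the infection. The following PowerShell sketch is an added example, not part of the original guide: it estimates when encryption started from the _readme.txt notes and .brusaf files, then lists which shadow copies are older. The scan root C:\Users, unaltered file timestamps, and an elevated session are assumptions.

```powershell
# Added example (not from the original guide): estimate when encryption started,
# then list the shadow copies created before that moment.
# Assumptions: C:\Users is the folder to scan, the malware left file timestamps
# intact, and this runs in an elevated (administrator) PowerShell session.
$scanRoot = 'C:\Users'

$markers = @(Get-ChildItem -LiteralPath $scanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq '_readme.txt' -or $_.Extension -eq '.brusaf' })

if ($markers.Count -eq 0) {
    "No _readme.txt notes or .brusaf files found under $scanRoot."
} else {
    # Ransom notes are newly created and encrypted files are rewritten, so the
    # earliest of these timestamps approximates the start of the attack.
    $times = foreach ($m in $markers) {
        if ($m.Name -eq '_readme.txt') { $m.CreationTime } else { $m.LastWriteTime }
    }
    $firstSeen = $times | Sort-Object | Select-Object -First 1
    "Earliest sign of encryption: $firstSeen"

    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) {
        'No shadow copies exist (or the session is not elevated).'
    } else {
        # Only snapshots taken before the first sign of encryption hold clean files.
        $copies | Sort-Object InstallDate | ForEach-Object {
            [pscustomobject]@{
                Created        = $_.InstallDate
                Volume         = $_.VolumeName
                PredatesAttack = $_.InstallDate -lt $firstSeen
            }
        } | Format-Table -AutoSize
    }
}
```

Snapshots marked PredatesAttack = True are the ones worth opening in Previous Versions or Shadow Explorer.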

Step 4. Use Data Recovery programs to recover Brusaf File-locker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.