Calix Ransomware - How to remove

Calix Ransomware is a virus that infects systems in a variety of ways and locks files using cryptography. The locked files are renamed so that their names end with “.id[[random]-2451].[[email protected]].calix”, including the email address of the criminals behind this attack. Calix is a type of Phobos ransomware and there is no way to decrypt its files for free.

Can you decrypt Calix files

Calix has been around for a few weeks, while the Phobos family of ransomware (Calix is a type of Phobos) is even older. Although this ransomware is well-known and cybersecurity researchers have analyzed it already, no one has been able to come up with a way to help the victims decrypt their files. The encryption is too well-implemented. And to make recovery even harder, Calix deletes backup folders and shadow volume copies in the system.

Cryptography is no joke, however, Calix doesn’t always encrypt whole files, but only enough to break them and prevent them from being read by programs. The larger the file, the more unencrypted data there remains in it. And though it’s not readable by programs, some data might be salvageable. For example, try to repair your video files, or extract the encrypted archives to restore some of the lost data. Data recovery programs might also get some useful data back.

Calix ransomware details:

Calix details	VirusTotal link Similar to Adame, Caley, Banta, and other viruses
Ransomware distribution	Infected through breached Remote Desktop Downloaded thanks to malicious emails
Remove Calix ransomware	Delete Calix using antivirus programs (SpyHunter)
Restore Calix files	Restore from backups Repair the files Use data recovery

Calix left the email addresses of the extortionists promising that they can help fix the files, but contacting them is risky. Sure, they have a way to reverse the encryption. But the ransom is usually very big – the people behind Calix aren’t interested unless the victim has a few thousand dollars. On top of that, some of the people fail to get back to the victims after they get paid the money. The victims being ignored after they send the money isn’t an uncommon story.

The best option is to have backups from before the infection ever happened.

Lastly, it’s important to make sure that Calix is gone from the computer. This can be done by scanning the infected device with a competent antivirus program, like SpyHunter. When the ransomware is quarantined or deleted, it won’t be able to re-encrypt any more files. The file that infected the system should also be removed. System settings should be repaired: for example, Calix disables the firewall.

Calix infection symptoms

Calix is named so after the extension that it gives the encrypted files. The label given to each of the affected files is this:

.id[[random]-2451].[[email protected]].calix

for example,

song.mp3.id[71D2C847-2451].[[email protected]].calix

Calix also creates ransom notes – info.hta, info.txt. Once it’s done running, the ransomware opens an html file in which the extortionists urge the victim to contact them and to send them files for free test decryption, allowing the criminals to prove that they are able to recover them (doesn’t guarantee that they will do anything after they have their money, by the way). Info.txt contents:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: [email protected].
If we don’t answer in 24h., send e-mail to this address: [email protected]

Network storage is also attacked by Calix and the files there might get encrypted, too.

Although Calix ransomware is dangerous, the files it locks are not and can be moved to other devices safely.

How Calix infects computers

Calix is a part of Phobos, one of the most widespread ransomware infections during the last year. The victims include businesses and individual computer users. Although the ransomware seems to be made to extort well-off organizations, it might catch smaller fish in its net, too.

Calix might spread in a variety of ways. One of the most effective is spam emails. These are email messages that carry a link or file infected with Calix ransomware. The goal of these emails is to convince people to download and start the virus on their own. So the letters promise that the link or attached document is very important, urgent, interesting. etc. This might be solved by just scanning the file using a security program.

Another likely way that Calix spreads is by Remote Desktop. The attackers likely get the credentials for this earlier with the help of phishing attacks, or by guessing the most common passwords. After you delete Calix, make sure to secure RDP better than before.

Automatic Malware removal tools

How to recover Calix Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Calix has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Calix Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Calix. You can check other tools here.  

Step 3. Restore Calix Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Calix tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Calix Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.