Carcn Ransomware - How to remove

This ransomware is from the Dharma/CrySiS family. Carcn uses encryption to scramble the data of files on a computer. The files are useless without a key (a very large number that is impossible to guess right) to decrypt them. The key is only known to the people who spread this ransomware. In exchange for decryption of the files, the criminals ask for money.

Ransomware usually asks its victims to pay the ransom in Bitcoin, whose transactions are irreversible and anonymous. Thus, if the files are not restored even after the ransom has been paid, the criminals still keep the money. Indeed, some ransomware developers in the past have been too lazy or incompetent to implement a way to decrypt the files that they had encrypted. This is why some cybercriminals offer to decrypt one file for free — to prove that they can do that.

Ransomware like the Carcn virus is dangerous to both businesses and individuals. Restoring the files costs time, and is not always successful. And if backups of the encrypted files are not available, the files could be entirely lost.

Still, it is not a good idea to pay for the decryption. Paying encourages the harmful practice and still does not guarantee recovery of the files, as the cybercriminals have no obligation to be fair.

How to recognise the Carcn virus

Files encrypted by Carcn are renamed by appending “.id-[unique id].[[email protected]].carcn” to the original name of each file:

[original file name].[file type].id-[unique id].[[email protected]].carcn

A ransom note file called “FILES ENCRYPTED.txt” is created. Email addresses ([email protected] and [email protected]) are provided in the ransom note, and the victim is encouraged to contact the cybercriminals:

all your data has been locked us
You want to return?
write email [email protected] or [email protected]

It looks like the creators of the Carcn ransomware haven’t changed the text of the ransom note for many iterations of this virus.
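
As an added example (not code from the original article), this read-only Python triage script uses the naming pattern and ransom-note name described above to inventory affected files and recover each original file name. The sample ID, address and file names are constructed, and the regular expression assumes the ID contains no dots or brackets and that the e-mail address sits in literal square brackets.

```python
import os
import re
import tempfile
from collections import Counter

# Pattern from the page: <original name>.<type>.id-<unique id>.[<email>].carcn
# Assumption: the id has no dots or brackets; the e-mail sits in literal [ ].
CARCN_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]+)\.\[(?P<contact>[^\]]+)\]\.carcn$", re.I)
RANSOM_NOTE = "files encrypted.txt"  # note name given on the page, lower-cased

def parse_carcn_name(filename):
    """Return (original_name, victim_id, contact), or None if the name does not match."""
    m = CARCN_NAME.match(filename)
    return (m["original"], m["victim_id"], m["contact"]) if m else None

def inventory(root):
    """Walk root without modifying anything and summarise what was affected."""
    report = {"encrypted": [], "notes": [], "ids": Counter(), "untouched": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parsed = parse_carcn_name(name)
            if parsed:
                # Keep the full path plus the name the file had before renaming.
                report["encrypted"].append((os.path.join(dirpath, name), parsed[0]))
                report["ids"][parsed[1]] += 1
            elif name.lower() == RANSOM_NOTE:
                report["notes"].append(os.path.join(dirpath, name))
            else:
                report["untouched"] += 1
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names, id and address."""
    names = [
        "report.docx.id-A1B2C3D4.[contact@example.invalid].carcn",
        "photos/img.v2.jpg.id-A1B2C3D4.[contact@example.invalid].carcn",
        "photos/FILES ENCRYPTED.txt",
        "notes.carcn.bak",  # mentions carcn but is not an encrypted-file name
    ]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = inventory(tmp)
        print(len(result["encrypted"]), "encrypted,", len(result["notes"]), "note(s)")
        print(dict(result["ids"]))
```

The list of original names is useful for checking which files have a clean copy in backups before anything is deleted.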

How this ransomware is distributed

Some of the ways malware, including the Carcn ransomware, spreads are:

  • Remote Desktop Protocol hacks,
  • Infected email attachments,
  • Fake security warnings and fake software update prompts,
  • Bundles of free software,
  • Software cracks and pirated files.

Malware doesn’t usually spread alone, so there is a high risk that if the Carcn ransomware is installed on your machine, there are more malicious apps there. The malware could be adware, which disrupts browsing by injecting advertisements into every website; keyloggers, which try to steal personal information such as passwords; or crypto miners, which use your computer’s processing power to mine cryptocurrency for someone else.

Viruses can exploit unpatched operating system security flaws and pass by antivirus programs undetected when the antivirus program hasn’t been updated for too long (normally antivirus programs need to be updated at least once per day).

Trojans can trick people into installing viruses by pretending to be another program and, if the antivirus doesn’t catch them, the malware can edit the system’s security settings, which could, for example, prevent some websites from loading. This is bad news if those websites concern cybersecurity.

Keep your passwords complex and change them frequently, scan new files before running or opening them, and don’t trust flashy warnings about your computer’s compromised security or needed updates if these warnings originate in the browser. Keep copies of your files either in the cloud or on an external disk so that the loss of your files in case of a ransomware attack is not so devastating.

How to remove Carcn Ransomware

There is no free tool that would allow people to decrypt the files. Still, it could be worth it to back up your encrypted files somewhere and wait for a decryption tool to be released. It’s possible — other ransomware of the Dharma family has a decryption tool, though it works only because the decryption keys were leaked.

First, you should remove the Carcn virus and other malware from your system. The safest way to do that is by using antivirus software, like Spyhunter or Malwarebytes. You can also remove the virus manually, but it is advised that afterwards you scan the system to make sure that you found all the malware.


How to recover Carcn Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Carcn Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Carcn Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Carcn Ransomware.

Step 3. Restore Carcn Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Carcn Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Carcn Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.