Carote Ransomware - How to remove

Reports about Carote infections appeared on the weekend and it appears to be another version of STOP/Djvu ransomware. The virus does not seem to introduce any new features or weaknesses, which means that Carote is just as dangerous as the other new versions of Djvu. Although there are possible solutions to recover files locked by this ransomware, none of them have high chances of success. But the most important part — deleting the virus off of your machine — is achievable by any victim.

Carote can most easily be recognized by the “.carote” extension applied to the locked files and most often distributed with illegitimate copies of commercial software online. This virus uses cryptography to lock people’s files and it hides the key, then tries to force you to pay money for it.

What does Carote do

Like most malware out there, the purpose of Carote is to help its developers make money — same as other ransomware, like Dragon, Junior, or Tflower. All these infections demand money from the victims who have just had their files locked by the virus, although not all of them follow through and restore the files.

Carote leaves a ransom note “_readme.txt” on the infected computer in which the ransom amount is specified (just under a thousand dollars) and the criminals even promise to decrypt a single file to prove that they can do it. They also give their email addresses ([email protected] and [email protected]).

.carote cryptovirus, the ransom note text

Carote locks your files by running them through an encryption algorithm and it’s good enough to make the files useless as they are. The encryption would be reversible if you had decryption software (which is the same for every victim of Carote), and the decryption key (which is unique for everyone). Unfortunately, the key is only known to the culprits responsible for this virus, and the victims are left with their documents, pictures, movies, songs, and various important files locked and unusable. Carote marks these files with the “.carote” extension and doesn’t re-encrypt the marked files, but this suffix is nothing more than a label — removing it won’t fix the files.

If Carote can do all this without being stopped by your anti-malware software, that’s because it’s disabled it before it started encrypting your files. The virus is capable of that, as well as of starting up regularly to lock any new files that you create. After you remove Carote, you will need to fix your antivirus and some other settings that the cryptovirus messes with.

How Carote spreads

The developers of Carote malware have employed a few different distribution methods and currently, most victims seem to get this virus through infected software that’s distributed for free. Such files are freely available to pirate, but it’s also well known that they’re commonly used to spread malware, usually as a way to monetize them. So it’s unsurprising that the most common infection story is of someone who torrented an expensive program, downloaded a crack, or tried to activate a product without buying it.

There are other ways that ransomware, including the predecessors of Carote, spreads:

  • Remote Desktop hacks — someone gets access to your computer through RDP because your password was too weak and anyone was allowed to attempt a connection.
  • Ransomware downloaded with a message, usually email — malicious spam messages are distributed with links to malware, or malicious files as attachments, hoping that careless recipients will download and open them without scanning them first.

Worse, Carote sometimes installs a password-stealing trojan together with itself to try and steal a few passwords to possibly hijack a few of your accounts later.

How to delete Carote and restore the files

Until you’ve removed Carote and other malware from your computer, don’t use it for anything important. The virus is persistent and the trojan it brings with it can be used to steal your accounts and even make unauthorized purchases with your money, so cleaning your computer should be the priority for most of Carote’s victims.

You can use Spyhunter, or any other competent antivirus program to run a scan of your system and find the viruses. Ransomware like Carote is easily detected by professional anti-malware. Remember to update yours after the computer is clean because Carote has broken it. And don’t be alarmed by the files marked with the “.carote” label — they are not dangerous, even though some security products out there delete them — be careful about that, you might need the encrypted files later.

Backups are your best bet for getting your files back, though only if they were stored separately from the infected computer. Remember that any hardware connected to the machine or even just on the same local network can be impacted by Carote. At the same time, ransomware can fail to delete backups or encrypt some files (such as the big files), so look into it and see if your infection experienced some technical difficulties.

If backups are not an option, look into data recovery which might help you recover some files.

Finally, check out STOPDecrypter, which is a program capable of decrypting the files locked by some versions of STOP/Djvu in the cases when the virus was forced to use a hardcoded encryption key — those cases aren’t common, but if the author of this program updates it to support Carote, then you might be able to recover some of your files. It’s theoretically possible that the authors of this virus will be caught by law enforcement and the decryption keys released, or that some genius cybersecurity researchers find out a way to decrypt some of the files. The hope, though small, is always there and you can keep the encrypted files that you hope to recover.
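Before any cleanup tool runs, it helps to know how many files were hit and to keep a copy of them, since the article notes that some security products delete the marked files and you may need them for a future decryptor. The following PowerShell inventory is an added example, not code from the original article; the preservation folder (assumed to be on an external drive) and the search roots are assumptions.

```powershell
# Added example, not from the article: inventory ".carote" files and "_readme.txt"
# ransom notes and preserve a copy of them before running any cleanup tool.
# Assumes Windows PowerShell 5.1+ and that $Preserve points to a drive that is
# not the infected system drive (an external disk, for example).
function Save-CaroteEvidence {
    param(
        [string[]]$Roots  = @("$env:USERPROFILE"),
        [string]$Preserve = 'E:\carote-preserved'   # assumed external target
    )
    $encrypted = foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.carote' -ErrorAction SilentlyContinue
    }
    $notes = foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue
    }
    # Summary first, so the scale of the damage is known before anything is copied.
    $bytes = (@($encrypted) | Measure-Object Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    $summary = [pscustomobject]@{
        EncryptedFiles = @($encrypted).Count
        TotalMB        = [math]::Round($bytes / 1MB, 1)
        RansomNotes    = @($notes).Count
        TopFolders     = (@($encrypted) | Group-Object DirectoryName | Sort-Object Count -Descending |
                          Select-Object -First 5 | ForEach-Object { "$($_.Count) in $($_.Name)" }) -join '; '
    }
    $summary | Format-List | Out-String | Write-Host
    New-Item -ItemType Directory -Force -Path $Preserve | Out-Null
    foreach ($f in @($encrypted) + @($notes)) {
        # Keep the original folder layout under $Preserve so files can be matched later.
        $rel  = $f.FullName.Substring((Split-Path -Qualifier $f.FullName).Length).TrimStart('\')
        $dest = Join-Path $Preserve $rel
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dest) | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    }
    # Record SHA-256 hashes so the preserved copies can be verified later.
    Get-ChildItem -LiteralPath $Preserve -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -NoTypeInformation -Path (Join-Path $Preserve 'manifest.csv')
    return $summary
}
```

Run it from an elevated prompt on the cleaned-up machine, or with the infected disk attached to another PC as the article suggests, adjusting the roots to the user profiles that were in use.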


How to recover Carote Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before Carote Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Carote Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Carote Ransomware.

Step 3. Restore Carote Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Carote Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
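The same lookup can be scripted when there are many files to check. The PowerShell function below is an added example, not code from the original article or from Shadow Explorer: it enumerates the shadow copies of the affected volume, mounts each one through a directory symlink, and looks for the pre-encryption version of a given “.carote” file, relying on the article's description that the suffix is appended to the original name. The function name, the output folder and administrator rights are assumptions.

```powershell
# Added example, not from the article: search every Volume Shadow Copy of a drive
# for the pre-encryption version of a ".carote" file and copy it out.
# Assumes: running as Administrator; file name = original name + ".carote".
function Find-ShadowOriginal {
    param(
        [Parameter(Mandatory)] [string]$EncryptedPath,   # e.g. C:\Users\me\Documents\report.docx.carote
        [string]$OutputDir = "$env:USERPROFILE\Desktop\shadow-recovered"   # assumed target
    )
    if (-not $EncryptedPath.EndsWith('.carote')) { throw "Expected a .carote file: $EncryptedPath" }
    # Strip the label to get the name the file had before encryption.
    $original = $EncryptedPath.Substring(0, $EncryptedPath.Length - '.carote'.Length)
    $drive    = Split-Path -Qualifier $original                # C:
    $relative = $original.Substring($drive.Length).TrimStart('\')
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form.
    $volume = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID
    $copies = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume } |
              Sort-Object InstallDate -Descending
    if (-not $copies) {
        Write-Warning "No shadow copies for $drive (the ransomware may have deleted them)"
        return
    }
    New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
    foreach ($copy in $copies) {
        $link = Join-Path $env:TEMP ('vss-' + [guid]::NewGuid().ToString('N'))
        # A directory symlink is the supported way to browse a snapshot; the trailing backslash matters.
        cmd /c mklink /d "$link" "$($copy.DeviceObject)\" | Out-Null
        try {
            $candidate = Join-Path $link $relative
            if (Test-Path -LiteralPath $candidate) {
                $stamp = $copy.InstallDate.ToString('yyyyMMdd-HHmmss')
                $dest  = Join-Path $OutputDir ("$stamp-" + (Split-Path -Leaf $original))
                Copy-Item -LiteralPath $candidate -Destination $dest
                Write-Host "Recovered from snapshot $stamp -> $dest"
            }
        } finally {
            # rmdir on a symlink removes only the link, never the snapshot data behind it.
            cmd /c rmdir "$link" | Out-Null
        }
    }
}
```

Newer snapshots are tried first; every copy found is saved with its snapshot timestamp so you can pick the latest clean version yourself.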

Step 4. Use Data Recovery programs to recover Carote Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
