[[email protected]].save Ransomware - How to remove

If your files were locked with the .[[email protected]].save extension, broken even if you change their names, and if you were presented with a ransom note talking about how “all your files have been encrypted” and to write to an email address, these are classic symptoms of a ransomware infection, in this case — a version of Dharma ransomware. [[email protected]].save is similar to Dharma-Btc, 2k19sys, TOR13 — other Dharma/CrySiS variants.

If you saw a pop-up which mentions the [email protected] and [email protected] email addresses, and if your locked files have had the [[email protected]] bit appended to their names, you must have been hit with the [[email protected]].save virus, or just Save as some people call it.

I want to make it very clear that the virus is only meant to take advantage of the victims and that the criminals responsible for it shouldn’t be trusted. They want to make money off this, nothing more. They probably have the key needed for decryption (sometimes they don’t send it after being paid), but the amount of money they usually ask is a few thousand dollars, which is prohibitive to most people. And paying the ransom wouldn’t remove the [[email protected]].save virus from the infected computer, which means that your files would still be in danger of getting encrypted again.

How to avoid ransomware infections

Ransomware viruses are distributed in a variety of ways by many separate criminal groups, but there are only so many ways for [[email protected]].save to find itself on your device.

• Malspam is one of the most dangerous ways that ransomware is spread. In the past, Dharma has used an antivirus tool installation distributed using email to infect computers. Emails warning about faulty PC security were carrying the virus, as well as a legitimate cybersecurity program. This combination of scam, bundling, and email spam was effective in tricking victims that nothing malicious was happening on their computer. If you are able to recognize fake security warnings, such scams do not work, but targeted phishing can be extremely difficult to avoid.
• Remote desktop is used by cyber extortionists to perform targeted attacks, so disable it if you aren’t using. If you are using it, set the passwords to something very complex and make use of VPN to stop outsiders from accessing your computer and installing [[email protected]].save, or some more serious virus on your PC.
• Trojans install viruses, so if your computer is already infected with a serious virus, being infected with more is almost inevitable.
• Malvertising is used to spread malware, and it’s very difficult to dodge. Generally, malicious ads are encountered on websites that already have a poor reputation, but, less frequently, they happen anywhere online. Just remember to not trust pop-up windows, especially when they originate in the browser.

At the end of the day, avoiding viruses online is nearly impossible, so your best bet is creating a backup of your data so that, if you ever lose the files, they can be restored from another copy. If you do have backups and they were stored properly — disconnected from the infected device — the impact of the [[email protected]].save virus is severely diminished.

How to remove [[email protected]].save

To remove Save, a professional antivirus application is needed, like Spyhunter. If there are viruses other than [[email protected]].save, they should be removed, too. As is shown here, most reputable antivirus tools can recognize how malicious this program is. There is the possibility that the virus will resist removal, so disconnect your PC from the internet and enter safe mode before scanning it.

Unfortunately, this won’t fix the encrypted files. Nor is there a free decryptor for [[email protected]].save. In general, ransomware uses really strong and secure encryption. Amateur ransomware coders sometimes implement it poorly and leave the door open for decryption (or make the files undecryptable completely), but [[email protected]].save is not the work of amateurs. And though previously Dharma’s keys were leaked to the public and, based on them, a free decryption tool was created, the new versions, including [[email protected]].save, haven’t had their private keys exposed, which means that no free decryptor currently exists. One might be developed in the future, but that’s very unlikely.

The [[email protected]].save files might not be decryptable, but there are still a few things to try to recover the files. Previous copies, likely encrypted by [[email protected]].save, but still worth trying. Data recovery, which can restore deleted files from a hard drive provided that they were not overwritten, could possibly recover some data, too. However, there is no guaranteed way to get the files back. [[email protected]].save and other modern ransomware has become sophisticated and try to make file recovery as difficult as possible.

Automatic Malware removal tools

How to recover [[email protected]].save Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Save Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Save

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to [[email protected]].save Ransomware. You can check other tools here.  

Step 3. Restore Save Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Save tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover [[email protected]].save Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.