Divinity Ransomware - How to remove

Divinity is a malicious program, file-encrypting ransomware. It infects Windows computers, locks files (and changes their names to end with “.divinity”), and then asks the victim to write to the extortionists on Telegram or Twitter.

Ransomware such as Divinity is used by cybercriminals to extort people for money. Victims are promised their files back if they pay. There’s no guarantee that the criminals will actually return the data, though.

About Divinity ransomware:

Type of threat: Ransomware.

Divinity infection symptoms:
  • files don’t open,
  • their names end with “.divinity”, their icons are blank pages,
  • the desktop background is changed,
  • ransom notes ask you to contact the people behind Divinity in order to decrypt your files.

How to get your data back:
  • restore your files from backups,
  • see if Divinity failed to encrypt some of your data,
  • undelete and repair some files, if possible.

How to delete Divinity ransomware: Use antivirus programs (Spyhunter, others) to find and delete all malware.

How Divinity ransomware works

Divinity ransomware is part of the Xorist family. Xorist has been around since 2016. It allows malicious actors to build their own versions of Xorist ransomware and give them their own flavor, including a different ransom note. Divinity is one such variant.

Because different groups of criminals build custom ransomware variants, it’s hard to predict how Xorist spreads. The creators of Divinity could have used spam emails, hacked RDP accounts, or even uploaded files infected with Divinity online and made them look like popular programs or media. There are many ways for ransomware to infect computers.

Once Divinity ransomware infects a computer, it quickly locks data and leaves a note asking for the extortionists to be contacted:

  • the ransomware encrypts files, breaking their contents and making them unreadable,
  • it also changes the names of these files by adding the suffix “.divinity”,
  • the ransomware replaces the desktop background with a picture that shows the text “Infected by Divinity”,
  • it shows an error message with the contacts of the extortionists,
  • the ransomware also leaves ransom notes called “HOW TO DECRYPT FILES”.

Here’s the text of the ransom notes and the error pop-up displayed by Divinity ransomware:

========================================
Attention! Your files have been encrypted by divinity ransomware!
To restore your files and access them,
Contact @lulzed on telegram
Twitter @dissimilate
If you try to Decrypt your files all the data irreversibly is destroyed
========================================

Divinity ransom note asks to contact the extortionists.

Can you fix your files?

If you have backups, then you can restore your files after you delete Divinity ransomware. Having backups is the best way to defend yourself against ransomware. It’s just that, to protect the backups from cybercriminals, it’s important that they are not accessible from the infected computer. For example, external drives that are disconnected from your computers have no way of getting infected with Divinity.

If you don’t have backups, there are a few options to get some of your data back, but they are not perfect.

Divinity ransomware encrypts files, but not necessarily all of them. It might skip some file types, even some folders. So, look through your folders carefully and see what the situation is.

Cybersecurity companies Trend Micro and Emsisoft have released decryptors for Xorist ransomware. But Divinity is a new variant, so it’s not supported by these decryptors. Keep an eye on these tools and on Nomoreransom.org for news on decryption software. If a decryptor for Divinity is released, you’ll likely need a few examples of unencrypted files to match with the encrypted ones to help the decryption software.
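
As an added example (not part of the original article), the PowerShell script below inventories a folder using the indicators described above, so you can see what Divinity skipped, and pairs encrypted files with clean copies from a backup, the kind of reference pairs a future decryptor may ask for. The function names and the demo folder are hypothetical, and the demo files are constructed.

```powershell
# Added example. Indicators are the ones the article gives: the ".divinity"
# suffix and notes named "HOW TO DECRYPT FILES". Demo paths are constructed.

function Get-DivinityInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $state = if ($_.Name -like 'HOW TO DECRYPT FILES*') { 'RansomNote' }
                     elseif ($_.Extension -ieq '.divinity')     { 'Encrypted' }
                     else                                       { 'Untouched' }
            [pscustomobject]@{
                State    = $state
                Path     = $_.FullName
                # File name before the suffix was appended
                Original = if ($state -eq 'Encrypted') { $_.BaseName } else { $_.Name }
            }
        }
}

function Find-ReferencePair {
    param([Parameter(Mandatory)]$Inventory,
          [Parameter(Mandatory)][string]$BackupRoot)
    # Index clean copies by file name (on duplicate names the last one wins)
    $clean = @{}
    Get-ChildItem -LiteralPath $BackupRoot -Recurse -File |
        ForEach-Object { $clean[$_.Name] = $_.FullName }
    $Inventory |
        Where-Object { $_.State -eq 'Encrypted' -and $clean.ContainsKey($_.Original) } |
        ForEach-Object { [pscustomobject]@{ Encrypted = $_.Path; CleanCopy = $clean[$_.Original] } }
}

# Constructed demo tree in a throwaway temp folder
$demo = Join-Path ([IO.Path]::GetTempPath()) "divinity-demo-$PID"
$docs = Join-Path $demo 'Documents'
$bak  = Join-Path $demo 'Backup'
$null = New-Item -ItemType Directory -Path $docs, $bak -Force
'report.docx.divinity', 'photo.jpg.divinity', 'settings.ini', 'HOW TO DECRYPT FILES.txt' |
    ForEach-Object { Set-Content -LiteralPath (Join-Path $docs $_) -Value 'constructed' }
Set-Content -LiteralPath (Join-Path $bak 'report.docx') -Value 'constructed'

$inv = @(Get-DivinityInventory -Root $docs)
$inv | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
Find-ReferencePair -Inventory $inv -BackupRoot $bak | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

To use it on real data, point `-Root` at the affected folder and `-BackupRoot` at a backup drive connected only after the malware has been removed.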

How to remove Divinity ransomware

Use antivirus apps (Spyhunter, others) to remove malware – Divinity ransomware, as well as any other threats that might have been installed alongside it. You can also just format your drives if you’re okay with having to reinstall your software.

It’s important to know how Divinity infected your PC to stop that from repeating. It’s also important to protect the files that are important to you by backing them up. That way, no ransomware attack can destroy them.


How to recover Divinity Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

For Windows 7 / Vista / XP:
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10:
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings:

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Divinity Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Divinity Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Divinity Ransomware.

Step 3. Restore Divinity Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Divinity Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
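
Both Step 1 and Step 3 depend on picking a snapshot taken before the infection. The script below is an added example, not part of the original article: it estimates when encryption began from the oldest “.divinity” file and lists the restore points and shadow copies that predate it. The function names and the scan root are hypothetical, and it assumes the ransomware left file timestamps intact.

```powershell
# Added example (not from the original article). Run in an elevated
# Windows PowerShell 5.1 session; Get-ComputerRestorePoint is not in PowerShell 7.

function Get-EncryptionStart {
    param([Parameter(Mandatory)][string]$Root)
    # Assumption: the ransomware did not reset timestamps, so the oldest
    # LastWriteTime among ".divinity" files approximates when encryption began.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.divinity' } |
        Sort-Object LastWriteTime |
        Select-Object -First 1 -ExpandProperty LastWriteTime
}

function Get-Snapshot {
    # Normalise shadow copies and restore points into one shape
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'ShadowCopy'; Created = $_.InstallDate
                           Id = $_.ID; Detail = $_.VolumeName }
    }
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'RestorePoint'; Created = $_.ConvertToDateTime($_.CreationTime)
                           Id = $_.SequenceNumber; Detail = $_.Description }
    }
}

function Select-PreInfection {
    param([Parameter(Mandatory)][datetime]$Cutoff,
          [Parameter(ValueFromPipeline)]$Snapshot)
    process { if ($Snapshot.Created -and $Snapshot.Created -lt $Cutoff) { $Snapshot } }
}

$root  = Join-Path $env:USERPROFILE 'Documents'   # assumed scan root
$start = Get-EncryptionStart -Root $root
if ($start) {
    "Oldest .divinity file written: $start"
    Get-Snapshot | Select-PreInfection -Cutoff $start |
        Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    Write-Warning "No .divinity files found under $root"
}
```

An empty table means no snapshot older than the first encrypted file survived, which is consistent with the ransomware having deleted the Shadow Volume Copies.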

Step 4. Use Data Recovery programs to recover Divinity Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.