Encryptile ransomware - How to remove

Just last week we first heard the name “Encryptile”, which refers to a new ransomware virus. We are no longer startled by the number of crypto-nightmares that get released from their leashes. It is vital to keep a straight head and think of the most rational ways of avoiding or defeating ransomware. Thanks to the analysis done on the Encryptile virus, it is easier to get acquainted with its main features, methods of distribution and demands. It is important that the nightmare of Encryptile does not haunt you in your dreams like Freddy Krueger. Try to dodge its long nails and wake up from the disturbing dream that this virus really is. As Halloween is approaching, it is quite fun to find relations between ransomware viruses and the most-feared characters. Nevertheless, being infected is not to be taken as a celebration. Encryptile virus is a crypto-ransomware which uses a combination of AES and RSA for file encryption and appends the .encryptile extension to the end of every encoded file.

About Encryptile Ransomware

If you are expecting fireworks, bombs and other extravagant artillery from Encryptile virus, you might be a tiny bit disappointed, as it seems to follow the steps common to a bunch of other ransomware infections around. The first objective of any ransom-demanding virus is to get its payload downloaded onto the victim's machine.


Once it has reached your device, Encryptile virus will do everything in its power to be run automatically whenever the infected computer launches its regular processes and programs. To be counted among the executables that have to be run at startup, the payload of Encryptile virus has to take matters into its own hands. As it is programmed, the malicious executable will modify Windows Registry keys, specifically the ones related to the automatic launch of programs. Right after getting the chance to run, the payload proceeds to a third step. This one is a combination of four smaller objectives: scanning for files to encrypt, encoding them with the AES and RSA algorithms, informing the C&C server about a new victim and, finally, letting the victims themselves become aware of the unfortunate situation they are in, over their heads. The unlucky person is informed via a ransom letter and a program designed for decryption of files.
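To see what such an autorun modification looks like from the defender's side, here is an added PowerShell example (it is not code from the original article, nor Encryptile's own): it lists the entries in the standard Run/RunOnce registry keys, flags commands that launch from user-writable folders, and counts files carrying the .encryptile extension per directory. The key paths are the standard Windows autorun locations; the suspicious-path heuristic and the folder to scan are this example's own assumptions.

```powershell
# Added example (not from the original article): audit the Windows autorun
# registry keys that ransomware such as Encryptile modifies for persistence,
# and take inventory of files that received the .encryptile extension.
# Assumptions: run in an elevated Windows PowerShell 5.1 session on the
# affected machine. The key names are the standard autorun locations; the
# "suspicious path" heuristic below is this example's own.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Executables launched from user-writable directories deserve a closer look;
# legitimate software normally lives under Program Files or Windows.
$SuspiciousPathPattern = '\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\'

# Properties that PowerShell adds to every registry item; they are not autorun values.
$ProviderMetadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderMetadata) { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = [bool]([string]$p.Value -match $SuspiciousPathPattern)
            }
        }
    }
}

function Get-EncryptedFileInventory {
    # Default scan root is the current user's profile; widen it as needed.
    param([string[]]$Roots = @($env:USERPROFILE))
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.encryptile' -ErrorAction SilentlyContinue |
        Group-Object DirectoryName |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Directory'; e = { $_.Name } }
}

Write-Host '== Autorun entries (Suspicious = launched from a user-writable folder) =='
Get-AutorunEntry | Format-Table -AutoSize

Write-Host '== Directories containing .encryptile files =='
Get-EncryptedFileInventory | Format-Table -AutoSize
```

A suspicious autorun entry is a lead, not a verdict: note the command line, take a copy of the referenced executable for the anti-malware scan described later in this article, and only then remove the value. The file inventory doubles as a list of the folders you will want to check in Previous Versions or Shadow Explorer.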


Let’s take a closer look at the letter that is left behind by Encryptile virus. The virus gives exactly 3 days to send the required sum of bitcoins and have a chance of getting the encoded data back. We have already mentioned that a tool for decryption is installed on victims’ devices. If the ransom successfully reaches the crooks, they promise that after clicking on the “Check Payment” button you will be able to clearly see the AES key for decryption. The crooks who designed this hoax of Encryptile virus also wish that their victims would contact [email protected]. They even promise to decrypt one file to prove their good intentions. The following text can be found in the ransom note:

Your files are safely encrypted with strongest AES encryption and a private RSA key
Warning! If anti-virus deletes software then look at the screenshot and text documents. You can still get your files if you pay by the time. Any cracking attempts will result in a termination of both keys.
Your important files are encrypted with a AES and RSA key, only for this computer. To unlock all of your files as if nothing ever happened, please send 0.053773 bitcoin to the bitcoin address by 3 days or both keys will be terminated and your files will be sold. There are tutorials and links to popular bitcoin markets to help you buy bitcoin easier. There is video proof the password downloads after payment, and that the decryption is flawless and you can’t recover/restore any files without the keys. Send the exact amount of bitcoin. Wait a few minutes and hit “Check payment”. After payment, the keys will download and the AES key will appear. Then go to “Decrypt” and enter the AES key. Web browsers and basic programs are only allowed until you pay. We will decrypt 1 file. E-mail us with your ID and file.
E-mail: [email protected]
ID: [your ID will be displayed here] 1Q8bF8MgLpZkcmHXPSFjjdpDfGMPVTHjSn
0.053773
[Deadline] If anti-virus stopped software, e-mail ID after you pay.
How to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
https://localbitcoins.com, https://paxful.com/buy-bitcoin

How to Decrypt Files Encrypted by Encryptile Ransomware?

Encryptile virus is not user-friendly and it won’t act in the best interest of its victims. According to the ransom note, the creators of this variant demand 0.053773 Bitcoins (about 38 dollars). This price is actually extremely low compared to ransomware viruses that viciously demand 3-4 bitcoins for decryption. With such a small fee, people might actually consider paying it. However, we hope that you won’t be one of those people and that your response will be “no”. Even if your valuable data is encoded by Encryptile virus, you should never try to retrieve files by sending bitcoins. One of the possible scenarios is that the crooks will disappear or give you a decryption key which will not do anything good. For the future, keep one thing in mind: backups are a resource that should be used far more than they usually are.

How is Encryptile Ransomware Distributed?

Encryptile virus probably won’t use any innovative techniques for distribution, as it is not a very novel variant. It is new, but it pursues the same objectives as any other ransomware. In addition to that, it also uses well-known methods for being introduced to Internet users. You might have already noticed that, sometimes, peculiar and inviting letters can be spotted in your email inbox. Never go around opening them or, worse, downloading the executables they offer. On many occasions, people have downloaded the payload of a ransomware instead of the promised file.

An anti-malware tool will assist you in the removal of Encryptile virus without any delays. After that, you can try to restore your files by following the advice below (universal file-recovery tools or Volume Shadow Copies). Spyhunter and Malwarebytes are among the most efficient malware fighters and will be dedicated to keeping your device running smoother than ever.

How to recover Encryptile ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Encryptile ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Encryptile ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to Encryptile ransomware. You can check other tools here.

Step 3. Restore Encryptile ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Encryptile ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
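Both the restore points of Step 1 and the shadow copies of Step 3 are kept by the same Volume Shadow Copy Service, and both can be checked from PowerShell before you reach for rstrui.exe or Shadow Explorer. The following is an added example (it is not code from the original article): it lists restore points and shadow copies created before the infection and copies one file back out of the newest pre-infection snapshot through a temporary directory symlink. The infection date, the file path and the link name are placeholders you would adjust; the cmdlets and WMI classes used are standard Windows ones.

```powershell
# Added example (not from the original article): enumerate System Restore
# points and Volume Shadow Copies that predate the infection, and copy one
# file back from the newest pre-infection shadow copy.
# Assumptions: elevated Windows PowerShell 5.1 (Get-ComputerRestorePoint is
# not available in PowerShell 7) on a system where VSS was enabled and the
# ransomware did not manage to purge the snapshots. The three values below
# are placeholders.

$InfectionTime = Get-Date '2016-10-20'                      # placeholder: when .encryptile files appeared
$FileToRecover = 'C:\Users\Alice\Documents\report.docx'     # placeholder: original (pre-encryption) path
$LinkPath      = 'C:\shadow_vss'                            # placeholder: temporary symlink to the snapshot

# Restore points are what rstrui.exe offers in Step 1. CreationTime arrives
# in DMTF format, so it is converted before comparing.
function Get-PreInfectionRestorePoint {
    Get-ComputerRestorePoint |
        Where-Object { $_.ConvertToDateTime($_.CreationTime) -lt $InfectionTime } |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

# Shadow copies are what Previous Versions and Shadow Explorer read from,
# newest first. Get-CimInstance already converts InstallDate to a DateTime.
function Get-PreInfectionShadowCopy {
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.InstallDate -lt $InfectionTime } |
        Sort-Object InstallDate -Descending
}

function Restore-FileFromShadowCopy {
    param([string]$Path, [string]$Destination)

    # Map the drive letter (e.g. C:) to its volume GUID so it can be matched
    # against the VolumeName each shadow copy reports.
    $driveLetter = Split-Path -Qualifier $Path
    $volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
    if (-not $volume) { throw "Volume for $driveLetter not found" }

    $copy = Get-PreInfectionShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Select-Object -First 1
    if (-not $copy) { throw "No pre-infection shadow copy found for $driveLetter" }

    # The snapshot is reachable through its device object; the trailing
    # backslash in the link target is required for mklink to resolve it.
    cmd.exe /c mklink /d $LinkPath "$($copy.DeviceObject)\" | Out-Null
    try {
        $snapshotFile = Join-Path $LinkPath (Split-Path -NoQualifier $Path)
        if (-not (Test-Path $snapshotFile)) { throw "File not present in snapshot from $($copy.InstallDate)" }
        Copy-Item -Path $snapshotFile -Destination $Destination
        Write-Host "Restored $Path from snapshot taken $($copy.InstallDate) to $Destination"
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot.
        cmd.exe /c rmdir $LinkPath | Out-Null
    }
}

Write-Host '== Restore points created before the infection =='
Get-PreInfectionRestorePoint | Format-Table -AutoSize

Write-Host '== Shadow copies created before the infection =='
Get-PreInfectionShadowCopy | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Recover a single file into a separate folder rather than over the encrypted copy,
# so that nothing is lost if the snapshot turns out to be post-infection.
Restore-FileFromShadowCopy -Path $FileToRecover -Destination 'C:\Recovered\report.docx'
```

Copying into a separate folder rather than restoring in place is deliberate: if the newest pre-infection snapshot turns out to already contain encrypted data, the encrypted original is still there to try an older snapshot against. An empty result from either listing is the sign, mentioned above, that the ransomware succeeded in deleting the snapshots, and you move on to Step 4.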

Step 4. Use Data Recovery programs to recover Encryptile ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program (Data Recovery Pro, for example).
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.