File Spider ransomware is a new threat from the crypto-malware group, discovered on 10th of December, 2017. Security researchers found two main samples of this infection, and both of them are created as .doc files: BAYER_CROPSCIENCE_OFFICE_BEOGRAD_93876.doc and CUMMINS_SERBOMONTE_DOO_72225.doc. The infection appears to run through PowerShell, just like the OhNo! Ransomware we discussed back in August of 2017.
The File Spider crypto-virus consists of two parts: a file for encryption called enc.exe and one for decryption, created as dec.exe. The latter file is the main GUI. Victims are urged to read the ransom notes that launch, which inform them that their files are encrypted and that they have to visit the recommended TOR website. Many crypto-viruses feature TOR domains: My Decrypter is one of them. If they attempt to decrypt files in other ways, all of their data might be lost forever. People will expect to open one of the ransom notes by clicking on HOW TO DECRYPT FILES.url. However, this will actually run the enc.exe file. Here is the original text of the ransom note:
As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.
The good news is that there is still a chance to recover your files, you just need to have the right key.
To obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!
Remember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.
To avoid any misunderstanding, please read Help section.
File Spider crypto-virus encrypts files, has a Tor website and features a graphical interface
Hackers often abuse the technique of malicious macros. Through macros, crooks are able to run malicious tasks, shell commands and applications. Therefore, you should always be careful when downloading .doc files. There are quite a few malicious tricks hackers can exploit when it comes to Microsoft Office files.
By enabling the editing feature, you allow a malicious task to be carried out automatically (without your knowledge). Consider this: you find a .doc file attached to an email. Before downloading the file, make sure that its sender is reliable (even Mac users should be worried).
If victims have any questions, hackers instruct them to contact the [email protected] email address. Do not negotiate with the creators of File Spider crypto-malware because there is no point in doing so. Hackers are still going to require ransoms for file decryption and there is very little that you can do. Obviously, do not pay the demanded fee as crooks might not even be capable of decrypting files (https://blog.avast.com/ransomware-top-3-reasons-you-should-never-pay). On the other hand, they might be tricking users and abandoning them after the ransoms are paid.
No decryption tool for the File Spider virus yet: try alternative methods
For now, security researchers cannot offer you a guaranteed fix for the encryption. However, File Spider ransomware appears to be spreading at the moment. This means that security researchers could obtain enough information to generate a free file recovery tool. Until then, victims should not pay the demanded sums of money as this will only support ransomware projects in the future. Please try universal file recovery tools that might also be capable of helping you restore data to their original form.
Furthermore, you could take a look at the Shadow Volume Copies. To be more specific, you should check whether ransomware deleted them during the process of encryption. It could be that the authors of this ransomware infection are from Germany, but this is very difficult to fully confirm.
Things to do in order to get rid of File Spider crypto-malware
Before you try any of the file-recovery options, we suggest that you get rid of the malicious files first. Otherwise, even if you find a successful technique and recover your data, the ransomware could re-encrypt it. You can follow the guidelines below to get rid of the crypto-virus manually. On the other hand, keeping computers malware-free is the main mission of Spyhunter. Consider installing this extremely reliable anti-malware tool and enjoy a safer browsing experience.
As for the distribution of ransomware, we would like to remind you of the two most popular techniques. First of all, these infections spread via malicious spam campaigns. In other cases, improperly protected RDPs can become the cause of a ransomware infection. Lastly, some ransomware infections can end up in operating systems after users interact with malicious online advertisements.
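One way to look for leftover shortcuts like the HOW TO DECRYPT FILES.url described above, which launches enc.exe instead of opening a note, before attempting recovery. This is an added example, not code from the ransomware analysis or from any tool named on this page; the function names, the sample path and both sample shortcuts are constructed for illustration.

```python
import configparser
import ntpath
import os
import re
from urllib.parse import unquote

# File types Windows runs directly when a shortcut target is opened.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}

# Constructed samples, not taken from a real infection; the path is hypothetical.
SAMPLE_NOTE = "[InternetShortcut]\nURL=file:///C:/Users/alice/AppData/Roaming/example/enc.exe\n"
SAMPLE_WEB = "[InternetShortcut]\nURL=https://example.com/help\nIconIndex=0\n"

def shortcut_target(text):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None  # not INI-formatted, so not a usable shortcut
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)  # keys are lowercased
    return None

def classify(target):
    """Return 'executable' or 'local' for local/UNC targets, 'web' for anything else."""
    t = target.strip().lower()
    is_local = t.startswith(("file:", "\\\\")) or re.match(r"[a-z]:[\\/]", t) is not None
    if not is_local:
        return "web"
    ext = ntpath.splitext(unquote(re.split(r"[?#]", t, maxsplit=1)[0]))[1]
    return "executable" if ext in EXEC_EXTS else "local"

def scan(root):
    """Walk root and return (path, target, verdict) for .url files with non-web targets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                target = shortcut_target(fh.read())
            if target and classify(target) != "web":
                findings.append((path, target, classify(target)))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_NOTE, SAMPLE_WEB):
        print(shortcut_target(sample), "->", classify(shortcut_target(sample)))
```

Run scan() over the user profile or an offline-mounted copy of the disk; any "executable" finding is a shortcut to delete rather than click.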
How to recover File Spider ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points created before File Spider ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of File Spider ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to File Spider ransomware.
Step 3. Restore File Spider ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually File Spider ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover File Spider ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.