FOX ransomware - How to remove

FOX ransomware is a project developed by some cyber criminals that is meant to lure money out of people that got their computers infected. This infection is categorized as ransomware because it employs specific encryption technique to lock up the files that are stored on an infected computer and then demands a ransom in order to provide a special tool that could unlock those files. While files are locked, no one can open or use them in any other way, so it can cause a lot of inconveniences. Also, users tend to get really scared, because it’s something they have never dealt with before.

Cyber criminals operating such infections take advantage of this situation and even use scare techniques to force users into paying. That’s probably the worst thing you can do in such a situation. Not only because there are other alternatives to solve this problem that are way cheaper, but also because every paid ransom is a support for cyber criminals which allows them to continue their dirty jobs and infect other computers, develop new malware.

Luckily, you have found a way to our website and if your computer is infected with FOX virus, we can help you. In this article, we will provide you with instructions on how to remove this infection from a computer and restore files that are currently locked.

What Damage Is Caused By FOX ransomware

You already know that this infection is categorized as ransomware, so it’s kind of obvious that files of this threat are distributed using illegal methods. Usually, users are tricked into uploading them to their computers because they come attached to some kind of well crafted ’spammy that claims you have some important information which is detailed in the attached text document. In reality, that “text” document is not what it claims to be and once the user downloads it, malicious files of FOX ransomware are automatically executed on the system.

Once that is done, FOX ransomware starts scanning the system for files that can possibly be encrypted. Unfortunately, that’s almost any file that you can think of. It can lock your photos, text documents, audio and video files, exe files and so on. That means after FOX is done encrypting your files, you will be left with almost nothing.

How do they encrypt files? Well, as most of the other ransomware infections, they employ AES-128 cryptography. RansomAES, Nemucod-AES, and ShutUpAndDance viruses also use the same cryptography to encrypt files.

You will immediately notice that your files were encrypted because Fox ransomware adds [email protected].*random_numbers*.FOX extension to the end of every encrypted file. If your file is marked with this unique extension, it means it’s locked and you can’t use it.

Also, another thing that will tell you about the infection – #FOX_README#.rtf file that will be placed on every folder that has encrypted files on it. This so-called ’ransom will provide the information about current situation of the infected system. It goes like this:

HOW TO RECOVER YOUR FILES INSTRUCTION
ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don’t worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!
INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.
HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
[email protected]
[email protected]
[email protected]
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
In subject line write your personal ID: c0pyc@tfr0mpcr1sk
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.
OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
We will definitely reach an agreement 😉 !!!

ALTERNATIVE COMMUNICATION
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:
1. Оpеn in yоur brоwsеr thе link hxxps://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.
2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.
3. Rеturn tо sitе аnd сlick “Lоgin” lаbеl оr usе link hxxps://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе “Sign in” buttоn.
4. Сlick thе “Сrеаtе Rаndоm аddrеss” buttоn.
5. Сlick thе “Nеw mаssаgе” buttоn.
6. Sеnding mеssаgе:
Tо: Еntеr аddrеss: BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm
Subjесt: Еntеr уоur ID: 2D0D30719CD9D741
Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.
Сlick thе “Sеnd mеssаgе” buttоn.
s0NDfj7c

As we have told you before, cyber criminals are using scare techniques and they claim that your personal files will be removed after 7 days if you fail to pay the ransom. Do not believe that – usually that’s not true, they are only trying to force users to pay this way.

Even if it is actually true, you shouldn’t be paying the ransom. Instead of that, look at the alternative removal and decryption methods that are provided below – it’s a much cheaper and convenient way to solve a problem like this.

How To Decrypt Files And Remove FOX Virus

First of all, you need to understand that removing the virus and decrypting files that it has encrypted are two separate tasks. I.e. it’s not enough only to decrypt files or only to remove the virus – those have to be done complementary.

Obviously, you need to get rid of FOX ransomware first. That can be easily done by using a decent anti-malware tool, such as Spyhunter. So just scan your system with one of those and all malicious files of FOX ransomware should be automatically detected and removed within minutes.

Unfortunately, that won’t unlock your personal files. To do this, you have several options – to restore them from a backup or to use a file recovery tool that would do that for you. If you have a valid backup file that was made before this infection and stored on an external drive, you can follow this guide and perform a system restore. If you don’t have such an option, try using one of many free file recovery tools.

Also, if you have any questions regarding the removal of the Fox ransomware or decrypting files of [email protected].*random_numbers*.FOX extension, do not hesitate to ask us a question in the comments section below and we will try to help you.

Automatic Malware removal tools

How to recover FOX ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before FOX ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of FOX ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to FOX ransomware. You can check other tools here.  

Step 3. Restore FOX ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually FOX ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover FOX ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.