GoldenEye Ransomware - How to remove

Petya and Mischa are not the names of two Russian fellows: they are a pair of crypto-ransomware viruses that no longer pose a threat. Security researchers investigated both cases thoroughly, gathered enough evidence and finally managed to produce working decryption tools for these two infections. Nevertheless, the creators of these viruses have no intention of giving up so easily. Just recently, a relative of Petya and Mischa appeared in the cyber world, and IT specialists wasted no time in analyzing it. As it turned out, GoldenEye crypto-ransomware targets German-speaking users and sends its spam messages in that language as well. Its main installer is said to be attached to emails that allegedly originate from legitimate sources. You should not trust people via email alone; stick to the old-fashioned face-to-face conversation on important subjects.

What is the GoldenEye Ransomware?

The introduction above covered the general aspects of the GoldenEye virus but left out the more specific details. As IT specialists revealed, this variant is closely related to Petya and Mischa in that all of these infections follow a similar path for encryption. However, even though these ransomware samples are comparable, they also have some distinguishing features. The GoldenEye virus can be regarded as the improved version of P&M, since it has gained the ability to encrypt both users’ files and entire drives.


First, once the ransomware has been dropped into the Temp folder, a Visual Basic for Applications (VBA) macro runs the malicious application. After that, almost nothing stands between the GoldenEye virus and encryption. This twisted love affair targets both the user’s data and the drive’s master file table (MFT).


The ransomware begins its dirty work by encrypting files with various extensions and appending eight characters (letters, numbers or symbols in no particular order) to the end of each name. Furthermore, if the virus also manages to infect the master boot record (MBR) of your computer, you will be locked out of every file on your hard drive. To cover up its crime, the GoldenEye virus shows a misleading screen claiming that your disks contain errors and need to be repaired. Soon this screen disappears and a frightening image of a yellow skull appears. After that, you will have to come to terms with the fact that ransomware has invaded your space. The screens that follow contain the addresses of websites that victims are told to visit via the Tor browser. It is basically a fancier version of any other ransomware that demands bitcoins.


The GoldenEye virus differs in that it provides lengthy instructions on purchasing bitcoins and even offers the possibility of sending a message to the crooks. You should not try to engage in a conversation with these filthy people, as nothing good can come of it.


In addition to that, never pay the demanded ransom. In this case, the GoldenEye virus demands 1.33284506 BTC, which is 1001.71 US dollars.


How is GoldenEye Ransomware distributed?

Like many other ransomware samples, the GoldenEye virus spreads via infectious emails. Since German-speaking users are targeted, the messages may be written in German to make them more believable. You might receive bizarre notifications about delayed payments, money matters, transactions, flight tickets and so on. Whatever the subject, make sure the message really originates from a reliable source rather than a shady one. Even if the sender’s address looks similar to the official one, do not assume it is genuine; that assumption could easily be wrong.

Is there a way to decrypt files and drives that are ruined by GoldenEye Ransomware?

At the time this article was written, security researchers had only scratched the surface of this infection. In order to find a suitable decryption method, the IT experts have to analyze the infection in detail. Meanwhile, you can check whether your Shadow Volume Copies have been deleted and, if not, attempt to restore files from them. In addition, some people find general-purpose file recovery tools helpful. Even if these recommendations do not work, never pay shady programmers a gigantic sum of money for decryption. You would only be sponsoring further infectious spam campaigns.

Spyhunter or Malwarebytes will check the state of your device and eliminate the GoldenEye virus. These tools are also useful if you are infected with other types of malware.

How to recover GoldenEye Ransomware encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer into Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before GoldenEye Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of GoldenEye Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to GoldenEye Ransomware. You can check other tools here.

Step 3. Restore GoldenEye Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. GoldenEye Ransomware usually tries to delete all available Shadow Volume Copies, so this method may not work on every computer. However, the deletion may fail. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your choice, or Restore to replace the existing, encrypted file. If you want to check the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free, in either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.
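For administrators who prefer the command line to Previous Versions or Shadow Explorer, here is an added PowerShell example (not part of the original guide) that checks whether any shadow copies survived on a drive and, if so, exposes the newest one as a browsable folder so pre-infection files can be copied out. It assumes an elevated PowerShell session; the drive letter and the link path are placeholders.

```powershell
# Added example, not from the original guide: check for surviving Volume Shadow
# Copies on a drive and mount the newest one as a read-only directory.
# Assumptions: run as Administrator; $Drive and $LinkPath are placeholders.
param(
    [string]$Drive    = 'C:',
    [string]$LinkPath = 'C:\vss_view'   # hypothetical mount point for the snapshot
)

# Win32_ShadowCopy identifies volumes by their \\?\Volume{GUID}\ path,
# so resolve the drive letter to that DeviceID first.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
if (-not $volume) { throw "Drive $Drive not found" }

# An empty result usually means the ransomware's shadow-copy deletion
# succeeded and Step 3 will not help on this machine.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Host "No shadow copies remain on $Drive; try Step 4 or restore from a backup."
    return
}

# Show what is available: snapshot ID, creation time and its device object.
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Mount the newest snapshot as a directory symlink. mklink requires the
# trailing backslash on the shadow copy device path.
$latest = $shadows[0]
if (-not (Test-Path $LinkPath)) {
    cmd /c mklink /d $LinkPath "$($latest.DeviceObject)\" | Out-Null
}
Write-Host "Snapshot from $($latest.InstallDate) is browsable at $LinkPath"

# Copy a file's pre-infection version out of the snapshot (placeholder path):
# Copy-Item "$LinkPath\Users\<user>\Documents\report.docx" "$env:USERPROFILE\Desktop\report.docx"
```

Remove the link with `cmd /c rmdir $LinkPath` when finished; this deletes only the symlink, not the snapshot.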

Step 4. Use Data Recovery programs to recover GoldenEye Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in every case, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
