IT.Books Ransomware - How to remove

IT.Books virus is a fairly new open-source-based ransomware threat that was first mentioned on Twitter by MalwareHunterTeam in mid-September 2018. Its encryption techniques are borrowed from the Hidden Tear viruses, and the ransom note (in graphical user interface, or GUI, format) was copied from the Jigsaw ransomware. Although the IT.Books cryptovirus is not unique, it can still give you a hard time when you try to delete it and fix its damage. The ransomware threatens that you need to pay the ransom within 1 hour in order to unlock the encrypted files and claims that all data will be lost if you try to get rid of it. Do not rush to send money to the crooks, because this rarely works and most likely you would get tricked again.

It is very much possible to uninstall the infection manually and with certain reputable cybersecurity programs without having to spend any crypto coins, which most likely would be used to improve the IT.Books ransomware in the future by adding more malicious features bought on the dark net. The situation you are in right now is very stressful and scary, but the best response to the IT.Books virus is to collect yourself and try the suggestions given at the end of this article.

How does IT.Books ransomware operate

IT.Books virus could basically be described as a cyber kidnapper. Once it gets into the system by malicious means, it tries to find all the files that you keep on your Windows machine, except for the system files, and locks them with the AES cipher. Only the crooks know the decryption key, which they are willing to sell to you for some cryptocurrency. Meanwhile, your files are inaccessible. Even though ransomware is becoming less and less popular as a type of malware, hackers still manage to scare some victims well enough to get hundreds, if not thousands, of dollars, which drives them to keep creating such threats.

IT.Books ransomware ransom note and lock screen

IT.Books ransomware is an interesting combination of two other ransomware families: the open-source cryptovirus sample Hidden Tear and Jigsaw. While its functions and features are mainly built from the samples on GitHub, the crooks decided to add a little twist to their creation rather than produce just another typical copy like ShutUpAndDance, AndreaGalli, Poole, Zoor, Sorry or Horros, and added the GUI ransom note from the Jigsaw ransomware. While this could trick users with no technical knowledge, researchers figured out that this does not mean that the IT.Books and Jigsaw viruses are related in any way, and the IT.Books crypto threat should rather be considered a Hidden Tear variant.

After the invasion, IT.Books ransomware changes Windows registry keys and adds exceptions so that it is not detected by the current antivirus and stays in the system even after you restart your PC. Then the virus starts scanning the disk for files to encrypt and marks the compromised ones by appending the .fucked extension to their names. That can be slightly inappropriate, especially if kids are using the same computer, because instead of the innocent ‘birthday_party.mp4’, for example, you will be seeing ‘birthday_party.mp4.fucked’. But that is not all. Once the whole encryption is done, IT.Books drops a Notepad ransom note called READ__IT.txt and locks the screen with Jigsaw’s GUI, providing all the information that you as a victim need to know about the current state of your PC and how to solve it.

READ__IT.txt says:

Files has Been encrypted with strong KEY
Send payment to our bitcoin address
You can visit google or localbitcoin to the buy bitcoin.
BTC Address: 13vs2K5TiDAn6eLSevnds8esWZfeUhov2d
After payment click contact us you will l recieve Decryption KEY in less than 1 hour.

Typical Jigsaw’s lock screen:

I want to play a game with you. Let me explain the rules:
All your files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.

Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.

If you turn off your computer or try to close me, when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that
is capable to decrypt your personal data for you.
Now, let’s start and enjoy our little game together!

IT.Books ransomware is, at the moment, asking its victims for $600 (0,094 BTC), which is in the middle of the price range for ransom requests, but not everyone has that much spare money ready to be risked and spent on getting files decrypted. The positive part is that the IT.Books cryptovirus uses the AES algorithm, which is symmetric and not as hard to unlock as a combination of RSA and AES. Therefore, no matter how important your files are, please keep reading, because our instructions can be all you need to fix the IT.Books crypto infection. Also, check the VirusTotal analysis to see technical data about the IT.Books ransomware.

What are the distribution methods of IT.Books virus

Ransomware like the IT.Books virus usually spreads through socially engineered emails that are altered depending on the locale and the business or person being contacted, resulting in various bogus messages asking the victim to open a secretly infected link or attachment that poses as a resume, invoice, invitation, ticket, government papers, hospital records, a complaint, legal documents and so on. However, IT.Books, as you can tell by the name, takes one narrow and clear route into users’ computers: IT books.

IT.Books ransomware decrypted message

Many of us are looking for online books to learn certain skills, but no matter the digital format, they are still very expensive. This leads people to look for ways to get educational material for free, even if that can be illegal. IT.Books ransomware spreads as ‘Free Download IT eBooks’ or ‘IT.Books.exe’ files, which can come from email but also from torrent sites, launching the virus right on your PC and giving you a valuable lesson in online safety. Talking about online safety, you should read our guide on how to prevent ransomware viruses.

How to solve IT.Books ransomware infection

In a nutshell, if you don’t want to waste your time and dealing with computer issues is not the easiest task for you, then there is no doubt that the only possible way to remove the IT.Books virus is to get Spyhunter anti-malware tools. Such spyware removal programs can save you from IT.Books ransomware and from many other threats that may have used the exposed vulnerabilities to enter your computer too, without you knowing about it.

Deleting the IT.Books virus is imperative before trying to recover files, because if you try to restore the locked data while the virus is still there, you will either not succeed or the IT.Books infection will lock your files again, this time possibly putting a double layer of ciphers on some files. So the first step is to remove, and only then recover. This is why an automatic security program helps more than regular manual cleaning: at least you know after the system scan that your Windows is safe.

How to delete IT.Books virus and restore encrypted files

If your files are not that important to you, simply do a full system restore and enjoy a fresh Windows OS; otherwise, try to use backups to get back to the state before the infection. To do so, you have to have backups in the first place. If that is not what you are looking for, then anti-spyware can be your only solution.

As for decryption, right now there is no special decryptor specifically for IT.Books ransomware, but we advise trying other methods to access your locked files. You will find a few below in the instructions, but you might as well give the Hidden Tear and Jigsaw ransomware decryption tools a try. Cybersecurity specialists are already working on a program that will help to unlock your precious files, so if nothing works, just keep the files stored and check for decryptor updates religiously.


How to recover IT.Books Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available before IT.Books has infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of IT.Books Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to IT.Books.

Step 3. Restore IT.Books Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually IT.Books tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
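
Before picking a restore point or a shadow copy version, it helps to know which files were hit and roughly when. The script below is an added example, not part of the original guide or of any tool it mentions: it walks a folder or mounted drive, lists files carrying the .fucked extension and READ__IT.txt notes described above, and reports the earliest modification time among them. The function names, the sample tree and the use of file modification time as an estimate of encryption time are assumptions of this example.

```python
import os
import tempfile
ENC_EXT = ".fucked"          # extension the article says IT.Books appends
NOTE_NAME = "READ__IT.txt"   # ransom note file name given in the article

def inventory(root):
    """Walk root; list encrypted files, ransom notes and earliest mtime."""
    encrypted, notes, has_plain_copy, stamps = [], [], [], []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        present = set(files)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                encrypted.append(path)
                # Same name without the extension: a readable copy sits beside it.
                if name[:-len(ENC_EXT)] in present:
                    has_plain_copy.append(path)
            else:
                continue
            try:
                stamps.append(os.stat(path).st_mtime)
            except OSError:
                pass  # unreadable entry: still listed, just not timed
    return {
        "encrypted": sorted(encrypted), "notes": sorted(notes),
        "has_plain_copy": sorted(has_plain_copy),
        # Heuristic: snapshots older than this predate the encryption
        # (assumes timestamps were not tampered with).
        "earliest": min(stamps) if stamps else None,
    }

def demo():  # constructed sample tree with made-up files, not victim data
    sample = {"Videos/birthday_party.mp4.fucked": 1537000000,
              "report.docx.fucked": 1537000060, "report.docx": 1537100000,
              "READ__IT.txt": 1537000120, "notes.txt": 1530000000}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Videos"))
        for rel, mtime in sample.items():
            path = os.path.join(root, *rel.split("/"))
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))
        result = inventory(root)
        for key in ("encrypted", "notes", "has_plain_copy"):
            result[key] = [os.path.relpath(p, root) for p in result[key]]
        return result

if __name__ == "__main__":
    print(demo())
```

To use it on a real system, call inventory() with the path of the affected folder or drive; the script only reads directory listings and timestamps and does not modify any file.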

Step 4. Use Data Recovery programs to recover IT.Books Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.