PGPSnippet - How to remove

PGPSnippet is a small but very malicious ransomware virus that started performing its evil deeds in a cyberspace since the end of May 2018. This crypto-extortionist has been caught spreading in compressed file bundles. It runs a ‘PGPSnippet.exe’ once the victim opens the infected files and acts in a typical ransomware behavior: locks the certain files, appends .decodeme666@tutanota_com extension to their names and asks for a $500 ransom in Bitcoins for the decryption key. While PGPSnippet crypto-malware is a tough cookie, 2-viruses.com team has prepared several solutions that will help if this ransomware starts threatening you.

What is the PGPSnippet virus and how does it distribute?

When it comes to the function PGPSnippet crypto-extortionist performs just like any other file-encrypting – ransom-demanding, such as Sigrun, CSGO or Sepsis. So far it’s been known that the PGPSnippet is based on PGP (Pretty Good Privacy) software that is used for the email security and mostly spreads via spam email attachments and through bundling, meaning that it is included in a software package with several other programs we download when we want to update or install something. When we open the infected attachment or extract the downloaded programs virus starts to spread itself performing various intricate techniques affecting Windows registry, security, firewall. After making sure that system is not stopping the process runs a scan looking for personal files it could target and lock with special ciphers, marking compromised data with .decodeme666@tutanota_com name extension.

After PGPSnippet crypto-virus is done with the malevolent operation it drops ‘!!!README_DECRYPT!!!.txt’ file on the victim’s desktop which is a ransom note with further directions to get the files back. It says:

ATTENTION !
All your documents and other files ENCRYPTED !!!
TO RESTORE YOUR FILES YOU MUST TO PAY: 500$ by Bitcoin to this address:
You can open an wallet here:
hxxps://electrum.org/#download
hxxps://blockchain.info
hxxps://localbitcoins.com/
hxxps://paxful.com/en
hxxps://www.bestchange.com/
Send the file on the way “WIN + R >> %APPDATA%” file name hosts.txt to our e-mail after paymentat this email address: [email protected]
We will confirm payment and send to you decrypt key + instruction
Remember: you have a 72 hours and if you not paid, that price will up
ATTENTION : all your attempts to decrypt your PC without our software and key can lead to irreversible destruction
of your files !

To create more stress PGPSnippet virus specifically locks personal files like pictures, documents and videos, and adds a time limit, so the victim would be more willing to pay these $500 dollars for the decryption. Unfortunately, this works even on many experienced internet/PC users and the situation gets worse when the files stay locked, your system infected and you lose a few hundred dollars to some shady hackers. That is why you should never pay the ransom.

Even though the main name of this ransomware is PGPSnippet, but most of the antivirus/anti-spyware programs identify it as Zusy.275751 trojan. You can read a more detailed information on Virustotal.com, however, this malware is more than a trojan and should be treated way more carefully.

How to delete PGPSnippet ransomware and restore the encrypted files

Ransomware infections, PGPSnippet included, are one of the hardest to fix, because they are very persistent, get into the system without warning, copy themselves into the registry to reload every time the system is restarted and use difficult unique encryption techniques that are hard to crack even for the most skilled cyber analysts. At the moment there is no decryption tool for the PGPSnippet virus, but to pay the ransom is the worst solution you can make. Because cyber crooks not only will leave your files locked but also use the transferred money for further ransomware improvement.

Nevertheless, there are some things you should try before giving up, which have saved quite a few PGPSnippet and other ransomware infection victims. The recovery should start with the malicious infection source removal. This step can be done easily by using automatic malware removal tools that are made specifically to hunt cyber threats and have the updated database of all newest parasites. You can use any type of malware, just make sure that it is not a PUP and an actual trusted tool. We recommend Spyhunter and . By simply following anti-spyware software user’s guide you should be able to permanently remove PGPSnippet from your PC and safely move on to the next step – unlocking your files. 

Restore the PGPSnippet encrypted files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point in time when the system restore snapshot was created. Usually, PGPSnippet tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Note: In many cases, it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution, like Carbonite, BackBlaze, CrashPlan or Mozy Home.

Automatic Malware removal tools