Pico ransomware - How to remove

The cyber world has been threatened again by a new cryptovirus called Pico ransomware v1.0. The threat was discovered and reported on Twitter by the malware researcher @siri_urz. It is believed to have been created from the same template as another crypto-demanding virus, Thanatos ransomware. Pico virus has the typical ransomware behaviour of encrypting files with strong algorithms and demanding a ransom to restore them. Pico ransomware appends the .PICO string to every locked file’s name and in total requests USD $100 in cryptocurrency from the victim for the decryptor.

At the moment Pico virus is targeting regular Windows users rather than companies, so even if you are not infected by this ransomware you should be careful and learn about it before it is too late. Despite Pico ransomware being just a variant of another crypto infection, it works well and seems to be under active development. If you have been attacked by Pico, make sure not to fall into the trap and pay the ransom: there have been many cases where victims paid hundreds of dollars but no decryption keys were delivered and the crooks never contacted them. In this article we will show how to delete Pico ransomware and possibly restore locked data without sending a dime to the hackers, so keep reading.

What is Pico ransomware

As the name suggests, Pico virus is ransomware, which means that after getting into the victim’s computer it uses encryption such as AES/RSA to lock personal files and drops a ransom note requesting a certain amount of money, paid in cryptocurrency for anonymity. This type of virus is the most notorious because it is able to modify registry keys to become more persistent, stop and damage the antivirus on the victim’s PC to avoid detection, reach the various directories where the most precious files are stored, and encrypt them with ciphers whose unlocking key is available only to the virus developers.

Pico ransomware, as mentioned in the introduction, is a version or copy of another ransom-demanding virus, Thanatos. Both have very similar ransom notes, working principles and so on, but Pico was most likely not developed by the same hackers. More probably it was bought from the same malware template distributor on the DarkNet. What gave this away was the PDB file path found during virus analysis: C:\Users\Username\Desktop\Ransomware\ThanatosSource\Release\Ransomware.pdb. For more technical details, please see the VirusTotal report.

Pico ransomware virus ransom note

After Pico ransomware enters the system and modifies settings to make itself undiscoverable and persistent, it starts looking for files such as pictures, videos, documents and everything else that is not a system file. This is because the crooks do not want to ruin your computer, so that you can still make the payment, but they still ‘kidnap’ the rest of your precious files. So that you know Pico virus holds your data, it appends the .PICO extension to every locked file and drops a README.txt ransom note explaining what happened:

[———————————————————————————]

Pico Ransomware v1.0

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $100 to one of these wallets:
BTC: 3QK9umWMV1nrn8nadZ9eGnJ76Bg4jiJLem
ETH: 0xBb171CC7113dbdc532C42D22928f6b6c56fBE242

2. Send your TXID and your MachineID to mail
E-Mail: [email protected]
MactineID:

[———————————————————————————]

Do not waste your time, files can only be
decrypted by our decode tool.

In this ransom note you can see the typical ransomware information: the requested amount of $100 in BTC or ETH, the crypto wallet addresses and the e-mail address through which you are told to contact the crooks for the decryptor ([email protected]). At times paying the ransom may seem like the only option, but easy money only encourages hackers to create more viruses like Pico, and there is no guarantee that you will get your data back. The best thing is therefore to skip to the removal part and get rid of Pico ransomware once and for all.
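The note gives a responder two concrete things to look for on a disk: the .PICO extension on locked files and the README.txt note beside them. The Python script below is an added example, not code from the original article or from anyone connected with the malware; it walks a directory, counts the .PICO files, finds only those README.txt files that really are Pico notes (they start with the text quoted above), and pulls the wallet addresses out of them so the indicators can go into an incident record. The directory layout and the note text are constructed from the article; the e-mail address in the sample is a placeholder because the article redacts the real one.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension Pico appends and the note it drops
PICO_EXT = ".PICO"
NOTE_NAME = "README.txt"
NOTE_MARKER = "Pico Ransomware v1.0"   # first line of the ransom note

# Patterns for what the note contains (wallet addresses and contact e-mail)
BTC_RE = re.compile(r"BTC:\s*([13][a-km-zA-HJ-NP-Z1-9]{25,34})")
ETH_RE = re.compile(r"ETH:\s*(0x[0-9a-fA-F]{40})")
MAIL_RE = re.compile(r"E-Mail:\s*(\S+@\S+)")

# Constructed note text modelled on the one quoted in the article; the e-mail
# address is a placeholder because the article redacts the real one.
SAMPLE_NOTE = """Pico Ransomware v1.0

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $100 to one of these wallets:
BTC: 3QK9umWMV1nrn8nadZ9eGnJ76Bg4jiJLem
ETH: 0xBb171CC7113dbdc532C42D22928f6b6c56fBE242

2. Send your TXID and your MachineID to mail
E-Mail: mail@example.invalid
"""


def triage(root):
    """Walk `root` and return the encrypted-file count, the note count, the
    directories holding encrypted files, and the indicators parsed from the notes."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.upper() == PICO_EXT:
            encrypted.append(path)
        elif path.name.lower() == NOTE_NAME.lower():
            # Only count README.txt files that are actually Pico notes
            if NOTE_MARKER in path.read_text(errors="replace"):
                notes.append(path)
    indicators = {"btc": set(), "eth": set(), "email": set()}
    for note in notes:
        text = note.read_text(errors="replace")
        indicators["btc"].update(BTC_RE.findall(text))
        indicators["eth"].update(ETH_RE.findall(text))
        indicators["email"].update(MAIL_RE.findall(text))
    # Directories with encrypted files tell you where restoration work is needed
    affected_dirs = sorted({p.parent.relative_to(root).as_posix() for p in encrypted})
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "affected_dirs": affected_dirs,
        "indicators": {k: sorted(v) for k, v in indicators.items()},
    }


def build_sample(base):
    """Create a small constructed tree that looks like a Pico-hit user profile."""
    base = Path(base)
    (base / "Documents").mkdir()
    (base / "Pictures").mkdir()
    for name in ("Documents/budget.xlsx.PICO", "Documents/notes.txt.PICO",
                 "Pictures/holiday.jpg.PICO"):
        (base / name).write_bytes(b"\x00" * 16)          # stand-in for ciphertext
    (base / "Documents" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (base / "Pictures" / NOTE_NAME).write_text(SAMPLE_NOTE)
    (base / "Pictures" / "untouched.txt").write_text("not encrypted")
    (base / NOTE_NAME).write_text("an ordinary readme, not a ransom note")
    return base


def demo():
    """Run the triage over the constructed tree and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a user profile (or a mounted image of the disk) to get the same report for a real machine; matching on the note's first line rather than on the file name alone keeps ordinary README.txt files out of the count.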

How does Pico ransomware infect computers

Malware like Pico cryptovirus must be flexible enough to bypass system security, not only on home computers but also on well-protected machines in banks, healthcare facilities, government offices and other companies. Although Pico ransomware seems designed to target ordinary personal computer owners rather than corporations, it still spreads via the method best suited to both: malicious, socially engineered e-mails. Distribution via e-mail does not require technical skills, which ransomware actors usually lack, since they merely alter existing cryptovirus templates from GitHub or the DarkNet (where they can also buy e-mail address lists to make distribution even easier).

Pico virus developers come up with several bogus e-mail messages saying that you have received a new invoice, receipt, complaint or notification from your bank, client or healthcare provider that needs immediate attention, and providing either a link or an attached document where the rest of the information supposedly is. Unfortunately, clicking that link, or enabling macros in the malicious downloaded document, launches the Pico ransomware installation on your PC. Pico virus then silently runs in the background, already encrypting your precious files, while you are still wondering why the link or file did not work.

How to remove Pico ransomware fast and recover locked files

A Pico ransomware infection is not a simple browser hijacker or adware infection that can be removed by uninstalling a malicious extension from the browser or a PUP from the Control Panel. Repairing Pico virus damage requires a fairly good understanding of technical computer features, because a mistake while trying to get rid of the virus can delete very important Windows data, ruin your PC and require a fresh OS installation. Not to mention that after that you can forget about restoring files. So what is the best way to resolve a Pico infection?

The easiest Pico ransomware removal method, which takes care of everything without causing you any stress, is a malware removal tool such as Spyhunter. These anti-spyware programs are designed to deal with various types of malware and uninstall them from every possible directory on the computer. They simply ask you to run a full Windows scan and then hunt for programs with malicious behaviour. Not only do these security tools find visible threats like Pico virus, they also find silent crypto miners (which can sometimes sit undiscovered on a computer for years). As you know, every piece of malware has the potential to bring in other malware because the system becomes vulnerable, so there is a good chance that your Windows has more viruses than just the Pico crypto infection.

As for recovering the encrypted files, right now you will not find a decryptor, but cybersecurity professionals are working on a decrypting program for Pico ransomware. Since Pico virus can delete Shadow Copies, there is not much you can do to restore locked data at the moment. However, since you do not know how dangerous the Pico variant on your computer is, you should try our file-restore instructions with the programs listed below. If that does not work, clean the PC, keep the encrypted files stored somewhere on it, and check our page or Watchpointdata.com regularly to see whether a decryptor has been released.

Automatic Malware removal tools

Download Spyhunter for Malware detection (Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. Limited trial available; see Terms of use, Privacy Policy and Uninstall Instructions.

Download Combo Cleaner for Malware detection (Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. Limited trial available; see Terms of use, Privacy Policy, Uninstall Instructions and Refund Policy.

Can you delete Pico virus without antivirus

Even though Pico virus can be really persistent and dangerous, there is a way to delete it without an additional security program. In this case, however, your encrypted files have a higher chance of being deleted. On the other hand, you should not keep Pico ransomware on your PC any longer, because it will cause much more damage than your computer has suffered so far. Therefore, in order to successfully remove the Pico crypto-demanding virus, follow our step-by-step instructions below this article. Lastly, if you want to prevent such infections in the future, the 2-viruses.com team really does encourage you to invest in a good antivirus/anti-spyware program.


How to recover Pico ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before Pico infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of Pico virus

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to Pico ransomware. You can check other tools here.

Step 3. Restore Pico affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Pico virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, the virus may fail to delete them. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
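Before spending time on Previous Versions or Shadow Explorer it is worth checking whether any shadow copies survived at all, since the article notes that Pico tries to delete them. The Python script below is an added example, not part of the article or of any tool it mentions: it parses the text that `vssadmin list shadows` prints (run it from an elevated Command Prompt) and reports how many copies remain per volume, and it handles the "No items found that satisfy the query." message that vssadmin prints once the copies are gone. The sample output is constructed to follow vssadmin's layout; the set IDs, copy IDs, volume GUIDs and machine name are made up.

```python
import re
import subprocess

# Patterns for the fields vssadmin prints for each shadow copy
CREATED_RE = re.compile(r"shadow copies at creation time:\s*(.+)")
SHADOW_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
ORIG_VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
SHADOW_VOL_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
NO_ITEMS = "No items found that satisfy the query."

# Constructed output following the layout of `vssadmin list shadows`;
# all IDs, GUIDs and the machine name are made up for this example.
SAMPLE_WITH_COPIES = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 5/1/2018 9:12:03 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {12121212-3434-5656-7878-909090909090}
   Contained 1 shadow copies at creation time: 5/3/2018 6:40:11 PM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (D:)\\?\Volume{77777777-8888-9999-0000-111111111111}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""

# What vssadmin prints after the copies have been deleted (constructed sample)
SAMPLE_NONE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""


def parse_vssadmin(text):
    """Return one dict per shadow copy; an empty list when vssadmin lists none."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if NO_ITEMS in line:
            return []
        m = CREATED_RE.search(line)
        if m:
            created = m.group(1).strip()      # applies to the copies that follow
            continue
        m = SHADOW_ID_RE.search(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            copies.append(current)
            continue
        if current is None:
            continue
        m = ORIG_VOL_RE.search(line)
        if m:
            current["volume"] = m.group(1).upper()
            continue
        m = SHADOW_VOL_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return copies


def copies_for_volume(text, drive="C:"):
    """Shadow copies that belong to one volume, e.g. the drive holding the user profile."""
    return [c for c in parse_vssadmin(text) if c["volume"] == drive.upper()]


def survivors_summary(text):
    """Per-volume count of surviving copies; {} means Previous Versions cannot help."""
    summary = {}
    for c in parse_vssadmin(text):
        summary[c["volume"]] = summary.get(c["volume"], 0) + 1
    return summary


def live_query():
    """Run the real tool (Windows, elevated prompt) and parse its output."""
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True, check=False)
    return parse_vssadmin(out.stdout)


if __name__ == "__main__":
    print("with copies:", survivors_summary(SAMPLE_WITH_COPIES))
    print("after deletion:", survivors_summary(SAMPLE_NONE))
```

An empty summary from `live_query()` tells you to skip straight to the data recovery programs in Step 4; a non-empty one lists which drives still have a snapshot and when it was taken, so you can pick a copy that predates the infection.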

Step 4. Use Data Recovery programs to recover Pico ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.