Pottieq Ransomware was recently noticed by malware expert Jakub. At first it was thought to be a variant of the Aurora or Dharma viruses, but it later became clear that the Pottieq virus is a new version of BandarChor. This discovery changes little about how Pottieq cryptovirus behaves in the eyes of the victim, yet it gives cybersecurity specialists a better understanding of Pottieq ransomware’s features, which will come in handy when developing decryption software.
Like a typical ransom-demanding virus, Pottieq uses sneaky ways to enter the targeted victim’s system and locks all data except for system files, so the computer still runs, but precious photos, videos, documents, projects and so on are unavailable until the user contacts the crooks with the ransom payment. This makes the Pottieq virus one of the most notorious types of malware, because only the developers know the decryption key, and even after the threat is removed the data stays locked. However, do not rush to make the payment yet; read this article to find out alternative methods of repairing the damage caused by Pottieq ransomware without spending a dime.
What is known about Pottieq Ransomware
As we said in the introduction, Pottieq ransomware is a new version of the BandarChor infection but also has close relations to CryptoLocker ransomware. It uses various tricks to infect unsuspecting users’ computers by making them open a malicious exe file (one of them is called ‘SkyTel.exe’; see the full VirusTotal report) and then silently runs malevolent processes in the background: modifying Windows registry keys and copying itself into the AppData and Temp folders for persistence, stopping the current antivirus so as not to get detected and interrupted, and looking for files to encrypt such as .pdf, .doc, .jpg, .mp3 and other formats. Pottieq cryptovirus uses the AES-256 algorithm to lock the discovered personal data, and it takes less than a minute to finish the encryption.
What you need to know about ransomware viruses is that they are also very dramatic and are supposed to scare you, so you’d be willing to pay the ransom sooner. This is why Pottieq ransomware appends the long extension ‘.id-%ID%-[[email protected]].pip’ to the files it encrypted, so the victim can visually see the damage the hackers made and how their very personal data is no longer available. No one would be happy to see their precious ‘family_photo.jpg’ turn into a ruined file called ‘family_photo.jpg.id-[your-case-ID]-[[email protected]].pip’. On top of that, the Pottieq crypto infection drops a ransom note explaining the situation and requiring the victim to contact the developers urgently to get their files back. This is what the ransom note says:
Attention! Your computer has been attacked by a virus-encoder!
All your files are now encrypted using cryptographically strong algorithm.
Without the original key recovery is impossible. To get the decoder and the original key, you need to email us at [email protected]
Our assistance is not free, so expect to pay a reasonable price for our decrypting services.
No exceptions will be made. In the subject line of your email include the id number, which can be found in the file name of all encrypted files.
It is in your interest to respond as soon as possible to ensure the restoration of your files.
P.S. only in case you do not receive a response from the first email address within 48 hours, please use this alternative email: [email protected]
Pottieq’s ransom note doesn’t specify how much money the victim needs to send, yet it mentions that the decryption key is not free. The ransom amount usually ranges from a few hundred to a few thousand dollars in cryptocurrency (it can be BTC or ETH, for anonymity). Malware researchers also noticed that an earlier version of the Pottieq virus used a different email, ‘[email protected]’. But it is imperative that you do not pay the ransom, because the Pottieq virus infection can be solved without supporting the hackers, and because no one can guarantee that the crooks will indeed reply with the unlocking key.
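As an added example (not code from the original article), the following Python script shows how a responder could triage a drive after cleanup using the two indicators described above: the ‘.id-%ID%-[email].pip’ naming pattern and the list of targeted personal-data formats. It parses each renamed file back into its original name, case ID and embedded contact address, then summarises the hit by case ID and original file type. The exact shape of the ID (letters and digits) and of the bracketed address is an assumption, since the article shows only placeholders; the file listing and the address ransom@example.com are constructed.

```python
"""Triage helper for files renamed by a Pottieq-style ransomware.

Added example, not code from the original article. The article shows the
appended extension as '.id-%ID%-[<email>].pip'; this script assumes the ID
is a run of letters and digits and that the contact address sits in square
brackets. The file listing below is constructed, including the placeholder
address ransom@example.com.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Personal-data formats the article names as encryption targets.
TARGETED_EXTENSIONS = {".pdf", ".doc", ".jpg", ".mp3"}

# <original name>.id-<ID>-[<email>].pip  (ID and address format are assumptions)
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<case_id>[A-Za-z0-9]+)-\[(?P<contact>[^\]\s]+)\]\.pip$"
)


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    original_name: str   # name before the ransomware renamed it
    case_id: str         # victim ID the note tells the victim to quote
    contact: str         # address embedded in the extension


def _basename(path: str) -> str:
    # Accept both Windows and POSIX separators so the helper also works when a
    # listing taken from an infected Windows machine is analysed elsewhere.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the parsed record for a Pottieq-style name, or None otherwise."""
    match = ENCRYPTED_NAME.match(_basename(path))
    if not match:
        return None
    return EncryptedFile(path, match["original"], match["case_id"], match["contact"])


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise which files were hit, under which case ID, and of what type."""
    hits: List[EncryptedFile] = [
        rec for rec in (parse_encrypted_name(p) for p in paths) if rec is not None
    ]
    by_case = Counter(rec.case_id for rec in hits)
    by_ext = Counter(os.path.splitext(rec.original_name)[1].lower() for rec in hits)
    return {
        "encrypted": hits,
        "case_ids": dict(by_case),
        "contacts": sorted({rec.contact for rec in hits}),
        "original_extensions": dict(by_ext),
        "targeted_type_count": sum(n for ext, n in by_ext.items() if ext in TARGETED_EXTENSIONS),
    }


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a mounted (already cleaned) drive and run the same triage over it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing: four renamed user files, one untouched system
# file, and one name that only shares the final '.pip' suffix.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\family_photo.jpg.id-A1B2C3D4-[ransom@example.com].pip",
    r"C:\Users\alice\Documents\thesis.doc.id-A1B2C3D4-[ransom@example.com].pip",
    r"C:\Users\alice\Music\track01.mp3.id-A1B2C3D4-[ransom@example.com].pip",
    r"C:\Users\alice\Documents\notes.txt.id-A1B2C3D4-[ransom@example.com].pip",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Desktop\readme.pip",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"{len(summary['encrypted'])} encrypted files, case IDs: {summary['case_ids']}")
    for rec in summary["encrypted"]:
        print(f"  {rec.original_name}  <-  {rec.path}")
```

Run it over a saved listing, or `scan_tree` over the mounted drive once the virus has been removed, before attempting recovery: the recovered original names tell you which files to look for under Previous Versions, and more than one case ID would point to more than one infection.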
How is Pottieq virus spreading
Right now Pottieq ransomware can sneak into your PC by pretending to be a necessary update for Java, Adobe Flash or antivirus security products, as well as through bogus emails. This just proves how careful and aware you have to be on the World Wide Web, because malware like the Pottieq virus is waiting around almost every corner. To help our readers avoid future infections, we prepared our best tips on how to protect yourself from ransomware threats. However, prevention mostly depends on your common sense, and being able to recognize malspam is already a great step towards secure browsing.
More skilled hackers use fake updates (or exploit kits) to spread, masking the malicious file as a required new version of some important program. Such programs are meant to update automatically and only from their official sites, but the crooks took care of that too. They create the illusion after the victim enters a bait site, which says that to watch a video you need to update your Flash or Java. This seems legitimate, since that software is indeed needed to play media files, so the victim ends up downloading the fake executable, which is actually Pottieq ransomware itself.
On the other hand, ransomware creators who want to infect corporations rather than regular people’s computers, and to get around strict security rules that forbid downloads from the web without admin rights, use another technique: malspam campaigns. This is also used by ransomware developers who do not have enough technical knowledge for other distribution methods. The crooks behind the Pottieq virus come up with a believable fake message saying that you need to click a link to confirm your details for a bank or hospital, send a resume to apply for a job that requires opening an attached file (which is Pottieq ransomware too), or convince you that you have a new invoice or unpaid bill needing urgent attention, and so on. This tricks so many people because the malicious link or file looks perfectly normal, and it allows the Pottieq virus to spread well.
How to deal with Pottieq Ransomware
Recovery from the Pottieq ransomware virus should be done in two steps: removal and file restoration. You cannot restore the files unless you delete the virus first, because the crypto threat will keep locking files even as you decrypt them and can actually make them unrecoverable. The removal part can be done either with the help of a special security tool or manually, following our instructions below.
Without any discussion, the most recommended method is automatic removal with an anti-malware program, preferably SpyHunter. These spyware removal tools are very useful not only for users who don’t have much computer knowledge; they are also often used by professionals because they are really easy to understand and have trustworthy detection and removal features. All you have to do is run the program and scan the system as directed, and Pottieq ransomware will be hunted down in all possible directories and deleted with its roots.
Automatic Malware removal tools
How to remove Pottieq virus manually and restore files
The other technique to get rid of Pottieq ransomware requires more time and focus, because there is no special program to do the work for you, so every step must be rational and well thought out: if you delete some important entries from the Windows registry, you can forget about restoring files, because you will need to restore the whole system. Fortunately, the 2-viruses.com team prepared step-by-step instructions on how to uninstall the Pottieq virus, so please follow them carefully.
After the virus is long gone from your system, you can consider restoring your locked files. Pottieq ransomware is a new virus, so an official decryptor is not available yet, but you are encouraged to try the encrypted file recovery guidelines below, either restoring the files from Shadow Copies (if the malware has not deleted them) or using file recovery tools. If none of it works, just keep the encrypted files somewhere on your PC and keep checking for decryptor updates, which we are sure cyber specialists will release very soon.
How to recover Pottieq ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points available from before Pottieq infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of BandarChor
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Pottieq ransomware. You can check other tools here.
Step 3. Restore Pottieq affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually BandarChor tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
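Before spending time on Previous Versions or Shadow Explorer, it is worth checking whether any snapshot actually survived and predates the encryption. The following Python helper is an added example (not part of the original article or of any tool it mentions): it parses the text printed by `vssadmin list shadows` on Windows and lists snapshots of the system drive created before a given infection time. The sample output is constructed to follow the layout of vssadmin 1.1, which is an assumption about the tool’s output rather than a capture from a real machine; the GUIDs, host name and timestamps are made up.

```python
"""Find Volume Shadow Copies that predate a ransomware infection.

Added example, not code from the original article. It parses the text that
`vssadmin list shadows` prints on Windows and lists the snapshots created
before a given infection time, so a responder knows whether the
"Previous Versions" route has anything left to offer. The sample output
below is constructed to follow the layout of vssadmin 1.1 (an assumption
about the tool's output, not a capture from a real machine).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

CREATION_RE = re.compile(r"creation time:\s+(.+?)\s*$")
SNAPSHOT_ID_RE = re.compile(r"Shadow Copy ID:\s+(\{[0-9A-Fa-f-]+\})")
ORIGINAL_VOL_RE = re.compile(r"Original Volume:\s+\((\w:)\)")
SNAPSHOT_VOL_RE = re.compile(r"Shadow Copy Volume:\s+(\S+)")


@dataclass(frozen=True)
class ShadowCopy:
    snapshot_id: str
    created: datetime
    drive: str          # drive letter of the original volume, e.g. "C:"
    device_path: str    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


def parse_vssadmin(output: str) -> List[ShadowCopy]:
    """Turn `vssadmin list shadows` text into ShadowCopy records."""
    copies: List[ShadowCopy] = []
    created: Optional[datetime] = None
    snapshot_id: Optional[str] = None
    drive: Optional[str] = None
    for line in output.splitlines():
        m = CREATION_RE.search(line)
        if m:
            # vssadmin prints the local time like "3/10/2018 9:05:00 PM"
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = SNAPSHOT_ID_RE.search(line)
        if m:
            snapshot_id = m.group(1)
            continue
        m = ORIGINAL_VOL_RE.search(line)
        if m:
            drive = m.group(1)
            continue
        m = SNAPSHOT_VOL_RE.search(line)
        if m and created and snapshot_id and drive:
            # The device path is the last field we need, so emit the record here.
            copies.append(ShadowCopy(snapshot_id, created, drive, m.group(1)))
    return copies


def usable_snapshots(output: str, infected_at: datetime, drive: str = "C:") -> List[ShadowCopy]:
    """Snapshots of `drive` taken before the files were encrypted, oldest first."""
    return sorted(
        (c for c in parse_vssadmin(output) if c.drive == drive and c.created < infected_at),
        key=lambda c: c.created,
    )


# Constructed sample: one snapshot from before the (made-up) infection time and
# one taken afterwards, which would already contain the encrypted files.
SAMPLE_INFECTION_TIME = datetime(2018, 3, 14, 10, 0)
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/10/2018 9:05:00 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 3/15/2018 8:00:00 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

if __name__ == "__main__":
    for copy in usable_snapshots(SAMPLE_VSSADMIN_OUTPUT, SAMPLE_INFECTION_TIME):
        print(f"{copy.created:%Y-%m-%d %H:%M}  {copy.drive}  {copy.device_path}")
```

On a real machine you would feed the helper the output of `vssadmin list shadows` run from an elevated prompt after the virus has been removed; an empty result means the malware succeeded in deleting the snapshots and the data recovery programs in the next step are the remaining option.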
Step 4. Use Data Recovery programs to recover Pottieq ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.