Predator ransomware - How to remove

Predator ransomware is one of those crypto viruses that give cybersecurity professionals additional work on top of the plenty of other malware they have to deal with. It is just like the rest of the crypto-extortionists, but no less malicious or intrusive. Predator lives up to its name and targets unsuspecting users by spreading via email as .doc or .pdf documents, which are actually executable files that start an automatic invasion of the computer once opened.

Permanently locked personal data (no decryptor yet), ruined computer security, a slower OS and an annoying ransom message are just a few signs of the notorious Predator ransomware. This virus will give you a real headache and might drive you to desperation when you try to get rid of it, so keep reading this article to learn how 2-viruses.com can help you avoid all this unnecessary malware and fix everything quickly.

How to recognize Predator ransomware

Predator The Cipher v1.0, or simply Predator ransomware, is just another typical ransom-demanding crypto virus, like Donut ransomware, PedCont and Cryptgh0st. Using socially engineered emails, it will sneak into your computer, compromise the antivirus or any other security tool that you have, lock some personal files and, in the end, try to sell you the decryption key for cryptocurrency.

Since this virus may be just another copy of an open-source ransomware sample from the DeepWeb or Github, it does not have any unique abilities compared with the majority of Hidden Tear project viruses. On the other hand, there are some basic differences that separate Predator from the others and allow you to recognize it. (Three components that malware needs to thrive)


After infection, Predator malware scans for and encrypts files in .pdf, .doc, .jpg, .png, .mp3, .mp4, .flv and similar formats. It picks these because they are the most valuable to the user, and because leaving system files uncorrupted lets the victim keep using the compromised but still working PC to get and send virtual coins to the hackers. For this encryption, Predator the Cipher ransomware uses AES asymmetrical encryption. (How fast ransomware encrypts files)

Once the files are encrypted and can no longer be opened, the virus marks them by adding the .predator extension to their names. A locked ‘Vacation.mp4’ file becomes ‘Vacation.mp4.predator’. The added string does not have any function apart from an aesthetic one: it creates more tension and stress for the user, who sees that the virus now owns his files.

At the same time, the malware drops a text file on the desktop explaining the infection and stating that if the user wants to access his encrypted files, he must pay $100 in BTC to the crooks’ address. It also provides victims with an email address where they can send a message saying that they have paid.

README.txt ransom note says:

Your files were encrypted with Predator The Cipher!

Predator The Cipher v1.0
To decrypt your files:
1. Send 100 $ to this bitcoin wallet: 1Pe9zG5uZFj4bGxPs98VbReXrnFayuoGf.
2. Send us email with your machine ID (xxxxxxxxxxxx) and bitcoin wallet ID: [email protected]
Then we would send you back our decipher tool.

ATTENTION!
DO NOT TRY TO DECRYPT OR DELETE YOUR FILES. YOU WILL ONLY MAKE IT WORSE!

Each hacker is different and we can’t say for sure whether he will give you the decryption key if you send him Bitcoin, but we suggest not even trying, because you may become a victim twice: lose your $100 and still not get a reply from the crooks.
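The two indicators described above (the .predator suffix and a README.txt carrying the note's text) can be checked across a whole folder tree. The following is an added example, not part of the original article: a read-only Python inventory that lists locked files, matching ransom notes and the earliest modification time among the locked files. The sample tree, its file contents and the timestamp are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone

SUFFIX = ".predator"                 # extension the article says is appended
NOTE_NAME = "readme.txt"             # ransom note file name, lowercased
NOTE_MARKER = "predator the cipher"  # text quoted from the note, lowercased

def inventory(root):
    """Read-only walk: locked files, matching notes, earliest lock time (UTC)."""
    locked, notes = [], []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX):
                info = os.stat(path)
                locked.append({"path": path, "original_name": name[:-len(SUFFIX)],
                               "size": info.st_size, "mtime": info.st_mtime})
            elif name.lower() == NOTE_NAME:
                # Only count a README.txt that actually contains the note text.
                with open(path, "r", errors="replace") as fh:
                    if NOTE_MARKER in fh.read(4096).lower():
                        notes.append(path)
    first = min((item["mtime"] for item in locked), default=None)
    first_utc = (datetime.fromtimestamp(first, timezone.utc).isoformat()
                 if first is not None else None)
    return {"locked": locked, "notes": notes, "first_locked_utc": first_utc}

def build_sample_tree(root):
    """Constructed sample data for the demo, not real malware output."""
    samples = {"Videos/Vacation.mp4.predator": b"\x00" * 64,
               "Desktop/report.doc.predator": b"\x01" * 32,
               "Desktop/README.txt": b"Your files were encrypted with Predator The Cipher!",
               "Videos/README.txt": b"Unrelated project notes"}
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    old = 1_500_000_000  # constructed timestamp: 2017-07-14T02:40:00Z
    os.utime(os.path.join(root, "Videos", "Vacation.mp4.predator"), (old, old))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = inventory(tmp)
        for item in report["locked"]:
            print(item["original_name"], item["size"], "bytes")
        print("ransom notes:", report["notes"])
        print("earliest lock time:", report["first_locked_utc"])
```

The earliest lock time gives a lower bound for when encryption started, which helps when picking a restore point or shadow copy that predates the infection.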

How Predator ransomware spreads

There are many ways malware can get onto your PC, but the Predator virus spreads mostly through just two techniques: spam email attachments and spam email links. Socially engineered messages, which say that you have received an invoice, a resume application, a government notice, a bill or something else, convince the targeted victims to open the attachment or click the link to see the document. In reality, that link or file initiates the download and setup of the Predator crypto malware. (Analysis how does ransomware spread)

To distribute the ransomware, crooks send thousands of emails to addresses that they buy on the DarkNet or collect online themselves. The biggest campaign so far was Locky ransomware, whose creators sent more than 23 million emails. While Predator the Cipher is still not even close to these numbers, you should still consider taking precautions and learning how to prevent it. Securing the browser, filtering traffic and using anti-malware software for protection are the main steps that should help you avoid catching any virus, not just Predator. Read more about online security and the mentioned steps in our other article.

How to eliminate Predator virus infection

Firstly, as you may know, ransomware viruses are among the worst and hardest-to-fix computer infections. The removal can be done without much trouble, but it doesn’t solve the problem of the locked data. For some ransom-demanding viruses, cybersecurity professionals have made decryptors, which help when it comes to regaining access to encrypted files. Unfortunately, Predator The Cipher doesn’t have one released yet. But don’t give up just yet. It is better to remove the virus, so that it does not cause more damage or invade the system with additional parasites, and to keep the locked files safely stored, because sooner or later a decrypting tool will be released.

In order to delete Predator ransomware, we suggest using Spyhunter. It is professional anti-spyware and malware removal software that is used even by many cybersecurity enthusiasts. It has a large virus database, reliable detection techniques and elimination means. Also, Spyhunter hunts down the newest viruses better than most other security products on the market.

How can you delete Predator ransomware without any software

Unlike the quick fix that anti-malware programs offer, manual removal takes time and some computer knowledge in order to get rid of the virtual parasite completely. We have made a special removal guide on how to eliminate the Predator virus, and if you follow every step correctly, you should have a ransomware-free computer in the end. Unfortunately, there is no manual way to restore the locked files if this crypto-extortionist has gotten rid of the Shadow Volume Copies, but you should give it a try anyway.


How to recover Predator ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Predator infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Predator the Cipher

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Predator the Cipher v1. You can check other tools here.

Step 3. Restore Predator ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance you can use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Predator usually tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, the deletion may fail. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using the native Windows Previous Versions feature or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Predator the Cipher encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.