Random6 virus - How to remove

Random6 ransomware virus (also referred to as Johnnie) is presumed to be designed to pursue attacks against users from Malaysia. Appearantly, this specific sample has already been successful in attacking companies and their computer networks. For quite some time, there was no significant information, regarding this variant, but today, we are able to answer a couple of concerning questions about this.

What is more, we are even able to suggest an efficient technique of recovering data. Security researchers did not slack off and they were able to figure out a method that would help victims decrypt their digital data. Contact Michael Gillespie for more information about file-decryption.

This ransomware is decryptable: do not pay the ransom

This crypto-virus exploits a strategy of adding random extensions to each individual victim. For one, encrypted data could feature .llawex extension, and for another: .pmxkab or .upzbrf. Despite the differing extensions, the variant is the same and there should no longer be anymore confusion.

While the first victims were unable to find results when attempting to find more information about the virus that attacked them, now the situation has significantly improved. The file-encoding process also affected filenames that digital data originally had. After their content and names become encrypted, there was no way of telling which executable was which.

Random6 virus

Random6 infection has incorporated a frequent but effective method of file-encryption. Both AES and RSA algorithms are applied to the selected executables which should make the file-decryption a very complicated task. Nevertheless, as we have already stated in the first paragraph: there is no need to pay the ransom as security researchers can help you recover files without hackers’ interference.

In the RESTORE-.[random extension]-FILES.txt file, [email protected] email address is explained to belong to hackers that created Johnnie ransomware and victims have to contact them. In the sent email, it is necessary a personal ID number would be included. We have our suspicions that the ransom fee will differ for individual victims, depending on the amount of files that have been encoded by a deadly-combination of RSA and AES algorithms. Once again we stress out that you are not to pay the ransom! There is a free way of recovering files!

Since there is way of recovering your data without having to pay the ransom, we will only briefly mention the alternative methods that could be applied. For instance, victims of ransomware could be able to restore Shadow Volume Copies or examine their encrypted data with file-recovery tools. However, the best thing is not to relay on any of these options or free decryptors: the most beneficial thing to do is to create an additional source of your files. Upload important digital files into USB flash drives if you do not feel like signing up for an online storage service.

Before you will be properly assisted with the decryption-process, you will probably have to delete the infection. This step is crucial as even though you might succeed in recovering your files, but a still active ransomware virus might be designed to re-encrypt files. To avoid this, it is better to scan your operating device for viruses. Spyhunter or Malwarebytes will provide guidance and peace.

How did this infection arrive in victims’ devices? We do not have a lot of information on this topic but we have our predictions. For instance, misleading emails, containing malicious attachments, could be sent around. If you happen to be one of the people to receive a questionable letter, remember that you have to examine it before you can react to its actual message. Look at the senders’ address to determine whether it matches the legitimate contact information. In addition to this, messages from hackers usually contain illogical details and grammatical errors.

How to recover Random6 virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Johnnie virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Random6 virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Johnnie virus. You can check other tools here.  

Step 3. Restore Random6 virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Johnnie virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Random6 virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *