RansomCuck Ransomware - How To Remove?

 

RansomCuck ransomware is one of the most recent, if not the most recent, ransomware strains reported to be victimizing poor users. This vile cyber threat is said to bear resemblance to the Locky, TeslaCrypt and DetoxCrypto viruses, in a way not yet specified. It is already known, though, that RansomCuck crypto-malware uses the popular asymmetric encryption algorithm to turn the victim’s data into an unreadable pile of encrypted files. It is also known that the code of this crypto virus is still too difficult to be cracked even by the most experienced cyber security researchers, to the great disappointment of affected users. Nevertheless, keep checking this article regularly, because we will update it as soon as a legitimate decryptor is developed.

About RansomCuck Ransomware

RansomCuck ransomware creates two keys during the process of encryption. One is generated for encryption and is called the RSA key, after the names of the developers of this cryptosystem. The other is meant for decryption and is named AES (Advanced Encryption Standard, also known as Rijndael). The first key is public; the second one is private and kept on remote servers controlled by the hackers. This key is unique in each case of attack. When the victim’s files, such as documents, audio and video files, images, databases, etc., have been locked, the “.ransomcuck” or “.cuck” extension is appended to them. For example, “Image.jpeg” is converted into “Image.jpeg.ransomcuck” or “Image.jpeg.cuck”, a RANSOMCUCK file which cannot be opened with any kind of program. Then a How_to_Recover_ Files.txt file appears in every folder containing corrupted data, and How_to_Recover_ Files.html redirects to the website which hosts the following ransom note:

All files including videos, photos, and documents on your computer have been encrypted by this software.
Encryption was produced using a unique key specific to your computer. The only way to obtain your files back is to decrypt them using the unique key specific to your computer.
Your unique key is stored on a TOR server which will automatically destroy itself after 2 weeks. After that, no one will be able to restore your files.
If this program is altered in any way without ransom being payed, your files will be lost forever. A file has been created on the desktop with the exact same instructions.
Your files will be automatically decrypted once the payment is received.
This program automatically communicates with the server and will decrypt your files once the payment has been received.

2 weeks is the time period given to the victim to pay the ransom, which can differ in each particular case and whose range has not been revealed so far. The developers of RansomCuck cryptomalware use the anonymous TOR network to communicate with victims. They also claim to decrypt one file for free to prove to the victim that they can actually restore the damaged data. Even though the hackers may seem quite literate judging from the ransom message, you cannot rely upon criminals and expect that they will give you your data back after you have made the payment they blackmailed you for.

How is RansomCuck Ransomware Distributed?

RansomCuck file-encrypting virus is said to be distributed by e-mail attacks. These e-mail attacks target the spam folder of the victim’s e-mail box. On the day of the attack the victim receives a spam e-mail which is disguised as an official letter from some local institution, such as a law enforcement agency, or from an international organization or company, such as FedEx. These e-mails declare that the victim has committed some crime or that he (she) has received some special delivery package. They list the further actions to be taken and, typically, contain malicious links and/or attachments, which infect the user’s computer system with the code of the ransomware.

RansomCuck crypto malware can also run riot on one’s PC after the user has visited some suspicious or hacked website and the payload of the malware has been downloaded and installed by such creatures of the virtual world as exploit kits (e.g. Nuclear, Blackhole, etc.), lurking in the dark places and sniffing for the vulnerabilities of the systems to be attacked. While you can restrain yourself from visiting such suspicious domains as torrents, etc., there is little you can do about hacked legitimate websites, which can spread viruses. The only thing you can do is to install and regularly update reliable antivirus software, such as Reimage.

How to Decrypt Files Encrypted by RansomCuck Ransomware?

First and foremost, you must copy your infected drive so that the encrypted files are available for the would-be decryptor. Secondly, and most importantly, you need to remove RansomCuck ransomware from your computer’s system before it unleashes World War III on it. Employ professional automatic tools such as Reimage, Spyhunter or Malwarebytes to have this dreadful virus eliminated from your machine. The tutorial for manual removal is right under the article, but we advise you to be very careful and perform each step of the removal with deep scrutiny.

You are most probably burning with impatience to know how to get access to your locked data. While the decryptor is under development, use your reserves, as a hibernating animal uses the resources of its body to stay alive during the winter season. You can use your portable drives, USB drives, etc. or Shadow Volume Copies (if they remained untouched). You did not expect the winter to come and haven’t got anything prepared? Then try professional data recovery tools such as Recuva, PhotoRec, R-Studio, the software by Kaspersky Lab, etc. Good luck, and we hope we will be able to introduce you to the decryption tool as soon as possible.
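
The markers described above (the “.ransomcuck” and “.cuck” extensions and the How_to_Recover_ Files notes) are enough to inventory the damage on the copied drive and to see which files a backup still covers. The following Python script is an added example, not part of the original article; the function names, the sample tree and the whitespace-insensitive matching of the note names are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Markers from the article; matching is case-insensitive.
ENCRYPTED_SUFFIXES = (".ransomcuck", ".cuck")
# Whitespace in note names is ignored: the exact on-disk spelling is an assumption.
NOTE_NAMES = {"how_to_recover_files.txt", "how_to_recover_files.html"}

def original_name(name):
    """Return the pre-encryption file name, or None if the file is not marked."""
    for suffix in ENCRYPTED_SUFFIXES:
        if name.lower().endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return None

def inventory(root):
    """Walk a mounted copy of the drive; only names are read, nothing is opened."""
    root, encrypted, note_dirs = Path(root), {}, set()
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for name in files:
            if "".join(name.split()).lower() in NOTE_NAMES:
                note_dirs.add(rel.as_posix())
            orig = original_name(name)
            if orig:  # map path on disk -> path before encryption
                encrypted[(rel / name).as_posix()] = (rel / orig).as_posix()
    return encrypted, sorted(note_dirs)

def recovery_plan(encrypted, backup_root):
    """Split encrypted files by whether the backup holds a copy at the same path."""
    found = {e: o for e, o in encrypted.items() if (Path(backup_root) / o).is_file()}
    missing = sorted(set(encrypted) - set(found))
    return found, missing

def demo():
    """Run both steps on a constructed tree (sample data, not from a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, backup = Path(tmp, "drive_copy"), Path(tmp, "backup")
        files = [drive / "Docs/Image.jpeg.ransomcuck", drive / "Docs/report.docx.CUCK",
                 drive / "Docs/How_to_Recover_ Files.txt", drive / "notes.txt",
                 backup / "Docs/Image.jpeg"]
        for f in files:
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed")
        encrypted, note_dirs = inventory(drive)
        found, missing = recovery_plan(encrypted, backup)
        return encrypted, note_dirs, found, missing
```

Point `inventory` at the mounted copy of the drive rather than the live system, and `recovery_plan` at the portable drive or other backup you intend to restore from.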

How to recover RansomCuck Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available before RansomCuck Ransomware has infiltrated to your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of RansomCuck Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to RansomCuck Ransomware. You can check other tools here.


Step 3. Restore RansomCuck Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually RansomCuck Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.


b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover RansomCuck Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial)
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

       
 

About the author

 - Main Editor
I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
 
September 6, 2016 07:05, January 3, 2017 05:58
 
   
 
