Serpent virus - How to remove

Hackers will never yield: they have once again manufactured a cutting-edge ransomware infection: Serpent virus. Its creators express a great deal of attention to potential victims’ demographic location: they do not wish to compromise Russian-speaking users and that could be understood as a hint to where the hackers themselves could be from. Internet surfers, sitting next to computers in countries like Tajikistan, Turkmenistan, Kazakhstan, Moldova, Russia, Belarus, Georgia, Azerbaijan or Armenia, can exhale with relief because if a payload of Serpent enters their devices, malicious executable will self-destruct. Sadly, every other country is a fair game and this ransomware infection will encrypt those users’ files with no remorse. Before this action reaches a point of culmination, ransomware will generate an original ID for victims’ hard drive, and will send it together with the victims’ geographical location, IP address and a campaign ID. C&C server will then provide Serpent virus with the necessary information to continue with the virus, giving it the RSA code for encryption which will not be used straighaway. This fearsome variant seems to be distributed in campaigns of malicious spam, for this reason, if you are not from the latter indicated countries, your shields should be up.

Full report about Serpent virus and its road to success

There is almost no doubt that Serpent crypto-virus is distributed as an attachment in spam letters. The ones that are indicated to feature a Word file with malicious macros are written in the Danish language, meaning that people from the country of Denmark might be one of the audience that is expected to become the first victims of the Serpent ransomware. Victims are strongly encouraged to download files with alleged notifications for payments/bill/expirations dates and then, they are further stimulated to enable Macros in the Word document that opens up. Then the ransomware is going to go on to check the location of the user, and if it fits the requirements, user becomes a victim of Serpent ransomware.

The payload is assumed to be hiding as a completely ordinary folder in AppData. It will also disable a bunch of procedures in your computer and encrypt the files that are related with them. In order to execute encryption properly, from this point, Serpent virus will initiate a series of scans to determine which files are can be harmed by encryption. Since nearly 900 file types are targeted, we doubt that the ransomware will have any issues with finding files to encode with AES-256. But wait, why did we mention RSA at the beginning of our article? Well, AES encryption is not the only one to be executed: RSA-2048 algorithm is meant to further complicate things for the victims.

RSA is applied to encode the decryption key. The title for this variant is taken from the extension it appends to corrupted data: .serpent. But that is not all: cipher.exe will be used to strengthen the encryption even more and make the decryption process even less likely to be possible. After all of the necessary objectives are concluded, the ransomware is prepared to append two additional files that will lead to the ransom note: HOW_TO_DECRYPT_YOUR_FILES_[random-3-char].html and HOW_TO_DECRYPT_YOUR_FILES_[random-3-char].txt. These files will contain links to a website which will inform users about Serpent ransomware and possible ways to decrypt the files it made inaccessible. More about decryption read in the section entitled ‘Enigma of the decryption of files that Serpent has spoiled’.

Enigma of the decryption of files that Serpent virus has spoiled

Currently, there is no tool to use for decryption of files. However, you should not pay 0.75 BTC( approximately 736.50 US Dollar) to receive a special software called ‘Serpent Decrypter’. This amount will remain to be the required fee if victims succeed in paying it during the first 7 days from the moment this ransomware nightmare began. If user takes more time than a ransomware gives, the sum increases to 2.25 BTC (about 2209.50 Dollars). Wasting money on decryption tools that have been generated by hackers is definitely a risky business. It might be that they are viciously deceive you and they do not even have the software which is supposed to restore your data. Be patient until security researchers can provide you with a reliable file-recovery tool. If you are infected with this variant, words ‘backup storages’ should flash in your mind.

Serpent virus embarks on a journey to your device

Serpent ransomware has selected to poison Microsoft Word documents with vile macro scripts. As soon as you download the payload and allow those macros to be enabled, you are going to be infected with Serpent ransomware and it its processes won’t take long to be concluded. If you are reading this article simply for reasons of prevention, we can surely recommend you to clean your inboxes regularly since malicious spam campaigns might fill your inbox with malware sources. In other cases of ransomware infection, various exploit kits help these threats reach computer devices. In order to remove Serpent ransomware from your system, you are strongly encouraged to take advantage out of reliable anti-malware tools. Spyhunter or Malwarebytes will remove malware threats from your system and keep it running without any glitches. Shadow Volume Copies seemed to be deleted by Serpent virus, but other information below can turn out to be helpful to you.

Update of the 18th of April, 2017. A new variant of Serpent has been detected. Instead of appending .serpent extension to the encrypted data, it adds a shorter version: .serp. README_TO_RESTORE_FILES.txt is the ransom note of the newly detected variant.

How to recover Serpent virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Serpent ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Serpent virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Serpent ransomware. You can check other tools here.  

Step 3. Restore Serpent virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Serpent ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Serpent virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *