Shariz File Locker - How to remove

Shariz is the name of a ransomware infection. Personal files, projects, and work files that weren’t properly backed up can all be completely corrupted by this virus with the help of cryptography, which makes them nearly impossible to recover. The virus continues to encrypt newly created files and spy on the victim, making it unsafe to use the infected computer until it’s cleaned of all malware.

Shariz is a little more than just a file-encrypter. On top of installing the password-stealing trojan AZORult, it also disables the antivirus program, deletes shadow volume copies and system restore points, and encrypts files on connected storage. Finally, it asks for almost $1000 to be paid in exchange for the decryption key and software. It works mostly the same as older cryptoviruses of the same Djvu family, like Adobe and Mogranos. However, Shariz is an improved, more dangerous iteration.

While there are some ways to get some of the files back even if you didn’t have any backups, the chances of success are very low and most of your data will probably remain locked. But, at least, if you know how Shariz infected you, you can use that knowledge to secure your computer and avoid future infections.

Most of the time, we hear about ransomware in the context of large businesses, institutions, and government facilities being infected. The ransom amounts range in the hundreds of thousands.

However, Shariz targets normal PC users. The methods for how it spreads and the small ransom amount show that. The creators are obviously successful in making a living off of this criminal activity, which means that the victims are numerous and desperate to get their files back.

Rather than paying, it’s better to remove the malware and avoid being re-infected:

Features of Shariz ransomware
Damage caused
  • Spyware is likely installed
  • Important files corrupted
  • Time lost to fixing the situation
Distribution
  • Pirated files
  • Bundled software
  • Hacked software
  • Malicious ads
Avoid future encryption
  • Don’t pay the ransom
  • Remove Shariz and the spyware (Spyhunter)
  • Update all software
  • Avoid pirating and unreliable software distributors

Shariz ransom note, email, extension

Shariz is named after the extension that it gives the files it locks. You can see that the encrypted files have a naming pattern like [original name].[original type].shariz and the type of the file is listed as SHARIZ. This is hardly a real file type but it serves as a marker for the ransomware to know what files it’s already locked.

To get the victims to contact them, the developers of Shariz leave ransom notes called _readme lying around. These notes are meant to send the victim into panic and get them to send the money to the criminals as quickly as possible.

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

Considering that the Shariz virus also installs a password-stealing trojan, anyone who so much as tries to log in to their online bank account to check their balance risks exposing their credentials to criminals. And with the way that Shariz blocks certain websites from being accessed, they can’t even use the computer to check if they’re infected and what their options are.

How to avoid ransomware

Of all the ways that ransomware can use to spread, Shariz and other contemporary Djvu versions use ones that are most likely to affect individual people and, possibly, small businesses. If you want to avoid any more ransomware (as well as trojans and miner infections), you might need to change your browsing habits a bit:

  • Stop pirating programs, downloading “free” versions of expensive commercial software, downloading activators and cracks. Malware likes to hide in such files, according to research. In fact, this is the most likely way that Shariz infected your computer. There are many free programs, such as open-source software, that don’t cost anything and don’t require you to use shady, malicious websites to access them.
  • Don’t open links and files that you got from unexpected senders. Whether it’s an email, a private message, or something else, be suspicious of having to open a file that you didn’t expect because spam is how a lot of ransomware is distributed, including predecessors of Shariz.
  • Turn off your remote access software, such as RDP, if you’re not using it, and if you are, make sure it’s protected with a strong password and doesn’t allow just anyone to try to connect. Unprotected Remote Desktop is automatically hacked by online bots, so anyone is vulnerable.
  • Update all of your programs because using out-of-date (including cracked) software makes you very vulnerable to some attacks that exploit known security bugs.
  • Finally, maintain backups of your files. Make sure the backups can’t be infected by a virus on your computer. If you have backups, you can get infected by Shariz or any other file-encrypting ransomware, but the damage will be minimal, the recovery — swift.

How to remove Shariz and restore the files

If the attack happened recently, you might be able to restore your lost data using various methods like system restore and data recovery. These methods don’t offer guaranteed file recovery but some people have successfully got back a lot of their data.

You can also try to experiment with some of the locked files (just save them on a backup in case things go wrong). Who knows, maybe Shariz failed to work properly and didn’t encrypt the files despite renaming them. Check the audio files especially.
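
One way to run that check over a whole folder, as an added example that is not part of the original article: the Python sketch below finds files carrying the .shariz marker, recovers the original type from the name, and compares the first bytes with that type's well-known signature. The function names and the small signature table are assumptions chosen for illustration, and the sample files are constructed.

```python
import os
import tempfile

EXT = ".shariz"  # marker extension described in the article
# Assumed illustrative table of well-known signatures: (offset, magic bytes).
SIGNATURES = {
    ".pdf": [(0, b"%PDF-")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".wav": [(0, b"RIFF"), (8, b"WAVE")],
    ".flac": [(0, b"fLaC")],
}

def original_name(path):
    """'song.flac.shariz' -> 'song.flac'; None if the file is not marked."""
    base = os.path.basename(path)
    marked = base.lower().endswith(EXT) and len(base) > len(EXT)
    return base[:-len(EXT)] if marked else None

def header_intact(path):
    """True/False if the first bytes match/mismatch the original type, None if unknown."""
    name = original_name(path)
    sigs = SIGNATURES.get(os.path.splitext(name)[1].lower()) if name else None
    if sigs is None:
        return None
    with open(path, "rb") as fh:  # read-only: the locked file is never modified
        head = fh.read(16)
    return all(head[off:off + len(magic)] == magic for off, magic in sigs)

def triage(root):
    """Return {path: header_intact(path)} for every marked file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if original_name(full) is not None:
                report[full] = header_intact(full)
    return report

def demo():
    """Constructed samples: a renamed-only FLAC, a scrambled PNG, an unknown type."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"song.flac.shariz": b"fLaC" + b"\x00" * 32,
                   "photo.png.shariz": bytes(range(40, 72)),
                   "notes.xyz.shariz": b"unknown", "untouched.pdf": b"%PDF-1.7\n"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): ok for p, ok in triage(d).items()}
```

A True result only shows that the first bytes still match the original type, so confirm by opening a backup copy of the file with the marker extension removed.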

Depending on how Shariz is developed, it’s possible that some of the files could be decrypted by a free decryption tool in the future. For now, the Shariz files are undecryptable using free and publicly available methods. Still, read all of this post — if you read it in its entirety, it explains the possibilities of Djvu decryption and the limitations. If any of your Shariz files are ever to be decrypted, this researcher will probably deserve the thanks for that.

You can also pay the extortionists to get your files back, but that’s a terrible, risky idea. There’s no guarantee that the criminals won’t just take the money and ignore you. Even if they try to help you restore your files with their tool and a decryption key, some file types might not be restored properly due to technical difficulties. Plus, the criminals might use their decryption tool to install more malware on your computer that could later infect it again. And paying does nothing to get rid of the malware already on your machine.

So, however you choose to restore your files, remember to scan for and remove all the malware. You can use Spyhunter or another professional anti-malware application. If it doesn’t work, you can try ending malicious processes, using safe mode, or scanning your disk from another computer.


How to recover Shariz File Locker encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Shariz File Locker infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Shariz File Locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Shariz File Locker. You can check other tools here.

Step 3. Restore Shariz File Locker affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Shariz File Locker tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Shariz File Locker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.