Shark ransomware belongs to a specific family of file-encoders: CryptoMix. That family has served as the template for EMPTY, Zayka and many other crypto-malware threats. According to the technical analysis of this infection, it uses the strong RSA-2048 algorithm for encryption. As you would guess, the .SHARK extension is appended to encrypted files, and this feature is exactly where the name comes from.
Facts about Shark crypto-virus
Security researchers have noticed a few payloads of the Shark crypto-virus. One of them is an explorer.exe file which presents itself as a product called “Admin” (AntiVirus). In its description section, the tool is labelled “Funny Text Hill Disadvantage Cmpsitins Stars”. The language code of explorer.exe is Danish and the legal copyright is assigned to KG and its Licensors qip.ru. Furthermore, the payload is evasive and malicious, and it drops a number of different files, including the ransom notes _HELP_INSTRUCTION.txt and _HELP_INSTRUCTION.html. It could also be hiding in an Adobe Acrobat folder under %ALLUSERSPROFILE%.
The authors of Shark ransomware also urge people to contact the following email addresses: [email protected], [email protected] or [email protected]. Users might actually consider this option, especially when they notice that their digital files are completely unrecognizable. This is because the file-encoder not only appends its own extension, but also replaces the original filenames. For some background information, CryptoMix first emerged in 2016, was transmitted in malicious spam campaigns and also used RSA encryption (CryptoMix).
The Shark crypto-virus is related to a bunch of other ransomware infections. Azer and Error infections are all generated by the same hackers, hoping to intimidate people into paying ransoms. To complicate the situation, Shark malware also interrupts the regular operation of the operating system, and victims might not even be able to fully boot their systems. To prevent free file-decryption, the crooks also designed the ransomware to run a command that deletes all Shadow Volume Copies (CryptoMix).
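As an added example (not code from the original article), the Python script below triages a folder for the indicators described above, the .SHARK extension and the _HELP_INSTRUCTION ransom notes, and flags process command lines that look like Shadow Volume Copy deletion. The exact deletion command patterns (vssadmin / wmic / WMI forms) are my assumption, since the article does not name the command, and the sample folder is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: appended extension and ransom note names.
SHARK_EXT = ".shark"
RANSOM_NOTES = {"_help_instruction.txt", "_help_instruction.html"}

# Assumption: the shadow-copy deletion "command" is one of the usual
# vssadmin / wmic / WMI forms; the article does not name the exact one.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]


def find_shark_indicators(root):
    """Walk a directory tree and report .SHARK files and CryptoMix-style notes."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()  # case-insensitive like NTFS
        if name.endswith(SHARK_EXT):
            encrypted.append(str(path))
        elif name in RANSOM_NOTES:
            notes.append(str(path))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def flags_shadow_deletion(cmdline):
    """True if a process command line looks like Shadow Volume Copy deletion."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def demo():
    """Constructed sample: a temporary folder imitating an infected profile."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        # The encoder replaces filenames too, so the encrypted name carries
        # no hint of the original document (constructed name).
        (docs / "A1B2C3D4E5F6.SHARK").write_bytes(b"\x00" * 16)
        (docs / "_HELP_INSTRUCTION.txt").write_text("constructed note")
        (docs / "report.docx").write_bytes(b"PK")  # untouched file
        return find_shark_indicators(tmp)
```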
The ransom note that the ransomware (Ransomware) drops on victims’ computers does not provide a lot of information. Instead, people are instructed to contact the listed emails. This is not advisable and we hope that people will be able to remain strong. However, if some people pay the demanded ransoms and receive functioning decrypters, we hope that they will be eager to share them with security researchers to ease the lives of other people currently struggling with the Shark virus.
In our blog, we have covered another Shark ransomware, but it is completely different from the one discussed in this new article. The earlier version was probably developed by different crooks and was distributed as a RaaS (ransomware-as-a-service) product. It appended the .locked extension and was available for purchase in 30 languages. Basically, cyber criminals had a chance to run ransomware campaigns without having to create actual malware samples.
Decryption of files that have been marked with .SHARK extension
Currently, there is no way of recovering the files. Security researchers are working on free decryption software, but no good news has been announced yet. The fact that volume copies are deleted makes decryption more complex. You could try universal file-recovery tools, but there is no promise that they will work.
Of course, the best solution would be to retrieve files from backup storage. However, not all people can take this route. To protect your digital files, we hope you will upload them to backup storage to prevent any damage, so that you will be able to retrieve your data at any time.
Removal and prevention of ransomware
If you are interested in removing the ransomware manually, we have provided guidelines below. In these instructions, you will also find tips on data recovery. To keep operating systems malware-free, devices have to be protected with anti-malware tools like Spyhunter. This does not give you a free pass to visit every suspicious website and download useless applications.
To protect operating systems from ransomware, you should properly secure RDP (Remote Desktop) access. This means creating complex passwords. Additionally, malicious spam campaigns can also be used to transmit ransomware and Trojans. Please do not open emails from unknown sources. Do not download attachments or visit recommended websites. All of these actions can end with your operating system being compromised by crypto-malware samples.
How to recover Shark ransomware V2 encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Shark ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Shark ransomware V2
After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to Shark ransomware.
Step 3. Restore Shark ransomware V2 affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Shark ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Shark ransomware V2 encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.