Shark ransomware V2 - How to remove

Shark ransomware virus belongs to a specific family of file-encoders: CryptoMix. That family served as the template for EMPTY, Zayka and many other crypto-malware threats. According to the technical analysis of this infection, it uses the strong RSA-2048 algorithm for encryption. As you would guess, the .SHARK extension is appended to encrypted data, and this is exactly where the name comes from.

Facts about Shark crypto-virus

Security researchers noticed a few payloads of Shark crypto-virus. One of them is an explorer.exe file which is labelled as a product called “Admin” (AntiVirus). In its description section, the tool is described as “Funny Text Hill Disadvantage Cmpsitins Stars”. The language code of explorer.exe is Danish and the legal copyright is assigned to KG and its Licensors. Furthermore, the payload is evasive and malicious, and it drops a number of different files, including the ransom notes _HELP_INSTRUCTION.txt and _HELP_INSTRUCTION.html. It could also be hiding in %ALLUSERSPROFILE%, under an Adobe Acrobat folder.
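A small triage script built on the indicators above (the .SHARK extension and the two ransom-note filenames); this is an added example, not code from the original article or from the analysis it cites, and the directory tree it scans is a constructed sample:

```python
import os
import tempfile
from collections import Counter

# Indicators named in the article: the extension Shark appends to encrypted
# files and the two ransom-note filenames it drops next to them.
ENCRYPTED_EXT = ".shark"
RANSOM_NOTES = {"_help_instruction.txt", "_help_instruction.html"}


def triage_tree(root):
    """Walk `root` and summarise Shark indicators found under it.

    Paths in the result are relative to `root` so the summary is portable.
    """
    encrypted, note_dirs = [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(rel_dir)
            elif lower in RANSOM_NOTES:
                note_dirs.add(rel_dir)
    return {
        "encrypted_count": len(encrypted),
        "per_dir": dict(Counter(encrypted)),   # how far the encryption spread
        "note_dirs": sorted(note_dirs),
        "infected": bool(encrypted or note_dirs),
    }


def build_sample_tree(base):
    """Populate `base` with a constructed sample (not a real capture)."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Shark replaces the original filenames, so encrypted names look opaque.
    for name in ("0A1B2C3D.SHARK", "9F8E7D6C.SHARK",
                 "_HELP_INSTRUCTION.txt", "_HELP_INSTRUCTION.html"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(pics, "holiday.jpg"), "w").close()  # untouched file


def run_sample():
    """Build the sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    print(run_sample())
```

Pointing `triage_tree` at a user profile on a suspect machine gives a per-folder count of encrypted files and the folders where notes were dropped, which is enough to judge the spread before attempting any of the recovery steps below.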


Also, the authors of Shark ransomware urge people to contact the following email addresses: [email protected], [email protected] or [email protected]. Users might actually consider this option, especially when they notice that their digital files are completely unrecognizable. This is because the file-encoder not only appends its own extension but also replaces the original filenames. For some background information, CryptoMix first emerged in 2016, was transmitted in malicious spam campaigns and also used RSA encryption (CryptoMix).

Shark crypto-virus is related to a bunch of other ransomware infections. Azer and Error infections are all generated by the same hackers, hoping to intimidate people into paying ransoms. To complicate this situation, Shark malware also disrupts normal operation of the operating system, and victims might not even be able to fully boot their systems. To prevent free file-decryption, the crooks also design the ransomware to run a command that deletes all Shadow Volume Copies (CryptoMix).

The ransom note that the ransomware (Ransomware) plants on victims’ computers does not provide a lot of information. Instead, people are instructed to contact the listed emails. This is not advisable and we hope that people will be able to remain strong. However, if some people pay the demanded ransoms and receive functioning decrypters, we hope that they will be eager to share them with security researchers to ease the lives of other people currently struggling with Shark virus.

In our blog, we have another Shark ransomware, but it is completely different from the one we are discussing in this new article. The preceding version was probably developed by different crooks and it was distributed as a product of a RaaS. It appended the .locked extension and was available for purchase in 30 languages. Basically, cyber criminals would have had a chance to control ransomware viruses without having to create actual malware samples.

Decryption of files that have been marked with .SHARK extension

Currently, there is no way of recovering files. Security researchers are working on free decryption software, but no good news has been announced yet. The fact that volume shadow copies are deleted makes decryption more complex. You could try universal file-recovery tools, but there are no promises that they will work.

Of course, the best solution would be to retrieve files from backup storage. However, not all people can take advantage of this option. To protect your digital files, we hope you will upload them to backup storage to prevent any damage. That way, you will be able to retrieve data at any time.

Removal and prevention of ransomware

If you are interested in removing the ransomware manually, we have provided guidelines below. Furthermore, in these instructions you will also find tips on data recovery. To keep operating systems malware-free, devices have to be protected with anti-malware tools like Spyhunter. This does not give you a free pass to visit every suspicious website and download useless applications.

To protect operating systems from ransomware, you should properly secure RDP. This means creating complicated passwords. Additionally, malicious spam campaigns could also be used for the purpose of transmitting ransomware and Trojans. Please do not open emails from unknown sources. Do not download attachments or visit recommended websites. All of these actions can end with your operating system becoming compromised by crypto-malware samples.

How to recover Shark ransomware V2 encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Shark ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Shark ransomware V2

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Shark ransomware. You can check other tools here.

Step 3. Restore Shark ransomware V2 affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Shark ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Shark ransomware V2 encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
