Tunca ransomware - How to remove

Tunca ransomware is a new cryptovirus infection that was noticed spreading among online users at the end of December 2018. The new virus showed up right before the major holidays, with the crooks hoping to profit from distracted users, yet analysis of the threat shows that its developers may have rushed the release: the ransomware does not work properly, and it was not hard for security specialists to crack.

Tunca ransomware might have infected your computer right before or during the holiday weekend. You can recognize this threat by the added .tunca extension, the red pop-up ransom note, the .Net framework error window and the [email protected] contact email. If these are the main signs of the virus that has locked your precious virtual memories and is now asking for a payment, please continue reading this article, because your Windows system is in danger and needs immediate action to solve the Tunca malware infection.

What is Tunca ransomware

First discovered and reported by cybersecurity expert Leo, Tunca virus is a new variant of ransomware, developed with the Microsoft .Net framework and now fairly widely recognised by various antivirus products, according to the Virustotal.com report. The working principle of this ransomware is the same as that of any other crypto threat: lock personal files and ask the victim for a ransom in exchange for a decryptor. Although this is what Tunca ransomware tries to do, it fails, because its mechanisms do not run properly and the virus seems to still be in development.

Tunca ransomware, just like Ransomwared, Jemd, Mercury and other cryptolockers, once inside the targeted system runs background processes to ensure persistence and a smooth install without being detected, and starts looking for potential target files to encrypt. Here is where the issues occur with Tunca virus: the ransomware locks only several types of data, not all personal files. The affected files still get marked with a typical cryptovirus extension, in this case .tunca. What is more, after this half-successful encryption, instead of opening the ransom note the threat pops up a Microsoft .Net framework error window reporting a problem with the program. If the user presses Continue, the already encrypted files are locked again and double-marked with the .tunca extension (a file ends up as, for example, photo.jpg.tunca.tunca).
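The marker behaviour described above is also what an incident responder uses first: the appended extension tells you which files were hit, how many were locked twice after the error dialog, which file types the malware actually targets, and roughly when encryption started (useful later for picking a restore point or shadow copy). The following triage script is an added example written for this article, not code from the page or from the ransomware's authors; the only assumption it takes from the page is the .tunca marker, and the directory tree it scans is constructed inline.

```python
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional, Tuple

MARKER = ".tunca"   # extension this page reports Tunca appends to locked files


def strip_marker(name: str) -> Tuple[str, int]:
    """Return (original_name, layers): the filename with every trailing .tunca
    removed and how many markers were stacked on it. A file that was locked
    again after the .Net error dialog carries two."""
    layers = 0
    while name.lower().endswith(MARKER):
        name = name[: -len(MARKER)]
        layers += 1
    return name, layers


def triage(root: Path) -> Dict[str, object]:
    """Walk a tree and summarise what the marker reveals: marked files,
    double-marked files, original extensions hit, and the earliest
    modification time among marked files (a rough infection timestamp)."""
    marked = 0
    double = 0
    ext_hits: Counter = Counter()
    earliest: Optional[float] = None
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        original, layers = strip_marker(path.name)
        if layers == 0:
            continue                     # untouched file, not interesting here
        marked += 1
        if layers > 1:
            double += 1
        ext_hits[Path(original).suffix.lower() or "(none)"] += 1
        mtime = path.stat().st_mtime
        earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "marked": marked,
        "double_marked": double,
        "extensions": dict(ext_hits),
        "earliest_mtime": earliest,
    }


def build_sample(root: Path) -> None:
    """Constructed sample tree (not a real infection): three marked files,
    one of them double-marked, and one file the malware skipped."""
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.tunca").write_bytes(b"\x00" * 16)
    (root / "Documents").mkdir()
    (root / "Documents" / "taxes.docx.tunca.tunca").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.txt").write_bytes(b"plain text, untouched")
    (root / "Music").mkdir()
    (root / "Music" / "song.mp3.tunca").write_bytes(b"\x00" * 16)


def demo() -> Dict[str, object]:
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real root (for example `triage(Path("C:/Users"))`) instead of `demo()`; the extension tally tells you what Tunca considers a target, and `earliest_mtime` is the cut-off before which a restore point or shadow copy must have been created to be of any use.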

Tunca ransomware ransom note error

This failed attempt gives the impression that the Tunca virus is made by amateur hackers. The pop-up ransom note adds fuel to the fire with its ridiculous request to spread the virus to 10 of the victim's friends in exchange for a free decryptor; otherwise the victim is asked to pay 100€ (roughly 115 USD) or the same amount in other currencies such as the Czech crown, British pound or Polish zloty, via Paysafecard:

Ooops, it seems like all of your files have been encrypted with AES encryption algorithm.

Can I get my files back? 
-Yes, you can. But you need this following software : 
KGDecrypt 
– Without the software, no one can decrypt your files

How do I pay? 
-Simply buy a 100€ Paysafecard 
-Send message with the Paysafecard PIN to this account : 
[email protected] 
-Wait for us to confirm your payment 
-Get the decryptor

However, there is a way to get a free decryptor!

How to get the free decryptor? 
-Create a link on grabify that will download your victim the ransomware 
-With this, infect at least 10 people 
-Send proof to: [email protected] 
-Get your decryptor

Although the requested amount is not that big compared to the average ransomware demand (see https://www.csoonline.com/article/3193981/security/report-average-ransomware-demand-now-over-1000.html), it is still not worth paying the hackers. Because the virus seems to be in a developmental stage, any ransom payments gathered will go toward making Tunca ransomware better. Our advice is to continue reading this article and learn how to remove the threat without having to send it to your friends or spend 100€ out of your own pocket. Also, take a look at the Ultimate protection guide against ransomware for future safety.

How does Tunca ransomware spread

Judging from Tunca's ransom note (which tells victims to spread the ransomware through a grabify download link) and from common ransomware behaviour, the cryptovirus is most likely disseminated via email and malspam. Crooks send out various socially engineered messages claiming that for some urgent reason you need to open the attached .docx or .pdf file, which in reality is the virus installer. Opening the file itself is not the dangerous part; enabling the macros of a Word attachment is what executes the Tunca ransomware setup. This Microsoft Office feature has been one of the main cryptovirus spreading vectors for the past few years, and despite awareness campaigns and antivirus alerts about unknown downloaded files, many users still fall for the crooks' trick.

Messages designed by hackers can sound like something coming from the government, an employee or employer, healthcare facilities, lawyers, clients and so on, so these scareware-like features ensure the distribution of Tunca virus. But apart from the scary and urgent wording, the email can be recognized as malicious by the shady, unofficial sender address, mistakes in the text, the lack of detail, the obvious pushing to open the attachment and, moreover, the unspecified addressee. (How to recognize phishing campaigns)
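Whether an Office attachment carries macros at all can be checked before it is ever opened, because a modern Word/Excel/PowerPoint file is a zip package and its VBA code lives in a fixed part (word/vbaProject.bin and friends). The checker below is an added example written for this article, not code from the page or from the malware's authors. It assumes the standard Office Open XML part names and the usual "x = macro-free, m = macro-enabled" extension convention; the sample attachments are constructed in memory. A .docx that nonetheless contains a VBA project is the strongest red flag, since Word never writes one into that format.

```python
import io
import zipfile
from typing import Dict

# Where Office Open XML packages keep their VBA project. The "x" formats are
# not supposed to contain one at all; the macro-enabled formats are the "m"
# variants.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx", ".potx"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".potm"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
PDF_MAGIC = b"%PDF"


def inspect_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Classify an attachment without opening it in Office. Reports whether a
    VBA project part is present and gives a short verdict."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    result: Dict[str, object] = {"filename": filename, "is_ooxml": False,
                                 "has_vba": False, "verdict": ""}
    if data.startswith(PDF_MAGIC):
        result["verdict"] = "PDF: cannot hold VBA macros (may still carry links or exploits)"
        return result
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: macros live in OLE streams, which needs an
        # OLE-aware parser such as oletools' olevba, not a zip listing.
        result["verdict"] = "legacy OLE2 Office file: may hold macros, inspect with an OLE-aware tool"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["verdict"] = "not an Office Open XML package"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_vba"] = any(part in names for part in VBA_PARTS)
    if result["has_vba"] and ext in MACRO_FREE:
        result["verdict"] = "macros present in a macro-free extension: suspicious"
    elif result["has_vba"]:
        result["verdict"] = "macros present: do not click Enable Content"
    else:
        result["verdict"] = "no VBA project found"
    return result


def make_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word package for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            # A real vbaProject.bin is itself an OLE2 container; a stub is enough here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "Invoice_2018.docx": make_ooxml(with_vba=True),    # macro file renamed to .docx
        "Invoice_2018.docm": make_ooxml(with_vba=True),
        "Newsletter.docx": make_ooxml(with_vba=False),
        "Scan.pdf": b"%PDF-1.4\n%constructed stub\n",
    }
    for name, blob in samples.items():
        print(f"{name}: {inspect_attachment(name, blob)['verdict']}")
```

Run `inspect_attachment` over saved attachments before anyone clicks "Enable Content"; a positive result is reason enough to treat the message as malspam regardless of how official the wording looks.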

How to get rid of Tunca virus and recover files

Ransomware viruses are known as one of the most notorious malware species because recovering from their damage is so troublesome. Removing the Tunca virus does not, unfortunately, mean that the encrypted files will get unlocked, especially if you managed to lock them twice or more. However, there are a few tricks that may restore your inaccessible data and cleanse the computer, but before talking about any recovery you must delete the ransomware first. In order to do so, you will need a sophisticated anti-malware program such as Spyhunter or Malwarebytes.

These malware-eliminating tools are not just for amateurs; on the contrary, they are widely used by cybersecurity professionals, since they hunt down and delete even the newest threats like Tunca ransomware, saving time for the compromised computer's owner. Not everyone has backups that would allow restoring the system to the point before the infection, so automatic malware removal is the best option in that case. All that needs to be done is to run a free scan and follow the provided instructions to completely terminate Tunca ransomware.

Only once your Windows system is Tunca-free can you begin recovering locked files. Even though the ransom note claims you can get the free decryptor by infecting other computers, that may be just a lie to spread the ransomware further, with the crooks never replying to victims, the same as if you pay. Overall, interacting with hackers is never a good option. Below, in the manual removal guide, you can find ways to restore data from Shadow Copies and with the assistance of a file recovery tool. Also, a well-known malware expert, known as # on Twitter, noted in a reply under the original post that Tunca virus is decryptable, so you might try requesting help from him before an official decryptor comes out.

Automatic Malware removal tools

Download Spyhunter for Malware detection (Win)

Note: the Spyhunter trial provides detection of parasites and assists in their removal for free; a limited trial is available.

Download Combo Cleaner for Malware detection (Mac)

Note: the Combo Cleaner trial provides detection of parasites and assists in their removal for free; a limited trial is available.

How to fix Tunca virus infected computer

Users who regularly make backups are the lucky ones, because to solve a Tunca ransomware infection all they need to do is restore their system to the point right before the virus entered their Windows. How to do that, you can find below in our guidelines. Mind you, these instructions are only for people who do have proper backups or restore points.


How to recover Tunca ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter. (On Windows Vista and later rstrui.exe sits directly in System32, so if cd restore reports that the path cannot be found, simply continue with the next step.)
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the Restore Points available from before Tunca ransomware infiltrated your system and then click "Next".
  • To start System Restore, click "Yes".
 

Step 2. Complete removal of Tunca ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Tunca ransomware. You can check other tools here.  

Step 3. Restore Tunca ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Ransomware of this kind usually tries to delete all Shadow Volume Copies, so this method may not work on all computers; however, the deletion sometimes fails. Shadow Volume Copies are available on Windows XP Service Pack 2 and later (Vista, 7, 8 and 10). There are two ways to retrieve your files via a Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.
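Before trusting either of the two methods above it is worth knowing which shadow copies still exist and which of them predate the encryption, because any snapshot taken after the infection already contains the .tunca files. On Windows the authoritative listing comes from `vssadmin list shadows` run from an elevated prompt; the parser below is an added example for this article, not code from the page, and the report it parses is a constructed sample laid out like vssadmin's US-English output (GUIDs and host name are made up, and the date format is an assumption that depends on the system locale).

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the layout `vssadmin list shadows` prints on a
# US-English Windows machine. Not captured from a real Tunca infection.
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {1b9c6a3e-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 12/20/2018 9:15:02 PM
      Shadow Copy ID: {7f1a2b3c-0000-4000-8000-000000000011}
         Original Volume: (C:)\\?\Volume{2d3e4f50-0000-4000-8000-000000000022}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {1b9c6a3e-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 12/26/2018 8:02:41 AM
      Shadow Copy ID: {7f1a2b3c-0000-4000-8000-000000000012}
         Original Volume: (C:)\\?\Volume{2d3e4f50-0000-4000-8000-000000000022}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"          # assumption: US-English locale
TIME_RE = re.compile(r"creation time:\s*(.+)$")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text: str) -> List[Dict[str, object]]:
    """Turn vssadmin's indented report into records of
    {"created": datetime, "volume": "C:", "device": r"\\?\GLOBALROOT\..."}.
    One shadow copy set shares a creation time across all the volumes it
    snapped, so the time is remembered and attached to each 'Shadow Copy ID'."""
    copies: List[Dict[str, object]] = []
    created = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), TIME_FMT)
            continue
        if line.startswith("Shadow Copy ID:") and created is not None:
            copies.append({"created": created})
            continue
        if not copies:
            continue
        m = VOLUME_RE.search(line)
        if m:
            copies[-1]["volume"] = m.group(1)
            continue
        m = DEVICE_RE.search(line)
        if m:
            copies[-1]["device"] = m.group(1)
    return copies


def usable_copies(text: str, infected_at_iso: str, volume: str = "C:") -> List[Dict[str, object]]:
    """Shadow copies of `volume` created before the infection time (ISO 8601,
    e.g. the earliest .tunca mtime). Anything snapped later already holds the
    encrypted files and is useless for recovery."""
    cutoff = datetime.fromisoformat(infected_at_iso)
    return [c for c in parse_vssadmin(text)
            if c.get("volume") == volume and c["created"] < cutoff]


if __name__ == "__main__":
    for c in usable_copies(SAMPLE_VSSADMIN, "2018-12-24T10:00:00"):
        print(f"{c['created']}  {c['volume']}  {c['device']}")
```

On a real machine feed it the output of `vssadmin list shadows`. An empty result usually means the ransomware ran `vssadmin delete shadows` successfully and you are left with Step 4. When a pre-infection copy does exist, it can be exposed as a folder without extra software with `mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (the trailing backslash is required); copy the files out and remove the link again with `rmdir C:\shadow`.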

Step 4. Use Data Recovery programs to recover Tunca ransomware encrypted files

There are several data recovery programs that might recover the original files as well, because ransomware typically deletes the originals after writing the encrypted copies. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.