UnlockMePlease virus - How to remove

UnlockMePlease is a new file-encrypting virus that has been spreading rapidly since late July 2018. It was recently found to be part of the Hermes ransomware family, and judging by its behavior, the Unlockmeplease virus shows typical crypto-extortionist features: it encrypts your personal files and asks you to pay a ransom.

At the moment the Unlock Me Please virus is spreading mainly in the western part of Europe (Belgium, France, Portugal), but it is potentially dangerous to anyone around the globe. It is most likely distributed via socially engineered emails with malicious links and attachments that deliver this malware to anyone who clicks on them.

While this ransomware needs to be researched more, what we currently know about how it works is enough to help anyone who might have accidentally fallen into the well-prepared hacker traps and actually downloaded the Unlockmeplease virus. At the end of this article, you will find a detailed description of how to remove the virus with and without antivirus software.

What is [email protected] virus

Unlockmeplease ransomware, or [email protected], is, as mentioned before, a ransomware virus. This means that it maliciously enters the victim's computer, stops the antivirus from detecting it, finds all personal files such as pictures, videos and documents, and encrypts these files with AES and RSA ciphers. It then marks them with the .[[email protected]].HRM extension and drops a ransom note asking for money in cryptocurrency (usually Bitcoins) to be sent to the crooks in exchange for a decryption key.

Our readers have noticed that in some cases the Unlockmeplease virus only encrypted their music, like .mp3, .wma and .wav, together with some other random files (e.g. .acf), but left their pictures, documents and videos untouched. This could be happening because the Lazarus group ransomware did not install in the system properly and therefore couldn't fully lock everything.


Hackers specifically target personal files rather than system files because personal files are worth more to the user, who does not want to lose digital memories or important data and will therefore be more willing to pay. Since ransomware is not doing great these days, crooks have to push victims in every possible way to make some coins. The [[email protected]].HRM appendix added to each file name also puts more stress on the user, who sees every inaccessible file marked with it. Another reason why UnlockMePlease encrypts only certain files is that if the computer were compromised completely, the user would not be able to make a payment or see the email and wallet address of the malware engineers.

After the encryption, the [[email protected]].HRM ransomware places a ransom note named DECRYPT_INFORMATION.HTML, which gives information on what to do next:

All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io
You have unique idkey (in a yellow frame), write it in letter when contact with us.
Also you can decrypt 1 file for test, its guarantee what we can decrypt your files.
Contact information:
primary email: [email protected]
reserve email: [email protected]

We presume that the [[email protected]].HRM file extension indicates that this ransomware may belong to the Hermes family, which adds the .HRM file extension to its encrypted files. Yet the beginning of the added name string and the email domain look very similar to the Dharma virus suffix, which includes a long string of personal ID, the crooks' email (from the same vulgar @cock.li domain) and the .dharma/.arrow/.java and other names of its variants.

Although we can't be sure who is behind the [email protected], it is believed that crooks may ask for a ransom that ranges from a couple hundred dollars to a few thousand dollars in Bitcoins. However, don't rush to pay the hackers just yet, because most ransomware developers are known to just take the ransom and ignore the victim, without giving them the promised decryption key. What is more, you ought to try our removal/decryption methods below, because they can help you save money and locked data.

How did I get [email protected] ransomware

Most ransomware creators prefer to distribute their ransomware through socially engineered emails that are realistic enough to fool even the most careful online surfers. The emails can be made to look like invoices, receipts, resumes, government documents, reports, tickets, etc. It all depends on whether the hackers are targeting certain institutions, such as banks, and sending them infected job applications, or just trying to get the attention of regular people with fake unpaid bills or free tickets.

2-viruses.com team has prepared an ultimate guide on How to protect yourself against the ransomware viruses like UnlockMePlease, because they can also spread in other ways, such as exploit kits, ads, unsafe P2P connections, torrents, fake updates, freeware bundles, redirects, Trojans, etc. Another important thing when dealing with malware or any cybercrime is to report it to the IC3 agency, because this raises awareness and helps the FBI find the crooks faster.

How to get rid of [email protected] virus and decrypt the files

Firstly, to solve the problems caused by the UnlockMePlease virus you have to start with virus removal, and only when you are completely sure that your system no longer contains any malicious files can you move on to the file decryption part. Eliminating the [email protected] virus is crucial: it restores your security, denies the crooks the chance to encrypt your files a second time, lets everything on your PC work properly again and allows you to restore your captured data successfully.

One of our readers mentioned in the comments that, for him, removing the extension ‘.[[email protected] ].hrm’ from the encrypted file's name worked just fine and unlocked the data. However, this might also be just because the UnlockMePlease virus did not install properly.
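
The two reader observations above (only some file types being affected, and a plain rename bringing a file back) can be checked without changing anything on disk. The PowerShell below is an added example, not part of the original guide or of any vendor tool. It assumes PowerShell 3.0 or later and a marker of the form .[<address>].HRM as described on this page; the function name, the paths and the short signature table are illustrative.

```powershell
# Added example: read-only triage of files carrying the .[<address>].HRM marker.
# Get-HrmTriage, the paths and the signature table are illustrative assumptions.
function Get-HrmTriage {
    param([string]$Path = $env:USERPROFILE)

    # Leading bytes (hex) of a few common formats, keyed by original extension.
    $magic = @{
        '.jpg'  = 'FFD8FF';   '.jpeg' = 'FFD8FF';   '.png'  = '89504E47'
        '.pdf'  = '25504446'; '.zip'  = '504B0304'; '.docx' = '504B0304'
        '.xlsx' = '504B0304'; '.mp3'  = '494433';   '.wav'  = '52494646'
    }
    # The address inside the brackets is redacted on the page, so accept any text.
    # -match ignores case, which also covers the lower-case ".hrm" spelling.
    $marker = '^(?<orig>.+)\.\[[^\]]+\]\.HRM$'

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            if (-not ($file.Name -match $marker)) { return }   # not a marked file
            $origExt = [IO.Path]::GetExtension($Matches['orig']).ToLowerInvariant()

            $head = $null                                      # stays $null if unreadable
            try {
                $fs = [IO.File]::OpenRead($file.FullName)
                try {
                    $buf  = New-Object byte[] 4
                    $n    = $fs.Read($buf, 0, $buf.Length)
                    $head = [BitConverter]::ToString($buf, 0, $n) -replace '-', ''
                } finally { $fs.Dispose() }
            } catch { }

            # HeaderIntact: first bytes still match the original format (rename only?).
            # HeaderChanged: they do not; expected after encryption, but some valid
            # files (for example MP3 without an ID3 tag) lack the listed signature too.
            if ($null -eq $head)                            { $status = 'Unreadable' }
            elseif (-not $magic.ContainsKey($origExt))      { $status = 'UnknownType' }
            elseif ($head.StartsWith($magic[$origExt]))     { $status = 'HeaderIntact' }
            else                                            { $status = 'HeaderChanged' }

            [pscustomobject]@{ OriginalExtension = $origExt; Status = $status
                               LastWriteTime = $file.LastWriteTime; FullName = $file.FullName }
        }
}

# Summarise by original type and status, then list ransom notes (name from this page).
Get-HrmTriage -Path 'C:\Users' | Group-Object OriginalExtension, Status |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
Get-ChildItem -LiteralPath 'C:\Users' -Recurse -Force -Filter 'DECRYPT_INFORMATION.HTML' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime
```

Work on copies of any HeaderIntact files when testing the rename, so the originals stay untouched if a decryptor later becomes available.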

The easiest and most efficient way to get rid of the [[email protected]].HRM virus is to use an automatic tool like Spyhunter. It is one of the strongest on the market and has the most updated malware database, which would be very helpful in this case because UnlockMePlease is a fairly new threat. The benefit of using an anti-spyware tool is that it not only does the hard work for you by hunting and removing the virtual parasites, but also assures decent protection in the future and can eliminate viruses based not only on their names but also on their behavior, so everything that you miss, Spyhunter will take care of.


As for the file decryption, once your system is clean of viruses, your files will still be encrypted, because removing the malware does not undo the encryption. Right now there is no official decryptor for [[email protected]].HRM ransomware. Since we are guessing that the UnlockMePlease crypto-virus can be related to Hermes, it doesn't hurt to try the same unlocking tools. You can find Hermes decrypt here. If this decryptor doesn't work, scroll below to see the possible recovery methods, such as Shadow Volume Copies.

How to delete UnlockMePlease ransomware without any software

For those who prefer manual [[email protected]].HRM removal, we have made a guide which shows step by step how to delete this notorious virus yourself. If you succeed in getting rid of the ransomware, we still advise scanning the system afterwards with a reliable antivirus/anti-malware tool.


How to recover UnlockMePlease virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Unlock Me Please infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of [[email protected]].HRM

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to the UnlockMePlease virus. You can check other tools here.

Step 3. Restore Unlock Me Please affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually [[email protected]].HRM tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
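
Before spending time in Previous Versions or Shadow Explorer, it helps to know whether any shadow copies survived and whether they are older than the encryption. The PowerShell below is an added example, not part of the original guide. It assumes an elevated PowerShell 3.0 or later prompt and that the malware did not reset file timestamps; the function name and default path are illustrative.

```powershell
# Added example: list Volume Shadow Copies and flag those created before the
# earliest marked file. Get-ShadowCopyCandidates and its default path are
# illustrative assumptions. Run from an elevated prompt.
function Get-ShadowCopyCandidates {
    param([string]$Path = "$env:SystemDrive\Users")

    # The earliest LastWriteTime among marked files approximates when encryption
    # began (assumption: the malware rewrote the files and left timestamps alone).
    $first = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.\[[^\]]+\]\.HRM$' } |
        Sort-Object LastWriteTime |
        Select-Object -First 1

    # Win32_ShadowCopy is the WMI class behind "vssadmin list shadows".
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    if ($copies.Count -eq 0) {
        Write-Warning 'No shadow copies exist; Previous Versions and Shadow Explorer will show nothing.'
        return
    }

    foreach ($c in ($copies | Sort-Object InstallDate)) {
        $predates = $null                      # unknown when no marked file was found
        if ($first) { $predates = $c.InstallDate -lt $first.LastWriteTime }
        [pscustomobject]@{
            Created            = $c.InstallDate
            Volume             = $c.VolumeName
            Device             = $c.DeviceObject
            PredatesEncryption = $predates
        }
    }
}

Get-ShadowCopyCandidates | Format-Table -AutoSize
```

Only snapshots with PredatesEncryption set to True can hold unencrypted versions of the affected files.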

Step 4. Use Data Recovery programs to recover UnlockMePlease virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
