Vapor ransomware - How to remove

Vapor ransomware is a cryptovirus developed by Ghosty, DeaDHackS, that has been actively threatening Windows users since November 2018. According to cyber researchers, this ransom-demanding virus shows typical ransomware behavior, but it also has a very dangerous quality that other threats usually only bluff about: it deletes the encrypted files once the set time runs out. Removing the virus is unlikely to stop this mechanism, so your files are truly in danger, but there is a solution which, if taken soon enough, will help you save the data affected by the Vapor virus.

First reported on Twitter (https://twitter.com/malwrhunterteam/status/1063782215195246592), Vapor ransomware has been analyzed by many malware experts and enthusiasts, and eventually a decryptor was found; you can read more about it further in this article, along with the features and working principles of the virus. It is imperative to take the right action and make no mistakes when dealing with Vapor ransomware because, although it looks like a copy of other crypto infections, e.g. Crypted034 or DataWait, this variant can be very damaging.

What is Vapor ransomware

Vapor ransomware is a cryptovirus that encrypts the victim's files and then demands payment in exchange for the unlocking key. The unique part is that it does not just display the ransom note but also sends an email to the victim with the same message. Although the exact price is unknown, the ransom can range from a few hundred to a few thousand dollars. The average is usually around $1000, but judging from the remorseless file elimination after 48 hours, it can be much higher. Paying is never an option, though, because you can easily get tricked again. But before the Vapor virus can even state its conditions to the victim, it has to perform a lot of technical steps to settle in successfully.

One of the very first things the Vapor virus needs to do once it is inside a susceptible system is to modify Windows registry keys and add its files to the Temp folder, so that the installation is not interrupted and the ransomware always starts when the system is turned on. Around the same time, the malware also uses obfuscation techniques to stay undetected by antivirus software.

When the Vapor virus is sure that the installation was successful, it immediately looks for personal files such as pictures, documents, videos and music (pretty much everything apart from the system files) and encrypts them using the AES algorithm. System files are left alone so that the computer keeps running and can display the ransom note. To make sure that the victim knows why the data is inaccessible, Vapor ransomware adds the .Vapor extension to the end of each file's name. This takes only seconds, so the user has no chance to stop the malicious processes. (VirusTotal report on Vapor ransomware)

The ransom note of Vapor ransomware is displayed not as a typical text note but in a GUI window, which has a working 48-hour timer and allows the victim to enter the decryption key and unlock the files. The file's name is Vapor Ransomwarev1.exe.

Vapor Ransomware
You Have Been Caught.

What Happened To Me?
All your private data, files, cookies, application and much more as been encrypted into a strong encryption! The only way to get it back is by sending a support email at this email:
[email protected]

Please make sure your Client ID is included so we can recognise you and send back the key.
When its done, enter the key into the key box and enjoy your day / night.

You have 48 hours to send the email, if the timer runs out your files will be deleted.
If you restart the PC or kill the program, you will never be able to get your files back since they will be re-encrypted if you re-launch the program.
Basically closing the program in anyway will result in loosing the key.

-Good Luck, Good Time.
-DeaDHackS Team!

It is important not to press on any button of the ransom note because, when you click ‘I Give up’ the malicious software will instantly delete all your files without even asking twice, later putting up a message saying: “Your Files Are Now Deleted! Good job!”. But waiting is also not an option because the same terrible consequence of permanently eliminated .vapor-marked files will occur when the time runs out. Crooks will let you know what happened, again, through the ransom interface: “Timer ran out! Your files are being deleted! Bye-Bye!”.

Because of such limited time, you need to act quickly and precisely. Unlike with other viruses, simply removing Vapor ransomware is not an option. So what should you do? Jump to the removal part to figure out the proper actions in this case.

How Vapor virus is spreading

Dissemination of ransomware threats like the Vapor virus doesn't vary that much, and it does not have to, because the currently used methods work well enough. Despite the continuous efforts of cybersecurity professionals to warn people about the malspam campaigns that spread viruses, socially engineered emails with infected attachments are still one of the most popular ransomware distribution techniques. The worst part is that such emails are very easy to make and crooks are getting smarter with their messages.

Victims of Vapor ransomware can get very short emails supposedly from the government, a bank, a hospital, an attorney, a customer, an applicant or even someone from their contact list, stating some fact or message which can only be fully understood by opening the attached Word file. For example, the targeted user can get a message saying that there is an issue with their data at a healthcare facility and that it needs to be altered or double-checked in the sent Word file. Without much thinking, the worried user will open the .docx file to follow the instructions, will enable macros, where the Vapor ransomware is actually hiding, and will be really surprised to see nothing. That is because the message was fake and the virus used macros to initiate the setup.

How to delete Vapor virus and restore encrypted files

The unusual part about the Vapor virus is that it can very easily delete your locked files while you are trying to get rid of it. Unlike with other ransomware, removing this threat first is not an option: you have to approach the Vapor cryptovirus infection from a different angle, decrypt the files first, and only then run a full system scan with an anti-malware program to make sure other possible threats are gone.

Victims of Vapor ransomware are very fortunate because, even though there is no official release of Vapor ransomware decrypting software yet, the malware expert known as Demonslay335 on Twitter has already found a way to crack the code and unlock the files affected by the Vapor virus, and is willing to help anyone who contacts him. This cybersecurity professional has already helped many users with other ransomware encryptions, so you shouldn't wait any longer and should contact him if you got hit by Vapor ransomware.

When you enter the right decryption key, the ransom note will congratulate you with a short message: “Your Files Were Successfully Decrypted With Key: [decrypting code] Good Luck and Good Night!”. Only after you get your files back do we recommend running a scan with security programs such as Spyhunter. These tools will be useful for the overall state of your Windows and will show any additional infections that got in while the system's protection was down.


How to remove Vapor ransomware manually

If you want to avoid all the confusion with anti-spyware software, decrypting and so on, there is a way to solve the Vapor virus infection, but it is available only to some people. This method is a simple recovery of your system to a restore point made before the malware invasion. You may wonder why, then, not all victims can use it, and the answer is that not everyone makes regular backups. It is possible to recover your system to a state that was once copied, meaning that the virus will be automatically deleted and the files that you had when the restore point was made will be recovered. On the other hand, if you were working with some important information right before Vapor ransomware got in, and the backups were made days ago, the newest files will not be recovered.

In order to prevent the loss of data, it is best to trust the automatic Vapor elimination as mentioned above and if the files don’t matter to you, it is recommended to perform the clean system restore, where you start your Windows fresh.


How to recover Vapor ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Vapor ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Vapor ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Vapor ransomware. You can check other tools here.

Step 3. Restore Vapor ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Vapor ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
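Before trying either method, it helps to know how many files carry the .Vapor extension and whether any shadow copy is older than the encryption. The following PowerShell script is an added example, not part of the original article: it only reads file metadata and shadow copy records, the function names and the `$Root` default are illustrative assumptions, and it assumes the malware leaves file timestamps intact.

```powershell
# Added example: read-only triage. It reads file metadata and VSS records only and
# does not stop, restart or otherwise touch the ransomware process.
param(
    [string]$Root = $env:USERPROFILE,  # assumption: personal files live under the profile
    [string]$Extension = '.Vapor'      # extension the article says is appended
)

function Get-EncryptedFileSummary {
    param([string]$Path, [string]$Ext)
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Ext })
    if ($files.Count -eq 0) { return $null }
    [pscustomobject]@{
        Count         = $files.Count
        # Earliest write time approximates when encryption started
        # (assumes the malware does not reset timestamps).
        FirstModified = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        TopFolders    = $files | Group-Object DirectoryName | Sort-Object Count -Descending |
                        Select-Object -Property Count, Name -First 5
    }
}

function Get-ShadowCopyList {
    try {
        # Querying Win32_ShadowCopy needs an elevated session.
        Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
            Sort-Object InstallDate | Select-Object ID, VolumeName, InstallDate
    } catch {
        Write-Warning "Could not query shadow copies (run elevated): $($_.Exception.Message)"
    }
}

$summary = Get-EncryptedFileSummary -Path $Root -Ext $Extension
if (-not $summary) { Write-Output "No $Extension files under $Root"; return }
Write-Output "$($summary.Count) encrypted files; earliest write: $($summary.FirstModified)"
$summary.TopFolders | Format-Table -AutoSize

# Only snapshots taken before the first encrypted file can hold clean copies.
$copies = @(Get-ShadowCopyList)
$usable = @($copies | Where-Object { $_.InstallDate -lt $summary.FirstModified })
if ($usable.Count -gt 0) {
    Write-Output "Shadow copies created before the first encrypted file:"
    $usable | Format-Table -AutoSize
} else {
    Write-Output "No shadow copy predates the encryption; Previous Versions will not help."
}
```

An empty result in the second half means the snapshots were deleted or never existed, in which case Previous Versions and Shadow Explorer have nothing to restore from.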

Step 4. Use Data Recovery programs to recover Vapor ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
