Viagra Ransomware - How to remove

Viagra ransomware is a virus that can cause a lot of harm by encrypting your files in a way that they can’t be used anymore. The criminals ask for a $400 ransom to undo this and don’t offer free decryption as proof. There is a high chance that the encrypted files can’t be recovered at all, which would be quite devastating.

Viagra targets a variety of file types, mostly based on how popular those files are. The developers of this virus cast a wide net that’s bound to catch most people’s precious and important files, such as pictures and photos, movies, songs, documents, text files, spreadsheets; personal and work files are encrypted by Viagra in an attempt to cause the maximum amount of damage.

There are many avenues that ransomware viruses take to infect people’s computers and many of them are closed on the computers of the prepared and ready, but anyone can get infected somehow. No protection is perfect (though it’s still very effective), which is why the most important thing to have is a backup of your files. However powerful Viagra and other ransomware is, backups render it almost harmless.

How to delete Viagra ransomware

Backups or no backups, though, you need to make sure that this virus is gone from your machine. Before you use the infected computer for browsing, creating new files, and before you connect any physical media, make sure that Viagra is deleted by using an anti-malware tool (Spyhunter). It’s obviously a virus and professional anti-malware products definitely recognize it as such.

While ransomware viruses stay away from the files needed by the operating system, you might want to check their integrity and fix them before any errors are caused.

What is Viagra ransomware?

Similar to Spora, TripleM, or Satan, Viagra is a virus that criminals use to extort money from people by locking their files. Viagra’s developers promise the victims to fix the locked files if they’re sent 0.4 Bitcoin, but there is no way to know if they’ll keep the promise — many extortionists just take the money and leave and some are too incompetent to undo the encryption that they did. We just don’t know — Viagra is a new virus that doesn’t have an established reputation.

“Viagra yungthugger (V-0.1.31)” encrypts the files and attaches a new extension to their names — a long string of random characters. (If you don’t see it, make sure that Windows is set to show extensions by going to the “View” option of the File Explorer and checking that “File name extensions” is ticked.) As with most ransomware, renaming these files will do nothing to uncover their contents — encryption changes the internal bits of the files. Don’t edit them if you hope to decrypt them later. Instead, create a backup of the locked data.

Viagra drops a ransom note called README-VIAGRA-[random].HTML in folders affected by the virus:

YOU BECAME VICTIM OF THE VIAGRA RANSOMWARE!

What happened to my files?
Your files were encrypted with AES-256 and RSA-4096. This combination is cryptographically secure and cannot be cracked. There are no flaws in the encryption method. Tools like Recuva, or Shadow Copies will fail as soon as they are launched. But, your hope is not to lose. Every file with the “.[random]” extension was encrypted (you can verify by yourself that, just, go into your user profile folders, for example, or, into your connected drives).

How do I decrypt my files?
To decrypt your files, you will need to pay a certain amount of money to us, in an anonymous manner.
First step, is to create an Bitcoin account (if you don’t have one), use the following URL:
Crypto Runner guide.
InvestoPedia guide.
Send a payment to the following BitCoin address of 0.4 BTC ~ 403.60 USD, and keep the transaction / payment ID:
1Bqca3tn3Yco6SftgHeyYQUxqb2MPtwFBj

After, contact one of the following e-mail addresses present below. If you do not get a reply from one, send to the other one, until you get a reply (this happens in less than 24 hours, in normal conditions); check also your spam folder. Use your real E-mail address, and use the subject “Decryption”; add as attached file this HTML document, and add to the body the payment ID. We do not give decryption for test service, so, don’t request for free decryption on the e-mail. We will tell the rest of istructions after the e-mail was sent.
Do what you’re told. Don’t try to swear on us, or we will block you and your ID forever. Don’t try to fool us into using 10MinuteMail or similar services,
use them for later.
E-mail addresses:
First address (“youngthug412”)
First address (“hparrockneverstop”)
After decryption, your E-mail address and your ID will be wiped off our servers, don’t fear for your life.

Is there a time limit?
Yes, three months from now (day, month, year; August 22, 2019, 14:25:11). Date was added to the ID, and is not removable from it (will make us ignore you forever). Be quick to pay, after 1,5 months from now, the price will be raised of the 50%, and, after three months, your ID will be blocked, that will happen also to your real e-mail address.

— N—- livin life like vulcano and this only the beginnin’ —
ID: —–

Viagra Ransomware, ransom note
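
To see which folders were hit before attempting any restore, the note name described above (README-VIAGRA-[random].HTML) can be used as a marker. The following read-only script is an added example, not part of the original article or of any vendor tool; the function names and the rule that a "long random extension" means eight or more letters/digits are assumptions made for illustration.

```python
import os
import re
import sys
from collections import Counter
from datetime import datetime, timezone

# Note name as given in the article: README-VIAGRA-[random].HTML
NOTE_RE = re.compile(r"^README-VIAGRA-.+\.HTML$", re.IGNORECASE)
# Assumption: "long random extension" = 8+ letters/digits after the last dot.
# This is a heuristic; review hits such as ".crdownload" by hand.
LONG_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{8,}$")


def inventory(root):
    """Walk root without modifying anything; summarise folders holding a note."""
    affected = {}      # folder -> Counter of long extensions seen there
    earliest = None    # oldest note modification time (epoch seconds)
    for folder, _dirs, files in os.walk(root):
        notes = [f for f in files if NOTE_RE.match(f)]
        if not notes:
            continue  # no ransom note here, treat the folder as untouched
        for note in notes:
            mtime = os.stat(os.path.join(folder, note)).st_mtime
            earliest = mtime if earliest is None else min(earliest, mtime)
        exts = Counter()
        for name in files:
            ext = os.path.splitext(name)[1]
            if name not in notes and LONG_EXT_RE.match(ext):
                exts[ext.lower()] += 1
        affected[folder] = exts
    return affected, earliest


def report(root):
    """Return printable lines: earliest note time, then per-folder counts."""
    affected, earliest = inventory(root)
    lines = []
    if earliest is not None:
        when = datetime.fromtimestamp(earliest, tz=timezone.utc)
        lines.append(f"earliest note written: {when:%Y-%m-%d %H:%M:%S} UTC")
    for folder, exts in sorted(affected.items()):
        total = sum(exts.values())
        lines.append(f"{folder}: {total} file(s) with a long extension {dict(exts)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

The earliest note timestamp gives a lower bound for when encryption started, which helps when picking a restore point or shadow copy that predates the infection.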

How ransomware is distributed

To know how to avoid ransomware in the future — and who to blame for the Viagra infection — it’s good to figure out how the virus got on your computer. Some developers use a variety of distribution methods, others stick to one. Check your browsing history, your latest emails, and see if you can track down how Viagra got on your computer:

  • Files downloaded from the internet.
  • Viagra installed by someone using RDP.
  • Files sent by email.
  • Viagra installed thanks to a malicious website.

Files infected with Viagra could be uploaded online — not as the ransomware, of course, but disguised as something desirable and trusted. Before it’s noticed and taken down, the malware will have infected a lot of people. This is a chilling example of how dangerous piracy can be, but it affects legitimate software, too. Imitators can steal and modify a program, then distribute it on unofficial, spoofed sites.

Emails can carry Viagra as well. The virus might hide in attachments with macro viruses, disguised executables, malicious archives — that’s why it’s so important to scan every suspicious file before opening it, regardless of how urgent or mundane the email seems. Criminals try to manipulate people and some actually do succeed, so don’t underestimate how realistic a malicious spam email can appear.

Remote desktop is used by a lot of ransomware viruses, but it’s usually done in a targeted way by choosing rich and vulnerable targets. So it is probably not used by Viagra’s developers, who seem more interested in attacking individuals. Still, it’s important to turn RDP off if you’re not using it and to protect it as much as possible if you do need to use it.

Malicious ads are used to automatically distribute ransomware, too. The ads open dangerous websites that can install the virus. Security experts strongly advise people to update all of their software to make their machine safe against malvertising campaigns that use exploit kits to spread malware.

How to recover from Viagra

In case you don’t have backups, there are a few options for recovering your files to look into. After you have removed the infection and made copies of the locked files, check if Shadow Copies still work. Viagra’s developers said that restoring the files this way won’t work, but they’re not trustworthy. Besides, no software is bug-free, and Viagra could have simply failed to delete the data.

If system restore doesn’t work, there is also the option of using data recovery to recover deleted data. Even if it works, though, it probably won’t uncover all of your files.

Lastly, just be ready next time with backups. The backups could be in the cloud, or in removable physical media — not on the local network, where a virus can often reach and encrypt it, too. The backups should be as complete as you need them and updated regularly.


How to recover Viagra Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Viagra Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Viagra Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Viagra Ransomware.

Step 3. Restore Viagra Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Viagra Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Viagra Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.