Cybersecurity professionals kept up with attackers well over the past year, but that was not enough to stop criminals from releasing new malware. The beginning of 2019 brought yet another discovery: Vulston ransomware, a cryptovirus. It targets the Windows operating system and, once inside the computer, locks all data except system files, then demands payment for the decryptor.
First discovered by malware expert @demonslay335, Vulston virus gave some food for thought because its code seemed similar to another ransomware called Xorist. Even though it is not confirmed whether the two are related, immediate action is without a doubt necessary if any ransomware compromises your PC. Luckily, the 2-viruses team has dealt with tons of ransom-demanding threats and knows a few tricks that will help you remove Vulston ransomware and potentially get your precious data back from the crooks.
How does Vulston ransomware work
The truth is, Vulston ransomware is not that different from other crypto viruses, for example Bizer, Tunca, Ransomwared, etc. This threat sneaks into the computer unnoticed, runs background processes and reveals itself only after a successful setup. Before Vulston virus can display a ransom note, it has to perform a number of actions to ensure a smooth installation and encryption. A few folders (C:\Windows, C:\Program Files, Temp) are targeted immediately so that the ransomware can get past the system’s security and antivirus and, moreover, persist if the system is rebooted.
At the same time, Vulston ransomware looks for personal files, e.g. pictures, videos, documents and others, recognizing them by their extensions (.jpg, .mp3, .flv, .doc, etc.). When they are found, Vulston cryptovirus runs an encryption algorithm and locks the data, then marks each file with a ‘.vulston’ string so that the victim knows which virus is responsible for making their valuable content unavailable. After that, the hackers drop a text ransom note called ‘mensagem.txt’ on the desktop and ask for 0.18 BTC ($678.22) in exchange for the decryptor.
Ransom note ‘mensagem.txt’:
At this moment your files are encrypted
and they can not be decrypted without the key’s that are set for your computer.
To receive the decryption keys you have pay 0.18 BITCOIN
You can get bitcoin very easy on this site: www.localbitcoins.com
You have to create an account and to buy 0.18 BITCOIN from a seller located in your city.
Then you have to send the amount at this BTC adress: 1L4da3SCbo9w3Y1F3HoVxjyn7yTTXcWhUw
After that, contact me at this email adress: [email protected]
With this subject: KEYS FOR ID [redacted 8 numbers]mensagem.
After the payment you will receive the key’s to decrypt your files and a tutorial
The key’s that are older than 3 days will be automaticaly deleted.
If you don’t want to lose your files, please contact me in this 3 days.
Although the Vulston ransom note is scary and urges you to pay as soon as possible, we do not recommend paying, because it only funds the crooks to develop more viruses, lets them buy more addresses from the dark web and keep spreading their malicious creations. The best thing you can do if Vulston ransomware gets into your PC is to stop using the compromised machine and follow our guides below to remove this cryptovirus as soon as possible.
Why did your PC get infected with Vulston ransomware
Vulston ransomware can easily invade vulnerable systems through RDP (Remote Desktop Protocol), infected hyperlinks, malicious downloads, etc., but like the majority of ransomware, Vulston cryptovirus mainly spreads via malspam. Socially engineered messages paired with a macro virus installer are the number one dissemination vector for these threats. A macro virus is not detected until it is launched, because macros are a legitimate feature of MS Office. In addition, if crooks obtain databases of victims’ email addresses, it becomes very easy to reach large numbers of people and increase the chances of them executing Vulston virus.
These hacker-made emails are typically very brief and obscure, yet believable. Although the messages contain little personal information, they are made to scare the targeted user by pretending to come from a client, attorney, government, employee, police, etc. The recipient gets stressed and opens the email without noticing the grammar mistakes, shady sender and lack of specific data, then opens the attached file for further explanation. When macros are enabled, Vulston starts its installation process. To avoid this type of infection, it is imperative to learn how to spot a phishing campaign and ensure your online security.
How to get rid of Vulston virus and restore the files
When recovering from a Vulston ransomware infection, the most important thing is to remove the malware completely first and only then recover files. Crypto viruses are among the most notorious threats because affected files stay encrypted even after the malware is eliminated. However, if you try unlocking the data while Vulston virus is still in the system, it may double-lock the data, which will be impossible to crack. Fortunately, there is more than one method to remove Vulston ransomware.
The best removal method is restoring your Windows from backups as shown in the guide below. This technique has the greatest chance of not only deleting Vulston cryptovirus but also bringing back most of the locked files with no additional programs. As great as this method is, sadly, it is only for those who have proper backups. Mind you, when restoring from a certain point, only files that were backed up will be recovered. Other data that was created or altered afterward will be lost.
If you are not sure about your backups or know for sure that you didn’t make them, there is another solution, which can be effective as well if followed thoroughly. First, eliminate Vulston ransomware with either Spyhunter or another anti-spyware program. Run a free system scan, see whether the program picks up the malicious files, and delete them as the tool instructs. Then, once Windows is clean, try recovering data with the file recovery programs mentioned below or by running a Xorist ransomware decryptor from the Nomoreransom.org project. Since it is not officially stated whether Vulston virus and Xorist infection are related, this unlocking method cannot promise any results.
How to recover Vulston ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points created before Vulston ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
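To choose a restore point from before the infection, it helps to know when the first file was locked. The following added example (not from the original guide) walks a folder read-only, counts files carrying the ‘.vulston’ marker, locates ‘mensagem.txt’ notes and reports the oldest modification time among locked files. It assumes the marker is appended to the original file name and that encryption updated each file's modification time; the function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".vulston"  # from the article; assumed appended to the name
RANSOM_NOTE = "mensagem.txt"   # ransom note file name from the article


def triage(root):
    """Read-only walk. Assumes encryption updated each locked file's mtime."""
    by_type, notes, earliest = Counter(), [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                notes.append(str(path))
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                by_type[Path(original).suffix.lower() or "(none)"] += 1
                try:
                    mtime = path.stat().st_mtime
                except OSError:
                    continue  # unreadable entry: counted, no timestamp
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"locked": sum(by_type.values()), "by_type": dict(by_type),
            "notes": sorted(notes), "earliest": earliest}


def build_sample_tree(root):
    """Constructed sample data: two locked files, one note, one clean file."""
    samples = {"Pictures/a.jpg.vulston": 1546700000,
               "Docs/notes.DOC.vulston": 1546700600,
               "Desktop/mensagem.txt": 1546700900,
               "Docs/clean.txt": 1546000000}
    for rel, ts in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample")
        os.utime(p, (ts, ts))  # constructed modification time


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        when = datetime.fromtimestamp(report["earliest"], tz=timezone.utc)
        print(report["locked"], "locked:", report["by_type"], report["notes"])
        print("earliest locked file (UTC):", when.isoformat())
```

Run triage() against the user profile folders of the affected drive, ideally mounted read-only on another PC, and pick a restore point or backup older than the reported time.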
Step 2. Complete removal of Vulston ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to Vulston ransomware. You can check other tools here.
Step 3. Restore Vulston ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Vulston ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Vulston ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.