Winsecure ransomware - How to remove

Winsecure is a ransomware strain discovered on July 1st, 2018. It encrypts the victim's personal files and demands 0.05 BTC (about US $335 at the time of writing) for a decryptor. There is no guarantee that the crooks will unlock your files after payment, yet many people fall for this scam and end up not just with a compromised PC but also with a lighter wallet. So that this does not happen to you, read on to learn how to prevent and clean up a Winsecure infection without spending hundreds of dollars.

Winsecure is not a new creation: its original variants were spotted in the wild around 2017. There is still no decryptor for this ransomware family; the positive side is that it is nowhere near as widespread as WannaCry or NotPetya. It is reported to derive from the Satan ransomware and resembles Apollo Locker and Bitshifter, which were active in 2017. The files are encrypted with AES-256 in CBC mode combined with RSA-2048, so brute-forcing the keys is not an option, and this cryptovirus can do plenty of damage if it is not dealt with in time.

Absurdly, the name sounds as if the program provides Windows security, but it does exactly the opposite; the name only tricks users into thinking the file is safe to download and possibly useful. Winsecure is a typical crypto-extortionist that has already infected a considerable number of machines and shows no sign of stopping.


How to know if you got a Winsecure virus infection

Ransomware almost always wants to attract attention and makes sure to announce itself to the user. This is necessary to scare the owner of the compromised machine into paying the full fee quickly to get the files back. The Winsecure developers even added a time limit, a day and time by which you must pay the ransom or the decryption key is deleted.

If you catch Winsecure you can be sure it will introduce itself with a ransom note and a specific extension, .encrypted, appended to the locked files. A locked, inaccessible file turns from 'original.jpg' into 'original.jpg.encrypted', and so on. This happens to all files that are not system files and that look personal: audio and e-books, documents, PDF files, pictures, media files, music, movies, notes and similar.

The encryption most likely happens after you download a suspicious update, a software bundle or similar. Suddenly the files become inaccessible and two ransom notes appear on the desktop after the sneaky intrusion.

The following ransom_pay.html ransom note explains:

well, if you want to restore all your files you should send
0.05000000 BTC to the next bitcoin address as you see below
[1352RtNRpYRdKLWUUDkLBUKP7p4SqMAiTF] until 08-Jul-2018 12:32:08 (UTC).
if you do not have these hundreds of oil – you can say goodbye permanently to your files.
after payment files will be decrypted by himself. otherwise, the key will be deleted.
you can decrypt for test any 3 files not more than 2 mb for each – just drop them to ‘decrypt_folder’ on your desktop. how to:
* turn off any AV
* payment
* keep your PC turned on
* wait for decryption
* get your files back
you’d could use any comfortable methods to make payment.
if cryptor was deleted, find ‘c3cpxEASjsBJw2p8r9aynknfLspM7nFb.GolIum’
file on your desktop. change ‘GolIum’ to ‘exe’ and run that again.
don’t make any changes for files.
good luck and have a nice day.
in code we trust


ransom_note.txt is shorter and more straightforward:

Send 0.05000000 BTC to [1352RtNRpYRdKLWUUDkLBUKP7p4SqMAiTF] bitcoin address to recover files
Files encrypted [21555] total 17004 megabyte

As you can see, they demand 0.05 BTC, which is not as bad as some other ransomware demanding a couple of thousand dollars. Winsecure is believed to destroy the Shadow Volume snapshots and to communicate with a remote website and several other domains. Because the machine's defenses have already been damaged (the note itself instructs you to turn off any AV), other malware will find an easier way in, and after a while you will notice the PC getting slower and slower.

The main files of the Winsecure virus are known by the names winsecure.exe, ws.exe and winsecure.exe.bin. These are executables, and a single click on one of them is enough to compromise the whole system.

How did the Winsecure virus compromise your machine

Some sources claim that Winsecure ransomware mainly spreads through a fake Adobe Flash update installer. It is bundled with other software but can also be distributed on its own. Obviously it has nothing to do with the official Adobe Flash, but Windows users are so accustomed to updates that they download and run the installer without checking whether it is genuine, just to finish the routine task faster.

In reality the fake installer uses well-developed hiding techniques to get past the firewall and antivirus, then launches the Winsecure scripts that copy the parasite into the Temp folder and register it in the registry, gaining control of your machine and of the files on the local disk. Within a couple of minutes your most important files are locked and the only thing left for you is two ransom messages demanding that you pay the crooks.
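The indicators described so far (the .encrypted extension and the two note files, the winsecure.exe / ws.exe / winsecure.exe.bin names, the renamed .GolIum dropper the note mentions, and the Temp folder plus registry persistence) can be checked in one pass before anything is deleted. The script below is an added example, not code from the original article or from any vendor; the search roots, the Run/RunOnce keys and the regex for the note's bitcoin address are assumptions about where and how to look, since the article does not give exact locations. It is read-only and runs in Windows PowerShell 5.1 (elevate it to see other user profiles).

```powershell
# Added example (not from the article): read-only triage for a suspected
# Winsecure infection. Indicators are the ones the article names; the
# search roots and Run keys below are assumptions. Nothing is modified.

$Ind = @{
    Extension    = '.encrypted'
    NoteFiles    = @('ransom_pay.html', 'ransom_note.txt')
    DropperNames = @('winsecure.exe', 'ws.exe', 'winsecure.exe.bin')
    DropperExt   = '.GolIum'     # extension of the renamed dropper per the note
}
$SearchRoots = @("$env:SystemDrive\Users", "$env:SystemRoot\Temp")   # assumption

# One recursive walk; every check below filters this list.
$files = Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue

# 1. Encrypted files. The earliest LastWriteTime approximates when the
#    encryption started; compare it later with shadow copy / restore point dates.
$encrypted = $files | Where-Object { $_.Name -like "*$($Ind.Extension)" }
$start = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
"Encrypted files: {0}; earliest write time: {1}" -f @($encrypted).Count, $start

# 2. Ransom notes: extract the BTC address and the deadline as IOCs
#    instead of opening the HTML note in a browser.
$notes = $files | Where-Object { $Ind.NoteFiles -contains $_.Name }
foreach ($n in $notes) {
    $text = Get-Content -Path $n.FullName -Raw
    $btc  = [regex]::Match($text, '\[([13][a-km-zA-HJ-NP-Z1-9]{25,34})\]').Groups[1].Value
    $due  = [regex]::Match($text, 'until (\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})').Groups[1].Value
    "Note {0}: BTC={1} deadline={2}" -f $n.FullName, $btc, $due
}

# 3. Dropper candidates: the known file names anywhere under the roots,
#    plus any file carrying the ".GolIum" extension. Hash them for
#    submission to a scanner or your AV vendor.
$droppers = $files | Where-Object {
    $Ind.DropperNames -contains $_.Name -or $_.Extension -eq $Ind.DropperExt
}
foreach ($d in $droppers) {
    $sha = (Get-FileHash -Path $d.FullName -Algorithm SHA256).Hash
    "Dropper candidate {0} SHA256={1} created={2}" -f $d.FullName, $sha, $d.CreationTime
}

# 4. Persistence: Run / RunOnce values that point at a dropper name or into
#    a Temp folder. HKCU covers the current user only; other profiles would
#    need their hives loaded.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # PowerShell's own metadata properties
        $v   = [string]$p.Value
        $hit = ($Ind.DropperNames | Where-Object { $v -match [regex]::Escape($_) }) -or
               ($v -match '\\Temp\\')
        if ($hit) { "Suspicious autorun {0}\{1} = {2}" -f $k, $p.Name, $v }
    }
}
```

Record the output (file count, earliest write time, hashes, autorun entries) before running any cleaner: the earliest write time is what you compare against shadow copy and restore point dates later, and the hashes let you confirm with your AV vendor what the cleaner actually removed.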

Spreading can also happen via infected spam email attachments, unsafe P2P connections, removable media and so on, but however you got infected, it could have been avoided by following basic security practices or running legitimate security software.

How to delete Winsecure ransomware

Ransomware is one of the hardest malware problems to solve at the moment, but the hard part is the encrypted data, not the malware itself. Removal is fairly easy, especially with an automatic anti-malware tool such as Spyhunter or another program from the list: follow the manufacturer's directions, run a scan, and the infection should be gone in no more than several minutes. However, eliminating the virus does not unlock your files.

Automatic malware removal tools

  • Spyhunter: the trial detects the parasite and assists in its removal for free (limited trial).
  • Combo Cleaner: the trial detects the parasite and assists in its removal for free (limited trial).

At the moment there is no decryption software for Winsecure or any other virus in this family; furthermore, it tends to delete the Shadow Volume Copies that are essential for file restoration. You still have some hope of getting your data back: restoring the system and your data from backups (if you have been making them routinely), or the file recovery tools mentioned below. Lastly, it is worth trying the Shadow Copy restore anyway, because malware has flaws and does not always work as claimed.

How to eliminate Winsecure virus yourself

If you have dealt with other viruses and would rather remove it manually, we have made a full step-by-step guide that will help you eliminate the Winsecure threat by performing some actions in Windows. Some viruses alter your internet settings and prevent you from downloading anything new to the infected machine; in that case the manual removal method is irreplaceable.

Nevertheless, after Winsecure is terminated it is still advisable to run a scan with a reputable antivirus/antimalware tool, simply to make sure that every part of the parasite is gone from the operating system and no other hidden malicious surprises are left.

How to recover Winsecure ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer into Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start > Shut Down > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the restore points created before Winsecure infiltrated your system and click "Next".
  • Click "Yes" to start System Restore.

Step 2. Complete removal of Winsecure ransomware

After restoring your system, scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to Winsecure.

Step 3. Restore Winsecure ransomware affected files using Shadow Volume Copies

If you did not use the System Restore option, there is still a chance to recover files from shadow copy snapshots: they hold copies of your files as they were at the moment a restore point or snapshot was created. Winsecure usually tries to delete every Shadow Volume Copy, so this method will not work on every machine, but the deletion can fail. Shadow Volume Copies are available on Windows Vista, 7, 8 and 10 (and on Windows XP SP2 through the Volume Shadow Copy service). There are two ways to retrieve files from a Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.

a) Native Windows Previous Versions
  • Right-click an encrypted file and select Properties > Previous Versions tab. You will see all available copies of that file and the time each one was stored in a Shadow Volume Copy.
  • Choose the version you want and click Copy to save it to a directory of your choice, or Restore to replace the existing, encrypted file. Click Open if you want to check the content first.

b) Shadow Explorer
  • Shadow Explorer is a free program; both an installable and a portable version are available.
  • Open the program and, in the top left corner, select the drive where the file you are looking for is stored. All folders on that drive are listed.
  • To retrieve a whole folder, right-click it and select "Export", then choose where it should be stored.
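Before walking through Step 1 (System Restore) or Step 3 (Previous Versions / Shadow Explorer), it is worth checking whether any restore point or shadow copy actually predates the encryption, since the article notes Winsecure tries to delete them. The script below is an added example, not code from the original article or from any tool it mentions; the value of $EncryptionStart is an assumed input that you should replace with the earliest LastWriteTime of a .encrypted file on the infected machine. Run it from an elevated Windows PowerShell 5.1 prompt, as Win32_ShadowCopy and Get-ComputerRestorePoint require administrator rights.

```powershell
# Added example (not from the article): list shadow copies and restore
# points and flag which ones predate the encryption. $EncryptionStart is
# an assumed value; pass the earliest write time of a ".encrypted" file.
# Read-only: nothing is restored until you run Restore-Computer yourself.

param([datetime]$EncryptionStart = [datetime]'2018-07-01 12:32:08')   # assumed value

function Test-Predates([datetime]$When) {
    if ($When -lt $EncryptionStart) { 'predates encryption, usable' }
    else { 'taken AFTER encryption, holds the encrypted copies' }
}

# Shadow copies. Winsecure is believed to delete them, so an empty list is
# the expected bad case; if any remain, Previous Versions can read them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    'No shadow copies found: Previous Versions and Shadow Explorer will show nothing.'
} else {
    foreach ($s in ($shadows | Sort-Object InstallDate)) {
        "Shadow {0} on {1} taken {2}: {3}" -f $s.ID, $s.VolumeName, $s.InstallDate, (Test-Predates $s.InstallDate)
    }
}

# Restore points. System Restore rolls back system files and the registry
# (which removes the dropper and its autorun) but does not bring back your
# documents; for those you still need the shadow copies above or a backup.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if (-not $points) {
    'No restore points found: Step 1 cannot be used on this machine.'
} else {
    foreach ($rp in $points) {
        # CreationTime is a DMTF string, e.g. 20180630120000.000000-000
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
        "Restore point #{0} '{1}' created {2}: {3}" -f $rp.SequenceNumber, $rp.Description, $created, (Test-Predates $created)
    }
}

# To roll back to a chosen point (equivalent to the rstrui.exe steps above):
#   Restore-Computer -RestorePoint <SequenceNumber>
```

A shadow copy taken after the encryption started is not useless in every case, but it contains the .encrypted versions of whatever had already been processed at that moment, so prefer the newest snapshot that still predates $EncryptionStart.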

Step 4. Use Data Recovery programs to recover Winsecure ransomware encrypted files

There are several data recovery programs that may recover encrypted files as well; they can work when the ransomware wrote each encrypted copy as a new file and deleted the original rather than overwriting it in place. This does not work in every case, but it is worth trying:
  • Preferably use another PC and attach the infected drive as a secondary, non-boot disk so that nothing further is written to it. It is still possible to do this on the infected PC, though.
  • Download a data recovery program (for example Data Recovery Pro).
  • Install it and scan for recently deleted files.
Note: in many cases it is impossible to restore files affected by modern ransomware, so we recommend decent cloud backup software as a precaution, for example Carbonite, BackBlaze, CrashPlan or Mozy Home.
