Wulfric Ransomware (.aef files) - How to remove

Wulfric is a ransomware virus that has been around for a few months but hasn’t got popular enough to attract much attention. This virus is not known to be part of any prominent ransomware families and not much is known about it. Still, it’s ransomware and works a lot like the other ransomware infections, is as dangerous, and abuses the same weaknesses in victims’ security.

Cryptoviruses can be very devastating because they can cost the victims all of their personal files. Sure, you can re-download your music, films, and games, but there is no replacing personal photos, recordings, and projects. That’s why, to get ahead of viruses like Wulfric, you should set up file backups. It can be the cloud, a remote disk, or another storage location that can’t be accessed by an infection. If Wulfric hit you and you had complete backups, you don’t need to worry about anything — just remove the virus and replace your files. Luckily, even if you didn’t have backups, hope is not completely lost.

Wulfric characteristics

Wulfric is recognized by a few very obvious signs:

  • New wallpaper with the picture of a wolf and a ransom note is set.
  • Files are renamed and their extension is changed to .aef.
  • “hacked.txt” is placed in a visible location and contains the same ransom note as the wallpaper.

Wulfric goes through your files — documents, pictures, music, text files, etc. — and locks them with a cryptographic algorithm. It renames each file to a three-character name made of hexadecimal symbols (0-9 and a-f) and replaces the extension with “.aef”. This can make it difficult to recognize which file each one is supposed to be. But, as strange as that is, the files are not completely corrupted.

In hacked.txt, the extortionist responsible for this virus promises to send you a decrypter for your files from the [email protected] address after they receive a payment of 0.05 Bitcoin — that currently works out to around $500. If Wulfric’s encryption is implemented correctly, it can be reversed and the files can be decrypted once the decryption key and algorithm are known. However, crypto-extortionists don’t have a good record of properly restoring the files that they were paid to restore, so even if you have the money to spare, it’s not a good idea to pay. Besides, because each victim’s decryption key is unique, the decrypter is useless for anyone who doesn’t know their unique key.
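As an added example (not code from the original article or from any vendor), the Python sketch below inventories a folder tree for the indicators described here: files renamed to three hexadecimal characters plus “.aef”, the hacked.txt note, and the pass.key file that the ransom note asks victims to send. It only reads file names; matching names case-insensitively and the sample tree it builds are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Rename pattern from the article: three hexadecimal characters plus ".aef".
RENAMED = re.compile(r"^[0-9a-f]{3}\.aef$", re.IGNORECASE)  # case-insensitivity is an assumption
NOTE_NAME = "hacked.txt"  # ransom note file name given in the article
KEY_NAME = "pass.key"     # file the ransom note asks victims to send


def triage(root):
    """Walk root and report Wulfric indicators without modifying anything."""
    report = {"encrypted_by_dir": Counter(), "notes": [], "key_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if RENAMED.match(name):
                report["encrypted_by_dir"][dirpath] += 1
            elif name.lower() == NOTE_NAME:
                report["notes"].append(full)
            elif name.lower() == KEY_NAME:
                report["key_files"].append(full)
    report["total_encrypted"] = sum(report["encrypted_by_dir"].values())
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files standing in for an affected profile."""
    for rel in ("Documents/0a3.aef", "Documents/ff1.aef", "Documents/notes.txt",
                "Documents/report.aef",  # not three hex characters, so not counted
                "Pictures/b7c.aef", "hacked.txt", "pass.key"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        print("encrypted files:", r["total_encrypted"])
        for d, n in r["encrypted_by_dir"].most_common():
            print(f"  {n:4d}  {d}")
        print("ransom notes:", r["notes"])
        print("key files to preserve:", r["key_files"])
```

Run triage() against a copy or read-only mount of the affected drive, and keep any pass.key it reports together with the locked files, since the ransom note ties decryption to that file.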

The text in hacked.txt:

Attention, your files are encrypted !
the password it is random and itr’s unique to your PC.

Pay the amount of 0.05 BTC to the bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, send me a letter, attach the file pass.key to [email protected] with payment notification.

Once payment is confirmed, I will send you decrypter for the files.

You can pay bitcoins online in many ways:
https://buy.blockexplorer.com/ – payment by bank card
https://www.buybitcoinworldwide.com/
https://localbitcoins.net

About Bitcoins:
https://en.wikipedia.org/wiki/Bitcoin

If you have any questions, write to me at [email protected]

As a bonus, I will tell you how hacked your computer is and how to protect it in the future.

How to avoid Wulfric ransomware

The main ways that cryptoviruses spread to personal computers are these:

  • Spam messages and emails with malicious attachments or links to malicious websites.
  • The virus shared on peer-to-peer filesharing networks, hidden in or disguised as a wanted file.
  • Malicious ads online automatically download the virus.
  • Remote desktop connection is hacked and the virus is installed by the attacker.

Spam messages, such as social media messages or emails, can be used to spread malware like miners, spyware, and ransomware. An urgent but impersonal message is sent out in bulk to thousands of accounts by Wulfric’s distributor, and a few recipients fall for the deception and accidentally download the infected file. Or you look for a useful program or file and download something that looks legitimate but, unexpectedly, turns out to be Wulfric (that’s why piracy is dangerous). Avoid cracks and keygens, ignore suspicious messages and don’t open their attachments at all. Before opening a file, scan it with an antivirus program.

If you don’t remember downloading anything before being infected with Wulfric, then the cause might have been automatic downloads or remote installation by the hacker. Malicious ads can’t be avoided but you can update your browser and operating system to get rid of the vulnerabilities that could be exploited. And, if you don’t use Remote Desktop, disable it. If you do, only allow specific IPs and take other measures to secure your RDP according to your needs.


How to remove Wulfric ransomware

There is no clear way of restoring the files at the moment. There is hope, though, that some cybersecurity and cryptography experts will develop a free decryptor. It’s not unheard of — just recently, Emsisoft released one for LooCipher. Even the more serious ransomware viruses, such as GandCrab, can get decrypted, even though it’s unlikely to happen. So, you can keep all the locked files and check the news on Wulfric from time to time.

The other ways to restore your files, such as system restore and data recovery, are described below. But before you attempt those, it’s important to make sure that Wulfric can’t reencrypt any files. Any professional antivirus tool should be able to do that (Spyhunter).

How to recover Wulfric Ransomware (.aef files) encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Wulfric Ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of Wulfric Ransomware (.aef files)

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Wulfric Ransomware.

Step 3. Restore Wulfric Ransomware (.aef files) affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Wulfric Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Wulfric Ransomware (.aef files) encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
