Wyvern ransomware - How to remove

Wyvern ransomware virus belongs to the family of BTCWare that already shelters variants like Master and Gryphon. Wyvern does carry many similarities with the preceding members of this family, but several components differ. For instance, an original extension of .wyvern is appended to files which would be the biggest clue for victims. The full extension is [email protected]{id}.wyvern. File-encryption is supported by a common cryptography technique, RSA algorithm. After file-encoding is finished, users will notice HELP.hta file, containing hackers’ instructions. Demands are very similar to the BTCWare ransomware (Ransomware education: BTCWare).

Details about Wyvern crypto-virus

[email protected] is the email address that crooks are insisting victims to contact. The main file with ransom demands does not contain a lot of information as further demands shall be explained during email exchange between victims and extortionists. However, they do indicate that three files are accepted for free decryption.

This option is also offered for those who had become infected with Aleta ransomware: it also belongs to the family of BTCWare variants. According to the analysiss of the payload of Wyvern ransomware, it is classified as Gen:Variant.Ransom.BTCWare (Hybrid analysis). We also have a reason to believe that the payload might be concealed as a part of Acrobat Reader or Adobe Reader as many extracted filenames suggest this.

Since many security programs detect the payload as malicious (45 out of 65), we might suggest that ransomware is not very evasive (VirusTotal analysis). However, the Wyvern ransomware attempt to suppress failures during boot, disables startup repair and deletes Shadow Volume copies (How to use shadow copies?). Additionally, it sets an entry for auto-execution in Windows Registry. This is done for the sake of having the payload run in the background and encrypt files. The identical strategy is exploited by all ransomware infections. It applies to such variants like RedBoot or Mystic.

Victims might have a chance to recover their encoded data after Wyvern attack

Security researchers have expressed a possibility for file-recovery. Victims are encouraged to contact Michael Gillespie before they attempt to decrypt files without supervision. Researchers will attempt to help with the restoration of files. Therefore, writing email letters to [email protected] is a highly discourageable decision. Hackers behind the family of BTCWare have always been greedy, with several of their products requesting over 5000 dollars as the ransom. Such payments should never reach crooks’ bitcoin wallets. If victims of ransomware infections continue to surrender to hackers, generation of crypto-viruses will never cease to an end.

Of course, when a ransomware encrypts majority of users’ digital files, paying the ransom seems like the only way to go. However, we hope that more people will be cautious and take advantage of backup storages. There is a variety of such services; choose the best-suited for you. If this option is not to your liking, we can also suggest a simpler solution. Simply insert copies of valuable digital files in USB flash drives and you will be able to retrieved then anytime. Nevertheless, it is important that you do not keep USBs connected to computer devices. Once a ransomware strikes, the data in the connected drive might also become encoded.

Removal and prevention of ransomware

This family of ransomware is mostly distributed in a very specific way. Its creators look for poorly-protected RDP. Once they are hacked, crooks implant crypto-viruses. Considering this, you should take a look at the password of your remote desktop service. If the selected combination is plain simple, used for multiple accounts, or included into the annual lists of the worst passwords, it is crucial to replace it. However, ransomware viruses also are delivered in malspam. To avoid it, you should simply avoid messages from unknown senders. Do not download attachments or open links (even though they might seem harmless). To keep operating systems malware-free, we suggest you to use Spyhunter.

How to recover Wyvern ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Wyvern ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Wyvern ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Wyvern ransomware. You can check other tools here.  

Step 3. Restore Wyvern ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Wyvern ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Wyvern ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.