YOUR_LAST_CHANCE Ransomware - How to remove

YOUR_LAST_CHANCE is a cryptovirus based on an older infection called Nemesis. YOUR_LAST_CHANCE was found on 10 July and is potentially very dangerous, especially to those who don’t have a backup of their data.

YOUR_LAST_CHANCE can be removed with the help of an antivirus program, but that won’t fix the files. These will remain encrypted unless a decryption key is found. And while some choose to just reinstall their operating system (Windows in this case) and start over, there are some file recovery options available to the victims that could restore some data.

YOUR_LAST_CHANCE infection symptoms

Files that won’t open are the first sign of a file locker virus. If it’s YOUR_LAST_CHANCE, then that name, along with the victim’s unique ID, is appended to the file names. This should be visible to you if file extensions are displayed on your computer.

Every folder which had files attacked by YOUR_LAST_CHANCE has the _RESTORE FILES_.txt note put in it. The text looks like this:

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***

To decrypt your files you need to buy the special software — “Nemesis decryptor”
You can find out the details/buy decryptor + key/ask questions
by email: [email protected], [email protected] OR [email protected]

IMPORTANT!
DON’T TRY TO RESTORE YOU FILES BY YOUR SELF, YOU CAN DAMAGE FILES!
If within 24 hours you did not receive an answer by email, be sure to write to Jabber: [email protected]

The encrypted files have names like this:

picture.jpg.id_[random]_.YOUR_LAST_CHANCE

The virus, if you can find its executable, is detected by many reputable antivirus tools.

The files encrypted by YOUR_LAST_CHANCE include documents, multimedia, code, other user-created files. Even if some of the files aren’t completely encrypted, they’re corrupted enough to be unusable. But system files and executables are left alone to allow the victim to use their computer and contact the criminals.
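
To measure the damage without touching any file, the name pattern and note name described above can be searched for directly. The Python script below is an added example, not part of the original article or of any vendor's tool: it walks a folder tree read-only, recovers each file's original name and victim ID, and records a SHA-256 hash so preserved copies can later be checked for changes. The function names are hypothetical, and because the article does not document the ID format, the pattern accepts any characters there.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME = "_RESTORE FILES_.txt"  # ransom note file name given in this article
# Name pattern from this article: <original>.id_<victim ID>_.YOUR_LAST_CHANCE
# Assumption: the ID format is not documented, so any characters are accepted.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+?)\.id_(?P<vid>.+)_\.YOUR_LAST_CHANCE$")


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large encrypted files are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Walk root read-only; return (encrypted-file records, folders holding a note)."""
    records, note_dirs = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            match = ENCRYPTED_RE.match(name)
            if name == NOTE_NAME:
                note_dirs.add(full.parent)
            elif match:
                try:
                    digest = sha256_of(full)
                except OSError:  # unreadable file: still list it, without a hash
                    digest = None
                records.append({"path": full, "original_name": match["orig"],
                                "victim_id": match["vid"], "sha256": digest})
    return records, note_dirs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree, not real data
        root = Path(tmp)
        (root / "picture.jpg.id_0123456789_.YOUR_LAST_CHANCE").write_bytes(b"constructed")
        (root / NOTE_NAME).write_text("constructed note")
        found, notes = inventory(root)
        for rec in found:
            print(rec["sha256"], rec["victim_id"], rec["original_name"], sep="\t")
        print("folders with a ransom note:", len(notes))
```

Run `inventory()` against a mounted copy of the affected disk rather than the live system where possible, and keep the output alongside the preserved files.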

Why encryption is used

Ransomware began in 1989 when a floppy with a file name-encrypting virus (it only encrypted file names and the encryption was symmetric) was physically mailed to people. Then, in 1996, the idea to improve cryptovirology by combining symmetric and public-key cryptography was brought up and has been used by successful ransomware viruses since. Hybrid encryption is an algorithm that allows the criminals behind YOUR_LAST_CHANCE to control people’s access to the decryption keys and so, their access to their files.

Ransomware widely uses Bitcoin for ransom payments (though other cryptocurrencies work, too) because it’s relatively anonymous, electronic, and the transactions are automatable. Bitcoin is also useful because the transactions aren’t controlled by another party, so they can’t be recalled or reversed. This means that if you pay YOUR_LAST_CHANCE for the files, you have to hope for the extortionists to be fair and honest and send the decrypted decryption keys to you.

Unlike screen-lockers, file-lockers can result in total loss of data. Backups are used by people to mitigate the risk of ransomware, but some people expose their backups to the internet or to their network. If a cryptovirus with the ability to spread on a local network infects a machine, the backups are encrypted, too. Loss of data can be devastating, especially to a business or another organization. That’s why some of them agree to pay the ransom, even if it’s very high.

To protect the criminals’ privacy further, some extortionists use the Tor network. Nemesis before YOUR_LAST_CHANCE did. Like Bitcoin and cryptography, Tor is legitimate and very useful for protecting users’ privacy. It’s unfortunate that criminals use these technologies and give them a bad name.

How ransomware is distributed

Crypto viruses like YOUR_LAST_CHANCE, Nemesis, and others are distributed in a few different ways, some of which are targeted and totally hands-off from the victim’s point of view and some of which require the victim to download and run the virus.

Here are the main ways for YOUR_LAST_CHANCE to get on computers:

  • Hacking the Remote Desktop connection is one of the ways that networks of businesses and organizations are attacked. Some have their remote desktop access exposed to anyone on the internet and use a weak password to secure it. Sometimes the hacked account has the privileges to install software and change settings. In cases like that, YOUR_LAST_CHANCE’s distributors could cause an immense amount of harm which wouldn’t end with lost data, but include stolen credentials and information, too.
  • Malspam emails spread ransomware infections by attaching malicious files to generic urgent-sounding emails. Alternatively, they can include a file download link in the email. Anyone is vulnerable to malspam and some very prominent ransomware has used it.
  • Some ransomware targeted more at individuals, like what YOUR_LAST_CHANCE seems to be, is uploaded online disguised as various software products, ranging from well-known programs to illegal stuff like cracks. STOP/DJVU is a very prominent virus family that currently uses this distribution method.
  • Finally, YOUR_LAST_CHANCE could be distributed with the help of malvertising. Exploit kits are used to find vulnerable systems and stealthily download and run the virus, whether it’s Matrix or NRSMiner. Computers and servers with outdated software are especially vulnerable.

With so many ways for ransomware to be distributed, it’s unlikely that you can avoid attacks (though it’s still worth trying), especially if you’re an attractive target. That’s why data backups are so important. If YOUR_LAST_CHANCE encrypts all of your data but you also have your files saved on some offline storage or the cloud, YOUR_LAST_CHANCE only costs you some time and nothing more.

How to remove YOUR_LAST_CHANCE

Removing the virus is essential before the infected computer can be used normally again. Repeat encryption is a danger, as is the virus spreading to other media. YOUR_LAST_CHANCE should be detected by most good antivirus programs, like Spyhunter. If removing it doesn’t work, you could scan your disk from another computer, or even reinstall your Windows operating system (YOUR_LAST_CHANCE targets Windows).

Whether you don’t want to pay the ransom (which is commendable) or were scammed by the extortionists, you might be interested in some alternative file recovery options. They’re listed in the guide below. They might not work at all, so put the encrypted files somewhere where they won’t be deleted or edited. Then, check nomoreransom.org from time to time to see if a free decryptor for YOUR_LAST_CHANCE is released.

How to recover YOUR_LAST_CHANCE Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before YOUR_LAST_CHANCE infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.
 

Step 2. Complete removal of YOUR_LAST_CHANCE Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to YOUR_LAST_CHANCE. You can check other tools here.  

Step 3. Restore YOUR_LAST_CHANCE Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually YOUR_LAST_CHANCE tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover YOUR_LAST_CHANCE Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.