What is ViiperWare ransomware? And how does it execute its attack?
ViiperWare ransomware is another malicious program designed to encrypt files, and it is built on the open-source HiddenTear platform. According to researchers, this new ransomware appears to be an independent cyber threat aimed at regular PC users. Infected users reported that they were hit right after opening an attachment they had downloaded from their email, which leads to the conclusion that this malicious program spreads through malicious spam email campaigns. As soon as it gets hold of the compromised computer, it immediately looks for files with the following extensions to encrypt:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
During encryption, the ransomware is said to use an encryption method described as military-grade, which means it can be really hard to recover the encrypted files without a decryption key. It also appends the .viiper extension to each encrypted file. Once the encryption process is done, it displays a program window labeled “ViiperWare Ransomware”, which offers a selection of languages for the ransom notification. It also displays the following ransom message:
“1.) What Happened to my files?
- Your Files has been encrypted, what means you’re not able to use them anymore until you decrypt them.
2.) Can I recover my FIles?
- yes of course you can recover them. It’s pretty easy to do that but of course it is not free. Just Pay the Price wich is shown below and you will recive your Decryption Key after we received the Payment!
3.) How I got infected with this?
- Probably you tried to download something illegal from the Internet or you got scammed by someone.
[Enter Decryption|BUTTON] [Pay the Price|BUTTON] Price: 20,00 €”
No matter how hopeless the situation seems, paying the ransom should not be one of your options: these crooks can’t be trusted, and they might simply take the money without giving you the decryption key. For now, your only saving grace is backup copies of your files, or at least an attempt to recover them from their Shadow Volume Copies.
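Before restoring from backups, it helps to know exactly which files and folders were hit. The script below is an added example, not part of the original guide: it inventories files carrying the .viiper extension and groups them by folder and by original file type. It assumes the ransomware keeps the original name and appends the suffix (for example report.docx.viiper), and that the oldest modification time among those files approximates when encryption began.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".viiper"  # extension the article says is appended to each file


def inventory_encrypted(root):
    """Summarise every file under root whose name ends in .viiper."""
    files, by_ext, by_dir = [], Counter(), Counter()
    earliest = None
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            # report.docx.viiper -> report.docx -> .docx
            original = name[: -len(ENCRYPTED_SUFFIX)]
            ext = os.path.splitext(original)[1].lower() or "(none)"
            files.append(path)
            by_ext[ext] += 1
            by_dir[dirpath] += 1
            mtime = os.stat(path).st_mtime
            if earliest is None or mtime < earliest:
                earliest = mtime
    return {
        "files": sorted(files),
        "by_extension": dict(by_ext),
        "by_directory": dict(by_dir),
        "earliest_mtime": earliest,
    }


def restore_cutoff(summary):
    """Assumption: the oldest .viiper mtime approximates when encryption
    started, so a backup or previous version older than it predates the attack."""
    ts = summary["earliest_mtime"]
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc)


if __name__ == "__main__":
    report = inventory_encrypted(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(report['files'])} encrypted files; "
          f"restore from copies older than {restore_cutoff(report)}")
    for folder, count in sorted(report["by_directory"].items()):
        print(f"{count:6d}  {folder}")
```

Run it against a user profile or a mounted copy of the disk, passing the folder as the first argument.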
How does ViiperWare ransomware multiply its infection?
According to users who reported getting the ViiperWare ransomware infection, they were infected after they opened an attachment from their email. This means that ViiperWare ransomware proliferates using the most common ransomware distribution method: spam emails. The infected attachment is said to be a document file that contains macro scripts responsible for initiating the attack on the affected computer.
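Because the attachment is described as a macro-carrying document, a mail filter or a cautious user can check an attachment for macros before anyone opens it. The script below is an added example, not part of the original guide: it classifies an attachment by its content rather than its file name. The category names and the quarantine rule are assumptions made for illustration, and the sample files are constructed in memory.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls/.ppt files


def classify_attachment(data):
    """Classify raw attachment bytes by their content, not their file name."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: can carry VBA, needs an OLE parser to confirm.
        return "ole-legacy"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "other"
    try:
        with zipfile.ZipFile(buf) as archive:
            names = [n.lower() for n in archive.namelist()]
    except zipfile.BadZipFile:
        return "other"  # damaged archive, not a readable Office package
    if "[content_types].xml" not in names:
        return "other"  # a ZIP, but not an Office Open XML package
    if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "ooxml-macro"  # a VBA project is stored inside the document
    return "ooxml-clean"


def should_quarantine(data):
    """Hold macro-bearing and legacy Office attachments for review."""
    return classify_attachment(data) in ("ooxml-macro", "ole-legacy")


def constructed_sample(with_macro):
    """Build a minimal constructed OOXML-like package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("invoice.docx", constructed_sample(False)),
                        ("invoice.docm", constructed_sample(True)),
                        ("old.doc", OLE_MAGIC + b"\0" * 16)]:
        print(label, classify_attachment(blob), should_quarantine(blob))
```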
Below are the instructions you must follow to eliminate ViiperWare ransomware.
Step 1: Tap Ctrl + Shift + Esc to open the Task Manager.
Step 2: Once you’ve opened the Task Manager, go to the Processes tab and look for ViiperWare Ransomware.exe and end its process by clicking on End Task or End Process.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for ViiperWare Ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations below and look for ViiperWare ransomware’s malicious components such as ViiperWare Ransomware.exe and other suspicious files and then delete all of them.
Step 7: Close the File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save yourself the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the following path:
Step 10: Delete the registry keys and sub-keys created by ViiperWare ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if ViiperWare ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; proceed to the Previous Versions tab, which loads the versions of the file from before it was modified. After it loads, select any of the previous versions displayed on the list, and then click the Restore button.
To make sure that nothing is left behind and that the ViiperWare is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly; by doing so, the Advanced Option shows up.
- To navigate the Advanced Option, use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.