What is Imsorry Ransomware?
This ransomware-type infection was discovered at the end of May 2017. It is still a new threat and not widespread yet, but you should not let your guard down: cyber criminals might use it more often, and it could be developed into a more sophisticated ransomware. Though new, it is still a dangerous threat, since it encrypts the personal files on your computer, which means you cannot open or run them unless they are decrypted. The first thing it does once it gets into your computer is look for MS Office documents, photos, videos, music, archives, etc. and start encrypting them with the AES (Advanced Encryption Standard) cipher. The Imsorry ransomware appends the .imsorry extension to the name of each encrypted file; for example, importantfiles.docx is renamed to importantfiles.docx.imsorry. Threats like the Imsorry virus are classified as ransomware because they do whatever it takes to extort money from their victims. After it encrypts your files, it displays its message in a .txt file like the one quoted below.
After the files on your computer are encrypted, the Imsorry ransomware displays a pop-up window and creates a text file named Read me for help thanks.txt in each directory that contains encrypted files. In it you will find demands and instructions on how to pay for the decryption key using bitcoin, as well as the time frame of 3 weeks given to pay the ransom. This is the full message:
“Hello, I hate to inform you but your files have been encrypted.
To get them back you must pay me a small fee.
Instructions are buy btc then pay me then i’ll simply give you, your encryption key.
Make a account here
Use one of the trade centers below to receive bitcoin to pay me off
Send the payment of 500 USD to the BTC address below
then i’ll give you the key.
Places you can read about bitcoin
You have 3 weeks to pay else i might delete the key or i might just give you the key idk
Be sure you put your btc address in the box below as this is how i track payments.
if you f*** around i’ll delete your key.”
The Imsorry ransomware’s goal, like that of any other ransomware, is to force you to pay. Once the encryption process is done, the ransomware tells you that there is no other way to get your data back unless you pay the ransom of approximately $500. After you pay, you are supposed to receive the decryption key. But you should know better than to trust cyber criminals: paying the ransom should never cross your mind, since many victims who paid ended up being ignored by the criminals who developed the ransomware. There are other ways to recover the files without paying the demanded ransom, and they are discussed in this article.
How is the Imsorry ransomware distributed?
Like most ransomware infections, the Imsorry ransomware is distributed as suspicious attachments in spam emails, usually sent by unknown senders. A naïve user will be clueless, since most spam emails with infected attachments are disguised as important documents such as credit card information or other important data; that is why many users carelessly open these attachments and infect their computers. The Imsorry ransomware can also be picked up by downloading software from dubious websites: the infection is bundled into the package together with the software the user wants to download, which the user expects to be legitimate. Unlike most ransomware, which modifies the Windows registry, the Imsorry ransomware makes no changes to your computer’s registry and does not create copies of itself to make its removal difficult. Nor does it block utilities like the Windows Task Manager, which makes removal easier.
Removing the Imsorry Ransomware
METHOD 1: Using the Windows Task Manager:
Step 1: Restart your computer into Safe Mode.
Step 2: Open the Windows Task Manager by pressing Ctrl + Shift + Esc, then go to the Processes tab.
Locate the Imsorry Ransomware or any suspicious processes. Right-click on them and select Open File Location, then scan the files using any up-to-date antivirus. After opening each folder, end the infected processes and delete their folders.
Step 3: Press the Windows key + R, then copy and paste the following and click OK:
notepad %windir%/system32/Drivers/etc/hosts
After that, click the Windows button at the lower-left corner of your screen, type msconfig in the search box and press Enter. The System Configuration window will open.
Go to the Startup tab and uncheck entries that have an unknown manufacturer.
Step 4: Delete everything under these directories.
Erase everything in the Temp folder.
METHOD 2: Using System Restore on Safe Mode with Command Prompt
Step 1: Reboot your computer into Safe Mode with Command Prompt by pressing F8 repeatedly during startup until the Advanced Boot Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard, then hit Enter.
Step 2: After loading the Command Prompt type cd restore and hit Enter.
Step 3: After cd restore, type in rstrui.exe and hit Enter.
Step 4: A new window will appear, and then click Next.
Step 5: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infiltrated with the Imsorry Ransomware.
Step 6: A dialog box will appear, and then click Next.
Step 7: After the system restore process, download SpyRemover Pro to make sure that all its files are deleted and to secure your computer and prevent the Imsorry Ransomware or other future threats from infecting your computer again.
How to decrypt files encrypted by the Imsorry Ransomware
Restoring your files shouldn’t be hard as long as the computer still has its shadow volume copies. This is one of the safest methods you can try to restore your encrypted data.
To restore an encrypted file, right-click on it and select Properties. In the window that opens, go to the Previous Versions tab; it will list the versions of the file from before it was modified. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
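Before going through files one by one, it helps to know whether any shadow copy actually predates the encryption. The script below is an added example (not from the original article): it enumerates the .imsorry files and ransom notes described earlier, takes the earliest .imsorry write time as the start of encryption, and lists which shadow copies were created before it. The root folder and the ransom note name are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's own code. Assumes user data lives under
# $Root and that the ransom note is named as the article describes.
param(
    [string]$Root = 'C:\Users',
    [string]$NoteName = 'Read me for help thanks.txt'
)

# 1. Enumerate encrypted files. The original name is the path minus the
#    trailing ".imsorry" (importantfiles.docx.imsorry -> importantfiles.docx).
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter '*.imsorry' -ErrorAction SilentlyContinue
if (-not $encrypted) {
    Write-Host "No .imsorry files found under $Root"
    return
}
$affectedDirs = @($encrypted | Select-Object -ExpandProperty DirectoryName -Unique)
$encryptedAt  = ($encrypted | Measure-Object -Property LastWriteTime -Minimum).Minimum

Write-Host ("{0} encrypted files in {1} folders; encryption started about {2}" -f @($encrypted).Count, $affectedDirs.Count, $encryptedAt)
$encrypted | Select-Object -First 5 | ForEach-Object {
    $original = $_.FullName.Substring(0, $_.FullName.Length - '.imsorry'.Length)
    Write-Host ("  {0}  (original name: {1})" -f $_.FullName, $original)
}

# 2. The article says a note is dropped in every directory with encrypted files;
#    count how many affected folders actually carry one.
$withNote = @($affectedDirs | Where-Object { Test-Path (Join-Path $_ $NoteName) })
Write-Host ("Ransom note present in {0} of {1} affected folders" -f $withNote.Count, $affectedDirs.Count)

# 3. Only shadow copies created before the encryption hold unencrypted
#    Previous Versions; later ones would only give back .imsorry files.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    Write-Host 'No shadow copies exist; Previous Versions cannot help, restore from a backup instead.'
    return
}
foreach ($s in ($shadows | Sort-Object InstallDate)) {
    $state = if ($s.InstallDate -lt $encryptedAt) { 'PRE-ENCRYPTION (usable)' } else { 'post-encryption' }
    Write-Host ("  {0}  volume {1}  {2}" -f $s.InstallDate, $s.VolumeName, $state)
}
```

If every shadow copy is marked post-encryption, the Previous Versions tab will only offer encrypted content and you will need an offline backup instead.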