Remove PowerShell ransomware virus (Restore encrypted files)

The PowerShell ransomware offers to make a payment in Bitcoins to get a key to decrypt documents, photos and music. Important to know, currently not possible to decrypt your photos, documents and music without the private key and decrypt application. If you choose to pay the ransom, there is no 100% guarantee that you can restore all personal files! If you do not want to pay for a decryption key, then you have a chance to restore encrypted files.

Use the step-by-step guide below to get rid of the ransomware virus itself and try to recover encrypted photos, documents and music.

What is PowerShell virus

PowerShell ransomware is a variant of crypto viruses (malware that encrypt personal files and demand a ransom). It affects all current versions of Microsoft Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware infection uses a hybrid AES + RSA encryption mode to eliminate the possibility of brute force a key which will allow to decrypt encrypted personal files.

When the ransomware infection infects a PC, it uses system directories to store own files. To run automatically whenever you turn on your PC, PowerShell ransomware virus creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.

Immediately after the launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:

.pkpass, .db0, .mp4, .lrf, .xml, .wpg, .odt, .indd, .slm, .wri, .rgss3a, .pst, .fsh, .rim, .zw, .forge, .kdb, .lvl, .raf, .wmf, .sis, .wdp, .snx, .2bp, .wsd, .nrw, .kdc, .wma, .wp5, .rar, .xlsm, .mrwref, .wmd, .t12, .sidn, .ncf, .wps, .hkdb, .zip, .litemod, .tor, .upk, .xld, .3dm, .kf, .pef, .odb, .mlx, .psk, .x3d, .doc, .srw, .dazip, .dbf, .sb, .vpp_pc, .rw2, .ntl, .bkp, .yml, .hvpl, .pem, .7z, .m3u, .cr2, .docx, .re4, .js, .wotreplay, .wgz, .wsc, .xlsb, .yal, .wp7, .wn, .wbd, .odm, .xlgc, .pdf, .xf, .jpeg, .ybk, .xdb, .wp4, .xls, .ods, .wmv, .r3d, .xpm, .x3f, .m2, .fpk, .raw, .qdf, .wbmp, .pptm, .1, .wpl, .csv, .xlsx, .sql, .xar, .bsa, .itdb, .erf, .xmmap, .mpqge, .das, .layout, .css, .wpd, .z3d, .tax, .xdl, .webdoc, .orf, .dxg, .sid, .xyw, .hkx, .ptx, .wpw, .iwi, .bik, .wma, .eps, .dmp, .w3x, .xxx, .xx, .wbc, .xls, .srf, .wire, .3ds, .bay, .xmind, .cdr, .p12, .m4a, .wps, .wpt, .wav, .wdb, .mdb, .1st, .vcf, .webp, .esm, .der, .pak, .docm, .bar, .xlsx, .x, .dng, .pdd, .dcr, .lbf, .mef, .rofl, .ppt, .ff, .vdf, .dba, .ws, .arch00, .bc7, .d3dbsp, .vpk, .itl, .hplg, .asset, .desc, .wsh, .ztmp, .xll, .accdb, .cfr, .pfx, .dwg, .map, .py, wallet, .fos, .vtf, .itm, .blob, .wpd, .0, .rb, .wmv, .vfs0, .pptx, .zip, .apk, .xbplate, .wbk, .x3f, .xlsm, .psd, .rtf, .bc6, .ysp, .jpe, .xwp, .arw, .gdb, .mddata, .gho, .z, .png, .flv, .xy3, .wpb, .wot, .zabw, .xbdoc, .avi, .odp, .wpe, .svg, .mdf, .cer, .zi, .wp6, .qic, .cas, .t13, .syncdb, .big, .xyp, .sie, .wmo, .rwl, .wcf, .wbz, .p7b, .sum, .menu, .wbm

Once all files are encrypted, the ransomware creates a file named “_README-Encrypted-Files.html”. This file contain guidance on how to decrypt all encrypted photos, documents and music. An example of the guidance is:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxp://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxp://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is ONLY possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow this link:
1. hxxp://5zzfhzftspadlgje.onion.to

If the address is not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: xxx.onion
4. Follow the instructions on the site.

!!! Your Personal identification ID:

The PowerShell ransomware infection actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a threatening message on the desktop. It is trying to force the user of the infected computer, do not hesitate to pay a ransom, in an attempt to restore their documents, photos and music.

How to decrypt your files

Currently there is no available solution to decrypt random few letters files. The ransomware infection repeatedly tells the victim that uses RSA-2048 key (AES 256-bit encryption method). What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a way because of the big length of the key. Therefore, unfortunately, the only payment to the developers of the PowerShell ransomware virus entire amount requested – the only way to try to get the decryption key and decrypt all your files.

There is absolutely no guarantee that after pay a ransom to the creators of the PowerShell ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.

How to remove PowerShell virus

The following instructions will help you to get rid of PowerShell virus and other malware. Before doing it, you need to know that starting to remove the ransomware, you may block the ability to decrypt photos, documents and music by paying developers of the virus requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active viruses and easily get rid of it from your PC, but they can not restore encrypted documents, photos and music.

How to remove PowerShell ransomware with Zemana

We suggest you to run the Zemana Anti-malware that are completely clean your PC of this ransomware infection. Moreover, the utility will help you to get rid of potentially unwanted software, malicious software, toolbars and adware that your machine can be infected too.

Download Zemana anti-malware from the link below. Save it on your Desktop.

Once the download is done, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as displayed below.

When the install starts, you will see the “Setup wizard” which will help you install Zemana antimalware on your PC system.

Once setup is done, you will see window as displayed on the screen below.

Now click the “Scan” button to perform a system scan with this tool for the PowerShell ransomware . This task can take some time, so please be patient.

When it completes the scan, it’ll open a scan report. Review the report and then press “Next” button.

The Zemana Anti-malware will begin removing PowerShell ransomware virus related files, folders and registry keys.

Delete PowerShell ransomware with Malwarebytes

We advise using the Malwarebytes Free. You can download and install Malwarebytes to find and delete PowerShell ransomware virus from your personal computer. When installed and updated, the free malware remover will automatically scan and detect all threats present on the computer.

Download Malwarebytes Free on your Windows Desktop from the link below.

After the download is finished, run it and follow the prompts. Once installed, the Malwarebytes will try to update itself and when this process is done, click the “Scan Now” button for scanning your system for the PowerShell virus and other trojans and dangerous software. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your PC system. When a threat is detected, the number of the security threats will change accordingly. When you are ready, click “Quarantine Selected” button.

The Malwarebytes is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we recommend you to read and follow the steps or the video guide below.

Use KVRT to remove PowerShell ransomware

KVRT is a free portable program that scans your PC for ‘ad supported’ software, potentially unwanted applications and viruss such as PowerShell and allows delete them easily. Moreover, it will also allow you get rid of any dangerous browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the following link.

When the download is finished, double-click on the KVRT icon. Once initialization procedure is finished, you will see the KVRT screen as on the image below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the PowerShell ransomware and other trojans and dangerous applications. A system scan can take anywhere from 5 to 30 minutes, depending on your system. During the scan it’ll detect all threats exist on your computer.

Once the scan is done, a list of all threats found is produced as displayed on the screen below.

Make sure all harmful entries are ‘selected’ and click on Continue to begin a cleaning process.

Recovering files encrypted with PowerShell ransomware infection

In some cases, you can recover files encrypted by PowerShell ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.

Use shadow copies to recover your files

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

Download ShadowExplorer from the following link and save it directly to your MS Windows Desktop. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.

Once the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.

Launch ShadowExplorerPortable. You will see the a window as displayed in the following example.

From the first drop down list you can select a drive which contains encrypted personal files, from the second drop down list you can choose the date that you wish to recover from. 1 – drive, 2 – restore point, as displayed on the image below.

Righ-click entire folder or any one encrypted file and select Export, as displayed in the following example.

It will open a prompt which asking whether you would like to restore a file or the contents of the folder to.

Recover your files with PhotoRec

Before a file is encrypted, the PowerShell ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file recover programs like PhotoRec.

Download PhotoRec from the link below.

Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.

Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen like below.

Choose a drive to recover as shown below.

You will see a list of available partitions. Select a partition that holds encrypted files as shown on the screen below.

Press File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.

Next, press Browse button to select where restored personal files should be written, then click Search.

Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the recovery is complete, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents like below.

All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.

How to prevent your personal computer from becoming infected by PowerShell ransomware virus?

Most antivirus programs already have built-in protection system against the virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.

Use CryptoPrevent to protect your computer from PowerShell virus

Download CryptoPrevent by clicking on the following link. Save it on your Desktop.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the install is finished, you will be shown a window where you can choose a level of protection, as shown below.

Now press the Apply button to activate the protection.

How does your personal computer get infected with PowerShell ransomware infection

The PowerShell ransomware virus is distributed through the use of spam emails. Below is an email that is infected with a virus like PowerShell ransomware virus.

Once this attachment has been opened, this ransomware virus will be opened automatically as you do not even notice that. The PowerShell ransomware will begin the encryption process. When this task is finished, it’ll display the usual ransom instructions like above on _README-Encrypted-Files.html.

To sum up

Once you have finished the guidance outlined above, your computer should be clean from PowerShell ransomware and other malware. Your machine will no longer encrypt your documents, photos and music. Unfortunately, if the tutorial does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help.

1. Download HijackThis by clicking on the link below and save it to your Desktop.
   
   

   HijackThis download
   4692 downloads
   Version: 2.0.5
   Author: OpenSource
   Category: Security tools
   Update: November 7, 2015
   
2. Double-click on the HijackThis icon. Next press “Do a system scan only” button.
3. When this tool has finished scanning, the scan button will read “Save log”, click it. Save this log to your desktop.
4. Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
5. Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
6. Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the PowerShell ransomware infection.