This week, computer security professionals have received reports of yet another ransomware named Serpent. This ransomware virus spreads via spam emails and malware files and appends the .srpx extension to encrypted files.
The Serpent ransomware virus uses a hybrid AES + RSA encryption mode. When the virus encrypts a file, it adds the .srpx extension to it. Once the ransomware has finished encrypting all documents, photos and music, it drops a file called “README_TO_RESTORE_FILES_.html” with instructions on how to decrypt the files.
The ransom note encourages the victim to contact Serpent’s creators in order to buy the “Serpent Decrypter”. They demand a ransom (usually €587 – €1762 in Bitcoins). We don’t recommend paying the ransom, as there is no guarantee that you will be able to decrypt your files, especially since you have a chance to restore your personal files for free, without the “Serpent Decrypter”, using free utilities such as ShadowExplorer and PhotoRec.
The instructions below will allow you to remove the Serpent ransomware virus as well as restore encrypted photos, documents and music stored on your computer drives.
What is Serpent virus
Serpent is a crypto virus (malicious software that encrypts personal files and demands a ransom). It affects all current versions of MS Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware uses a strong encryption algorithm with a 2048-bit key to eliminate the possibility of brute forcing a key that would decrypt the encrypted files.
When the ransomware infects a computer, it uses system directories to store its own files. To run automatically whenever you turn on your system, the Serpent ransomware virus creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to decide which files to encrypt. Almost all types of files are encrypted, including common ones such as:
.indd, .ppt, .xy3, .pst, .zi, .bkf, .2bp, .ncf, .odp, .cer, .mpqge, .r3d, .xbplate, .wbc, .pem, .yal, .map, .doc, .wbk, .wma, .wbmp, .layout, .wdb, .rofl, .7z, .x3f, .zdb, .x3d, .xdl, .re4, .wpe, .xf, .sidd, .xll, .xlk, .forge, .wpd, .menu, .cas, .webp, .wbd, .epk, .der, .fsh, .wbm, .db0, .rwl, .fos, .icxs, .pef, .xlgc, .cdr, .psd, .xyp, .vfs0, .xpm, .bc7, .dazip, .csv, .css, .xyw, .wdp, .wps, .xwp, .vcf, .jpe, .mdf, .dbf, .lvl, .sie, .wpa, .ptx, .pdd, .wpt, .mp4, .arw, .das, .bar, .wps, .slm, .wgz, .wmv, .xlsm, .lbf, .pak, .hkx, .wp7, .wmf, .d3dbsp, .xls, .bsa, .sum, .dwg, .eps, .xlsx, .m3u, .itdb, .1st, .mef, .xxx, .docx, .mov, .sql, .t13, .t12, .wcf, .zip, .psk, .syncdb, .qdf, .svg, .upk, .wpb, .odb, .xmmap, .kdb, .cfr, .js, .x3f, .mdbackup, .wmo, .m4a, .dng, .pfx, .ibank, .wma, .x, .wot, .zw, .rim, .itl, .wp, .raw, .bkp, .ai, .wsh, .xbdoc, .wp6, .wav, .bay, .rgss3a, .w3x, .ff, .apk, .gho, .vpk, .1, .pptm, .py, .xml, .pkpass, .odt, .zif, .raf, .ybk, .pdf, .snx, .mrwref, .wotreplay, .xlsm, .odm, .mddata, .lrf, .wsd, .txt, .vdf, .xls, .pptx, .esm, .xar, .p7c, .orf, .p12, .srw, .wpw, .dcr, .3dm, .ntl, .sr2, .sav, .xx, .xmind, .wn, .ods, .m2, .wb2, .big, .rw2, .wp5, .qic, .wbz, .mdb, .kdc, .ztmp, .tor, wallet, .nrw, .fpk, .wsc, .crw, .ws, .itm, .bc6, .sidn, .hvpl, .zdc, .xlsx, .odc, .bik, .rb, .mcmeta, .litemod, .xld, .jpeg, .ysp, .rtf, .iwd, .arch00, .kf, .gdb, .zabw, .rar, .sb, .dba, .yml, .crt, .cr2, .vpp_pc, .accdb, .mlx, .xdb, .xlsb, .avi, .0, .desc, .asset, .wpl, .z, .wpg, .p7b, .y, .z3d, .tax, .wmv, .sid, .wm, .zip, .erf, .3fr, .dmp, .jpg, .blob, .srf, .3ds, .hplg, .dxg, .sis, .wp4, .docm
Once a file is encrypted, its extension is changed to .srpx. Next, the ransomware creates a file called “README_TO_RESTORE_FILES_.html”. This file contains a guide on how to decrypt all encrypted photos, documents and music. An example of the instructions is:
==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====
================ PLEASE READ THIS MESSAGE CAREFULLY ================
Your documents, photos, videos, databases and other important files have been encrypted!
The files have been encrypted using AES256 and RSA2048 encryption (unbreakable)
To decrypt your files you need to buy the special software ‘Serpent Decrypter’.
You can buy this software on one of the websites below.
hxxp://hmkwegza.pw/xxx
hxxp://pwmhgfhm.pw/xxx
If the websites above do not work you can use a special website on the TOR network. Follow the steps below
1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads
2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/xxx
3. Follow the instructions to buy ‘Serpent Decrypter’
================ PLEASE READ THIS MESSAGE CAREFULLY ================
The Serpent ransomware actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It is trying to pressure the user of the infected PC into paying the ransom without hesitation, in an attempt to restore their photos, documents and music.
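The two indicators described above (the .srpx suffix and the README_TO_RESTORE_FILES_.html note) can be inventoried read-only to scope the damage and to pick a restore date older than the first encrypted file. This is an added example, not code from the original article; the function names, the constructed sample tree and the use of file modification time as an estimate of encryption time are assumptions.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".srpx"                     # extension named in the article
RANSOM_NOTE = "readme_to_restore_files_.html"  # note name from the article, lower-cased

def inventory(root):
    """Read-only walk of root: encrypted files, ransom notes, earliest write time."""
    encrypted, notes, by_type = [], [], Counter()
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]  # name before .srpx was appended
                encrypted.append((path, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
                mtime = path.stat().st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
    # Assumption: a .srpx file's mtime approximates when the ransomware wrote it.
    when = None if earliest is None else datetime.fromtimestamp(earliest, tz=timezone.utc)
    return {"encrypted": encrypted, "notes": notes, "by_type": by_type, "earliest": when}

def build_sample_tree(root):
    """Constructed sample data: a small tree shaped like an affected user profile."""
    layout = {
        "Documents/report.docx.srpx": 1_487_000_000,
        "Documents/budget.xlsx.srpx": 1_487_000_060,
        "Pictures/holiday.jpg.srpx": 1_487_000_120,
        "Documents/README_TO_RESTORE_FILES_.html": 1_487_000_200,
        "Documents/untouched.log": 1_480_000_000,
    }
    for rel, mtime in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = inventory(build_sample_tree(tmp))
        print(len(report["encrypted"]), "encrypted,", len(report["notes"]), "note(s)")
        print(dict(report["by_type"]), "earliest:", report["earliest"])
```

Run `inventory()` against a mounted copy of the affected drive rather than the live system where possible, so the scan itself does not alter timestamps or overwrite deleted originals.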
How to decrypt .srpx files
Currently there is no available method to decrypt .srpx files, but you have a chance to recover encrypted personal files for free. The ransomware repeatedly tells the victim that it uses very strong hybrid encryption with a large key. This means that decrypting the files is impossible without the private key. Brute forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the creators of the Serpent ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the creators of the Serpent ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove Serpent ransomware virus
The following instructions will help you to remove Serpent ransomware and other malware. Before you begin, you need to know that by removing the ransomware you may lose the ability to decrypt files by paying the authors the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active viruses and easily remove them from your system, but they cannot restore encrypted personal files.
Remove Serpent ransomware with Zemana Anti-malware
Zemana Anti-malware is highly recommended, because it can find security threats such as Serpent ransomware, ad supported software and other malicious software that most ‘classic’ antivirus programs fail to pick up on. Moreover, if you have any Serpent removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.
- Please download Zemana anti-malware from the link below. Save it on your MS Windows desktop or in any other place.
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- Once downloading is done, please close all programs and open windows on your machine. Next, start a file named Zemana.AntiMalware.Setup.
- This will run the “Setup wizard” of Zemana anti-malware onto your system. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the antimalware will open and show the main window.
- Next, press the “Scan” button to scan your PC system for the Serpent ransomware virus and other trojans and malicious programs. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your personal computer. When malicious software, adware or potentially unwanted programs are detected, the number of security threats will change accordingly. Wait until the scanning is finished.
- After the scan has finished, you may check all items detected on your machine.
- When you’re ready, click the “Next” button to start cleaning your machine. Once the task is finished, you may be prompted to reboot the PC.
- Close the Zemana Anti-Malware and continue with the next step.
Automatically remove Serpent virus with Malwarebytes
We recommend using the Malwarebytes Free. You may download and install Malwarebytes to detect and delete Serpent ransomware from your computer. When installed and updated, the free malware remover will automatically scan and detect all threats present on the PC.
Download Malwarebytes by clicking on the link below. Save it on your Microsoft Windows desktop.
After the download is complete, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown on the image below.
When the install starts, you will see the “Setup wizard” that will help you install Malwarebytes on your system.
Once the install is finished, you will see a window as displayed below.
Now press the “Scan Now” button. This will start scanning the whole PC system to find the Serpent virus. This process can take some time, so please be patient. While the utility is checking, you can see how many objects and files have already been scanned.
When it completes the scan, it’ll open a scan report. When you are ready, click “Quarantine Selected” button.
Malwarebytes will begin removing Serpent ransomware related files, folders and registry keys. Once disinfection is finished, you may be prompted to restart your personal computer.
Remove Serpent ransomware virus with KVRT
KVRT is a free removal tool which can check your computer for a wide range of security threats like the Serpent ransomware infection, ‘ad supported’ software, PUPs as well as other malicious software. It will perform a deep scan of your machine including hard drives and MS Windows registry. When a malware is detected, it will help you to delete all detected threats from your computer with a simple click.
Download Kaspersky virus removal tool (KVRT) on your MS Windows Desktop from the link below.
When the download is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click the Start scan button to perform a system scan with this tool for the Serpent ransomware infection and other trojans and harmful programs. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. While the utility is scanning, you can see the count of objects it has identified as being infected by malware.
When it has completed scanning, it will show a scan report as shown in the following example.
Next, you need to press on Continue to start a cleaning task.
How to restore .srpx files
In some cases, you can restore files encrypted by the Serpent ransomware infection. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Use ShadowExplorer to recover .srpx files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download ShadowExplorer on your Microsoft Windows Desktop by clicking on the link below. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
After the downloading process is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the screen below.
Start ShadowExplorerPortable. You will see a window like the one below.
From the first drop down list you can select a drive that contains encrypted documents, photos and music; from the second drop down list you can select the date that you wish to restore from. 1 – drive, 2 – restore point, as displayed on the screen below.
Right-click an entire folder or any one encrypted file and choose Export, as shown below.
It will show a prompt asking where you’d like to recover the file or the contents of the folder to.
Use PhotoRec to recover .srpx files
Before a file is encrypted, the Serpent virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore software such as PhotoRec.
Download PhotoRec from the following link. Save it on your Desktop.
When downloading is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as displayed in the following example.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed on the image below.
Click the File Formats button and select file types to restore. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then click Search.
The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, click on the Quit button. Next, open the directory where restored personal files are stored. You will see contents as displayed on the screen below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your recovered files by extension and/or date/time.
How to prevent your PC from becoming infected by Serpent ransomware infection?
Most antivirus software already has built-in protection against ransomware infection. Therefore, if your PC system does not have an antivirus program, make sure you install one. As an extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your PC system from Serpent ransomware
Download CryptoPrevent by clicking on the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the setup is finished, you will be shown a window where you can select a level of protection, as on the image below.
Now press the Apply button to activate the protection.
How does your system get infected with Serpent ransomware infection
The Serpent virus is distributed through the use of spam emails. Below is an email that is infected with a ransomware virus like the Serpent ransomware infection.
Once this attachment has been opened, the virus will start automatically without you even noticing. The Serpent ransomware virus will begin the encryption process. When this procedure is complete, it’ll display the usual ransom note, like the one above, in README_TO_RESTORE_FILES_.html.
Final words
Once you’ve completed the steps shown above, your PC should be clean from the Serpent virus and other malware. Your personal computer will no longer encrypt your personal files. Unfortunately, if the instructions do not help you, then you have caught a new variant of the ransomware infection, and the best way forward is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- Once it has finished scanning, the scan button will read “Save log”, press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Serpent ransomware virus.