This week, security researchers has received reports of yet another ransomware named “Metan ransomware“. This ransomware spreads via spam emails and malware files and appends the .metan file extension to encrypted files.
“.Metan ransomware” – ransom note
Metan ransomware virus uses a hybrid encryption mode. The ransomware will encrypt almost all types of files, including common as:
.wsd, .sidn, .srf, .mdf, .yal, .xy3, .wpa, .sb, .wbk, .xbplate, .arch00, .x3f, .rim, .x, .xlsx, .wbd, .rwl, .wdp, .3dm, .wpt, .xlgc, .bsa, .mddata, .txt, .jpeg, .cdr, .pef, .epk, .m2, .doc, .ybk, .wpg, .zip, .pptx, .crt, .syncdb, .psk, .wm, .rofl, .p12, .wpd, .wmv, .rgss3a, .ws, .kdb, .wps, .wma, .mdb, .wpe, .rw2, .z, .forge, .jpg, .arw, .der, .xdb, .erf, .m4a, .itm, .wp, .xbdoc, .lbf, .wmv, .wp4, .vcf, .xx, .apk, .wbmp, .xlsx, .ibank, .orf, .mdbackup, .sidd, .wsh, .wpl, .ltx, .bik, .kf, .sql, .xlsb, .bc6, .itdb, .2bp, .iwi, .pst, .rar, .cas, .docx, .zi, .docm, .sav, .pak, .esm, .mrwref, .dmp, .accdb, .dba, .wgz, .iwd, .dng, .upk, .wmd, .dbf, .fsh, .ai, .bar, .wav, .csv, .t12, .indd, .blob, .kdc, .yml, .xpm, .x3d, .webdoc, .vpk, .webp, .pkpass, .wot, .snx, .dcr, .zabw, .sid, .pfx, .raf, .r3d, .menu, .3ds, .wp6, .flv, .zw, .eps, .7z, .mp4, .qdf, .xld, .w3x, .wbc, .map, .desc, .1st, .zip, .sie, .db0, .ods, .cer, .0, .wpd, .xlsm, .odt, .gho, .wsc, .ntl, .wpb, .asset, .ff, .lrf, .d3dbsp, .ztmp, .nrw, .ncf, .wotreplay, .wcf, .mov, .wmo, .vpp_pc, .tax, .wb2, .xll, .bay, .3fr, .srw, .wdb, .jpe, .mlx, .ppt, .lvl, .ptx, .xxx, .pdf, .re4, .wp7, .mpqge, .z3d, .pem, .hkdb, .css, .gdb, .wpw, .vfs0, .cr2, .xf, .odc, .xyw, .m3u, .bc7, .pptm, .cfr, .odb, .xlk, .slm, .py, .rb, .icxs, .xwp, .wps, .pdd, .layout, .crw, .p7c, .vtf, .rtf, .wp5, .x3f, .raw, .xdl, .wn, .xls, .tor, .wbz, .odm
When encrypting a file it will append the .metan extension to each encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.metan. Once the procedure is done, it will create a file named ‘#HOW TO DECRYPT FILES#.txt’ with ransom instructions. It includes instructions on how to purchase a private key to decrypt all documents, photos and music. You can see an one of the variants of the ransom demanding message below:
!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!! Please follow few steps below: 1.Send us your ID. 2.Then you'll get payment instruction and after payment you will get your decryption tool! Only we can decrypt all your data! Contact us us: metan19@mail2tor.com And tell us your unique ID
Instructions that is shown below, will help you to remove .Metan ransomware virus as well as restore encrypted files stored on your PC system drives.
Quick links:
- How to remove .Metan ransomware
- How to decrypt .metan files
- How to restore .metan files
- How to protect your machine from .Metan ransomware virus?
- To sum up
How to remove .Metan ransomware
There are a few methods that can be used to remove .Metan ransomware. But, not all ransomware such as this virus can be completely removed utilizing only manual solutions. In most cases you are not able to uninstall any ransomware virus utilizing standard Windows options. In order to remove .Metan ransomware you need use reliable removal tools. Most IT security professionals states that Zemana Anti-malware, Malwarebytes or KVRT utilities are a right choice. These free programs are able to detect and remove .Metan ransomware from your machine for free.
Automatically remove .Metan ransomware with Zemana Anti-malware
You can remove .Metan ransomware automatically with a help of Zemana Anti-malware. We advise this malware removal tool because it can easily remove viruses, trojans, ransomware and other malware with all their components such as folders, files and registry entries.
Zemana Free can be downloaded from the following link. Save it on your Microsoft Windows desktop.
164030 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is done, close all software and windows on your machine. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed in the figure below, click the “Yes” button.
It will open the “Setup wizard” which will help you setup Zemana Free on your computer. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, Zemana Free will automatically start and you can see its main screen as shown in the figure below.
Now click the “Scan” button . Zemana Free utility will begin scanning the whole computer to find out .Metan ransomware and other security threats. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer. When a threat is found, the count of the security threats will change accordingly. Wait until the the scanning is finished.
After finished, Zemana will show a screen which contains a list of malware that has been detected. You may remove items (move to Quarantine) by simply click “Next” button. The Zemana Free will start to remove .Metan ransomware virus and other kinds of potential threats like malicious software and PUPs. When the process is done, you may be prompted to reboot the PC system.
Remove Metan ransomware virus with MalwareBytes Free
We recommend using the MalwareBytes. You can download and install MalwareBytes to scan for and remove Metan ransomware from your computer. When installed and updated, this free malicious software remover automatically scans for and deletes all threats exist on the system.
- Installing the MalwareBytes Anti Malware (MBAM) is simple. First you will need to download MalwareBytes Anti Malware (MBAM) by clicking on the following link.
Malwarebytes Anti-malware
326382 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- When the download is finished, please close all apps and open windows on your PC system. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Anti Malware (MBAM) onto your system. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Free will run and show the main window.
- Further, click the “Scan Now” button to perform a system scan with this tool for the Metan ransomware virus and other kinds of potential threats such as malicious software. This task can take quite a while, so please be patient. When a malware, adware or PUPs are found, the count of the security threats will change accordingly. Wait until the the checking is finished.
- When that process is complete, MalwareBytes Free will display you the results.
- Review the report and then press the “Quarantine Selected” button. After disinfection is done, you may be prompted to restart the personal computer.
- Close the Anti-Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Run KVRT to remove .Metan ransomware virus
If MalwareBytes antimalware or Zemana antimalware cannot remove this ransomware virus, then we suggests to run the KVRT. KVRT is a free removal tool for viruses, ransomware, malware and other security threats.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the following link.
129055 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to detect .Metan ransomware virus and other malicious software. This task can take some time, so please be patient. While the KVRT is checking, you can see number of objects it has identified either as being malware.
As the scanning ends, Kaspersky virus removal tool will display a list of all items detected by the scan as shown below.
You may delete threats (move to Quarantine) by simply press on Continue to begin a cleaning procedure.
How to decrypt .metan files
The .Metan ransomware encourages to make a payment in Bitcoins to get a key to decrypt personal files. Important to know, currently not possible to decrypt .metan files without the private key and decrypt application.
Should you pay the ransom? A majority of IT security researchers will reply immediately that you should never pay a ransom if infected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all documents, photos and music!
Currently there is no available solution to decrypt .metan files, but you have a chance to recover encrypted files for free.
How to restore .metan files
In some cases, you can recover files encrypted by .Metan ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Restore .metan files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop.
438663 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the figure below.
Run the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the .Metan ransomware as shown on the image below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button like below.
Restore .metan files with PhotoRec
Before a file is encrypted, the .Metan ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover programs like PhotoRec.
Download PhotoRec on your PC system from the link below.
After the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen like below.
Choose a drive to recover as shown in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music like below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to select where restored personal files should be written, then click Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown on the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your machine from .Metan ransomware virus?
Most antivirus programs already have built-in protection system against the virus. Therefore, if your machine does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your machine from .Metan ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro Alert is simple. First you’ll need to download HitmanPro.Alert from the link below.
When downloading is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is launched, you’ll be shown a window where you can choose a level of protection, as on the image below.
Now press the Install button to activate the protection.
To sum up
Now your personal computer should be clean of the .Metan ransomware virus. Delete MalwareBytes Anti-Malware (MBAM) and Kaspersky virus removal tool. We recommend that you keep Zemana Anti-Malware (ZAM) (to periodically scan your computer for new malware). Moreover, to prevent virus, please stay clear of unknown and third party programs, make sure that your antivirus application, turn on the option to stop or locate ransomware.
If you need more help with .Metan ransomware virus related issues, go to here.
