Today, cyber security experts has received reports of yet another crypto virus called ‘Todarius ransomware‘. This ransomware virus spreads via spam emails and malware files and appends the .todarius file extension to encrypted files. Here’s everything you need to know about this ransomware, how to remove .Todarius ransomware and how to restore (decrypt) encrypted personal files for free.
Files encrypted by “.todarius ransomware”
The Todarius ransomware is a variant of crypto viruses. It affects all current versions of Windows OS such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key that will allow to decrypt encrypted photos, documents and music. The Todarius ransomware encrypts almost of files, including common as:
.gho, .sum, .rar, .kdc, .lvl, .xlsx, .dcr, .itm, .litemod, .wpe, .t13, .rim, .wmv, .bik, .xlsx, .y, .kdb, .kf, .ztmp, .ppt, .zip, .slm, .png, .wp, .cdr, .ws, .wp6, .vpp_pc, .orf, .cer, .dxg, .wpt, .mp4, .odm, .webdoc, .map, .tor, .wcf, .pfx, .accdb, .docm, .apk, .psk, .bar, .1st, .hkx, .cfr, .odc, .svg, .wsc, .x3f, .wma, .raw, .m2, .wsh, .wmd, .wps, .srw, .pem, .wbd, .pdd, .ods, .wbc, .xll, .ibank, .sb, .sie, .xls, .asset, .2bp, .odb, .d3dbsp, .xyp, .xdl, .xyw, .zabw, .wire, .desc, .rgss3a, .z3d, .xdb, .dmp, .pkpass, .mpqge, .vfs0, .xmind, .arch00, .r3d, .wgz, .mlx, .wmf, .icxs, .sidd, .hkdb, wallet, .nrw, .wp5, .zdb, .1, .xlgc, .x, .sis, .dng, .mcmeta, .itl, .mdbackup, .zif, .bay, .xld, .rofl, .wpb, .fpk, .avi, .t12, .wps, .wmv, .lbf, .fos, .rb, .3fr, .re4, .webp, .wbz, .xbplate, .wav, .p12, .cr2, .pptx, .wdb, .big, .das, .dbf, .mov, .epk, .xlsm, .wotreplay, .xlk, .pef, .tax, .jpg, .xml, .arw, .vtf, .wma, .wpd, .0, .ncf, .raf, .ysp, .crw, .ybk, .mdb, .layout, .eps, .wsd, .m4a, .wm, .wpa, .sidn, .wn, .ltx, .wri, .xy3, .zi, .py, .qic, .hvpl, .flv, .iwi, .txt, .x3f, .3ds, .pak, .xf, .jpeg, .wpw, .qdf, .wot, .gdb, .mddata, .p7c, .w3x, .yal, .7z, .dwg, .bc7, .css, .syncdb, .srf, .xar, .pptm, .psd, .forge, .mrwref, .wp7, .wp4, .csv, .dba, .xpm, .sql, .blob, .ai, .odt, .p7b, .bkp, .sr2, .zip, .wbmp, .3dm, .pdf, .z, .upk, .mef, .rw2, .zdc, .pst, .dazip, .itdb, .iwd, .docx, .xmmap, .fsh, .der, .wpl, .ptx, .hplg, .bsa, .vdf, .wpd, .menu, .wb2, .wmo, .ff, .yml, .indd, .sav, .sid, .xls, .wdp, .wpg, .xlsb, .xlsm, .vpk, .doc, .odp, .jpe, .erf, .xwp, .zw, .snx, .mdf, .xxx, .db0, .wbk, .xbdoc, .lrf
When the ransomware virus encrypts a file, it will add the .todarius extension to every encrypted file. This means that a document file named ‘example.doc‘, when encrypted, becomes ‘example.doc.todarius‘.
Once the ransomware virus finished enciphering of all photos, documents and music, it will create a file called “_readme.txt” with ransom note on how to decrypt all files. You can see an one of the variants of the ransom demanding message below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oEUEuysYiZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Todarius ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Contact Email | gorentos@bitmessage.ch |
| Ransom note | _readme.txt |
| Symptoms |
|
| Removal | To remove .Todarius ransomware use the removal guide |
| Decryption | To decrypt .Todarius ransomware use the steps |
Instructions that is shown below, will help you to remove .Todarius ransomware as well as recover (decrypt) encrypted personal files stored on your machine drives.
Quick links
- How to remove .Todarius ransomware
- How to decrypt .todarius files
- Use STOPDecrypter to decrypt .todarius files
- How to restore .todarius files
- How to protect your PC from .Todarius ransomware virus?
- Finish words
How to remove .Todarius ransomware
Manual removal does not always help to completely remove the .Todarius ransomware, as it’s not easy to identify and remove components of ransomware and all malicious files from hard disk. Therefore, it is recommended that you use malware removal tool to completely remove .Todarius ransomware virus off your machine. Several free malware removal utilities are currently available that can be used against the ransomware. The optimum method would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Use Zemana Anti-malware to remove .Todarius ransomware
We advise you to run the Zemana Anti-malware that are completely clean your PC system of this ransomware. Moreover, the utility will help you to remove trojans, malicious software, worms and adware that your computer can be infected too.
Download Zemana Free on your personal computer from the link below.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is done, close all windows on your machine. Further, run the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, press the “Yes” button.
It will display the “Setup wizard” that will assist you install Zemana on the machine. Follow the prompts and do not make any changes to default settings.
Once install is finished successfully, Zemana AntiMalware will automatically run and you can see its main window as displayed on the image below.
Next, click the “Scan” button to detect .Todarius ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your machine. When a threat is detected, the count of the security threats will change accordingly.
When Zemana Free completes the scan, Zemana AntiMalware will display a scan report. Review the report and then click “Next” button.
The Zemana Free will remove .Todarius ransomware related files, folders and registry keys. After the cleaning procedure is finished, you can be prompted to reboot your PC system.
How to remove Todarius ransomware with MalwareBytes AntiMalware (MBAM)
We recommend using the MalwareBytes that are fully clean your PC system of this ransomware virus. This free utility is an advanced malware removal application created by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It’s able to help you remove ransomware virus, potentially unwanted programs, malicious software, adware software, trojans, and other security threats from your PC for free.
Please go to the following link to download the latest version of MalwareBytes Anti Malware for MS Windows. Save it to your Desktop.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After downloading is done, run it and follow the prompts. Once installed, the MalwareBytes will try to update itself and when this process is complete, click the “Scan Now” button to start scanning your machine for the Todarius ransomware virus and other malicious software. This task can take quite a while, so please be patient. When a threat is detected, the number of the security threats will change accordingly. Make sure all items have ‘checkmark’ and click “Quarantine Selected” button.
The MalwareBytes Anti-Malware is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we advise you to read and follow the few simple steps or the video guide below.
Scan your personal computer and delete .Todarius ransomware virus with KVRT
KVRT is a free removal utility that can be downloaded and use to remove ransomware, adware software, malicious software, PUPs, worms and other threats from your computer. You can run this tool to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the following link.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to find .Todarius ransomware virus . A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your system. During the scan KVRT will find threats present on your PC system.
Once KVRT has finished scanning, KVRT will create a list of undesired programs adware software as shown in the figure below.
Review the report and then click on Continue to begin a cleaning task.
How to decrypt .todarius files
The .Todarius ransomware offers victim to contact it’s developers in order to decrypt all files. These persons will require to pay a ransom (usually demand for $490-$980 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the authors of the .Todarius ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
Files encrypted by “.todarius ransomware”
With some variants of Todarius ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .todarius files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.todarius).
Please check the twitter post for more info.
How to restore .todarius files
In some cases, you can recover files encrypted by .Todarius ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Recover .todarius files with ShadowExplorer
A free utility named ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can restore .todarius files encrypted by the .Todarius ransomware from Shadow Copies for free.
Visit the page linked below to download the latest version of ShadowExplorer for MS Windows. Save it to your Desktop so that you can access the file easily.
438668 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is complete, extract the downloaded file to a folder on your PC system. This will create the necessary files as shown in the figure below.
Run the ShadowExplorerPortable program. Now select the date (2) that you wish to restore from and the drive (1) you want to restore files (folders) from as displayed in the following example.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and click the Export button as shown on the image below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Run PhotoRec to recover .todarius files
Before a file is encrypted, the .Todarius ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec by clicking on the link below.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown on the image below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown on the screen below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored files should be written, then press Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents like below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .Todarius ransomware virus?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Todarius ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro Alert from the following link. Save it on your Desktop.
When the download is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you will be shown a window where you can choose a level of protection, as shown on the screen below.
Now press the Install button to activate the protection.
Finish words
Now your system should be clean of the .Todarius ransomware virus. Delete Kaspersky virus removal tool and MalwareBytes AntiMalware. We advise that you keep Zemana Anti-Malware (ZAM) (to periodically scan your computer for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .Todarius ransomware virus from your computer, then ask for help here.
