Computer security professionals discovered a new crypto-virus variant named ‘Boston ransomware’. It appends the .boston file extension to encrypted file names. This article provides a brief summary of what is known about this ransomware and explains how to restore (decrypt) encrypted photos, documents and music for free.
Boston ransomware is malware that prevents you from viewing your photos, documents and music. It forces you to pay a ransom through certain online payment methods in order to get your files back. It is able to encrypt almost all types of files, including common ones such as:
.raw, .p7b, .mlx, .kdc, .bar, .pptm, .jpg, .itl, .zif, .snx, .y, .dcr, .dbf, .itdb, .rb, .wcf, .wpw, .hkdb, .docx, .webdoc, .mcmeta, .jpe, .sid, .2bp, .wsh, .wot, .crt, .pdd, .wps, .mddata, .xy3, .wp4, .cer, .ods, .xlsx, .bik, .wmd, .yal, .mdbackup, .orf, .wps, .lvl, .cas, .dwg, .t12, .xwp, .bc7, .arch00, .p12, .sis, .bay, .x3f, .xlgc, .d3dbsp, .pptx, .t13, .big, .xyw, .zdc, .wn, .lrf, .epk, .m2, .sum, .wp, .arw, .qdf, .pfx, .eps, .map, .mpqge, .wdb, .dxg, .txt, .x3d, .wsc, .ncf, .dazip, .mdb, .wmv, .wmf, .bc6, .fos, .srw, .1st, .wpd, .wbm, .wp5, .wbd, .xx, .x3f, .cfr, .db0, .sie, .css, .blob, .zip, .bkp, .das, .m4a, .fsh, .ybk, .ai, .3fr, wallet, .rgss3a, .srf, .hplg, .zip, .3dm, .wp6, .sql, .tor, .icxs, .wav, .litemod, .wp7, .xlk, .mov, .js, .yml, .wpa, .bkf, .psk, .esm, .iwd, .p7c, .sidn, .png, .wmo, .1, .ibank, .xlsm, .wbz, .xbplate, .der, .ntl, .wgz, .z, .wpg, .desc, .wpe, .zabw, .svg, .hkx, .wma, .ltx, .menu, .rtf, .webp, .wb2, .odc, .wdp, .sr2, .apk, .xdl, .dba, .crw, .flv, .wpd, .ppt, .pef, .xpm, .bsa, .vdf, .xll, .rwl, .xar, .iwi, .pst, .itm, .xml, .upk, .pak, .z3d, .dng, .ysp, .xdb, .wri, .sidd, .avi, .doc, .layout, .odb, .x, .pdf, .zw, .xlsm, .zdb, .3ds, .wbmp, .vtf, .tax, .wbk, .cdr, .dmp, .pkpass, .slm, .ff, .zi, .xf, .kdb, .gdb, .xxx, .odp, .wbc, .mef, .rofl, .lbf, .wire, .m3u, .re4, .fpk, .wsd, .ztmp, .syncdb, .xlsx, .py, .wpt, .psd, .odt, .jpeg, .rim, .xmmap, .rw2, .mdf, .cr2, .sb, .vpp_pc, .wpb, .xld, .vfs0, .r3d, .sav, .mp4, .ws, .accdb, .hvpl, .raf, .wma, .kf, .pem, .gho, .odm, .xls, .indd, .vcf, .ptx, .qic, .0, .xls, .wpl, .forge, .csv, .vpk, .asset, .xlsb, .erf, .w3x, .wotreplay
Once the encryption procedure is done, it creates a ransom-demanding message named ‘_readme.txt’ offering to decrypt all of the user's files if a payment is made. An example of the ransom instructions is:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-BTtULebL7F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | Boston |
| --- | --- |
| Type | Filecoder, Ransomware, Crypto virus, Crypto malware, File locker |
| Encrypted files extension | .boston |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, stoneland@firemail.cc, @datarestore (telegram) |
| Ransom amount | $980, $480 in Bitcoins |
| Symptoms | Files won’t open. Your documents, photos and music now have odd extensions that end with something like .boston, .locked, .crypted or .cryptor. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files on your desktop, with name variants of: ‘_readme.txt’, ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
| Distribution methods | Spam mails that contain malicious links. Drive-by downloading (when a user unknowingly visits an infected webpage and malware is installed without the user’s knowledge). Social media, such as web-based instant messaging applications. Malicious websites. |
| Removal | To remove Boston ransomware use the removal guide |
| Decryption | To decrypt Boston ransomware use the steps |
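Before running any cleanup tool it helps to know the scope of the infection: how many files carry the .boston extension, which original file types are hidden underneath, and which folders hold a ransom note. The read-only triage script below is an added example (not code from the original page or from any tool named here) that inventories exactly the indicators listed in the Threat Summary; the sample directory tree it builds is constructed for demonstration and contains no real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the Threat Summary: the appended extension and
# the ransom note file names this variant is known to drop.
ENCRYPTED_EXT = ".boston"
RANSOM_NOTE_NAMES = {"_readme.txt", "HOW_TO_DECRYPT.txt", "DECRYPT.txt", "README.txt"}


def triage(root):
    """Walk `root` without modifying anything and inventory the infection.

    Returns the number of .boston files, a Counter of the original
    extensions hidden under .boston (handy for deciding which file types
    to prioritise when restoring) and the directories holding a ransom note."""
    encrypted = []
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in RANSOM_NOTE_NAMES:
                note_dirs.add(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(Path(dirpath) / name)
    # "report.docx.boston" -> original suffix ".docx"
    original_ext = Counter(
        Path(p.name[: -len(ENCRYPTED_EXT)]).suffix.lower() or "(none)" for p in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "by_original_ext": original_ext,
        "note_dirs": sorted(note_dirs),
    }


def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    base = Path(tempfile.mkdtemp(prefix="boston_triage_"))
    (base / "Documents").mkdir()
    (base / "Pictures").mkdir()
    for rel in ("Documents/report.docx.boston", "Documents/budget.xlsx.boston",
                "Pictures/holiday.jpg.boston", "Pictures/notes.txt"):
        (base / rel).write_text("constructed sample content")
    (base / "Documents" / "_readme.txt").write_text("ATTENTION! (constructed note)")
    return triage(base)


if __name__ == "__main__":
    result = demo()
    print(f"{result['encrypted_count']} encrypted files: {dict(result['by_original_ext'])}")
    print("ransom notes found in:", result["note_dirs"])
```

Point `triage()` at a user profile or a mapped drive to get the same inventory for a real machine; because it only lists names, it is safe to run before the removal tools described below.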
Therefore it’s very important to follow the steps below immediately. The step-by-step guide will allow you to remove Boston ransomware virus. What is more, the few simple steps below will help you restore encrypted documents, photos and music for free.
Quick links
- How to remove Boston ransomware
- How to decrypt .boston files
- Use STOPDecrypter to decrypt .boston files
- How to restore .boston files
- How to protect your personal computer from Boston ransomware?
- To sum up
How to remove Boston ransomware
The Boston crypto malware can hide its components, which makes them difficult for you to find and remove completely. As a result, after some time the ransomware may infect your computer again and encrypt your photos, documents and music. Moreover, it is not always safe to delete crypto malware manually if you do not have much experience with setting up and configuring the Microsoft Windows operating system. The best solution to detect and remove the Boston crypto virus is to run one of the free malicious software removal tools listed below.
Remove Boston ransomware with Zemana Anti-malware
Zemana Anti-Malware can locate all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Boston crypto virus, you can easily and quickly get rid of it.
- Visit the page linked below to download Zemana. Save it to your Desktop so that you can access the file easily.
Zemana AntiMalware
- When the download is complete, close all software and windows on your system. Open the file location. Double-click on the icon named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once installation is complete, press the “Scan” button to start scanning your computer for the Boston ransomware virus and other security threats. This procedure may take quite a while, so please be patient. While the Zemana program is scanning, you can see how many objects it has identified as threats.
- When the scan is finished, the results are displayed in the scan report. Review the results once the tool has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next”. Once disinfection is finished, you may be prompted to restart your machine.
Remove .Boston virus with MalwareBytes Free
If you are having problems with the Boston ransomware virus removal, then download MalwareBytes Anti-Malware. It’s free for home use, and it scans for and deletes various unwanted programs that attack your machine or degrade system performance. MalwareBytes Free can remove spyware, adware, worms and other malware, including ransomware and trojans.
MalwareBytes Anti-Malware can be downloaded from the following link. Save it on your Windows desktop or in any other place.
After the download is complete, run it and follow the prompts. Once installed, MalwareBytes Free will try to update itself; when this is done, press the “Scan Now” button to check your PC for the Boston crypto virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and its speed. When a threat is found, the count of security threats changes accordingly. Wait until the scan is finished. Next, click the “Quarantine Selected” button.
The MalwareBytes AntiMalware is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we advise you to read and follow the step-by-step guidance or the video guide below.
Double-check for crypto virus with KVRT
The KVRT utility is free and easy to use. It can scan for and remove crypto malware such as Boston, as well as other malware, trojans and adware, and thereby revert system settings. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the machine.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Windows desktop.
Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and put a check next to all your drives. Click OK to close the Parameters window. Next press the Start scan button. Kaspersky virus removal tool will start scanning the whole PC to find Boston ransomware. This task can take quite a while, so please be patient.
When the scan is finished, Kaspersky virus removal tool will show a scan report like the one below.
Make sure all items have ‘checkmark’ and click on Continue to begin a cleaning process.
How to decrypt .boston files
The Boston ransomware tells the victim to contact its authors in order to decrypt all files. They will demand a ransom (usually $980, or $490 in Bitcoins).
We don’t recommend paying the ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new crypto malware.
With some variants of the Boston ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .boston files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following Djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions such as .boston.
Please check the Twitter post for more info.
How to restore .boston files
In some cases, you can restore files encrypted by the Boston crypto malware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Restore .boston encrypted files using Shadow Explorer
In order to restore .boston photos, documents and music encrypted by the Boston crypto virus from Shadow Volume Copies, you can run a tool named ShadowExplorer. We recommend this method because its easy-to-use interface makes it simple to find and recover the previous versions of the encrypted files you need.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Once the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.
Start the ShadowExplorer utility, then select the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Boston crypto malware, as displayed in the figure below.
Now navigate to the file or folder that you wish to restore. When ready, right-click it and press the ‘Export’ button as shown on the screen below.
Run PhotoRec to recover .boston files
Before a file is encrypted, the Boston ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec from the following link.
When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as on the image below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed on the screen below.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
The count of restored files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is finished, press the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents as on the image below.
All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your personal computer from Boston ransomware?
Most antivirus software already has a built-in protection system against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from Boston ransomware virus
HitmanPro.Alert is a small security utility. It checks system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop.
After downloading is complete, open the file location. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. Once the tool is launched, you will see a window where you can choose a level of protection, as on the image below.
Now press the Install button to activate the protection.
To sum up
Now your system should be clean of the Boston ransomware. Uninstall MalwareBytes Anti-Malware and KVRT. We suggest that you keep Zemana Anti Malware (ZAM) (to periodically scan your computer for new malicious software). Make sure that you have all the Critical Updates recommended for MS Windows OS. Without regular updates you WILL NOT be protected when new crypto malware, harmful apps and adware software are released.
If you are still having problems while trying to delete Boston ransomware from your system, then ask for help here.