This week, cyber threat analysts have received reports of yet another ransomware, named the ‘Todar file virus’. This crypto virus spreads via spam emails and malicious files and appends the .todar extension to the files it encrypts. Below is a brief summary of what is known about this ransomware and how to restore or decrypt .todar files for free.
Once it reaches the user’s computer, the Todar ransomware searches every folder recursively for files and, as it finds them, encrypts each one with a strong encryption algorithm that renders it completely unusable. This crypto malware can lock files of many kinds: databases, drawings, web application files, documents, photos, videos and archives; backups may be affected as well. Todar encrypts almost all file types, including common ones such as:
.ai, .xyp, .jpg, .vcf, .iwd, .mlx, .indd, .wbz, .raw, .wpa, .xls, .wdb, .fpk, .pst, .t13, .kdc, .xmind, .zw, .2bp, .upk, .webdoc, .xar, .das, .sav, .pef, .cr2, .mp4, .ztmp, .accdb, .apk, .zdc, .fsh, .bsa, .crt, .dxg, .jpe, .blob, .asset, .x3f, .wpt, .wdp, .sb, .eps, .txt, .xll, .arw, .wmd, .rar, .wsh, .rb, .rw2, .mpqge, .xx, .3fr, .layout, .zabw, .fos, .pkpass, .wri, .wps, .ppt, .epk, .pdd, .re4, .0, .wn, .sum, .docx, .esm, .xlk, .1st, wallet, .yml, .lrf, .raf, .pptm, .xbplate, .p12, .ybk, .wav, .m2, .gdb, .wot, .cfr, .hvpl, .xxx, .dba, .m3u, .xmmap, .ptx, .bar, .mef, .wm, .psd, .w3x, .big, .wps, .t12, .doc, .odc, .bkf, .dazip, .mdf, .cer, .wpb, .rofl, .vpp_pc, .csv, .odb, .tor, .itm, .wsc, .ws, .sid, .sr2, .wmv, .tax, .bc7, .wmf, .pdf, .vfs0, .3ds, .wbmp, .yal, .png, .wsd, .wpd, .xwp, .pptx, .iwi, .odm, .wmv, .der, .ff, .mov, .xml, .pfx, .slm, .wpw, .7z, .xlsb, .xls, .arch00, .cdr, .sie, .rim, .desc, .x, .z3d, .avi, .odt, .wire, .p7b, .kf, .vpk, .zdb, .rwl, .x3f, .mdb, .wp5, .p7c, .wbc, .bik, .orf, .srf, .syncdb, .1, .lbf, .dbf, .kdb, .xlgc, .dcr, .ntl, .crw, .docm, .svg, .hplg, .webp, .py, .qdf, .itdb, .mcmeta, .xf, .psk, .xpm, .zif, .cas, .xlsm, .vtf, .icxs, .itl
Documents, archives, databases, music, videos, web application files, images and other files affected by Todar ransomware become unusable, and the victim has no choice but to pay the criminals the amount of money stated in the ransom note, named ‘_readme.txt’. After the transfer of this amount, the criminals promise to send the user a unique Todar decryption utility, that is, the private key, to unlock the files.
Threat Summary

| Name | Todar |
| --- | --- |
| Type | Crypto virus, File locker, Filecoder, Crypto malware, Ransomware |
| Encrypted files extension | .todar |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $3980 in Bitcoins |
| Symptoms | Your personal files fail to open. Windows Explorer displays a blank icon for the file type. Files named like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ appear in each folder with at least one encrypted file. |
| Distribution methods | Malicious email attachments. Malicious downloads that happen without the user’s knowledge when they visit a compromised website. Social media posts (used to trick users into downloading malware with a built-in ransomware downloader or clicking a suspicious link). USB sticks containing malware. |
| Removal | To remove Todar ransomware, use the removal guide |
| Decryption | To decrypt Todar ransomware, use the steps |
After reading this post, you will know how to deal with the Todar virus. Remember that we cannot guarantee an absolute solution to all your Todar virus problems; we can offer a method that might help. Nevertheless, this method is worth your attention because there is still a possibility that it will allow you to remove the Todar virus and decrypt files that have been encrypted by the crypto malware.
Quick links
- How to remove Todar virus
- How to decrypt .todar files
- Todar decryption tool
- How to restore .todar files
- How to protect your computer from Todar ransomware virus?
How to remove Todar virus
Manual removal does not always remove the Todar crypto virus completely, as it is not easy to identify and remove the components of the ransomware and all of its malicious files from the hard disk. Therefore, it is recommended that you use a malicious software removal utility to delete the Todar ransomware from your computer completely. Several free malware removal tools are currently available that can be used against the crypto malware. The optimum solution is to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Remove Todar ransomware virus with Zemana AntiMalware (ZAM)
Zemana AntiMalware (ZAM) is a free malware removal utility. Currently there are two versions of the program: one is free and the other is paid (premium). The principal difference between the free and paid versions is the real-time protection module. If you just need to check your PC for malicious software and remove the Todar crypto malware related files, folders and registry keys, then the free version will be enough for you.
- Download Zemana Free on your Windows Desktop from the following link.
Zemana AntiMalware (author: Zemana Ltd; category: Security tools; updated July 16, 2019)
- Once you have downloaded the setup file, double-click on Zemana.AntiMalware.Setup. This starts the Zemana Anti Malware installation on your machine.
- Select the installation language and click the ‘OK’ button.
- On the next screen, ‘Setup Wizard’, simply press the ‘Next’ button and follow the prompts.
- Finally, once the installation is finished, Zemana Free will launch automatically. If it does not, double-click on the Zemana Free icon on your desktop.
- Now that you have successfully installed Zemana, let’s see how to use Zemana Anti Malware (ZAM) to delete Todar from your computer.
- After you have started Zemana Anti Malware (ZAM), you’ll see a window similar to the one below; just click the ‘Scan’ button to perform a system scan for the crypto malware.
- Now pay attention to the screen while Zemana scans your PC.
- Once the scan has completed, you can review all threats detected on your PC. All found threats will be marked. You can remove them all by simply clicking the ‘Next’ button.
- Zemana may require a computer restart in order to complete the Todar virus removal process.
- If you want to fully remove the crypto malware from your PC, click the ‘Quarantine’ icon, select all malware, adware, potentially unwanted applications and other items and click Delete.
- Restart your PC to complete the ransomware removal procedure.
Use MalwareBytes AntiMalware (MBAM) to remove Todar virus
If you’re having problems with the Todar removal, then download MalwareBytes Free. It is free for home use, and detects and removes various malware that attacks your PC or degrades system performance. MalwareBytes Anti-Malware can remove spyware, adware, as well as other malicious software, including ransomware and trojans.
MalwareBytes can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
MalwareBytes Anti-Malware (author: Malwarebytes; category: Security tools; updated April 15, 2020)
Once the download is finished, close all applications and windows on your computer. Open the directory in which you saved it. Double-click on the icon named mb3-setup, as shown in the following example.
When the install starts, you’ll see the “Setup wizard” which will help you set up Malwarebytes on your computer.
Once installation is finished, you’ll see window as displayed in the following example.
Now click the “Scan Now” button to begin checking your computer for the Todar ransomware virus and other security threats. This task can take quite a while, so please be patient. While the MalwareBytes Free program is scanning, you can see the number of objects it has identified as threats.
Once the scan has completed, MalwareBytes Anti-Malware will produce a list of unwanted apps and crypto viruses. Make sure to check mark the items that are unsafe and then press the “Quarantine Selected” button.
Malwarebytes will now remove the Todar ransomware virus and other potential threats such as malware and trojans, moving the items to the program’s quarantine. Once disinfection is complete, you may be prompted to restart your personal computer.
The following video shows how to delete hijacker infections, adware and other malware with MalwareBytes Free.
Remove Todar file virus with KVRT
The KVRT tool is free and easy to use. It can scan and remove ransomware virus such as Todar file virus, malicious software, spyware and adware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the system.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it to your Desktop so that you can access the file easily.
Kaspersky Virus Removal Tool (author: Kaspersky® Lab; category: Security tools; updated March 5, 2018)
Once the download is done, double-click on the Kaspersky virus removal tool icon. Once initialization is done, you’ll see the KVRT screen as shown in the image below.
Click Change Parameters and put a check next to all your drives. Press OK to close the Parameters window. Next, press the Start scan button to check your personal computer for the Todar ransomware virus. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your PC. While KVRT is scanning, you can see the number of objects it has identified as malicious software.
Once that process is complete, Kaspersky virus removal tool will open a screen which contains a list of malware that has been detected as displayed in the figure below.
In order to delete all threats, simply click on Continue to begin a cleaning process.
How to decrypt .todar files
As mentioned earlier, paying the ransom is, unfortunately, the only way to recover .todar files. After the user transfers the specified amount of money (usually $490 or $980 in Bitcoins) to the scammers, they provide a special key to decrypt the affected data.
Never pay the ransom! A victim who pays the ransom to the scammers cannot be sure of obtaining a unique key, because they are dealing with unscrupulous and dishonest people who are ready to commit any immoral act, including disappearing after receiving the ransom payment and not providing a decryption utility (key) to unlock the files.
It is not necessary to pay the attackers a ransom. The best option in case of infection by this crypto malware is to archive the files that were affected by it until a Todar decryption utility becomes available. Below in this article you will find a useful tutorial on how to restore encrypted documents, photos and music for free.
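As an added example (not the article's own tooling, and not part of any program it recommends), the following Python script puts the indicators from the threat summary and the advice just given into code: it walks a directory tree, counts files carrying the .todar extension and the ransom notes beside them, reports which original file types were hit, and then packs the encrypted files and notes into a zip with a SHA-256 manifest so the set can be kept intact until a decryptor becomes available. The directory layout it scans is constructed inside the script; the extension and note names are the ones from the summary.

```python
"""Triage and preserve a Todar-hit directory tree. Added example, not the
article's tooling; the indicators are the .todar extension on encrypted
files and the ransom-note names from the threat summary."""
import hashlib
import json
import os
import shutil
import tempfile
import zipfile
from collections import Counter

ENCRYPTED_EXT = ".todar"
# Ransom-note names from the Symptoms row, compared case-insensitively.
NOTE_NAMES = {"_readme.txt", "#_readme_#", "_decrypt_", "recover"}


def scan_tree(root):
    """Walk root; return (encrypted paths, ransom-note paths, hits per directory)."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
            elif name.lower() in NOTE_NAMES:
                notes.append(path)
    return encrypted, notes, per_dir


def triage(root):
    """Summarise the damage: file count, original file types, folders hit."""
    encrypted, notes, per_dir = scan_tree(root)
    # "photo.jpg.todar" -> original extension ".jpg"
    by_ext = Counter(os.path.splitext(p[:-len(ENCRYPTED_EXT)])[1].lower()
                     for p in encrypted)
    return {"encrypted": len(encrypted), "notes": len(notes),
            "dirs_hit": len(per_dir), "by_ext": dict(by_ext)}


def preserve(root, archive_path):
    """Copy every encrypted file and ransom note into a zip, keeping relative
    paths, plus manifest.json with size and SHA-256 per file. Returns the manifest."""
    encrypted, notes, _ = scan_tree(root)
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for full in encrypted + notes:
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            zf.write(full, rel)  # keeps the file's timestamp in the archive
            with open(full, "rb") as fh:
                data = fh.read()
            manifest[rel] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(archive_path):
    """Re-hash every archived file against manifest.json; return entries that differ."""
    mismatches = []
    with zipfile.ZipFile(archive_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for rel, meta in manifest.items():
            data = zf.read(rel)
            if len(data) != meta["size"] or hashlib.sha256(data).hexdigest() != meta["sha256"]:
                mismatches.append(rel)
    return mismatches


def build_sample_tree():
    """Constructed sample profile: three encrypted files, one note, two clean files."""
    root = tempfile.mkdtemp(prefix="todar_sample_")
    layout = {"Documents": ["report.docx.todar", "budget.xlsx.todar", "_readme.txt"],
              "Pictures": ["holiday.jpg.todar", "Thumbs.db"], "Downloads": ["setup.exe"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed content of " + name.encode())
    return root


def run_demo():
    """Build the sample, triage it, archive it, verify the archive, then clean up."""
    root = build_sample_tree()
    fd, archive = tempfile.mkstemp(suffix=".zip")
    os.close(fd)
    try:
        report = triage(root)
        manifest = preserve(root, archive)
        return report, manifest, verify(archive)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(archive):
            os.remove(archive)


if __name__ == "__main__":
    report, manifest, mismatches = run_demo()
    print(report, sorted(manifest), "mismatches:", mismatches, sep="\n")
```

Point `triage()` and `preserve()` at the real profile or drive root instead of the constructed sample; the manifest lets you confirm later that nothing in the archived set changed while you waited for a decryptor, and the note is kept with the files because the decryption tools discussed on this page work from the information in it.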
Todar decryption tool
With some variants of Todar file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Todar decryption tool named STOPDecrypter. It can decrypt .Todar files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.
STOPDecrypter is a program that can be used to decrypt Todar files. One of its biggest advantages is that it is free and easy to use. Also, its database of ‘OFFLINE KEYs’ is updated constantly. Let’s see how to install STOPDecrypter and decrypt .Todar files using this free tool.
- Installing STOPDecrypter is simple. First you will need to download STOPDecrypter to your Windows Desktop from the following link: download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the download is done, close all applications and windows on your machine. Open the file location. Right-click on the icon named STOPDecrypter.zip.
- Next, select ‘Extract all’ and follow the prompts.
- Once the extraction is finished, run STOPDecrypter. Select a directory and press the Decrypt button.
If STOPDecrypter does not help you decrypt .Todar files, in some cases you still have a chance to restore files that were encrypted by the ransomware, using the tools ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .todar files
In some cases, you can restore files encrypted by the Todar crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all of your encrypted personal files.
Run ShadowExplorer to recover .todar files
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista). You can restore .todar files encrypted by the Todar crypto malware from Shadow Copies for free.
ShadowExplorer can be downloaded from the following link. Save it directly to your Windows Desktop.
ShadowExplorer (author: ShadowExplorer.com; category: Security tools; updated September 15, 2019)
Once the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.
Double-click ShadowExplorerPortable to launch it. You will see a window as shown below.
In the top left corner, choose the drive where the encrypted documents, photos and music are stored and the latest restore point, as on the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to recover, right-click it and select Export, as displayed on the screen below.
Restore .todar files with PhotoRec
Before a file is encrypted, the Todar crypto virus makes a copy of it, encrypts the copy, and then deletes the original. This can allow you to restore your photos, documents and music using file recovery apps like PhotoRec.
Download PhotoRec on your Microsoft Windows Desktop by clicking on the link below.
After the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder, similar to the one below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.
Select a drive to recover, like the one below.
You will see a list of available partitions. Choose the partition that holds the encrypted documents, photos and music, as displayed on the screen below.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click the Browse button to choose where the restored documents, photos and music should be written, then click Search.
The number of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even before the recovery process has finished.
When the recovery is finished, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents like those in the image below.
All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort the restored files by extension and/or date/time.
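To make the mechanism behind the PhotoRec steps above concrete, here is an added, simplified illustration (not PhotoRec's code) of signature carving: the tool scans raw disk space for the header bytes of known file types and cuts out everything up to the matching footer, which is why the deleted originals can come back even though the ransomware removed their directory entries. The 'disk image' is a constructed byte string holding a minimal PNG and a minimal JPEG; the offset-based output names imitate the recup_dir layout only loosely, and real carvers know hundreds of formats and parse internal structure rather than trusting a footer alone.

```python
"""Signature carving in miniature. This is how recovery tools such as PhotoRec
find deleted originals in unallocated space: by header bytes, cut at the
matching footer. Added illustration, not PhotoRec's code."""
import os

# (header, footer) pairs for two common photo formats; real carvers know hundreds.
# A JPEG footer can also occur inside an embedded thumbnail, which is one reason
# production tools parse the marker structure instead of trusting the footer.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Return [(kind, offset, data)] for every header/footer pair in image,
    ordered by offset. A footer is only accepted within max_size bytes of the header."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), min(len(image), start + max_size))
            if end < 0:
                pos = start + 1  # header with no footer in range: skip it, keep scanning
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def save_carved(found, outdir):
    """Write carved files into outdir, named by the offset they were found at.
    Returns the written paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for kind, offset, data in found:
        path = os.path.join(outdir, "f%08d.%s" % (offset, kind))
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed raw 'disk image': zeroed free space holding a minimal PNG and
    a minimal JPEG whose directory entries were deleted. Returns (image, originals)."""
    png = (b"\x89PNG\r\n\x1a\n"                                    # PNG signature
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4   # IHDR chunk, dummy CRC
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")                    # IEND chunk
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    image = b"\x00" * 512 + png + b"\x00" * 100 + jpg + b"\xff" * 64
    return image, {"png": png, "jpg": jpg}


if __name__ == "__main__":
    image, _ = build_sample_image()
    for kind, offset, data in carve(image):
        print(kind, "at offset", offset, "size", len(data))
```

Carving only works while the original file's sectors have not been reused, so the less the affected drive is written to after the infection, the better the odds that PhotoRec finds intact originals.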
How to protect your computer from Todar ransomware virus?
Most antivirus apps already have a built-in protection system against crypto malware. Therefore, if your system does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from Todar crypto malware
All in all, HitmanPro.Alert is a fantastic utility to protect your personal computer from ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the MS Windows operating system from Windows XP to Windows 10.
Please go to the link below to download HitmanPro Alert. Save it directly to your Windows Desktop.
When the download is done, open the file location. You will see an icon like the one below.
Double-click the HitmanPro Alert desktop icon. When the utility starts, you’ll be shown a window where you can choose a level of protection, like the one below.
Now click the Install button to activate the protection.
Dear sir,
I replaced my infected PC with a new PC and installed new Windows 7 64-bit.
Please help me, my data is infected by .todar & .Lopai.
Please help me.
I am using STOPDecrypter but it did not recover them.
Please help me.
If STOPDecrypter does not help you to decrypt .todar & .Lopai files, then try ShadowExplorer and PhotoRec.
Sir,
I used ShadowExplorer and PhotoRec but the data was not recovered.
Please help me sir.
Dear sir,
I changed my PC for a new PC; my data was not decrypted.
I am using that software but it does not recover my data.
Update to STOPDecrypter v2.1.0.20 with more OFFLINE keys.
OFFLINE ID: ZivCxija0GBwtwtwD0q4JRy80spT6lUyybPYhot1
Extensions: .lapoi
OFFLINE ID: Q2fNGjIEoR7J8UnURFiIH13JGa23UqaNUDz4ret1
Extensions: .todar
I checked my files in ID Ransomware – Identify What Ransomware Encrypted Your Files.
Result:
This ransomware may be decryptable under certain circumstances.
Please refer to the appropriate guide for more information.
Identified by
ransomnote_email: gorentos2@firemail.cc
sample_extension: .todar
sample_bytes: [0xC8B5 – 0xC8CF] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
Click here for more information about STOP (Djvu)
Please help me, please.
Please.
My data is not decrypted.
I changed my PC for a new PC; my data was not decrypted.
Please help me.
It looks like you are using an old version of STOPDecrypter. I advise you to download the latest version of STOPDecrypter from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip, and then try to decrypt .todar files again.
Dear sir,
I am using the new version of STOPDecrypter but it did not decrypt my data.
Please help me sir.
Dear sir,
I am using the old & new versions of STOPDecrypter but they did not decrypt my data.
Please help me sir, please help me.