Security professionals have discovered a new ransomware variant called the ‘Shariz virus’. It appends the .shariz file extension to encrypted file names. This blog post explains what you need to know about this ransomware, how to uninstall the Shariz crypto malware from your computer, and how to recover (decrypt) encrypted documents, photos and music for free.
The Shariz virus was developed by scammers to lock files on the user’s PC using a strong encryption algorithm with a long key, which makes it impossible for the user to unlock the encrypted files that have received the .shariz extension. Shariz can encrypt almost all types of files, including common ones such as:
.t12, .wbk, .doc, .ibank, .docm, .wsc, .wbmp, .w3x, .vdf, .wb2, .cer, .iwd, .pdd, .qdf, .gho, .sum, .wpe, .wot, .mdbackup, .sidn, .png, .xwp, .cdr, .wsh, .wpt, .erf, .icxs, .csv, .wpg, .blob, .ysp, .wp6, .pst, .bc7, .apk, .xyp, .sav, .wp5, .xld, .pem, .mov, .fsh, .fpk, .dazip, .epk, .ncf, .svg, .pdf, .wmv, .upk, .vtf, .bc6, .xlgc, .dbf, .tax, .pptm, .zabw, .rb, .sid, .pkpass, .wdb, .itdb, .ztmp, .dcr, .odm, .3ds, .qic, .wpl, .mddata, .css, .wire, .x3f, .pak, .menu, .xx, .wav, .wdp, .kdb, .raw, .vpp_pc, .wps, .xyw, .psk, .rofl, .kdc, .jpeg, .bik, .ods, .der, .eps, .syncdb, .wbz, .zdb, .accdb, .big, .srf, .wsd, .desc, .sie, .ntl, .wp7, .nrw, .xbdoc, .x3f, .3dm, .wmv, .odc, .wpb, .xdl, .wma, .gdb, .py, .wotreplay, .zip, .wm, .lrf, .crw, .wri, .d3dbsp, .mp4, .wbc, .kf, .orf, .esm, .psd, .bsa, .y, .map, .odp, .rwl, .litemod, .zdc, .jpe, .1st, .lvl, .xdb, .ptx, .xls, .cas, .docx, .itm, .arch00, .ppt, .xy3, .m3u, .z, .mdf, .xf, .xll, .wgz, .xml, .wpa, .dwg, .wmd, .xar, .x, .1, .wmf, .srw, .rim, .zi, .yal, .cr2, .r3d, .webdoc, .wcf, .hkx, .dmp, .p7c, .xls, .mpqge, .sidd, .wmo, .dba, .xlsm, .asset, .sis, .wp4, .xmmap, .wpd, .z3d, .wpw, .slm, .2bp, .ybk, .7z, .hvpl, .layout, .zw, .pptx
Upon encryption, every locked file has the .shariz extension appended (e.g., ‘photo.jpg’ is renamed to ‘photo.jpg.shariz’). The ransomware leaves a ransom message named ‘_readme.txt’ with instructions for extortion and ransom payment.
Threat Summary
Name | Shariz |
Type | File locker, Crypto malware, Filecoder, Ransomware, Crypto virus |
Encrypted files extension | .shariz |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980 in Bitcoins |
Symptoms | Personal files won’t open. Your photos, documents and music now have a different extension. Files with names like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ appear in each folder that holds at least one encrypted file. |
Distribution methods | Phishing emails that are carefully designed to trick a victim into opening an attachment or clicking on a link that contains a malicious file. Drive-by downloads from a compromised website. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or to click a malicious link). Flash drives containing malware. |
Removal | To remove Shariz ransomware use the removal guide |
Decryption | To decrypt Shariz ransomware use the steps |
We recommend that you remove the Shariz ransomware virus as soon as possible, before its presence leads to even worse consequences. Follow the steps below to completely remove the Shariz virus from your PC system and to recover encrypted personal files, using only a few free tools.
Quick links
- How to remove Shariz ransomware virus
- How to decrypt .shariz files
- How to restore .shariz files
- How to protect your system from Shariz ransomware virus?
- Finish words
How to remove Shariz ransomware virus
Manual removal does not always completely delete the Shariz crypto malware, because it is not easy to identify and remove every ransomware component and malicious file on the hard disk. Therefore, we recommend that you run a malware removal tool to completely delete the Shariz crypto virus from your personal computer. Several free malicious software removal tools are currently available that can be used against the ransomware. The optimum method is to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
How to remove Shariz with Zemana AntiMalware (ZAM)
Zemana Free is a program used to remove ransomware, trojans, spyware, malicious software, adware, worms and other security threats. The program is one of the most efficient antimalware tools. It helps with crypto virus removal and defends against all other types of malware. One of the biggest advantages of Zemana Anti Malware is that it is easy to use and free. It also keeps its virus/malware signature database constantly updated. Let’s see how to install Zemana Free and scan your machine with it in order to delete Shariz from your computer.
- Visit the following page to download the latest version of Zemana Free for Windows. Save it on your Windows desktop.
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- When the downloading process is done, please close all programs and open windows on your computer. Next, start a file named Zemana.AntiMalware.Setup.
- This will run the “Setup wizard” of Zemana on your system. Follow the prompts and do not make any changes to the default settings.
- When the Setup wizard has finished installing, Zemana will start and show the main window.
- Next, click the “Scan” button to perform a system scan with this utility for the Shariz ransomware, other malicious software, worms and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your system. While the Zemana tool is checking, you can see the number of objects it has identified as being affected by malicious software.
- Once the scan is completed, Zemana Free will open a list of found threats.
- Make sure all threats have a ‘checkmark’ and click the “Next” button. The utility will remove the Shariz ransomware virus and other kinds of potential threats such as malware and trojans, and add the items to the Quarantine. Once the task is finished, you may be prompted to reboot the personal computer.
- Close the Zemana Anti Malware (ZAM) and continue with the next step.
Run MalwareBytes AntiMalware to delete crypto malware
If you are having issues with the Shariz virus removal, then download MalwareBytes Anti-Malware (MBAM). It’s free for home use, and it detects and removes various undesired applications that attack your machine or degrade computer performance. MalwareBytes Anti Malware (MBAM) can uninstall adware software and PUPs as well as malware, including ransomware and trojans.
- Click the link below to download MalwareBytes. Save it to your Desktop.
- When the download is complete, close all software and windows on your machine. Open the file location. Double-click on the icon named mb3-setup.
- Next, press the Next button and follow the prompts.
- Once installation is complete, click the “Scan Now” button to perform a system scan for folders, files and registry keys related to the Shariz ransomware virus. A system scan may take anywhere from 5 to 30 minutes, depending on your PC system. While MalwareBytes Free is scanning, you can see how many objects it has identified as being malware.
- After the scan is finished, you will be shown the list of all detected items on your PC. You may remove items (move to Quarantine) by simply clicking “Quarantine Selected”. When finished, you may be prompted to reboot your system.
Double-check for crypto malware with KVRT
KVRT is a free removal tool that can check your PC for a wide range of security threats such as the Shariz crypto virus, adware and PUPs as well as other malware. It will perform a deep scan of your computer, including hard drives and the Microsoft Windows registry. When malicious software is detected, it will help you to remove all detected threats from your machine with a simple click.
Download Kaspersky virus removal tool (KVRT) on your MS Windows Desktop by clicking on the following link.
When the download is done, double-click on the KVRT icon. Once the initialization process is complete, you will see the KVRT screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will scan through the whole system for the Shariz crypto virus and other malware. This process can take quite a while, so please be patient. While the utility is scanning, you can see how many objects and files it has already scanned.
When Kaspersky virus removal tool is done scanning your machine, it will show you the results as shown in the following example.
You may delete items (move to Quarantine) by simply clicking on Continue to start a cleaning task.
How to decrypt .shariz files
If you try to find the private key on your own, which is almost impossible given its cryptographic complexity, you can damage the photos, documents and music encrypted by the Shariz crypto malware or make them useless forever. It is very important to understand the value of constantly backing up important files to various media, such as a USB flash drive, so that if malicious software damages your PC system you can always extract a copy of the corrupted files.
Never pay the ransom! Transferring money to the scammers is no guarantee that the victim will receive a private key to unlock the encrypted files. Very often, after receiving the ransom, fraudsters impose new demands for the transfer of an even larger amount of money. It is impossible to predict with certainty what the online criminals who designed the Shariz ransomware will do, but it is safe to say that their actions are immoral and illegal.
It is not necessary to pay the cyber fraudsters a ransom. The best option after an infection by this ransomware virus is to archive the files that it encrypted until a Shariz decryption utility becomes available. Further down in this blog post you will find useful steps on how to restore encrypted files for free.
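As an added example (not part of the original guide or of any tool it mentions), the Python script below inventories files carrying the .shariz extension and folders containing ‘_readme.txt’, then writes a manifest with SHA-256 hashes so the encrypted files can be archived and later checked for integrity. The function names and the CSV layout are assumptions made for illustration.

```python
import csv
import hashlib
import os
import sys
from collections import Counter

ENCRYPTED_EXT = ".shariz"    # extension the page says is appended
RANSOM_NOTE = "_readme.txt"  # ransom note name given on the page


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never loaded whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Return encrypted files, folders holding a ransom note, and counts by original type."""
    encrypted, note_dirs, by_type = [], [], Counter()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(folder)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]  # photo.jpg.shariz -> photo.jpg
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_type[ext] += 1
                encrypted.append((os.path.join(folder, name), original))
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs),
            "by_type": dict(by_type)}


def write_manifest(report, csv_path):
    """Record path, original name, size and SHA-256 so an archive can be verified later."""
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "original_name", "bytes", "sha256"])
        for path, original in report["encrypted"]:
            writer.writerow([path, original, os.path.getsize(path), sha256_of(path)])
    return len(report["encrypted"])


if __name__ == "__main__":
    # Usage: python shariz_inventory.py <folder> [manifest.csv]
    result = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(result["encrypted"]), "encrypted files;", result["by_type"])
    print("ransom notes in:", result["note_dirs"])
    if len(sys.argv) > 2:
        write_manifest(result, sys.argv[2])
```

The script only reads the files, so it can be run before any recovery attempt; write the manifest to a drive other than the one being examined.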
How to restore .shariz files
In some cases, you can recover files encrypted by Shariz ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Use shadow copies to recover .shariz files
A free utility called ShadowExplorer offers a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7, Vista). You can recover .shariz files encrypted by the Shariz ransomware virus from Shadow Copies for free.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
When the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder, which looks similar to the one below.
Start the ShadowExplorer tool and then choose the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Shariz crypto virus, as displayed below.
Now navigate to the file or folder that you want to recover. When ready, right-click on it and press the ‘Export’ button as shown below.
Run PhotoRec to recover .shariz files
Before a file is encrypted, the Shariz crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore applications such as PhotoRec.
Download PhotoRec from the link below. Save it on your Windows desktop.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen like the one below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as shown on the screen below.
Press the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, press the Browse button to choose where restored photos, documents and music should be written, then press Search.
The count of restored files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, click on the Quit button. Next, open the directory where the restored personal files are stored. You will see contents like those shown on the screen below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your system from Shariz ransomware virus?
Most antivirus programs already have a built-in protection system against the crypto virus. Therefore, if your computer does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC from Shariz crypto malware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.
Click the link below to download the latest version of HitmanPro Alert for MS Windows. Save it directly to your Microsoft Windows Desktop.
When downloading is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is opened, you’ll be shown a window where you can select a level of protection, as displayed on the screen below.
Now press the Install button to activate the protection.
Finish words
Now your computer should be free of the Shariz ransomware. Remove Kaspersky virus removal tool and MalwareBytes. We suggest that you keep Zemana AntiMalware (to periodically scan your system for new malware). You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete Shariz crypto malware from your PC system, then ask for help here.