Usam file extension
The .usam file extension is used by a new variant of STOP ransomware. The ‘Usam’ variant is very similar in its characteristics to other variants of this ransomware. It also encrypts files and then renames them, giving each a new filename consisting of the old name with ‘.usam’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock the encrypted data. Fortunately, there is a free decryptor. It allows everyone to decrypt files that have been affected by any version of STOP (Djvu) ransomware, including the ‘Usam’ variant. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .usam files.
What is Usam ransomware virus
Usam ransomware is the 233rd version of STOP (Djvu) ransomware. The behavior of this variant and the methods of its distribution are similar to other variants of STOP (Djvu). As before, criminals spread this ransomware through adware, cracks, activators and torrent websites. Upon execution, the Usam virus encrypts all files on the victim’s computer. This means that files on all drives connected to the computer will be encrypted. Files located on external devices, such as files on a flash drive or in cloud storage, can also be encrypted.
Each file is encrypted using a strong encryption algorithm and a long key. The key that the virus uses can be of two types: an online key or an offline key. Security researchers found that if the Usam virus could establish a connection to its command-and-control (C&C) server before encrypting the files, then the key obtained from that server is used; this key is called the ‘online key’. Such a key is unique for each infection, which means that the key for decrypting one victim’s files is not suitable for decrypting another victim’s files. If Usam could not establish a connection with the C&C server, then it uses an encryption key that is the same for all cases of infection. This type of key is called the ‘offline key’.
The authors of the Usam virus designed it to encrypt as many files as possible in as little time as possible. Therefore, the virus does not encrypt the entire file, but only its initial part, the first 154 KB. Because of this, the contents of some types of files (for example, zip archives) can be partly restored by simply returning the old filename to them, that is, removing the ‘.usam’ extension. During encryption, the virus skips files, that is, leaves them in their original state, if:
- files are located in the Windows system directories
- files have the extension .bat, .sys, .dll, .lnk, .ini
- files are named ‘_readme.txt’
All other files will be encrypted. That is, the contents of the following common file types can be encrypted:
.sum, .psd, .jpg, .zdc, .css, .pkpass, .rofl, .hvpl, .epk, .w3x, .xld, .xmmap, .wpa, .bay, .xll, .xwp, .qdf, .wpd, .svg, .lrf, .wp, .xar, .ibank, .xbdoc, .wav, .zif, .slm, .forge, .wpw, .bc7, .itl, .xml, .pptm, .sid, .crw, .yml, .db0, .jpeg, .syncdb, .wsh, .cfr, .gdb, .1st, .wbc, .wsd, .wp6, .kf, .arch00, .fsh, .wpd, .cer, .wmv, .png, .rgss3a, .wire, .big, .ppt, .layout, .dcr, .1, .xlsm, .dba, .avi, .wbmp, .d3dbsp, .pdf, .lbf, .odm, .vpk, .webdoc, .gho, .kdc, .mcmeta, .nrw, .xdb, .z, .js, .zw, .ncf, .srw, .xxx, .t13, .sidn, .xpm, .m4a, .txt, .fpk, .mef, .icxs, .ptx, .p12, .zip, .rwl, .rtf, .pem, .pfx, .sql, .accdb, .blob, .srf, .odb, .rim, .wbm, .xx, .erf, .wbz, .ff, .zip, .pef, .wsc, .xlgc, .wmf, .wpe, .ysp, .webp, .dng, .dxg, .rb, .wmo, .apk, .pst, .xls, .wdp, .xlsx, .py, .0, .mdb, .raw, .dazip, .litemod, .m2, .sr2, .cas, .wn, .xdl, .m3u, .sidd, .kdb, .ods, .3fr, .xlsb, .bsa, .ai, .vfs0, .p7c, .p7b, .7z, .wot, .bik, .mdf, .hkx, .y, .wp5, .esm, .t12, .dmp, .3dm, .vpp_pc, .cr2, .wpt, .pdd, .dbf, .crt, .menu, .mlx, .ltx, .bar, .zabw, .jpe, .pptx, .r3d, .wbd, .asset, .3ds, .eps, .mov, .wps, .bc6, .wm, .x3f, .sb, .ztmp, .xy3, .vtf, .xlsx, .odt, .wp7, .sie, .cdr, .x, .mdbackup, .docx, .xls, .wp4, .das, .xbplate, .arw, .odp, .wotreplay, .wbk, .fos, .rar, .zi, .wgz, .orf, .doc, .wri, .psk, .lvl, .wcf, .sis, .xlk, .wma, .snx, .hplg, wallet, .wps, .wdb, .mpqge, .2bp, .wb2, .xlsm, .mrwref
After Usam virus encrypts the file, it renames this file. Thus, each encrypted file gets a new filename. For example, the file ‘image.jpg’, after it is encrypted, will be renamed to ‘image.jpg.usam’. In all directories where there is at least one encrypted file, the virus drops a file with the name ‘_readme.txt’. A sample of the contents of this file is shown in the figure below.
Criminals use this file to demand a ransom from victims of the Usam virus. The message says that the victim’s files were encrypted with a strong algorithm and a key. The authors of the virus demand a ransom in exchange for the key and a decryptor. The ransom is $490 and must be paid within 72 hours. If the victim does not pay within this time, the ransom increases to $980. The attackers offer to decrypt one file for free, but this file should be small in size and must not contain any important information. Of course, the decryption of one file does not guarantee that, after paying the ransom, the victim will be able to recover the files affected by the virus.
Threat Summary

| Property | Details |
| --- | --- |
| Name | Usam ransomware |
| Type | Crypto virus, Filecoder, Crypto malware, Ransomware, File locker |
| Encrypted files extension | .usam |
| Ransom note | _readme.txt |
| Contact | helpmanager@mail.ch, restoremanager@airmail.cc |
| Ransom amount | $490 / $980 in Bitcoins |
| Detection Names | TR/Crypt.XPACK.Gen3, Win32/Kryptik.HEBU, Trojan.Glupteba, BehavesLike.Win32.TrojanAitInject.bc, HEUR/QVM10.1.ED1F.Malware.Gen, Ransom:Win32/STOP.BS!MTB, Artemis!941A50A60DFE, Generic.mg.941a50a60dfe1627 |
| Symptoms | When you try to open a file, Windows notifies you that you do not have permission to open it. Your personal files now have a different extension. Your file directories contain a ‘ransom note’ file, usually a .html, .jpg or .txt file. A ransom note is displayed on your desktop. |
| Distribution ways | Phishing emails that contain malicious attachments. Drive-by downloads (when a user unknowingly visits an infected website and malicious software is installed without the user’s knowledge). Social media, such as web-based instant messaging programs. Cybercriminals use suspicious advertisements to distribute malware with no user interaction required. |
| Removal | Usam ransomware removal guide |
| Decryption | Usam File Decrypt Tool |
Security researchers confirm that the Usam virus does indeed encrypt files, and that a decryptor and a key are required to decrypt them. Fortunately for all victims of this virus, as well as of other variants of STOP (Djvu) ransomware, Emsisoft developed a free decryptor. Thus, it is possible to decrypt .usam files. This decryptor has only one limitation: so far it can only decrypt files that were encrypted with an offline key. If the victim’s files were encrypted with an online key, then they cannot be decrypted. But even in this case, not everything is lost. Each Usam victim has a chance to restore some or all of the encrypted files to their original state using the alternative methods described below.
How to remove Usam ransomware virus; Recover, Decrypt .usam files
If your files were encrypted with .usam extension, then we recommend using the following steps. These steps will help you remove the ransomware and decrypt (restore) the encrypted files. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
- How to remove Usam ransomware virus
- How to decrypt .usam files
- How to restore .usam files
- How to protect your system from Usam ransomware
How to remove Usam ransomware virus
First you need to remove the Usam ransomware autostart entries before decrypting and recovering encrypted files. Another option is to perform a full scan of the computer using antivirus software capable of detecting and removing the ransomware infection.
It is very important to scan the computer for malware, as security researchers found that spyware may be installed on the infected computer along with the Usam ransomware. Spyware is a very dangerous security threat, as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing the Usam ransomware, let us know in the comments and we will try to help you.
To remove Usam ransomware, use the steps below:
- Kill the Usam ransomware process
- Disable the Usam ransomware Start-Up
- Delete the Usam ransomware Task
- Scan computer for malware
Kill the Usam ransomware process
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Usam ransomware, then right-click it and select the “End Task” or “End Process” option.
A process is particularly suspicious if it is taking up a lot of memory (despite the fact that you closed all of your programs) or if its name is not familiar to you (if you are in doubt, you can always check the program by searching for its name in Google, Yahoo or Bing).
Disable the Usam ransomware Start-Up
Select the “Start-Up” tab, look for something similar to the entry shown in the example below, right-click it and select Disable.
Close Task Manager.
Delete the Usam ransomware Task
Type “Task Scheduler” in the search bar. Click the Task Scheduler app in the search results. Click “Task Scheduler Library” in the left panel. In the right panel, right-click “Time Trigger Task” and select Delete.
Close Task Scheduler.
Scan computer for malware
Zemana AntiMalware (ZAM) is a complete package of anti-malware tools that can help you delete Usam. It can remove almost all forms of ransomware, trojans, worms, adware, hijackers, PUPs and other malicious software. Zemana has real-time protection that can defeat most malicious software and ransomware. You can use this malware removal tool alongside any other antivirus software without conflicts.
- Download Zemana Free on your PC system from the following link.
Zemana AntiMalware
- After the download is complete, close all software and windows on your PC. Open the directory in which you saved it. Double-click the icon named Zemana.AntiMalware.Setup.
- Next, click the Next button and follow the prompts.
- Once installation is finished, click the “Scan” button to perform a system scan with this tool for Usam ransomware related folders, files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and its speed. While the Zemana tool is checking, you can see the number of objects it has identified as being affected by malware.
- After the scan is finished, Zemana AntiMalware (ZAM) will display a list of found items. Make sure all items have a ‘checkmark’ and press “Next”. After the cleaning procedure is done, you may be prompted to reboot your computer.
If you have problems removing the Usam ransomware, then we recommend using the Kaspersky virus removal tool (KVRT). It is a free portable program that scans your system for spyware, ransomware, adware, PUPs, trojans, worms and other malware, and helps uninstall them easily. Moreover, it will also allow you to delete any other security threats for free.
Download Kaspersky virus removal tool (KVRT) on your machine from the following link.
After the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization process is complete, you will see the KVRT screen as shown in the figure below.
Click Change Parameters and set a check next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the Usam ransomware and other trojans and harmful applications. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the Kaspersky virus removal tool is scanning, you will see the number of objects it has identified as being affected by malicious software.
When finished, the Kaspersky virus removal tool will display a list of found threats similar to the one below.
All detected items will be marked. You can remove them all by simply pressing Continue to start the cleaning task.
How to decrypt .usam files
Files with the extension ‘.usam’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. As we reported above, there is a free decryptor, which was created by Emsisoft. This decryptor allows everyone to decrypt .usam files.
To decrypt .usam files, use Usam File Decrypt Tool
- Download Usam File Decrypt Tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Usam File Decrypt Tool is free software that is able to decrypt files encrypted with an offline key. Files encrypted with an online key cannot yet be decrypted. The online key is unique to each infected computer, and at the moment there is no way to obtain this key. Of course, the authors of the Usam virus own this key, but we do not think that paying a ransom is the right way to decrypt .usam files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using the alternative methods described below.
This step-by-step video guide demonstrates how to remove Usam ransomware and decrypt/recover .usam files.
How to find out which key was used to encrypt files
Since Usam File Decrypt Tool only decrypts files encrypted with the offline key, each Usam victim needs to find out which key was used to encrypt their files. Determining the type of key used is not difficult. Below we give two ways; use either of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below it is a line of characters that starts with ‘0233’ – this is your personal ID.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Usam ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
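The following Python script is an added example, not code from the original guide or from Emsisoft. It automates the two checks described above for a triage report: it pulls the personal ID out of a ‘_readme.txt’ note (the ID line follows the ‘Your personal ID’ line), reads the IDs listed in ‘PersonalID.txt’, classifies each as offline (ends with ‘t1’) or online, flags IDs that do not start with the ‘0233’ prefix this variant uses, and maps each ‘.usam’ file back to its original filename. The sample note text, the ID values and the file listing are constructed for the example and are not real IoCs.

```python
import ntpath
import re

USAM_EXT = ".usam"
# From the guide: this variant's personal IDs start with '0233', and an ID
# ending in 't1' means the offline key was used (the free decryptor may help).
VARIANT_PREFIX = "0233"
OFFLINE_SUFFIX = "t1"
# The ID sits on the line after 'Your personal ID' in _readme.txt.
NOTE_ID_RE = re.compile(r"Your personal ID:?[ \t]*\r?\n[ \t]*([A-Za-z0-9]+)")

# Constructed sample ransom note body (not a real note); the ID is made up.
SAMPLE_NOTE = (
    "Your files were encrypted.\n"
    "The price is $980, or $490 if you pay within 72 hours.\n"
    "\n"
    "Your personal ID:\n"
    "0233EXAMPLEofflineIDabcdt1\n"
)

# Constructed sample of C:\SystemID\PersonalID.txt (one ID per line).
SAMPLE_PERSONALID_TXT = "0233EXAMPLEofflineIDabcdt1\n0233EXAMPLEonlineIDwxyzQ9\n"

# Constructed file listing, as a removal tool or 'dir /s' might produce it.
SAMPLE_FILES = [
    r"C:\Users\victim\Pictures\image.jpg.usam",
    r"C:\Users\victim\Documents\report.docx.usam",
    r"C:\Users\victim\Documents\_readme.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\backup.zip.usam",
]


def extract_personal_id(note_text):
    """Return the personal ID from a _readme.txt body, or None if absent."""
    match = NOTE_ID_RE.search(note_text)
    return match.group(1) if match else None


def parse_personal_id_file(text):
    """Return every non-empty line of PersonalID.txt as an ID string."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def classify_key(personal_id):
    """'offline' if the ID ends with 't1', otherwise 'online' (per the guide)."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def is_variant_id(personal_id):
    """True if the ID carries the '0233' prefix this variant stamps on IDs."""
    return personal_id.startswith(VARIANT_PREFIX)


def original_name(path):
    """Strip the appended '.usam' to recover the original filename, else None."""
    if path.lower().endswith(USAM_EXT):
        return path[: -len(USAM_EXT)]
    return None


def triage(files, note_text=None, personal_id_text=None):
    """Build a summary a responder can act on: which files are encrypted,
    where the notes are, which IDs were seen and whether the decryptor may help."""
    ids = []
    if note_text:
        note_id = extract_personal_id(note_text)
        if note_id:
            ids.append(note_id)
    if personal_id_text:
        ids.extend(parse_personal_id_file(personal_id_text))
    ids = list(dict.fromkeys(ids))  # de-duplicate, keep first-seen order
    keys = {pid: classify_key(pid) for pid in ids}
    encrypted = {f: original_name(f) for f in files if original_name(f)}
    return {
        "encrypted_files": encrypted,
        "ransom_notes": [f for f in files
                         if ntpath.basename(f).lower() == "_readme.txt"],
        "ids": keys,
        "offline_ids": [pid for pid, k in keys.items() if k == "offline"],
        "online_ids": [pid for pid, k in keys.items() if k == "online"],
        "unexpected_ids": [pid for pid in ids if not is_variant_id(pid)],
        "decryptor_may_help": any(k == "offline" for k in keys.values()),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_NOTE, SAMPLE_PERSONALID_TXT)
    print(f"{len(report['encrypted_files'])} encrypted file(s), "
          f"{len(report['ransom_notes'])} ransom note(s)")
    for pid, kind in report["ids"].items():
        print(f"  ID {pid}: {kind} key")
    print("free decryptor may help:", report["decryptor_may_help"])
```

Run it against real input by reading the note and ID file with `open()` and feeding a directory walk into `triage()`; an entry in `unexpected_ids` means the ID did not come from this variant and the ‘t1’ rule from this guide should not be relied on for it.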
Usam File Decrypt Tool : “No key for New Variant online ID”
If, when you try to decrypt .usam files, Usam File Decrypt Tool reports:
No key for New Variant online ID: *
Notice: this ID appears to be an online ID, decryption is impossible
It means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Usam authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
Usam File Decrypt Tool : “No key for New Variant offline ID”
If, during decryption of .usam files, Usam File Decrypt Tool reports:
No key for New Variant offline ID: *t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.
It means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been obtained by security researchers. In this case, you need to be patient and wait a while; in addition, you can also use the alternative ways of recovering encrypted data.
If for some reason you were unable to decrypt the encrypted files, then we recommend following the news on our Facebook or YouTube channels. That way you will know right away when it becomes possible to decrypt .usam files.
How to restore .usam files
If all your files are encrypted with an online key, or the Usam File Decrypt Tool cannot decrypt the encrypted files, then only one option is left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. However, if you have not yet tried the free decryptor, try it first by following step 2 of these instructions, and then return here.
Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Use ShadowExplorer to restore .usam files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos and music encrypted by Usam ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.
First, please go to the link below, then press the ‘Download’ button in order to download the latest version of ShadowExplorer.
When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.
Start the ShadowExplorer tool, then select the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Usam ransomware, as shown in the following example.
Now navigate to the file or folder that you wish to restore. When ready, right-click it and click the ‘Export’ button as shown in the image below.
This step-by-step video guide demonstrates how to recover encrypted files using Shadow Explorer.
Recover .usam files with PhotoRec
There is one more way, unfortunately the last, to recover the contents of encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec by clicking on the link below.
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the image below.
Double-click qphotorec_win to run PhotoRec for Windows. It will show a window like the one in the following example.
Choose a drive to recover, as shown in the figure below.
You will see a list of available partitions. Select the partition that holds the encrypted photos, documents and music, as shown in the image below.
Press the File Formats button and specify the file types to restore. You can enable or disable the restoration of certain file types. When this is complete, click the OK button.
Next, click the Browse button to choose where the restored personal files should be written, then press Search.
The count of restored files is updated in real time. All restored documents, photos and music are written to the folder you chose in the previous step. You can access the files even before the recovery process has finished.
When the recovery is done, click the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those shown on the screen below.
All restored personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the restored files by extension and/or date/time.
This step-by-step video guide demonstrates how to recover encrypted files using PhotoRec.
How to protect your system from Usam ransomware
Most antivirus apps already have built-in protection against crypto viruses. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic tool for protecting your system from ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the Windows operating system from MS Windows XP to Windows 10.
Installing HitmanPro.Alert is simple. First you will need to download HitmanPro.Alert by clicking the following link. Save it on your MS Windows desktop or in any other place.
Once the download is complete, open the file location. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. Once the utility has started, a window will be displayed where you can select a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of the Usam ransomware virus. We tried to answer the following questions: how to remove the ransomware; how to decrypt .usam files; how to recover files if the STOP (Usam) decryptor does not help; and what an online key and an offline key are. We hope that the information presented in this manual has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Usam related issues, go here.
Hi,
My PC got ransomware malware, it has the extension .usam. I have followed the steps mentioned above but failed to remove the ransomware malware and recover the files. I have tried Emsisoft’s decrypt tools for .usam but it results in an error.
Please help me with.
In readme.text
My personal ID is starting with 0233…. and ending with …..H7V6om
The id that ends in ‘H7V6om’ is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the steps linked below: How to recover encrypted files.
Tks for All
The Best Article about this.
Thank You Very Much
Hello, my personal ID ends in … k9tzq.
and Emsisoft gives this error: Notice: this ID appears to be an online ID, decryption is impossible
What can I do to recover my files?
Use ShadowExplorer and PhotoRec to recover encrypted files.
My laptop has also been infected with the same.
My ID ends with t1, which means an offline key.
Please suggest how to recover all my files which are infected by the .usam ransomware.
Just scroll down to section “How to decrypt .usam files” and follow the instructions outlined there.
my computer got infected with an mpal virus and it says that this ID appears to be an online ID, decryption is impossible. any solution to it?
try ShadowExplorer and PhotoRec