vCrypt ransomware stops access to personal data
Contents
vCrypt ransomware is a file-locking computer virus which uses 7Zip to store files in password-protected folders. The virus creates separate zip files per file folder, naming them as username_foldername.vcrypt. For example, a folder called Pictures would become User_MyPictures.vcrypt. The original files then get deleted by the virus. The virus also creates a ransom note, which it stores in help.html file. This file is automatically opened when the data-locking procedure takes place. The said ransomware is known to target French victims mainly.
The ransom note left in help.html file opens in the default web browser and contains some question-answer sentences in French language.
Oooopppssss… Q: Qu’ai t’il arrivé à mes fichiers ?
A: Tous vos fichiers ont étés chiffrés et placés dans une zone de sécurité.
Q: Comment récupérez mes documents !! ?
A: Suivez les instructions disponibles via cette page web. Si la page ne s’ouvre pas, veuillez vérifier votre connexion internet.
A rough translation of the given note in English is provided below.
Q: What happened to my files?
A: All your files were encrypted and placed in a secure zone.
Q: How to recover my documents !! ?
A: Follow the instructions available on this web page. If the page does not open, please check your Internet connection.
The password for each file folder is the same. It has also been noticed that the ransomware doesn’t go deeper into the computer system to search for specific file types to encrypt/lock. Instead, vCrypt ransomware targets specific default data folders in %userprofile% and %public%. To be precise, it locks Desktop, Documents, Downloads, Music, Pictures and Videos both from public and user’s locations.
It is currently unknown how much the attackers want for a ransom. The help.html ransom note includes a link to the attackers website, which is currently unreachable. What is more, it is impossible to contact the criminals regarding data recovery options.
If you have been attacked by the said virus, we strongly encourage you to remove vCrypt ransomware and protect your system now. For that, you may want to use a reliable anti-malware. For virus damage repair, consider using RESTORO.
Threat Summary
Name | vCrypt ransomware |
Type | Ransomware virus |
Detection names | Troj/Ransom-FXO (Sophos), |
Encryption | Doesn’t encrypt; store files in password-protected 7zip folders. |
Folders affected | Desktop, Documents, Downloads, Music, Pictures and Videos |
Extension used | .vcrypt file extension |
Ransom note | help.html |
Targetting | French-speaking computer users |
Damage | Files stored in specific folders get locked into password-protected 7Zip folders. Original files get deleted instantly. The virus leaves help.html file as a ransom for the victim. The target can no longer open and view these files. Files on additional drive letters get deleted. |
Associated files | video_driver.exe, new_background.bmp, 7za.exe, help.html. |
Distribution | Possibly spreads via fake downloads, such as fake driver updates. |
Removal | Remove using anti-malware. To fix damage on Windows OS system, consider using RESTORO. |
Operation details
Once executed, the vCrypt ransomware virus replicates a legitimate 7zip command-line program called 7za.exe to %Temp% folder and saves it as mod_01.exe. Following that, the ransomware starts running series of commands to archive documents in the aforementioned folders. Once an archive for a folder is created, the data from the original folder gets deleted by the virus.
What is more, the virus deletes data stored on any other drive letters on the computer without storing the data into password-protected archives. Therefore, if at the time of cyber attack you have some media devices connected to the compromised PC (such as memory cards), the ransomware will delete the data from them.
Finally, the ransomware changes the compromised computer’s desktop wallpaper with new_background.bmp picture. It is simply a black wallpaper.
Ransomware distribution and prevention methods
Although currently it is unclear how exactly this ransomware spreads, a victim has reported that the vCrypt executable was hiding in a file called video_driver.exe. This might indicate that it was downloaded in a form of a malicious driver update from an insecure web source.
Illegal downloads, compromised websites and malicious email attachments are the most popular ransomware distribution vectors. They haven’t changed much over the years, yet computer users still fall for these techniques.
In order to avoid getting infected from online downloads or compromised websites, we strongly recommend visiting well-known and secure web sources only. Make sure you avoid visiting domains that have many digits, hyphens and other suspicious symbols in their names. Moreover, check if the website has SSL certificate, in other words, whether its domain name starts with HTTPS and not HTTP. Next, we strongly recommend you to scan any downloaded files with an antivirus before opening them. This way, even if the file is malicious, it won’t affect your system.
Finally, we strongly recommend you to refrain from searching and downloading illegal files such as software cracks or keygens – these are well known to distribute highly dangerous malware alongside them. Another thing to remember about infected websites is that they’re often marked with Deceptive site ahead intermediate page, which you shouldn’t try to cross. Finally, if you notice instant redirects after entering a website, close it immediately.
When it comes to email-driven ransomware, criminals rely on eye-catching headlines such as “Important,” “Report [date]” “Reply immediately” and similar. Such messages often include a lot of grammar mistakes and seem to be written hastily. The email often contains a link or attachment that the message urges to open as soon as possible. However, once the victim opens the malicious file, the ransomware unleashes into the system.
Remove vCrypt ransomware virus safely now
One of the best methods to remove vCrypt ransomware is to delete it with a well-known malware removal tool such as Malwarebytes Anti-Malware. Its Premium version provides anti-ransomware and real-time virus protection, which is simply a must these days. To repair damage that the virus may have caused on Windows system files, consider trying RESTORO.
After vCrypt ransomware virus removal, do not forget to keep real-time virus protection enabled at all times. In addition, do not forget to follow the guidance given regarding ransomware prevention. When it comes to locked data recovery, we suggest waiting for updates – cybersecurity experts are looking into this particular case to help victims recover their files shortly. As always, you can use data backups, but make sure you plug them into your computer only after removing the malware professionally first.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software.
REMOVE THREATS WITH ROBUST ANTIVIRUS
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.
Use INTEGO Antivirus to remove detected threats from your computer.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
vCrypt ransomware virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove vCrypt ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply