Contents
vCrypt ransomware is a file-locking computer virus which uses 7Zip to store files in password-protected folders. The virus creates separate zip files per file folder, naming them as username_foldername.vcrypt. For example, a folder called Pictures would become User_MyPictures.vcrypt. The original files then get deleted by the virus. The virus also creates a ransom note, which it stores in help.html file. This file is automatically opened when the data-locking procedure takes place. The said ransomware is known to target French victims mainly.
The ransom note left in help.html file opens in the default web browser and contains some question-answer sentences in French language.
Oooopppssss… Q: Qu’ai t’il arrivé à mes fichiers ?
A: Tous vos fichiers ont étés chiffrés et placés dans une zone de sécurité.
Q: Comment récupérez mes documents !! ?
A: Suivez les instructions disponibles via cette page web. Si la page ne s’ouvre pas, veuillez vérifier votre connexion internet.
A rough translation of the given note in English is provided below.
Q: What happened to my files?
A: All your files were encrypted and placed in a secure zone.
Q: How to recover my documents !! ?
A: Follow the instructions available on this web page. If the page does not open, please check your Internet connection.
The password for each file folder is the same. It has also been noticed that the ransomware doesn’t go deeper into the computer system to search for specific file types to encrypt/lock. Instead, vCrypt ransomware targets specific default data folders in %userprofile% and %public%. To be precise, it locks Desktop, Documents, Downloads, Music, Pictures and Videos both from public and user’s locations.
It is currently unknown how much the attackers want for a ransom. The help.html ransom note includes a link to the attackers website, which is currently unreachable. What is more, it is impossible to contact the criminals regarding data recovery options.
If you have been attacked by the said virus, we strongly encourage you to remove vCrypt ransomware and protect your system now. For that, you may want to use a reliable anti-malware. For virus damage repair, consider using RESTORO.
Name | vCrypt ransomware |
Type | Ransomware virus |
Detection names | Troj/Ransom-FXO (Sophos), |
Encryption | Doesn’t encrypt; store files in password-protected 7zip folders. |
Folders affected | Desktop, Documents, Downloads, Music, Pictures and Videos |
Extension used | .vcrypt file extension |
Ransom note | help.html |
Targetting | French-speaking computer users |
Damage | Files stored in specific folders get locked into password-protected 7Zip folders. Original files get deleted instantly. The virus leaves help.html file as a ransom for the victim. The target can no longer open and view these files. Files on additional drive letters get deleted. |
Associated files | video_driver.exe, new_background.bmp, 7za.exe, help.html. |
Distribution | Possibly spreads via fake downloads, such as fake driver updates. |
Removal | Remove using anti-malware. To fix damage on Windows OS system, consider using RESTORO. |
Once executed, the vCrypt ransomware virus replicates a legitimate 7zip command-line program called 7za.exe to %Temp% folder and saves it as mod_01.exe. Following that, the ransomware starts running series of commands to archive documents in the aforementioned folders. Once an archive for a folder is created, the data from the original folder gets deleted by the virus.
What is more, the virus deletes data stored on any other drive letters on the computer without storing the data into password-protected archives. Therefore, if at the time of cyber attack you have some media devices connected to the compromised PC (such as memory cards), the ransomware will delete the data from them.
Finally, the ransomware changes the compromised computer’s desktop wallpaper with new_background.bmp picture. It is simply a black wallpaper.
Although currently it is unclear how exactly this ransomware spreads, a victim has reported that the vCrypt executable was hiding in a file called video_driver.exe. This might indicate that it was downloaded in a form of a malicious driver update from an insecure web source.
Illegal downloads, compromised websites and malicious email attachments are the most popular ransomware distribution vectors. They haven’t changed much over the years, yet computer users still fall for these techniques.
In order to avoid getting infected from online downloads or compromised websites, we strongly recommend visiting well-known and secure web sources only. Make sure you avoid visiting domains that have many digits, hyphens and other suspicious symbols in their names. Moreover, check if the website has SSL certificate, in other words, whether its domain name starts with HTTPS and not HTTP. Next, we strongly recommend you to scan any downloaded files with an antivirus before opening them. This way, even if the file is malicious, it won’t affect your system.
Finally, we strongly recommend you to refrain from searching and downloading illegal files such as software cracks or keygens – these are well known to distribute highly dangerous malware alongside them. Another thing to remember about infected websites is that they’re often marked with Deceptive site ahead intermediate page, which you shouldn’t try to cross. Finally, if you notice instant redirects after entering a website, close it immediately.
When it comes to email-driven ransomware, criminals rely on eye-catching headlines such as “Important,” “Report [date]” “Reply immediately” and similar. Such messages often include a lot of grammar mistakes and seem to be written hastily. The email often contains a link or attachment that the message urges to open as soon as possible. However, once the victim opens the malicious file, the ransomware unleashes into the system.
One of the best methods to remove vCrypt ransomware is to delete it with a well-known malware removal tool such as Malwarebytes Anti-Malware. Its Premium version provides anti-ransomware and real-time virus protection, which is simply a must these days. To repair damage that the virus may have caused on Windows system files, consider trying RESTORO.
After vCrypt ransomware virus removal, do not forget to keep real-time virus protection enabled at all times. In addition, do not forget to follow the guidance given regarding ransomware prevention. When it comes to locked data recovery, we suggest waiting for updates – cybersecurity experts are looking into this particular case to help victims recover their files shortly. As always, you can use data backups, but make sure you plug them into your computer only after removing the malware professionally first.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
vCrypt ransomware virus Removal Guidelines
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
Now, you can search for and remove vCrypt ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.