Geek's Advice

Remove VTUA Ransomware Virus (DECRYPT .vtua FILES)

October 18, 2021 By Norbert Webb

VTUA ransomware aims to lock your files to demand a ransom for decryption

Contents

  • VTUA ransomware aims to lock your files to demand a ransom for decryption
  • What this ransomware does to your computer
    • Ransomware Summary
  • Ransomware distribution tricks: avoid getting infected
  • Remove VTUA Ransomware Virus and Decrypt Your Files
  • Decrypt VTUA files
    • Fix and open large VTUA files easily:
    • STOP/DJVU decryption tool usage guide
    • Report Internet crime to legal departments
  • Frequently Asked Questions

VTUA ransomware virus is a new variant of the file-encrypting STOP/DJVU malware family. Once it compromises the target computer system, it scans all directories, encrypts the personal or work files found in them using the Salsa20 crypto-algorithm, and marks each of them with the .vtua file extension. To illustrate, a file originally named 1.jpg appears as 1.jpg.vtua after being encrypted. Moreover, the file becomes impossible to open. Victims of this malware attack will immediately notice a ransom note called _readme.txt in each folder, which the virus drops as a message from the cybercriminals. The note explains that in order to regain access to all files, one needs to pay a ransom to the cybercriminals. The note suggests that it is the only possible way to get the VTUA file decryption tool. Its price depends on how quickly the computer user writes to the attackers and settles an agreement. If this is done within 72 hours (3 full days), the victim becomes eligible for a 50% discount and the tool would cost $490 in this scenario. Otherwise, the victim needs to pay the full amount, which is $980. The attackers suggest contacting them for further information via the provided email addresses: supporthelp@airmail.cc and manager@mailtemp.ch.

The main goal of VTUA ransomware is to illegally block the victim’s access to their own files by leveraging a complex encryption algorithm and a public encryption key. In order to decrypt locked files, the victim needs a private decryption key, which is in the possession of the cybercriminals. In legitimate use, encryption secures information in transit, for example, private data sent over the Internet such as passwords, emails, and other sensitive details. However, in this case, hackers are misusing it in order to extort the computer user by taking one’s data hostage.

This variant of STOP/DJVU malware works identically to its previous versions (TISC, NQSQ and others). The malicious program affects only the initial 150KB of information in each file. This rule helps it corrupt files quickly, so that the whole file storage can be encrypted before the victim notices the ongoing attack. This leaves the victim with little chance of recovering data if no data backup was present prior to the attack; however, there are some ways to decrypt or repair affected files. Generally, victims affected by an offline key have a chance to restore their files (we will explain this later) or use the Media_Repair tool by DiskTuna to repair some audio and video files as explained in this guide.

Once this ransomware does its dirty job and illegally locks victim’s files, it surely leaves an explanation behind. Therefore, the virus saves _readme.txt note in every folder. This message explains that VTUA ransomware has encrypted all images, videos, documents, archives and other important files with “strongest” encryption. The note also ensures that not all is lost and the victim can still decrypt all data if one manages to meet the cybercriminals’ expectations. They suggest writing to them via provided email addresses along with Personal ID and one test file.

The criminals then would respond with decrypted test file version and further instructions on how to purchase cryptocurrency and make the transaction to the attacker’s virtual wallet address. However, the ransom note warns not to send a test file that contains valuable information, or the attackers might refuse to decrypt it. The reasoning behind this is related to the crooks’ fear that the victim won’t see any meaning of paying the ransom after recovering the most important information.

The _readme.txt note also includes guidelines regarding the VTUA decryption tool and key pricing. The note simply suggests that the victim can get a 50% discount if one contacts the attacker and settles an agreement within 72 hours. This time is calculated from the initial computer attack timestamp. Needless to say, the criminals most likely agree to this decryption price if the victim manages to make the transaction within this timeframe as well. However, if the victim doesn’t reach out within given timeframe, the attackers say the decryption price will be $980. Of course, they won’t accept any other form of payment other than one made in cryptocurrency such as Bitcoin. They do not accept regular payments because these can help to reveal true identity of ransomware operators.

Our team's experts do not recommend paying ransoms to virtual extortionists. The same recommendation is issued by the FBI. Here are some reasons why paying a ransom to crypto-malware operators isn’t a good idea:

  • Regardless of the amount you transfer to cybercriminals, they can disappear the minute the transaction reaches their wallets. In other words, paying does not guarantee file decryption or recovery in any way. Everything is in the cybercriminals’ hands in this situation.
  • Please do not keep the ransomware cycle active – victims who choose to pay the ransom help to keep this illegal business active. In other words, the attackers wouldn’t create so many ransomware variants if there weren’t so many victims paying to decrypt their files.
  • Ransomware operators earn millions of US dollars annually. The amount of money crooks can generate attracts other people to join the illegal business.
  • STOP/DJVU ransomware variants including VTUA virus tend to infect the already-compromised computer with additional malware, for instance, information stealer known as AZORULT Trojan. It can collect sensitive information from the host which may be used for further victim extortion and blackmail.

What this ransomware does to your computer

If you have fallen victim to a VTUA ransomware virus attack, we believe that it is important to clear up the uncertainties and explain what the virus has done to your computer system. Although you might have an idea how you got infected, let us clarify that the majority of these viruses arrive in the form of a malicious torrent download. Most of the victims report downloading a compromised software crack or keygen.

Once in the computer system, the ransomware collects some information about its operating system, user name, hardware details and software installed, then fetches victim’s geolocation information (IP address, country code, city, longitude, latitude, zip code and time zone) by connecting to “https[:]//api.2ip.ua/geo.json” domain. At this point, the ransomware checks whether the country code matches one from its exception list and if this is the case, it terminates itself without encrypting one’s files. Otherwise, it continues the attack and tries to connect to its Command & Control server to generate a unique encryption key for the victim. Once received, the virus saves it to bowsakkdestx.txt file along with victim’s personal ID string. This string is also separately saved to PersonalID.txt file.

The ransomware saves public encryption key to bowsakkdestx.txt file along with victim’s personal ID, which is also separately saved to PersonalID.txt file.

In case the ransomware fails to connect to the said server, it switches to use a hardcoded offline encryption key for the computer. You can identify whether this key was used very easily – just look at your personal ID ending – if the last two characters are t1, it most likely means you’re affected with offline key and that is partly good news because you can expect to recover your files in the future.

Once the virus determines the encryption key to use, it begins scanning the computer system and encrypting files found in it. It has set rules to bypass system folders so that the operating system could continue functioning. During this procedure, the ransomware makes data inaccessible, marks each file with additional extension and drops ransom notes in every folder. At the same time, it showcases a fake Windows Update prompt with progress bar for the victim, trying to deceive one into thinking the system is slow due to ongoing essential updates being downloaded and installed (the prompt is launched by fake winupdate.exe process).

Next, the ransomware runs a Command Line task to delete Volume Shadow Copies from the system, thus blocking victim’s chances to recover data using System Restore points (if any were created):

vssadmin.exe Delete Shadows /All /Quiet
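The command above and the fake winupdate.exe process are both visible in process-creation logging, so they can be turned into detection rules. The following is an added example, not part of the original article: it assumes events exported as one JSON record per line with the Sysmon Event ID 1 field names (UtcTime, Image, CommandLine), and the sample records and paths are constructed.

```python
import json
import ntpath
import re

# "vssadmin" (optionally quoted or with .exe) followed by "delete shadows",
# tolerant of letter case and repeated whitespace.
SHADOW_DELETE = re.compile(r'\bvssadmin(?:\.exe)?["\s]+delete\s+shadows\b',
                           re.IGNORECASE)
FAKE_UPDATER = "winupdate.exe"  # process name reported in the article

# Constructed sample: one JSON record per line, Sysmon Event ID 1 field names.
SAMPLE_EVENTS = r"""
{"UtcTime": "2021-10-18 09:14:02", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe List Shadows"}
{"UtcTime": "2021-10-18 09:20:41", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\winupdate.exe", "CommandLine": "winupdate.exe"}
{"UtcTime": "2021-10-18 09:21:07", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"UtcTime": "2021-10-18 09:21:09", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Windows\\System32\\VSSADMIN.EXE\"  delete   shadows /all"}
{"UtcTime": "2021-10-18 09:30:00", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\user\\Desktop\\_readme.txt"}
"""


def detect(events_text):
    """Return (UtcTime, rule, evidence) for every record that matches a rule."""
    hits = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(event, dict):
            continue
        when = event.get("UtcTime", "")
        command = event.get("CommandLine") or ""
        image = event.get("Image") or ""
        if SHADOW_DELETE.search(command):
            hits.append((when, "shadow-copy-deletion", command))
        # ntpath parses Windows paths even when the analysis host is not Windows.
        if ntpath.basename(image).lower() == FAKE_UPDATER:
            hits.append((when, "fake-update-process", image))
    return hits


if __name__ == "__main__":
    for when, rule, evidence in detect(SAMPLE_EVENTS):
        print(when, rule, evidence)
```
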

However, this is not the last illegal modification done by the ransomware. On top of previous pile of functions that block victim’s access to own files, the virus adds a list of domain names to Windows HOSTS file. The virus maps them to localhost IP, thus causing a DNS resolution problem (DNS_PROBE_FINISHED_NXDOMAIN) when the victim attempts to access one of those websites from the list. To clarify, the malware restricts access to websites publishing guides on malware removal, tips on how to respond to ransomware attack or guides on how to recover files, plus various forums where users discuss computer problems. In simple terms, the ransomware operators do not want the victim to find help online, thus they seek to create even more tension in the current situation.
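The HOSTS file change described above can be audited and undone with a short script. The following is an added example, not part of the original article: the sample file content and the .example domains are constructed, the set of names expected on loopback is an assumption, and the check is widened to also cover the unspecified address 0.0.0.0, which blocks a site the same way.

```python
import ipaddress

# Names a stock hosts file legitimately maps to loopback (assumed list).
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                           "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#      127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
192.168.1.20 nas.home.example
127.0.0.1 security-forum.example www.security-forum.example   # constructed
127.0.0.1    removal-guides.example
0.0.0.0 av-vendor.example
not-an-ip something.example
"""


def parse_line(line):
    """Return (address, [hostnames]); None for blank, comment or malformed lines."""
    body = line.split("#", 1)[0].strip()
    fields = body.split()
    if len(fields) < 2:
        return None
    try:
        address = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return address, [name.lower().rstrip(".") for name in fields[1:]]


def is_sinkhole(address):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::."""
    return address.is_loopback or address.is_unspecified


def audit_hosts(text):
    """List (line number, address, hostname) for every blocked hostname."""
    findings = []
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None or not is_sinkhole(parsed[0]):
            continue
        address, names = parsed
        for name in names:
            if name not in EXPECTED_LOOPBACK_NAMES:
                findings.append((number, str(address), name))
    return findings


def cleaned_hosts(text):
    """Return the file content with only the blocking entries removed."""
    kept = []
    for line in text.lstrip("\ufeff").splitlines():
        parsed = parse_line(line)
        if parsed is None or not is_sinkhole(parsed[0]):
            kept.append(line)  # comments, real mappings, unparseable lines
            continue
        address, names = parsed
        legitimate = [n for n in names if n in EXPECTED_LOOPBACK_NAMES]
        if legitimate:
            kept.append(f"{address} {' '.join(legitimate)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, address, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {name} -> {address}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; review the output of cleaned_hosts before writing it back, since some users block domains there on purpose.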

Finally, the ransomware can deliver more malware to the computer system, although the _readme.txt note says nothing about it. The sneaky virus can drop AZORULT Trojan to your PC, which is a malware used to collect sensitive information from your computer remotely. It has a set of functionalities that are listed below:

  • Download and run even more malware on your computer;
  • View files in your computer folders and delete them;
  • Steal private information or login credentials, including cryptocurrency wallets, banking details, login credentials saved for various websites and similar;
  • Steal login info of Telegram and Steam accounts.

Considering all the damage done by this malware to your computer, we strongly recommend that you take steps to secure your information and whole computer system immediately. We suggest using robust security software with real-time protection such as INTEGO Antivirus, which has an excellent malware detection rate, to remove existing threats from your Windows operating system. Moreover, computer experts advise downloading and scanning your PC with RESTORO to repair virus damage caused to Windows OS files.

Ransomware Summary

Name: VTUA Ransomware Virus
Type: Ransomware; Crypto-malware; Virtual Extortion Virus
Family: STOP/DJVU
Encryption type: RSA Salsa20
Previous versions: DARJ DAZX, TYWD, TYCX, TYOS, TYPO, JYWD (find full list here)
Version: 338th
Extension: .vtua
Cybercriminal emails: manager@mailtemp.ch, supporthelp@airmail.cc
Dropper: SmokeLoader (see VirusTotal details)
Damage: The ransomware encrypts all files on the target Windows operating system by applying Salsa20 encryption algorithm and adds .vtua extension to each of them to make them distinguishable. A copy of _readme.txt note can be found in every file directory containing encrypted data. The virus ensures that Volume Shadow Copies are deleted and inserts a list of domain names to block to Windows HOSTS file. Some variants of this ransomware group can infect the computer with additional malware such as AZORULT Trojan.
Ransom note: _readme.txt
Ransom demand: $490-$980 in Bitcoin
Distribution: Victims often download this ransomware along illegal torrent downloads, cracked software, key generators or tools like KMSPico.
Detection names: Ransom:Win32/StopCrypt.MK!MTB (Microsoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Gen:Variant.Ulise.313073 (BitDefender), ML.Attribute.HighConfidence (Symantec), Win32:BotX-gen [Trj] (Avast); see all detection name variations on VirusTotal
Removal: Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

_readme.txt note suggests that the only way to get file decryption tool is to pay a ransom to cybercriminals.

Ransomware distribution tricks: avoid getting infected

It is essential to get to know how ransomware-type viruses are distributed by cybercriminals so you could avoid similar attacks in the future. There are several common attack vectors such as exploits, malicious email attachments and illegal torrent downloads. When it comes to STOP/DJVU variants such as VTUA virus, the main attack method is based on pirated software versions made available via untrustworthy torrent libraries online.

Cybercriminals prey on computer users who are willing to use peer-to-peer file sharing agents to download copies of pirated software or games and activate their premium versions for free. What is even worse, many computer users tend to interpret their security software alerts for such downloads as irrelevant. They believe that AV software always marks each download involving word “crack” as malicious; although antivirus software indeed sometimes marks such downloads falsely, in the majority of cases, it is best to stay on the safe side and avoid opening such files.

Another important thing is that if you do not immediately notice signs of computer malware, it doesn’t mean it is not there. There are many variants of malware that can reside on your computer system unnoticed for a long time, for instance, cryptocurrency miners, Trojans and other malware. Moreover, you should know that malware such as ransomware can be configured to launch after a set period of time to avoid being detected immediately.

We have aggregated a list of software names that victims of STOP/DJVU ransomware variants have tried to download from unofficial sources and ended up infected. In other words, keep in mind that cybercriminals tend to hide the described file-encrypting threat in software cracks for these programs:

  • Adobe Photoshop;
  • Corel Draw;
  • Tenorshare 4ukey;
  • Cubase;
  • Adobe Illustrator;
  • League of Legends;
  • Windows activation tools such as KMSPico.

If you want to avoid getting infected, please try to download programs and games you need from official and confirmed sources only. Besides, we strongly encourage you to support legitimate software developers who try to create useful or entertaining programs rather than greedy criminals. The amount of money hackers will demand paying for recovery of your own data is always much higher than the cost of legitimate software license. Besides, the attackers can steal private information from your computer and blackmail you for a very long time. In other words, trying to save money by installing pirated software copies is simply not worth the risk.

Another way that cybercriminals use to distribute ransomware is malicious email spam. Typically, cybercrooks compose convincing messages and pretend to be your colleague, a representative from a well-known company (such as eBay, Amazon, or parcel delivery company). The hackers can inject a malicious script that triggers the malware download into popular document formats such as Word or PDF file. These documents arrive as email attachment along deceptive messages asking to view attached email contents as soon as possible.

The attackers will use common and legitimate-looking names for these documents, for example, invoice, payment details, order summary, waybill and similar. They can even go as far as spoofing the sender’s address to trick you into thinking the email came from a trusted sender. Our general recommendation is to avoid emails that seem even slightly suspicious or ones that you did not expect to receive.

Finally, victims of this ransomware strain should be aware that cybercriminals place malicious file decryption tools online to cause double-encryption of data. One of the ransomware strains known for distributing non-functional STOP/DJVU data decryption tools is ZORAB. If you accidentally download this decryption tool to your computer, your files that are already encrypted would get corrupted again. We’d like to emphasize that if an official decryption tool appears, it will be discussed on all the reputable websites covering cybersecurity news. Do not expect to find a magical tool to restore your files on shady websites if the reputable websites do not mention the existence of such software at all.

Remove VTUA Ransomware Virus and Decrypt Your Files

Now that your files are encrypted and your computer was affected by one of the most dangerous computer viruses in the wild, it is essential to secure your computer in the first place. Therefore, we have prepared in-depth guide on how to remove VTUA Ransomware Virus safely. Of course, we strongly suggest that you use a robust security software to eliminate existing threats professionally. Our team recommends INTEGO Antivirus which is VB100 certified software (in simple terms, it is confirmed to have excellent malware detection rates). After deleting malware, we also recommend you to download RESTORO here and scan your computer to identify and repair virus damage caused for Windows operating system files.

Once VTUA virus removal is completed, we suggest you to take the following steps:

  • Let your local law enforcement agencies know about the cyber attack incident. You can find some references on who you should contact below the article.
  • If you have data backups, you can restore your files using them. Remember: plug your removable data storage devices to computer only after the malware is deleted, otherwise the virus will encrypt them as well.
  • Get to know how you can decrypt or repair files affected by STOP/DJVU versions.
  • Change all of your passwords for websites saved in your browsers, also for Telegram, Steam and other programs (due to the Azorult Trojan’s activity).

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats. Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

VTUA Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove VTUA Ransomware Virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove VTUA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10/11 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

  1. Wait until system loads and command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in command prompt and hit Enter.
  3. This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite, System Mechanic Ultimate Defense has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt VTUA files

Fix and open large VTUA files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1GB) files first.

  1. Create a copy of encrypted file to a separate folder using Copy > Paste commands.
  2. Now, right-click the created copy and choose Rename. Select the VTUA extension and delete it. Press Enter to save changes.
  3. In the prompt asking whether you want to make the changes as file might become unusable, click OK.
  4. Try opening the file.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. VTUA Ransomware Virus is considered the new STOP/DJVU variant, just like DARJ DAZX, TYWD, TYCX, TYOS, TYPO, JYWD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.

Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.

In order to test the tool and see if it can decrypt VTUA files, follow the given tutorial.

  1. Download the decryption tool from Emsisoft.
  2. Click the little arrow next to your download and choose Show in Folder.
  3. Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
  4. In UAC window, click Yes.
  5. Click Yes to agree to software terms in both windows.
  6. The tool will automatically include C:\ disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
    In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
  7. Click Decrypt to start restoring VTUA files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
    You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.

Meanings of decryptor's messages

The VTUA decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your VTUA extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Report Internet crime to legal departments

Victims of VTUA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

  • In the United States, go to the On Guard Online website.
  • In Australia, go to the SCAMwatch website.
  • In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
  • In Ireland, go to the An Garda Síochána website.
  • In New Zealand, go to the Consumer Affairs Scams website.
  • In the United Kingdom, go to the Action Fraud website.
  • In Canada, go to the Canadian Anti-Fraud Centre.
  • In India, go to the Indian National Cybercrime Reporting Portal.
  • In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.

Another recommendation is to contact your country's or region’s federal police or communications authority.

Frequently Asked Questions

✓ How can I open .VTUA files?

You can only open VTUA files if you have the decryption key, or if you were affected by the offline encryption type.

✓ How do I know if my files were encrypted with offline or online encryption?

To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
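The check described above, combined with the decryptor messages quoted earlier in this guide, can be scripted for triage. This is an added example, not code from this guide or from the decryptor's vendor; the function names, the placeholder IDs and the one-ID-per-line layout of PersonalID.txt are assumptions.

```python
import re

# Message patterns copied from the decryptor messages quoted in this guide.
PATTERNS = [
    ("not_in_database", re.compile(r"Unable to decrypt file with ID:\s*(\S+)")),
    ("online_no_key", re.compile(r"No key for New Variant online ID:\s*(\S+)", re.I)),
    ("offline_key_pending", re.compile(r"No key for new variant offline ID:\s*(\S+)", re.I)),
]
# ID type each decryptor verdict implies, for cross-checking against the suffix rule.
EXPECTED_TYPE = {"online_no_key": "online", "offline_key_pending": "offline"}

def id_type(personal_id):
    """Guide's rule: an ID ending in 't1' is an offline ID, otherwise online."""
    return "offline" if personal_id.strip().endswith("t1") else "online"

def read_personal_ids(text):
    """Split PersonalID.txt content into IDs (assumption: one ID per non-empty line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def triage(log_text):
    """Map each ID found in decryptor output to its status and ID type."""
    results = {}
    for line in log_text.splitlines():
        for status, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            pid = match.group(1)
            kind = id_type(pid)
            results[pid] = {
                "status": status,
                "id_type": kind,
                # False when the decryptor's verdict disagrees with the t1 suffix rule.
                "consistent": EXPECTED_TYPE.get(status, kind) == kind,
            }
            break
    return results

# Constructed sample decryptor output; the IDs are placeholders, not real victim IDs.
SAMPLE_LOG = """\
No key for New Variant online ID: EXAMPLEonlineID0001
Result: No key for new variant offline ID: EXAMPLEofflineID0002t1
Error: Unable to decrypt file with ID: EXAMPLEunknownID0003
"""

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        print(pid, info)
```

An ID whose `consistent` field is False deserves a second look, because the decryptor's message and the `t1` suffix disagree about whether the key was online or offline.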

✓ My files contain very important information (family memories). Every tool I used says it is impossible to decrypt. What should I do?

Please follow the guidance provided by the official VTUA decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).

✓ I am afraid the virus is still in my computer system. What should I do?

We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.

✓ I saw several YouTube videos suggesting secret decryption tools. Can I trust them?

Beware of fake VTUA decryption tools circulating around the web. Cyber criminals upload them to various shady websites and might also promote them via suspicious YouTube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in public media.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
