Geek's Advice

VTUA ransomware aims to lock your files to demand a ransom for decryption

VTUA ransomware virus is a new variant from file-encrypting STOP/DJVU malware family. Once it compromises the target computer system, it scans all directories and encrypts personal or work files found in them using Salsa20 crypto-algorithm and marks each of them with .vtua file extension. To illustrate, a file originally named 1.jpg appears as 1.jpg.vtua after being secured with encryption algorithm. Moreover, the file becomes impossible to open. Victims of this malware attack will immediately notice a ransom note called _readme.txt in each folder, which the virus drops as a message from the cybercriminals. The note explains that in order to regain access to all files, one needs to pay a ransom to cybercriminals. The note suggests that it is the only possible way to get VTUA file decryption tool. The price of it depends on how quickly the computer user writes to the attackers and settles an agreement. If this is done within 72 hours (3 full days), the victim becomes eligible for a 50% discount and tool would cost $490 in this scenario. Otherwise, the victim needs to pay a full amount which is $980. The attackers suggest contacting them for further information via provided email addresses: supporthelp@airmail.cc and manager@mailtemp.ch.

The main goal of VTUA ransomware is to illegally block victim’s access to his/hers own files by leveraging a complex encryption algorithm and public encryption key. In order to decrypt locked files, the victim needs a private decryption key, which is in possession of cybercriminals. In legal usages of encryption, it is used to secure information transmission, for example, by sending private data over the Internet, such as passwords, emails, and other sensitive details. However, in this case, hackers are making a bad use of it in order to extort the computer user by taking one’s data hostage.

This variant of STOP/DJVU malware works identically as its previous copies (TISC, NQSQ and others). The algorithm of this malicious program works in a way to affect the initial 150KB of information in each file. Such rule helps to corrupt files quickly and confidently, so that the whole file storage encryption could be done before the victim notices the ongoing attack. This leaves the victim with little chances of recovering data if no data backup was present prior to the attack; however, there are some ways to decrypt or repair affected files. Generally, victims affected by offline key have a chance to restore their files (we will explain this later) or use Media_Repair tool by DiskTuna to repair some audio and video files as explained in this guide.

Once this ransomware does its dirty job and illegally locks victim’s files, it surely leaves an explanation behind. Therefore, the virus saves _readme.txt note in every folder. This message explains that VTUA ransomware has encrypted all images, videos, documents, archives and other important files with “strongest” encryption. The note also ensures that not all is lost and the victim can still decrypt all data if one manages to meet the cybercriminals’ expectations. They suggest writing to them via provided email addresses along with Personal ID and one test file.

The criminals then would respond with decrypted test file version and further instructions on how to purchase cryptocurrency and make the transaction to the attacker’s virtual wallet address. However, the ransom note warns not to send a test file that contains valuable information, or the attackers might refuse to decrypt it. The reasoning behind this is related to the crooks’ fear that the victim won’t see any meaning of paying the ransom after recovering the most important information.

The _readme.txt note also includes guidelines regarding the VTUA decryption tool and key pricing. The note simply suggests that the victim can get a 50% discount if one contacts the attacker and settles an agreement within 72 hours. This time is calculated from the initial computer attack timestamp. Needless to say, the criminals most likely agree to this decryption price if the victim manages to make the transaction within this timeframe as well. However, if the victim doesn’t reach out within given timeframe, the attackers say the decryption price will be $980. Of course, they won’t accept any other form of payment other than one made in cryptocurrency such as Bitcoin. They do not accept regular payments because these can help to reveal true identity of ransomware operators.

Our team experts do not recommend paying ransoms to virtual extortionists. The same recommendations are issued by FBI. Here are some reasons why paying a ransom to crypto-malware operators isn’t a good idea:

• Regardless the amount you transfer to cybercriminals, they can disappear the minute the transaction reaches their wallets. In other words, paying does not guarantee file decryption or recovery in any way. Everything is up to cybercriminals’ hands in this situation.
• Please do not keep the ransomware cycle active – victims who choose to pay the ransom helps to keep this illegal business active. In other words, the attackers wouldn’t create so many ransomware variants if there weren’t so many victims paying to decrypt their files.
• Ransomware operators earn millions of US dollars annually. The amount of money crooks can generate attracts other people to join the illegal business.
• STOP/DJVU ransomware variants including VTUA virus tend to infect the already-compromised computer with additional malware, for instance, information stealer known as AZORULT Trojan. It can collect sensitive information from the host which may be used for further victim extortion and blackmail.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

What this ransomware does to your computer

If you have fallen victim to VTUA ransomware virus attack, we believe that it is important to clear the uncertainties and explain what the virus done to your computer system. Although you might have an idea how you got infected, let us clarify that the majority of these viruses arrive in a form of a malicious torrent download. Most of the victims report downloading a compromised software crack or keygen.

Once in the computer system, the ransomware collects some information about its operating system, user name, hardware details and software installed, then fetches victim’s geolocation information (IP address, country code, city, longitude, latitude, zip code and time zone) by connecting to “https[:]//api.2ip.ua/geo.json” domain. At this point, the ransomware checks whether the country code matches one from its exception list and if this is the case, it terminates itself without encrypting one’s files. Otherwise, it continues the attack and tries to connect to its Command & Control server to generate a unique encryption key for the victim. Once received, the virus saves it to bowsakkdestx.txt file along with victim’s personal ID string. This string is also separately saved to PersonalID.txt file.

In case the ransomware fails to connect to the said server, it switches to use a hardcoded offline encryption key for the computer. You can identify whether this key was used very easily – just look at your personal ID ending – if the last two characters are t1, it most likely means you’re affected with offline key and that is partly good news because you can expect to recover your files in the future.

Once the virus determines the encryption key to use, it begins scanning the computer system and encrypting files found in it. It has set rules to bypass system folders so that the operating system could continue functioning. During this procedure, the ransomware makes data inaccessible, marks each file with additional extension and drops ransom notes in every folder. At the same time, it showcases a fake Windows Update prompt with progress bar for the victim, trying to deceive one into thinking the system is slow due to ongoing essential updates being downloaded and installed (the prompt is launched by fake winupdate.exe process).

Next, the ransomware runs a Command Line task to delete Volume Shadow Copies from the system, thus blocking victim’s chances to recover data using System Restore points (if any were created):

^{vssadmin.exe Delete Shadows /All /Quiet}

However, this is not the last illegal modification done by the ransomware. On top of previous pile of functions that block victim’s access to own files, the virus adds a list of domain names to Windows HOSTS file. The virus maps them to localhost IP, thus causing a DNS resolution problem (DNS_PROBE_FINISHED_NXDOMAIN) when the victim attempts to access one of those websites from the list. To clarify, the malware restricts access to websites publishing guides on malware removal, tips on how to respond to ransomware attack or guides on how to recover files, plus various forums where users discuss computer problems. In simple terms, the ransomware operators do not want the victim to find help online, thus they seek to create even more tension in the current situation.

Finally, the ransomware can deliver more malware to the computer system, although the _readme.txt note says nothing about it. The sneaky virus can drop AZORULT Trojan to your PC, which is a malware used to collect sensitive information from your computer remotely. It has a set of functionalities that are listed below:

• Download and run even more malware on your computer;
• View files in your computer folders and delete them;
• Steal private information or login credentials, including cryptocurrency wallets, banking details, login credentials saved for various websites and similar;
• Steal login info of Telegram and Steam accounts.

Keeping all the damage done by this malware to your computer, we strongly recommend you to take steps to secure your information and whole computer system immediately. We suggest using robust security software with real-time protection such as INTEGO Antivirus which has excellent malware detection rate to remove existing threats from your Windows operating system. Moreover, computer experts advise downloading and scanning your PC with RESTORO to repair virus damage caused on Windows OS files.

Ransomware Summary

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware distribution tricks: avoid getting infected

It is essential to get to know how ransomware-type viruses are distributed by cybercriminals so you could avoid similar attacks in the future. There are several common attack vectors such as exploits, malicious email attachments and illegal torrent downloads. When it comes to STOP/DJVU variants such as VTUA virus, the main attack method is based on pirated software versions made available via untrustworthy torrent libraries online.

Cybercriminals prey on computer users who are willing to use peer-to-peer file sharing agents to download copies of pirated software or games and activate their premium versions for free. What is even worse, many computer users tend to interpret their security software alerts for such downloads as irrelevant. They believe that AV software always marks each download involving word “crack” as malicious; although antivirus software indeed sometimes marks such downloads falsely, in the majority of cases, it is best to stay on the safe side and avoid opening such files.

Another important thing is that if you do not immediately notice signs of computer malware, it doesn’t mean it is not there. There are many variants of malware that can reside on your computer system unnoticed for a long time, for instance, cryptocurrency miners, Trojans and other malware. Moreover, you should know that malware such as ransomware can be configured to launch after a set period of time to avoid being detected immediately.

We have aggregated a list of software names that victims of STOP/DJVU ransomware variants have tried to download from unofficial sources and ended up infected. In other words, keep in mind that cybercriminals tend to hide the described file-encrypting threat in software cracks for these programs:

• Adobe Photoshop;
• Corel Draw;
• Tenorshare 4ukey;
• Cubase;
• Adobe Illustrator;
• League of Legends;
• Windows activation tools such as KMSPico.

If you want to avoid getting infected, please try to download programs and games you need from official and confirmed sources only. Besides, we strongly encourage you to support legitimate software developers who try to create useful or entertaining programs rather than greedy criminals. The amount of money hackers will demand paying for recovery of your own data is always much higher than the cost of legitimate software license. Besides, the attackers can steal private information from your computer and blackmail you for a very long time. In other words, trying to save money by installing pirated software copies is simply not worth the risk.

Another way that cybercriminals use to distribute ransomware is malicious email spam. Typically, cybercrooks compose convincing messages and pretend to be your colleague, a representative from a well-known company (such as eBay, Amazon, or parcel delivery company). The hackers can inject a malicious script that triggers the malware download into popular document formats such as Word or PDF file. These documents arrive as email attachment along deceptive messages asking to view attached email contents as soon as possible.

The attackers will use common and legitimate-looking names for these documents, for example, invoice, payment details, order summary, waybill and similar. They can even go as far as spoofing the sender’s address to trick you into thinking the email came from a trusted sender. Our general recommendation is to avoid emails that seem even slightly suspicious or ones that you did not expect to receive.

Finally, victims of this ransomware strain should beware that cybercriminals place malicious file decryption tools online to cause double-encryption of data. One of ransomware strains that’s known for distributing non-functional STOP/DJVU data decryption tools is ZORAB. If you accidentally download this decryption tool to your computer, your files that are already encrypted would get corrupted again. We’d like to emphasize that in case an official decryption tools appears, it will be discussed in all the reputable websites covering cybersecurity news. Do not expect to find a magical tool to restore your files in shady websites online if the reputable websites do not mention existence of such software at all.

Remove VTUA Ransomware Virus and Decrypt Your Files

Now that your files are encrypted and your computer was affected by one of the most dangerous computer viruses in the wild, it is essential to secure your computer in the first place. Therefore, we have prepared in-depth guide on how to remove VTUA Ransomware Virus safely. Of course, we strongly suggest that you use a robust security software to eliminate existing threats professionally. Our team recommends INTEGO Antivirus which is VB100 certified software (in simple terms, it is confirmed to have excellent malware detection rates). After deleting malware, we also recommend you to download RESTORO here and scan your computer to identify and repair virus damage caused for Windows operating system files.

Once VTUA virus removal is completed, we suggest you to take the following steps:

• Let your local law enforcement agencies know about the cyber attack incident. You can find some references on who you should contact below the article.
• If you have data backups, you can restore your files using them. Remember: plug your removable data storage devices to computer only after the malware is deleted, otherwise the virus will encrypt them as well.
• Get to know how you can decrypt or repair files affected by STOP/DJVU versions.
• Change all of your passwords for websites saved in your browsers, also for Telegram, Steam and other programs (due to the Azorult Trojan’s activity).

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.