.Arena Virus File Ransomware Removal

A newly discovered Ransomware cryptovirus named .Arena Virus is lurking on the web and infecting numerous computers and encrypting the files on them, all around the world. Many victims have recently contacted our “How to remove” team with a call for help because their files have been encrypted by the nasty malware. For this reason, we dedicated this entire article to .Arena Virus and all the possible methods of dealing with its malicious consequences. Before we give you any hope of removing the Ransomware and getting back your files, we need to warn you that the attack of .Arena Virus can be very harmful to you if you don’t have a full file backup of your data. This cryptovirus basically acts as a blackmail tool that blocks the access of your files (by applying a secret encryption to them) and then asks you to pay ransom to decrypt them. The hackers, who control the infection, prompt their victims to purchase a decryption key in order to retrieve the important documents, images, audio and video files that have been encrypted.

.Arena virus file

 After the attack, it is almost impossible to open or use any of the affected files because the Ransomware usually changes their file extension and make them unrecognizable for the system or any other software. What is more, the malware may automatically start with Windows every time it launches and may attempt to encrypt other devices that are connected to the infected computer or the data that you have managed to restore. That’s why, if you want to continue to use your computer safely, we would highly recommend you not to pay any ransom but to remove the Ransomware with the help of the removal guide below. Unfortunately, it is not that easy to break the secret encryption and recover the affected files, but in the next lines, we are going to do our best to help you minimize the negative consequences of the .Arena Virus attack. 

Specifics regarding the Arena virus

 One thing to note with regards to this nasty malware is that this virus is from the CryptMix Ransomware family. The reason why it is referred to as the .Arena Ransomware has to do with the fact that once a file gets encrypted by it, the extension of the file gets changed to .arena. Another thing to keep in mind is that the file name would also get changed by the virus during the encryption process to a hexadecimal string. 

 The CryptoMix/.Arena virus should not be confused to another Ransowmare variant known as Crysis which also uses the .arena file extension when it encrypts the targeted user files. The main difference between CryptoMix and Crysis is that the latter does not change the name of the files that it tries to encrypt.

One other thing that needs to be pointed out when talking about this Ransomware is that it can operate even if the infected PC does not currently have Internet connection. The virus is capable of functioning independently as it contains and can use 11 public RSA-1024 encryption keys which allows .Arena to lock-up the data that it has targeted irrespective of whether the computer is connected to the Internet. Disconnecting your PC in the midst of an infection by this Ransomware would not alter the outcome of the infection whatsoever!


If you have been attacked by .Arena Virus, carefully research your options!

Ransomware, in general, is very tricky malware which has been making the news headlines with its newest and most sophisticated versions. The problem with threats like .Arena Virus is that they can sneak inside your computer practically undetected and can block the access to your files until you pay a certain amount of money (usually required as a Bitcoin payment) to the criminal creators, who stand behind the infection. The crooks target files which are commonly used in order to prevent users from accessing their most favorite and most needed data. Usually the affected files contain popular extensions such as .doc, .docx, .txt, .xls, .xlsx, .gif, .jpg, .png, .pdf, .pps, .ppt, .pptx, .odt, .db, .csv, .sql, .mdb .sm.php, .asp, .aspx, mp3, .mp4, .avi, .mov, .mpg, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf , .ncf, .nsf, .ntf, .lwp. When the encryption process is complete, .Arena Virus automatically generates a ransom message and places it on the screen of the infected computer. A short deadline is given to the victims to fulfill the ransom demands, otherwise, the hackers may not give them a decryption key with which they should regain their access. The amount requested may vary a lot and from a few bucks it may reach up to a couple of thousands, but we strongly discourage you to pay it, even if it is not that big because it may really not save your files. In most of the cases, the crooks vanish with the money the moment they get it and never send a decryption solution to the victims.

Update: We have received reports and information about a lot of instances of users who have actually made the payment to the hackers without actually getting their files unlocked. In certain instances, victims of the .Arena virus have paid as much as 1500 Euro only to find out that their data would still not get decrypted. Therefore, we strongly recommend that you seek an alternative solution to any issues related to this particular Ransomware.

So, with this in mind, what we can suggest is that you remove .Arena Virus and rather invest your money in a good system protection than sponsoring the hackers and their criminal blackmail scheme. In the free removal guide below we have published the exact steps that you need to take in order to detect and eliminate the Ransomware. For best results, we recommend you scan your PC with the professional malware removal tool and combine it with the guide. Once you have removed the infection and all of its traces, we suggest you check all of your external devices and cloud storage for copies of your encrypted files. You may be able to recover some of them this way, or if you have a full file backup, that would be the best. In case you have no backups, unfortunately, there aren’t many options that can help you recover what has been encrypted, but you can give a try to our file-restoration instructions or contact a Ransomware recovery specialist for additional assistance.

The Ransom Note

We have been able to obtain information regarding the ransom-demanding notepad file that the virus creates on the user’s computer after it has finished encrypting the targeted personal data. Here is what is normally written within the message through which the hacker informs the user that a ransom payment needs to be paid so that the files would get unlocked:

All your files have been encrypted! If you want to restore them, write us to the e-mail : ms.heisenberg@aol.com Write this ID in the title of your message DECRYPT-ID-[id] number number In case of no answer in 48 hours write us to these e-mails : ms.heisenberg@aol.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 files for free decryption. The total size of files must be less than 2 Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beg

If you have received the same note after having your personal data encryted, then you are more than likely one of the numerous users who have had the bad luck of landing the .Arena virus ransomware and having their files locked-up by it. If this is your case, be sure to have a look at the removal guide below that might help you handle the nasty Arena crypto virus.

.Arena Virus File Ransomware Removal

Prior to starting to execute the steps from the guide, we advise you to either bookmark this page or open it on a separate device since throughout the process of completing the guide, you might need to exit your browser.

1: Using Safe Mode

Before beginning to troubleshoot the issue, you are advised to enter Safe Mode on your PC. If you do not know how to do that, use this guide on how to enter Safe Mode.

2: Spotting the process

Open your Task Manager using the Ctrl + Shift + Esc key combination. Next, go to the processes tab and carefully look through the list for any shady entries. Usually, malicious processes will be consuming large amounts of CPU and RAM and will either have no description or will have a suspicious-looking one.

Once you identify the virus’ process, right-click on it and select Open File Location. Delete everything in the folder that opens if you are sure that the process was malicious. If you are not sure, contact us in the comments.

Go back to the Task Manager and end the potentially harmful process.

3: Hosts file IP’s

Go to your start menu and in the search field, paste the following address: notepad %windir%/system32/Drivers/etc/hosts. Select the first result and look at the bottom of the newly opened notepad file. See if there are any IP’s below “Localhost” and tell us in the comments if there were any IP addresses. 

4: System Configuration Startup Programs

Type System Configuration in the Windows search bar and open the first result. Go to the Startup tab and take a look at the list of startup programs (on Windows 10, the Startup programs can be seen in the Startup Section of the Task Manager). If any of them look shady or have unknown manufacturer or a manufacturer with a sketchy name, uncheck those entries and click on OK.

5: Registry

Open the Run window (WinKey + R), type regedit and press Enter. Once the Registry Editor opens, press Ctrl + F and type the name of the virus. Select Find Next and delete whatever gets found that has the virus’ name. Do that with all search results.

6: Deleting potential virus files

Open the Start Menu and separately type each of the following locations: %AppData% %LocalAppData% %ProgramData% %WinDir% %Temp% . Open each of those folders and sort their contents by date. Delete the most recent files and folders. When you open the Temp folder, delete everything in it.

7: Potential Decryption Method

In this final step, we will show you how to use a free software tool developed by Trend Micro that might help you unlock your files. Note that the Ransomware Decryptor that we are going to introduce you to can manage to decrypt files sealed by a limited number of Ransomware virus versions. However, the tool receives frequent updates with which it becomes able to handle more and more Ransomware variants. Here is how to use it:

  1. Follow this link to download the tool.
  2. Once you’ve downloaded the decryptor, unzip the file and launch the .exe file that will be created.
  3. Read the Terms of use and select Agree to be able to use the program.
  4. Use the upper option from the program’s interface (labeled Select) to open a list of Ransomware viruses that the tool can potentially decrypt. From the list, select the virus that has locked-up your files.                            
    • If you do not know which Ransomware has infected your PC, go check the ransom note that the virus has left behind – its name should usually be available there.
    • Also, you can use the I don’t know the ransomware name option. If you use this, when you select a Ransomware-encrypted files, the tool will attempt to automatically determine the name of the exact virus that has sealed the file. 
  5. Next, click on the second option (Select and Decrypt) and choose a folder or a file that you wan’t the program to decrypt. Once you have selected the folder/file, click on OK
    • There are several versions of Ransomware that require an extra step. For example, if you have chosen to unlock files encrytped by XORIST, XORBAT or several other viruses, the tool will require of you to provide an a pair of two files – an encrypted one and a unencrypted version of the same file. This is needed for the program to decypher the code that has been used for the other data locked up by those specific Ransomware viruses.
  6. Wait for the process to finish, depending on the number and size of the files that you want to get unlocked, the time required for the process to finish might vary.

About the author

Adrian Bitterson

1 Comment

Leave a Comment