If you are on this page, then you have undoubtedly encountered the most dangerous commercial strain of viruses on the planet – Ransomware. Ransomware are crypto viruses that encrypt (lock) your files and then proceed to spread to other PCs on the same network, demanding payment (typically in bitcoins) to release the files. Until months after an infestation has begun, there are no known reliable remedies to ransomware, which means that if you are on this page, you will likely have to wait for one, buy a reputable file recovery software, or pay the ransom, which in this case runs to thousands of dollars. However, we strongly advise against paying the “Oops your files have been encrypted” Virus ransom, since the crooks have no particular reason to return your files once they have your money.
“Oops your files have been encrypted” Virus in particular is currently spreading like wildfire in the most massive and insurmountable infection campaign of all time. No other ransomware has been seen on this scale. Even the Locky Ransomware of 2016, which was dubbed the biggest cyber threat in the world, pales in comparison to the scale of this threat. In the news we have uncovered that currently:
- A number of airports were encrypted, leaving dozens – if not hundreds – of flights to be canceled outright until the situation is resolved.
- Reportedly the Russian ministry of interior is encrypted by “Oops your files have been encrypted” Virus.
- Unlike smaller ransomware campaigns, this has spread worldwide – locally transmitted ransomware are quick to die out. “Oops your files have been encrypted” Virus in particular promises to remain for a long time.
The classic ransomware sample is distributed via a variety of phishing techniques, such as spam emails with shock-value attachments (for example, an important tax notice) designed for one purpose only – to make you click on them. Once that is achieved, the ransomware spreads silently into your system via a Trojan and starts locking up your files. If you pay, the Trojan is also able to record your payment credentials, meaning the attackers can extract more money from you once they are done. Make no mistake – if you pay, you are not only supporting the people behind the ransomware, but are also leaving yourself at the mercy of people who invaded your PC and demanded ransom.
The ciphers used by ransomware are the same strong, practically unbreakable algorithms that were designed to keep information secure. Unfortunately, this technology has been turned against users by criminals, and the payday they make is enough to run a business on it. Unlike common ransomware, however, “Oops your files have been encrypted” Virus is uniquely distributed because of a Windows exploit supposedly planted by the NSA. After the big leak of the exploit, criminals decided to take advantage of it. While there is still a Trojan in your system, the main entry point is in fact not malspam but the exploit – which leaves practically every PC that hasn’t patched the vulnerability exposed. The security patch was delivered through Windows Update weeks ago, but due to most users’ inability or reluctance to patch, millions of systems remain exposed. This includes many corporations.
One of the biggest marks of any ransomware campaign is the rapid spread of infection. One of the worst things you can do is send ANY file related to “Oops your files have been encrypted” Virus to an acquaintance of yours, including the ransom note. Every single one of the files contains a piece of code that can successfully infect the other person’s PC as well.
The removal guide below is specifically tailored to help users remove “Oops your files have been encrypted” Virus; however, it is important to note that this pertains only to the virus itself. Once encrypted, there is very little that can actually help your files, so we urge you not to have unrealistic expectations of what can be achieved. Nevertheless, if you follow the steps word for word, you have a good chance to secure your system and erase all traces of the threat.
“Oops your files have been encrypted” Virus Removal
Prior to starting to execute the steps from the guide, we advise you to either bookmark this page or open it on a separate device since throughout the process of completing the guide, you might need to exit your browser.
1: Using Safe Mode
Before beginning to troubleshoot the issue, you are advised to enter Safe Mode on your PC. If you do not know how to do that, use this guide on how to enter Safe Mode.
2: Spotting the process
Open your Task Manager using the Ctrl + Shift + Esc key combination. Next, go to the processes tab and carefully look through the list for any shady entries. Usually, malicious processes will be consuming large amounts of CPU and RAM and will either have no description or will have a suspicious-looking one.
Once you identify the virus’ process, right-click on it and select Open File Location. Delete everything in the folder that opens if you are sure that the process was malicious. If you are not sure, contact us in the comments.
Go back to the Task Manager and end the potentially harmful process.
3: Hosts file IPs
Go to your start menu and in the search field, paste the following address: notepad %windir%/system32/Drivers/etc/hosts. Select the first result and look at the bottom of the newly opened Notepad file. See if there are any IP addresses listed below “Localhost” and tell us in the comments if there were any.
4: System Configuration Startup Programs
Type System Configuration in the Windows search bar and open the first result. Go to the Startup tab and take a look at the list of startup programs (on Windows 10, the startup programs can be seen in the Startup section of the Task Manager). If any of them look shady, have an unknown manufacturer, or have a manufacturer with a sketchy name, uncheck those entries and click OK.
5: Registry Editor
Open the Run window (WinKey + R), type regedit and press Enter. Once the Registry Editor opens, press Ctrl + F and type the name of the virus. Select Find Next and delete whatever gets found that has the virus’ name. Do that with all search results.
6: Deleting potential virus files
Open the Start Menu and separately type each of the following locations: %AppData% %LocalAppData% %ProgramData% %WinDir% %Temp% . Open each of those folders and sort their contents by date. Delete the most recent files and folders. When you open the Temp folder, delete everything in it.
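As an added example (not part of the original guide), the PowerShell script below collects in one pass the evidence that steps 3, 4 and 6 ask you to look for: hosts entries other than localhost, autostart entries under the Run/RunOnce keys, and the most recently modified files in the folders named above. It is read-only and deletes nothing; the three-day window is an assumption you can adjust.

```powershell
# Read-only triage of the locations named in steps 3, 4 and 6. Reports only, never deletes.
$ErrorActionPreference = 'SilentlyContinue'

# Step 3: hosts file lines that are neither comments, blank, nor the standard loopback entries
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
Write-Host "== hosts entries other than localhost ($hostsPath) =="
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { Write-Host "  $_" }

# Step 4: programs registered to start automatically for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== autostart (Run/RunOnce) entries =="
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props) { continue }
    # Skip the PS* metadata properties the registry provider adds to every item
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Write-Host "  [$key] $($_.Name) = $($_.Value)" }
}

# Step 6: newest files in the folders the guide tells you to sort by date
$folders = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP)
$since = (Get-Date).AddDays(-3)   # assumption: the infection is recent; widen if needed
Write-Host "== files modified since $since (15 newest per folder) =="
foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 15 |
        ForEach-Object { Write-Host ("  {0}  {1,10}  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName) }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and %WinDir% are readable; the %WinDir% scan can take a few minutes.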