This week, computer security experts have received reports of yet another ransomware, called EMPTY ransomware. This ransomware virus spreads via spam emails and malware files and appends the .EMPTY extension to encrypted files.
The EMPTY virus is a new variant of the CryptoMix ransomware, made to encrypt the user’s personal photos, documents and music found on the infected machine using a strong encryption algorithm with a 1024-bit key, appending the .EMPTY extension to all encrypted documents, photos and music. Once the encryption procedure is done, it displays a ransom note offering to decrypt all of the user’s photos, documents and music if a payment is made.
Table of contents
- What is EMPTY ransomware
- How to decrypt .EMPTY files
- How to remove EMPTY ransomware virus
- How to restore .EMPTY files
- How to prevent your computer from becoming infected by EMPTY virus?
- How does your personal computer get infected with EMPTY virus
- Finish words
The ransom note encourages victims to contact EMPTY’s makers by sending an email to firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org in order to decrypt all documents, photos and music. These persons will require a ransom to be paid (usually $300-1000 in Bitcoins). We don’t recommend paying the ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to restore .EMPTY files for free using free tools like ShadowExplorer and PhotoRec.
Therefore it’s very important to follow the step-by-step instructions below as soon as possible. The guidance will help you remove EMPTY ransomware. What is more, the step-by-step guide below will help you restore encrypted documents, photos and music for free.
What is EMPTY ransomware virus
The EMPTY virus is a variant of the crypto viruses (malware which encrypts personal files and demands a ransom) from the CryptoMix family. It affects all current versions of the MS Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses a strong encryption algorithm with a 1024-bit key to eliminate the possibility of brute-forcing a key that would allow decrypting the encrypted photos, documents and music.
When the ransomware virus infects a system, it uses system directories to store its own files. To run automatically whenever you turn on your system, the EMPTY virus creates a registry entry in Windows under the following keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension as the way to define the group of files that will be subjected to encryption. It encrypts almost all types of files, including common ones such as:
.vfs0, .wav, .bay, .mpqge, .xld, .rar, .xll, .litemod, .tax, .mddata, .ai, .ltx, .zdb, .rwl, .itm, .xlsm, .webdoc, .upk, .sidn, .cfr, .mef, .dcr, .xlsb, .wbd, .y, .wpa, .ff, .zabw, .qdf, .wsd, .raw, .arch00, .dng, .srf, .xmind, .p12, .eps, .mrwref, .hplg, .wcf, .forge, .mov, .odc, .xy3, .wps, .3fr, .hkx, .py, .der, .doc, .accdb, .r3d, .wm, .sql, .wri, .erf, .zip, .ibank, .vdf, .x, .svg, .3dm, .sie, .gdb, .odp, .raf, .yal, .hvpl, .wmv, .epk, .m4a, .docm, .iwd, .pst, .x3d, .xbplate, .odb, .itl, .iwi, .rtf, .jpg, .xml, .wp, .wgz, .bc7, .sb, .crw, .bkp, .ws, .3ds, .pptm, .mp4, .js, .dxg, .png, .xlsm, .wbk, .bc6, .wot, .icxs, .ptx, .dmp, .ysp, .xwp, .odm, .wma, .gho, .vpk, .vpp_pc, .wotreplay, .xlgc, .m2, .w3x, .wp6, .d3dbsp, .txt, .sav, .xx, .indd, .wpl, .zif, .kdb, .ybk, .wbm, .rim, .ztmp, .xdb, .hkdb, .db0, .dwg, .pkpass, .sum, .xlsx, .zip, .fsh, .cdr, .vtf, .zdc, .wp4, .wp7, .cas, .mdbackup, .wmv, .crt, wallet, .wpg, .1st, .sis, .arw, .slm, .dbf, .mdf, .xbdoc, .xlk, .dba, .pef, .nrw, .psd, .menu, .apk, .pdd, .mcmeta, .fos, .qic, .wb2, .pptx, .itdb, .xls, .esm, .odt, .wbmp, .wpt, .sr2, .lbf, .lrf, .kf, .xyw, .wbc, .xxx, .snx, .sid, .desc, .map, .wpw, .big, .wmo, .wpd, .cer, .srw, .z, .pem, .1, .wsc, .syncdb, .wp5, .xar, .wbz, .lvl, .xyp, .z3d, .wdp, .jpeg, .7z, .xpm, .ncf, .p7c, .asset, .rw2, .wpe, .wps, .cr2, .jpe, .m3u, .docx, .mlx, .ods, .re4
Once a file is encrypted, the EMPTY ransomware modifies the filename by appending the .EMPTY extension. Next, the ransomware virus creates a file called “_HELP_INSTRUCTION.TXT”. This file contains instructions on how to decrypt all encrypted files. An example of this note is:
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
We will help You as soon as possible!
The EMPTY virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It tries to pressure the user of the infected system into paying the ransom without hesitation, in an attempt to restore their personal files.
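As an added triage script (not part of the original guide), the following PowerShell lists the HKCU Run and RunOnce values named above and sweeps every drive for .EMPTY files and _HELP_INSTRUCTION.TXT notes, so you can see how far the encryption got before starting the removal steps. It is read-only; the report path on the Desktop is an assumption.

```powershell
# Added triage script, not part of the original guide. Read-only: it lists the
# HKCU autorun values the guide names and sweeps every drive for .EMPTY files
# and _HELP_INSTRUCTION.TXT notes, then writes the file list to a CSV report.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report = Join-Path $env:USERPROFILE 'Desktop\empty-triage.csv'   # assumed path

Write-Host "== Autorun entries (HKCU) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider bookkeeping
        Write-Host ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

Write-Host "`n== Encrypted files and ransom notes =="
$found = @()
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 })) {
    $enc   = @(Get-ChildItem -Path $d.Root -Filter '*.EMPTY' -File -Recurse -Force -ErrorAction SilentlyContinue)
    $notes = @(Get-ChildItem -Path $d.Root -Filter '_HELP_INSTRUCTION.TXT' -File -Recurse -Force -ErrorAction SilentlyContinue)
    Write-Host ("{0} {1} .EMPTY files, {2} ransom notes" -f $d.Root, $enc.Count, $notes.Count)
    if ($enc.Count -gt 0) {
        # The oldest encrypted file approximates when encryption started on this drive
        $first = $enc | Sort-Object LastWriteTime | Select-Object -First 1
        Write-Host ("  earliest: {0} ({1})" -f $first.FullName, $first.LastWriteTime)
    }
    $found += $enc + $notes
}
if ($found.Count -gt 0) {
    $found | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path $report -NoTypeInformation
    Write-Host "`nReport written to $report"
}
```

Keep the CSV: the earliest timestamp and the drives affected are what a helper on the forum will ask for first.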
How to decrypt .EMPTY files
Currently there is no available way to decrypt .EMPTY files, but you have a chance to recover encrypted photos, documents and music for free. The ransomware virus repeatedly tells the victim that it uses very strong hybrid encryption with a large key. What this means is that decrypting the files is impossible without the private key. Brute-forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the developers of the EMPTY ransomware the entire amount requested is the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after paying the ransom to the makers of the EMPTY ransomware virus, they will provide the key necessary to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove EMPTY ransomware virus
Most commonly it is not possible to get rid of the EMPTY ransomware virus manually. For that reason, our team has developed several removal methods, which we have summarized in the detailed guidance below. Therefore, if you have the EMPTY ransomware on your computer and are currently trying to have it removed, feel free to follow the steps below in order to resolve your problem. Read it through once; after doing so, please print this page, as you may need to close your browser or restart your PC.
Remove EMPTY ransomware with Zemana Anti-malware
We advise using Zemana Anti-malware. You can download and install Zemana Anti-malware to scan for and remove the EMPTY ransomware virus from your machine. When installed and updated, the malicious software remover will automatically scan for and detect all threats present on the personal computer.
Download Zemana anti-malware by clicking on the following link and save it directly to your Microsoft Windows Desktop.
Once the download is done, start it and follow the prompts. Once installed, Zemana Anti-malware will try to update itself, and when this procedure is finished, press the “Scan” button. It will scan the whole system for the EMPTY virus and other malicious software.
Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. When malicious software, ‘ad supported’ software or PUPs are found, the number of security threats will change accordingly. Wait until the check is finished. When you’re ready, press the “Next” button.
Zemana Anti-malware will begin removing all detected folders, files, services and registry entries.
Scan and clean your PC of EMPTY virus with Malwarebytes
Getting rid of the EMPTY ransomware infection manually is difficult, and often the ransomware is not completely removed. Therefore, we recommend you run Malwarebytes Free, which will completely clean your PC system. Moreover, the free application will allow you to remove malware, PUPs, toolbars and ad-supported software that your system may also be infected with.
Download Malwarebytes on your Microsoft Windows Desktop by clicking on the following link.
When the download is complete, close all programs and windows on your machine. Double-click the setup file named mb3-setup. If the “User Account Control” prompt pops up as shown in the figure below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Malwarebytes on your personal computer. Follow the prompts and don’t make any changes to default settings.
Once the install has completed successfully, click the Finish button. Malwarebytes will start automatically and you will see its main screen, like below.
Now click the “Scan Now” button to check your system for the EMPTY ransomware virus and other trojans and harmful software. A system scan can take anywhere from 5 to 30 minutes, depending on your PC. During the scan it will detect all threats present on your personal computer.
After it has finished scanning, you will be shown the list of all items detected on your personal computer. When you’re ready, press the “Quarantine Selected” button. Malwarebytes will start removing the EMPTY virus and other security threats. Once disinfection is finished, you may be prompted to reboot the machine.
We advise you to watch the following video, which fully explains the procedure of using Malwarebytes to remove ransomware infections and other malware.
Double-check for EMPTY ransomware virus with KVRT
KVRT is a free portable program that scans your personal computer for ad-supported software, PUPs and ransomware like the EMPTY virus and helps remove them easily. Moreover, it will also help you get rid of any harmful internet browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your MS Windows desktop.
When the download is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen as shown in the figure below.
Click Change Parameters and set a check next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to perform a system scan with this tool for the EMPTY ransomware virus and other known infections. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. While the program is scanning, you can see the count of objects it has identified as threats.
After it has finished, you will be shown the list of all threats found on your computer, as in the image below.
Make sure all harmful entries are ‘selected’ and click Continue to begin the cleaning procedure.
How to restore .EMPTY files
In some cases, you can restore files encrypted by the EMPTY virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Recover .EMPTY files with ShadowExplorer
If automated backup (System Restore) is enabled, you can use it to restore all encrypted files to previous versions.
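Before downloading ShadowExplorer it is worth confirming that the restore points it depends on still exist. The following PowerShell check is an added example, not part of the original guide; it lists the Volume Shadow Copies per drive letter and the state of the VSS service.

```powershell
# Added check, not part of the original guide. ShadowExplorer can only show
# Volume Shadow Copies that still exist; this lists them per drive letter so
# you know whether the restore points the guide describes are available.
# Run from an elevated PowerShell window (Win32_ShadowCopy requires admin).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

if ($shadows.Count -eq 0) {
    Write-Host "No shadow copies exist: ShadowExplorer will have no restore points to offer."
} else {
    foreach ($s in ($shadows | Sort-Object InstallDate)) {
        # VolumeName is a \\?\Volume{GUID}\ path; map it back to the drive letter
        $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
        $letter = if ($vol) { $vol.DriveLetter } else { $s.VolumeName }
        # InstallDate is the snapshot time shown in ShadowExplorer's date list
        Write-Host ("{0}  created {1}  id {2}" -f $letter, $s.InstallDate, $s.ID)
    }
}

# System Protection relies on the VSS service; confirm it is not disabled
Get-Service -Name VSS | Select-Object Name, Status, StartType
```

If the list is empty, skip straight to the PhotoRec method below; only snapshots created before the encryption are useful.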
Download ShadowExplorer from the following link. Save it on your Windows desktop or in any other place. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
Once the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed in the image below.
Start ShadowExplorerPortable. You will see a window as displayed in the following example.
From the first drop-down list you can choose the drive that contains encrypted documents, photos and music; from the second drop-down list you can select the date that you wish to recover from (1 – drive, 2 – restore point, as in the image below).
Right-click an entire folder or any one encrypted file and select Export, as shown below.
It will open a prompt asking where you’d like to recover the file or the contents of the folder to.
Restore .EMPTY files with PhotoRec
Before a file is encrypted, the EMPTY ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file recover software like PhotoRec.
Download PhotoRec from the link below and save it to your Desktop.
When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It will show a screen as in the image below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed in the figure below.
Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, click the Browse button to choose where restored files should be written, then click Search.
The count of recovered files is updated in real time. All restored documents, photos and music are written to the folder that you selected in the previous step. You can access the files even before the restore process is finished.
When the restore is finished, press the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents as displayed in the image below.
All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
How to prevent your PC system from becoming infected by EMPTY virus?
Most antivirus software already has a built-in protection system against ransomware viruses. Therefore, if your computer does not have an antivirus application, make sure you install one. As extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your PC from EMPTY ransomware virus
Download CryptoPrevent by clicking on the link below and save it to your Desktop.
Run it and follow the setup wizard. Once the installation is done, you will be shown a window where you can select a level of protection, as shown below.
Now click the Apply button to activate the protection.
How does your system get infected with EMPTY virus
The EMPTY ransomware virus is distributed through the use of spam emails. Below is an example of an email carrying a ransomware virus like EMPTY ransomware.
Once this attachment has been opened, the ransomware infection runs automatically, without you even noticing. The EMPTY ransomware virus will begin the encryption process. When this process is finished, it will show the usual ransom note, like the one above, in _HELP_INSTRUCTION.TXT.
Once you have completed the few simple steps outlined above, your machine should be clean of the EMPTY ransomware virus and other malware. Your personal computer will no longer encrypt your files. Unfortunately, if the step-by-step tutorial does not help you, then you have caught a new variant of the ransomware, and the best way forward is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next, click the “Do a system scan only” button.
- Once the check is finished, the scan button will read “Save log”; press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link and confirm your account. After that, log in.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can help you more accurately.
- Wait for one of our trained “Security Team” members or a Site Administrator to provide you with knowledgeable assistance tailored to your problem with the EMPTY ransomware virus.