Computer security experts discovered a new variant of the CryptoMix ransomware which called Shark virus. It appends the SHARK extension to encrypted file names. This post will provide you with all the things you need to know about ransomware virus, how to remove Shark ransomware virus from your machine and how to recover all encrypted files for free.
The Shark ransomware virus uses RSA-2048 key (AES 256-bit encryption method). When the ransomware encrypts a file, it will append the SHARK extension to each encrypted file. Once the ransomware virus finished enciphering of all files, it will drop a file called “_HELP_INSTRUCTION.TXT” with tutorial on how to decrypt all photos, documents and music.
The ransomnote encourages victim to contact Shark’s creators (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org) in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. Especially since you have a chance to restore your photos, documents and music for free using free tools such as ShadowExplorer and PhotoRec.
We advise you to get rid of Shark ransomware virus as soon as possible, until the presence of the virus has not led to even worse consequences. You need to follow the step-by-step guidance below that will help you to completely remove Shark ransomware virus from your machine as well as recover encrypted documents, photos and music, using only few free tools.
Table of contents
- What is Shark ransomware virus
- How to decrypt .SHARK files
- How to remove Shark ransomware
- How to restore .SHARK files
- How to prevent your personal computer from becoming infected by Shark ransomware virus?
- To sum up
What is Shark ransomware virus
Shark ransomware is a variant of crypto viruses (malware which encrypt personal files and demand a ransom) from the CryptoMix family. It affects all current versions of Microsoft Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware virus uses a hybrid AES + RSA encryption mode to eliminate the possibility of brute force a key which will allow to decrypt encrypted documents, photos and music.
When the ransomware infects a PC, it uses system directories to store own files. To run automatically whenever you turn on your computer, Shark ransomware creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.nrw, .wmd, .zabw, .itdb, .xls, .pptm, .pak, .wbc, .x, .xlsm, .wmf, .fos, .wbm, .srw, .xy3, .wma, .ysp, .vdf, .mdf, .mp4, .layout, .xlsm, .odb, .kdb, .pst, .wmo, .sum, .fpk, .3dm, .wsc, .3ds, .dwg, .docx, .mef, .vfs0, .dazip, .xlsx, .map, .ppt, .sql, .raf, .iwd, .rgss3a, .dbf, .ai, .menu, .t13, .py, .wn, .xx, .wdp, .forge, .wbd, .ws, .mov, .wb2, .wpb, .xmind, .webp, .raw, .mlx, .rar, .ff, .0, .xdl, .lvl, .xbplate, .wbk, .2bp, .cfr, .itl, .odp, .kdc, .das, .wav, .epk, .vpk, .psd, .dxg, .flv, .dng, .kf, .xbdoc, .sr2, .zip, .m2, .dba, .x3f, .ods, .p12, .arw, .mrwref, .wpw, .wmv, .1, .hkx, .z3d, .crw, .1st, .7z, .xwp, .syncdb, .itm, .pdd, .wm, .wbmp, .xlk, .vpp_pc, .xf, .js, .3fr, .wps, .xyp, .wgz, .wdb, .x3d, .pkpass, .ybk, .qdf, .ztmp, .asset, .wotreplay, .rofl, .jpg, .p7c, .accdb, .pfx, .srf, .vtf, .zip, .indd, .wp7, .mcmeta, .rb, .wp4, .xyw, .xlgc, .ptx, .rwl, .hplg, .docm, .mpqge, .zdc, .db0, .vcf, .blob, .fsh, .ncf, .wp5, .hkdb, .bc6, .cas, .odt, .m3u, .pdf, .wot, .x3f, .lbf, .jpeg, .ibank, .wri, .wpt, .tor, .der, .wma, .sie, .rtf, .sb, .bkp, .apk, .pptx, .re4, .mdbackup, .sis, .gdb, .dmp, .zi, .bkf, .xdb, .wbz, .hvpl, .rim, .wpd, .bsa, .odm, .wsd, .big, .sidn, .odc, .cdr, .bar, .yal, .cer, .m4a, .dcr, .xld, .bik, .avi, .p7b, .orf, .wpl, .wpe, .xpm, .ntl, .erf, .xll, .wsh, .iwi, .mddata, .cr2, .wmv
Once a file is encrypted, its extension changed to SHARK. Next, the ransomware virus creates a file called “_HELP_INSTRUCTION.TXT”. This file contain guidance on how to decrypt all encrypted personal files. An example of the guidance is:
Hello! Attention! All Your data was encrypted! For specific informartion, please send us an email with Your ID number: email@example.com firstname.lastname@example.org email@example.com We will help You as soon as possible!
The Shark virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It is trying to force the user of the infected system, do not hesitate to pay a ransom, in an attempt to recover their photos, documents and music.
How to decrypt .SHARK files
Currently there is no available solution to decrypt SHARK files, but you have a chance to restore encrypted personal files for free. The virus repeatedly tells the victim that uses RSA-2048 key (AES 256-bit encryption method). What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the developers of the Shark ransomware virus entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the developers of the Shark ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
How to remove Shark ransomware
Most commonly it’s not possible to remove the Shark ransomware manually. For that reason, our team developed several removal methods which we’ve summarized in a detailed tutorial below. Therefore, if you have the Shark ransomware on your PC and are currently trying to have it removed then feel free to follow the tutorial below in order to resolve your problem. Certain of the steps will require you to restart your computer or exit this page. So, read this guide carefully, then bookmark or print it for later reference.
How to automatically delete Shark virus with Zemana Anti-malware
You can delete Shark ransomware virus automatically with a help of Zemana Anti-malware. We suggest this malware removal utility because it may easily remove viruses, potentially unwanted programs, ad-supported software and toolbars with all their components such as folders, files and registry entries.
Download Zemana Anti Malware (ZAM) by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
When the download is finished, run it and follow the prompts. Once installed, the Zemana Anti Malware will try to update itself and when this procedure is finished, click the “Scan” button to search for Shark virus and other malware and PUPs.
Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. While the Zemana Anti Malware tool is checking, you can see number of objects it has identified as being infected by malicious software. In order to delete all threats, simply press “Next” button.
The Zemana Free will start to remove Shark ransomware virus related files, folders and registry keys.
Scan and free your computer of ransomware virus with Malwarebytes
Manual Shark ransomware virus removal requires some computer skills. Some files and registry entries that created by the ransomware can be not completely removed. We advise that use the Malwarebytes Free that are completely clean your system of ransomware virus. Moreover, the free application will help you to remove malicious software, PUPs, adware and toolbars that your PC can be infected too.
Download MalwareBytes Anti Malware by clicking on the following link. Save it on your Microsoft Windows desktop or in any other place.
Category: Security tools
Update: November 9, 2017
After the download is finished, close all applications and windows on your machine. Double-click the setup file named mb3-setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.
It will open the “Setup wizard” which will help you set up MalwareBytes Anti Malware on your machine. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, press Finish button. MalwareBytes Anti-Malware (MBAM) will automatically start and you can see its main screen as on the image below.
Now click the “Scan Now” button to find Shark ransomware and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system.
Once the scanning is complete, MalwareBytes AntiMalware (MBAM) will create a list of undesired and adware applications. Review the scan results and then press “Quarantine Selected” button. The MalwareBytes Free will begin to get rid of Shark ransomware related files, folders and registry keys. When finished, you may be prompted to restart the PC system.
We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes to remove adware, browser hijacker and other malicious software.
Use KVRT to delete Shark ransomware virus from the PC
KVRT is a free portable program that scans your computer for adware, potentially unwanted software and ransomware such as Shark virus and helps delete them easily. Moreover, it will also allow you remove any malicious web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it on your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
When the download is finished, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button .Kaspersky virus removal tool application will scan through the whole personal computer for the Shark virus and other trojans and harmful programs. A system scan may take anywhere from 5 to 30 minutes, depending on your PC. During the scan KVRT will find threats exist on your computer.
After the scanning is finished, the results are displayed in the scan report as displayed in the following example.
Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to begin a cleaning process.
How to restore .SHARK files
In some cases, you can recover files encrypted by Shark virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use ShadowExplorer to recover .SHARK files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download ShadowExplorer on your Windows Desktop by clicking on the link below.
Category: Security tools
Update: February 12, 2016
When the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to launch it. You will see the a window as on the image below.
In top left corner, choose a Drive where encrypted personal files are stored and a latest restore point as displayed below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as displayed on the screen below.
Recover .SHARK files with PhotoRec
Before a file is encrypted, the Shark ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recover programs such as PhotoRec.
Download PhotoRec on your MS Windows Desktop from the following link.
Category: Security tools
Update: March 23, 2016
When downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed on the image below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files like below.
Press File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, press Browse button to select where restored files should be written, then click Search.
Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as displayed in the following example.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your personal computer from becoming infected by Shark ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus application, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your PC system from Shark virus
Download CryptoPrevent by clicking on the link below. Save it on your Desktop.
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can choose a level of protection, as on the image below.
Now click the Apply button to activate the protection.
To sum up
After completing the instructions outlined above, your PC should be free from Shark ransomware virus and other malicious software. Your machine will no longer encrypt your files. Unfortunately, if the few simple steps does not help you, then you have caught a new virus, and then the best way – ask for help in our Spyware/Malware removal forum.