Security researchers have discovered a new ransomware variant called the Blind virus. It appends the .[firstname.lastname@example.org].blind extension to the names of the files it encrypts. This blog post gives a brief summary of what is known about this ransomware and explains how to try to recover encrypted photos, documents and music for free.
The Blind virus is ransomware: a program built to encrypt the personal photos, documents and music found on the infected machine with a strong encryption algorithm and a long key, appending the .[email@example.com].blind extension to every encrypted file. Once encryption is complete, it opens a ransom note offering to decrypt the files if a payment is made.
Table of contents
- What is Blind ransomware
- How to decrypt .blind files
- How to remove Blind ransomware
- Recovering files encrypted by Blind ransomware virus
- How to prevent your computer from becoming infected by Blind ransomware?
- How does your computer get infected with Blind ransomware
- Finish words
The ransom note tells the victim to contact Blind’s creators at the e-mail address firstname.lastname@example.org in order to get the files decrypted. They will demand a ransom (typically $300-1000 in Bitcoin). We do not recommend paying: there is no guarantee that you will receive a working decryptor, and you still have a chance to restore your documents, photos and music for free with utilities such as ShadowExplorer and PhotoRec.
We suggest you get rid of the Blind virus as quickly as possible, before its presence leads to even worse consequences. The few simple steps below will help you completely remove Blind ransomware from your computer and recover encrypted files, using only a few free utilities.
What is Blind ransomware
Blind ransomware belongs to the family of crypto viruses (malicious software that encrypts personal files and demands a ransom). It affects all current versions of the Windows operating system: Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. It uses a strong encryption algorithm, which rules out brute-forcing the key needed to decrypt the files.
When the ransomware infects a PC, it stores its own files in system directories. To run automatically whenever the system starts, Blind ransomware creates registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. These autostart keys are therefore the first place to check for persistence while cleaning up.
Immediately after launch, the ransomware scans all available drives, including network shares and cloud-storage folders, to determine which files to encrypt. It uses the file name extension to select the files that will be encrypted. Almost all common file types are affected, including:
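The following PowerShell script is an added example (not code from the original post) that lists every value in the Run and RunOnce keys named above and flags the ones that look like malware persistence: a target binary that no longer exists, one that lives in a user-writable directory such as AppData or Temp, or one without a valid Authenticode signature. The HKLM equivalents are included as an assumption of good practice; the post only mentions HKCU.

```powershell
# Added example (not from the original post): enumerate Run/RunOnce autostart
# entries and flag suspicious ones. Run in an elevated PowerShell 5.1+ prompt.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # HKLM keys are not named in the post; checked here as an assumption.
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a normal installer rarely uses for autostart binaries but malware often does.
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE)

function Get-AutorunEntries {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Pull the executable path out of the command line (quoted, or first token).
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            $flags = @()
            $exists = Test-Path -LiteralPath $exe
            if (-not $exists) { $flags += 'target-missing' }
            foreach ($d in $suspiciousDirs) {
                if ($d -and $exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable-dir'
                    break
                }
            }
            # An unsigned or badly signed autostart binary deserves a closer look.
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
            }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join ',') }
        }
    }
}

# Entries with any flag sort to the top; an empty Flags column is the normal case.
Get-AutorunEntries | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is not proof of infection (some legitimate updaters also start from AppData), but an unsigned executable in Temp that the scanners above do not recognise is worth submitting to your antivirus vendor before you delete it. Record the value name and command line before removal; they are useful if the infection returns.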
.avi, .wm, .upk, .d3dbsp, .wotreplay, .docx, .ods, .kdc, .rw2, .bkp, .xlgc, .odp, .cas, .arw, .wmv, .sav, .jpe, .rb, .wri, .xlsx, .wpd, .x3f, .wp7, .big, .wbk, .sb, .itm, .7z, .xdl, .svg, .zdc, .vpp_pc, .odb, .indd, .t12, .mp4, .db0, .dxg, .bc7, .wbmp, wallet, .zi, .wpb, .xld, .crw, .lrf, .1, .x, .xlsb, .xyp, .pdd, .wmd, .pst, .mdbackup, .srw, .3fr, .p7c, .wmo, .xmmap, .xar, .wmf, .yml, .csv, .eps, .der, .cr2, .wp, .mcmeta, .wpw, .3dm, .rar, .xx, .ff, .cdr, .xy3, .xmind, .desc, .hkx, .dcr, .wbc, .zw, .p7b, .bsa, .xls, .gho, .wps, .zabw, .mdf, .tor, .re4, .r3d, .wpa, .cfr, .wpl, .erf, .xyw, .sid, .sidd, .wdb, .xml, .psk, .snx, .layout, .apk, .wav, .xll, .docm, .xlsm, .z3d, .ztmp, .dba, .fos, .zdb, .wmv, .jpeg, .dazip, .blob, .itl, .pptx, .wcf, .psd, .rtf, .gdb, .qic, .x3d, .wp6, .accdb, .hkdb, .wgz, .hplg, .lbf, .2bp, .arch00, .tax, .xbdoc, .wdp, .wma, .xdb, .zip, .forge, .wbz, .bar, .asset, .ai, .w3x, .wbm, .m2, .bay, .zip, .xwp, .mov, .bik, .wsd, .m3u, .sql, .mef, .crt, .wn, .z, .map, .raf, .wsh, .ibank, .xxx, .das, .xlsx, .sum, .ntl, .x3f, .xls, .pdf, .sis, .ncf, .mpqge, .odm, .m4a, .nrw, .pfx, .wpt, .txt, .orf, .wma, .rgss3a, .0, .zif, .sr2, .sie, .wsc, .iwd, .vcf, .pkpass, .mddata, .rofl, .cer, .kdb, .png, .vfs0, .xlsm, .mlx, .litemod, .yal, .pem, .wp5, .vtf, .ybk, .rim, .py, .mrwref, .dng, .ptx, .webp, .raw, .odt, .itdb, .syncdb, .dmp, .y, .bkf, .wpe, .wot, .iwi, .hvpl, .sidn, .epk, .flv, .wpd, .wps, .wpg
Once a file is encrypted, its extension is changed to .[email@example.com].blind. The ransomware then creates a file called “How_Decrypt_Files.hta” containing instructions on how to pay for decryption. An example of the note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us to 3 files for free decryption. the total size of file must be less than 1Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click “Buy bitcoins”, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginner guide here.
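Before removing anything it helps to know how far the encryption got. The PowerShell script below is an added example (not from the original post): it walks every file-system drive, counts files carrying the .blind suffix by original extension and by drive, records the earliest and latest write time (the encryption window, which is also the latest date a usable shadow copy can have), and lists every copy of How_Decrypt_Files.hta. The file name pattern and note name are taken from the post; the regular expression used to strip the suffix is my assumption about the exact naming.

```powershell
# Added example (not from the original post): inventory what Blind touched.
# Assumes encrypted files end in ".[<email>].blind" and the note is named
# How_Decrypt_Files.hta, as described in the post. Read-only; safe to run before cleanup.
$Roots = (Get-PSDrive -PSProvider FileSystem).Root   # includes mapped network drives

function Get-BlindInventory {
    param([string[]]$Paths)

    $encrypted = foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.blind' -ErrorAction SilentlyContinue
    }
    $notes = foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'How_Decrypt_Files.hta' -ErrorAction SilentlyContinue
    }

    # "report.docx.[email@example.com].blind" -> ".docx" (assumed suffix pattern).
    $byExt = $encrypted | ForEach-Object {
        $original = $_.Name -replace '\.\[[^\]]*\]\.blind$', ''
        [IO.Path]::GetExtension($original).ToLowerInvariant()
    } | Group-Object | Sort-Object Count -Descending

    [pscustomobject]@{
        EncryptedFiles = @($encrypted).Count
        ByExtension    = $byExt | Select-Object Name, Count
        ByDrive        = $encrypted | Group-Object { $_.PSDrive.Name } | Select-Object Name, Count
        FirstWrite     = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        LastWrite      = ($encrypted | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        RansomNotes    = @($notes).FullName
    }
}

Get-BlindInventory -Paths $Roots
```

The FirstWrite value matters for the recovery steps later in this post: a shadow copy or backup is only useful if it was taken before that time, and any network share that appears under ByDrive was reachable from the infected account and needs the same cleanup.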
The Blind ransomware relies on scare tactics: it gives the victim a brief description of the encryption algorithm and displays the ransom note on the desktop, trying to push the user of the infected machine into paying quickly in the hope of recovering their files.
How to decrypt .blind files
Currently there is no free decryptor for .[email@example.com].blind files, but you still have a chance to recover encrypted files for free. The ransomware repeatedly tells the victim that it uses strong hybrid encryption with a large key. If that claim is true, the files cannot be decrypted without the attackers’ private key, and brute-forcing is ruled out by the key length. That leaves paying the full amount demanded as the only way to obtain the decryption key, which is exactly why the recovery steps below try to get the original files back without decrypting anything.
There is absolutely no guarantee that the developers of Blind will provide the key after you pay. In addition, you must understand that paying the criminals funds and encourages the creation of new ransomware.
How to remove Blind ransomware
The Blind virus can hide components that are difficult to find and remove completely. If any are missed, the ransomware may reinfect your PC after some time and encrypt your personal files again. Moreover, manual removal is not always safe if you do not have much experience with configuring Windows. The best way to find and remove Blind ransomware is to use the free malware removal tools listed below.
Use Zemana Anti-malware to remove Blind ransomware
We suggest using Zemana Anti-malware. Download and install it to scan for and remove Blind ransomware from your system. Once installed and updated, it will automatically scan for and detect the threats present on the PC.
Download Zemana Free by clicking on the following link. Save it to your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
After the download is done, close all programs and windows on your system. Open the directory where you saved it and double-click the icon called Zemana.AntiMalware.Setup, as displayed in the following example.
When the installation begins, you will see the “Setup wizard” that will guide you through setting up Zemana AntiMalware (ZAM) on your PC.
Once setup is done, you will see the window shown in the figure below.
Now click the “Scan” button to scan your computer for the Blind ransomware and other threats such as malware and potentially unwanted apps. This can take some time, so please be patient. As threats are detected, the threat counter changes accordingly. Wait until the scan is finished.
When the scan has completed, Zemana Anti-Malware (ZAM) opens a screen listing the malware that has been detected. Make sure all items are checked and click the “Next” button.
Zemana will remove the Blind ransomware related files, folders and registry keys and move them to the program’s quarantine.
Run Malwarebytes to delete Blind ransomware
We also recommend Malwarebytes Free, which will completely clean your system of the ransomware. It is an advanced malware removal program created by Malwarebytes and uses some of the most widely deployed anti-malware technology available. It can remove ransomware, PUPs, adware, toolbars and other security threats from your system for free.
Click the following link to download the latest version of Malwarebytes Free for Windows. Save it to your Desktop so that you can find the file easily.
Category: Security tools
Update: November 9, 2017
After the download is finished, close all programs and windows on your machine. Double-click the installer called mb3-setup. If the “User Account Control” dialog box pops up, as displayed below, click the “Yes” button.
This opens the “Setup wizard” that will help you install Malwarebytes AntiMalware (MBAM) on your machine. Follow the prompts and do not change the default settings.
Once installation has finished successfully, click the Finish button. Malwarebytes starts automatically and shows its main screen, as in the image below.
Now click the “Scan Now” button to scan the system for the Blind ransomware and other threats such as malware and potentially unwanted software. While Malwarebytes (MBAM) is scanning, it shows the number of objects it has identified as infected.
When Malwarebytes Free has completed the scan, the results are displayed in the scan report. Review the report and then click the “Quarantine Selected” button. Malwarebytes (MBAM) will remove the Blind virus related files, folders and registry keys and add the threats to the Quarantine. Once disinfection is complete, you may be prompted to reboot the computer.
We recommend you watch the following video, which walks through using Malwarebytes Anti-Malware (MBAM) to get rid of adware, browser hijackers and other malicious software.
Double-check for ransomware virus with KVRT
The KVRT tool is free and easy to use. It can scan for and remove malware such as Blind, PUPs and ad-supported software, including those that hijack Mozilla Firefox, Chrome, IE and MS Edge, and restore the browsers’ default settings (default search engine, start page and new tab). KVRT is powerful enough to find and delete malicious registry entries and files hidden on the PC.
Download the Kaspersky Virus Removal Tool (KVRT) to your PC by clicking on the following link.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
After the download is complete, double-click on the KVRT icon. Once initialization is complete, you will see the Kaspersky Virus Removal Tool screen, as displayed below.
Click Change Parameters and tick all your drives. Press OK to close the Parameters window. Next press the Start scan button to detect the Blind virus and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and its speed. While the Kaspersky Virus Removal Tool is checking, it shows the number of objects it has identified as threats.
When that process is finished, you can review all the threats detected on your computer, as displayed below.
Review the report and then click Continue to start the cleaning procedure.
Recovering files encrypted by Blind ransomware virus
In some cases you can recover files encrypted by the Blind virus. Try both methods below, and only after the ransomware has been removed, otherwise newly recovered files may be encrypted again. Note that we cannot guarantee you will be able to restore all encrypted files.
Run ShadowExplorer to recover .blind files
In some cases you have a chance to recover photos, documents and music encrypted by the Blind ransomware using ShadowExplorer, a free program that browses the Volume Shadow Copies (the snapshots Windows keeps for System Restore) and copies files out of them. This only works if a shadow copy from before the infection still exists; many ransomware families delete shadow copies, so if ShadowExplorer shows no restore points, move on to the PhotoRec method below.
Download ShadowExplorer by clicking on the following link. Save it on your Windows desktop.
Category: Security tools
Update: February 12, 2016
After the download is finished, open the directory where you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Then open the ShadowExplorerPortable folder, as displayed below.
Double-click ShadowExplorerPortable to run it. You will see a window like the one below.
In the top left corner, choose the drive where the encrypted files are stored and the most recent restore point dated before the infection, as in the image below (1 – drive, 2 – restore point). A snapshot taken after encryption ran only contains the encrypted copies.
In the right panel, find the file you want to recover, right-click it and select Export, as displayed in the following example.
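The same thing ShadowExplorer does can be scripted when many files need to come back, or when you want to check first whether any snapshot survived. The PowerShell below is an added example (not from the original post or from ShadowExplorer): it lists the shadow copies of one volume with their creation time, exposes each snapshot through a temporary directory link, and copies the first pre-encryption version of a file it finds. The volume, file path and output folder are hypothetical placeholders.

```powershell
# Added example (not from the original post): recover a file from a Volume Shadow Copy.
# Run as Administrator. All three paths below are hypothetical; adjust them.
$Volume       = 'C:\'
$RelativePath = 'Users\alice\Documents\report.docx'   # the ORIGINAL name, without the .blind suffix
$Restore      = 'C:\Recovered'                         # write recovered files somewhere else if possible

function Get-ShadowCopiesFor {
    param([string]$VolumeRoot)
    # Win32_ShadowCopy refers to volumes by GUID path, so map the drive letter first.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -and ($_.DriveLetter + '\') -eq $VolumeRoot }
    if (-not $vol) { throw "No volume found for $VolumeRoot" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Restore-FromShadow {
    param([string]$VolumeRoot, [string]$Relative, [string]$Destination)
    $copies = @(Get-ShadowCopiesFor $VolumeRoot)
    if ($copies.Count -eq 0) {
        Write-Warning "No shadow copies exist for $VolumeRoot (many ransomware families delete them)"
        return $null
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($sc in $copies) {
        # Expose the snapshot device as a directory link; the trailing backslash is required.
        $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
        cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
        try {
            $src = Join-Path $link $Relative
            if (Test-Path -LiteralPath $src) {
                $dst = Join-Path $Destination (Split-Path $Relative -Leaf)
                Copy-Item -LiteralPath $src -Destination $dst -Force
                Write-Host "Recovered from snapshot taken $($sc.InstallDate): $dst"
                return $dst
            }
        } finally {
            cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
        }
    }
    Write-Warning "$Relative was not found in any snapshot of $VolumeRoot"
    return $null
}

# First see what is there (newest first); pick snapshots dated before the encryption ran.
Get-ShadowCopiesFor $Volume | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
Restore-FromShadow -VolumeRoot $Volume -Relative $RelativePath -Destination $Restore
```

The loop walks snapshots from newest to oldest and stops at the first one that still holds the original name, so if the newest snapshot was taken after encryption it simply will not contain the file under that name and the loop continues to an older one. Check the recovered document opens before deleting its .blind counterpart.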
Restore .blind files with PhotoRec
Before encrypting a file, the Blind ransomware makes a copy of it, encrypts the copy, and then deletes the original. The deleted original may still sit in unallocated disk space and can be carved back out with a file-recovery program such as PhotoRec, as long as that space has not been overwritten. So write as little as possible to the affected drive in the meantime, and save recovered files to a different drive.
Download PhotoRec to your Windows Desktop by clicking on the following link.
Category: Security tools
Update: March 23, 2016
When the download is finished, open the directory where you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Then open the testdisk-7.0 folder, as shown below.
Double-click qphotorec_win to run PhotoRec for Windows. It opens the screen displayed in the image below.
Select the drive to recover from, as in the image below.
You will see a list of available partitions. Select the partition that held the encrypted photos, documents and music, as shown below.
Click the File Formats button and choose the file types to recover. You can enable or disable recovery of individual file types. When this is done, click the OK button.
Next, click the Browse button to select where restored files should be written (ideally a different drive from the one being scanned, so nothing is overwritten), then click Search.
The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder you chose in the previous step, and you can open them even before the recovery finishes.
When recovery is done, press the Quit button. Then open the directory where the recovered files are stored. You will see contents like those displayed in the figure below.
All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. Carved files lose their original names, so if you are looking for a specific file, sort the recovered files by extension and/or date/time.
How to prevent your computer from becoming infected by Blind ransomware?
Most antivirus applications already include built-in protection against ransomware, so if your machine does not have an antivirus program, install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your PC from Blind ransomware
Download CryptoPrevent by clicking on the link below. Save it on your Windows desktop or anywhere else you like.
Run it and follow the setup wizard. Once setup is finished, you will see a window where you can choose a level of protection, as shown below.
Now click the Apply button to activate the protection.
How does your computer get infected with Blind ransomware
Blind ransomware is distributed through spam emails, among other channels. Below is an example of an email carrying a ransomware attachment such as Blind.
Once the attachment is opened, the ransomware starts automatically without the user noticing anything and begins encrypting files. When that is complete, it displays the usual ransom note shown above, How_Decrypt_Files.hta.
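For Windows 10 (version 1709 or later) there is also ransomware protection built into Windows Defender that addresses both of the points above: the email delivery channel and unknown programs rewriting your documents. The PowerShell below is an added example (not from the original post, and not part of CryptoPrevent): it enables Controlled Folder Access, adds an extra protected folder, turns on the Attack Surface Reduction rule that blocks executable content arriving through mail clients and webmail, and shows how to read back what was blocked. It assumes Defender is the active antivirus (a third-party product usually disables these features); the protected folder path is hypothetical.

```powershell
# Added example (not from the original post): switch on Defender's built-in
# ransomware protections. Windows 10 1709+, run as Administrator, Defender active.

# 1. Controlled Folder Access: only apps Defender trusts may modify the protected
#    folders (Documents, Pictures, etc. by default). Use 'AuditMode' first if you
#    want to see what would be blocked without blocking it.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add any extra location holding personal files; this path is hypothetical.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Photos'

# 2. Attack Surface Reduction rule "Block executable content from email client
#    and webmail" (GUID published by Microsoft). This covers the spam-attachment
#    delivery described above.
$blockMailExecutables = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
Add-MpPreference -AttackSurfaceReductionRules_Ids     $blockMailExecutables `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Confirm what is now in force.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 AttackSurfaceReductionRules_Ids,
                                 AttackSurfaceReductionRules_Actions

# 4. What got stopped: event 1123 (folder access blocked), 1124 (audited),
#    1121 (ASR rule blocked), 1122 (ASR audited) in the Defender operational log.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122, 1123, 1124
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Expect some legitimate programs (older backup tools, some games) to trip Controlled Folder Access the first time; add them with Add-MpPreference -ControlledFolderAccessAllowedApplications rather than turning the feature off. None of this replaces an offline backup, which remains the only recovery method that does not depend on the ransomware having made a mistake.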
Finish words
Your machine should now be free of the Blind ransomware. Uninstall Malwarebytes and KVRT; we suggest keeping Zemana Anti-Malware to scan your PC periodically for new malware. Make sure you have installed all the critical updates recommended for your Windows operating system. Without regular updates you WILL NOT be protected when new viruses, malicious programs and adware are released.
If you are still having problems removing the Blind ransomware from your system, ask for help in our Spyware/Malware removal forum.