
.Tocue file extension ransomware virus (Restore, Decrypt .tocue files)

Myantispyware team July 22, 2019    

This week, cyber security professionals have received reports of yet another ransomware called ‘Tocue file virus’. This ransomware spreads via spam emails and malware files and appends the .tocue file extension to encrypted files. Here’s everything you need to know about this ransomware, how to remove ‘Tocue ransomware virus’ and how to restore (decrypt) encrypted files for free.

Files encrypted by .tocue ransomware virus


The Tocue file virus is a new ransomware that, once on the user’s system, blocks files such as videos, web application-related files, drawings, photos, documents, archives and databases by encrypting them with a complex cipher. Once infected with this crypto malware, the user cannot unlock the files on his own, even by renaming them. Tocue virus locks up almost all files, including common types such as:

.srf, .xar, .bc7, .css, .bik, .tax, .iwi, .ztmp, .itl, .nrw, .wma, .x, .xlsm, .big, .sidn, .wbm, .wmf, .sie, .wpw, .db0, .wmd, .rw2, .wpl, .upk, .itdb, .wbc, .wire, .wdb, .odc, .xll, .xlgc, .z, .rb, .xbdoc, .7z, .pfx, .vfs0, .wpg, .doc, .pdd, .fos, .wp7, .pem, .t12, .avi, .tor, .dmp, .pptx, .ff, .fpk, .m2, .webp, .xlsx, .mov, .docx, .zi, .mdbackup, .apk, .xwp, .xls, .txt, .ibank, .arch00, .rim, .vpk, .t13, .mcmeta, .indd, .wotreplay, .lrf, .ysp, .m3u, .sis, .bc6, .wps, .dwg, .vdf, .dbf, .crw, .xls, .desc, .rwl, .z3d, .zip, .docm, .xpm, .sav, .wbd, .odb, .mddata, .hkdb, .vpp_pc, .sql, .wn, .p12, .sb, .mp4, .das, .bsa, .sidd, .zw, .p7c, .xyp, .wdp, .m4a, .itm, .xdl, .dba, .wsd, .y, .wpd, .xx, .x3f, .xf, .rofl, .erf, .srw, .yml, .der, .re4, .syncdb, .cr2, .rgss3a, .slm, .wsh, .odt, .ptx, .dxg, .wmo, .cer, .lbf, .vtf, .bay, .vcf, .wot, .wbz, .ltx, .wav, .x3d, .pst, .wp, .mpqge, .fsh, .accdb, .snx, .gho, .yal, .rar, .xlsb, .psk, .wpt, .esm, .wbmp, .2bp, .0, .wb2, .bar, .csv, .kdc, .wmv, .ncf, .ods, .ybk, .pdf, .bkf, .zip, .menu, .forge, .eps, .wpe, .d3dbsp, .odm, .zdb, .r3d, .3ds, .raw, wallet, .flv, .sid, .dcr, .x3f, .jpe, .litemod, .epk, .w3x, .xlk, .svg, .mdf, .layout, .wpb, .wsc, .ppt, .ai, .pkpass, .icxs, .webdoc, .png, .rtf, .mrwref, .kf, .wp6, .iwd, .wp4, .wcf, .wm, .kdb, .wma, .1st, .wpa, .cfr, .xld, .xmind, .xml, .blob, .ntl, .crt, .gdb, .1, .bkp, .cas, .arw, .pptm, .xlsx, .jpeg, .cdr, .qic, .raf, .xbplate, .xdb, .map, .odp, .py, .mdb, .xxx, .zdc, .mlx, .asset, .jpg, .ws, .xyw, .wbk, .qdf, .xy3, .hvpl, .pak

All files encrypted by Tocue ransomware virus receive the .tocue extension, which lets victims identify what caused their work to stop. Each victim whose computer has been attacked by the Tocue virus receives a ransom note from the scammers stating the ransom for which they are willing to provide a unique code key and a decryption utility to decrypt the affected documents, photos and music.

"Tocue file virus" ransom note



 

Threat Summary

Name: Tocue file virus
Type: Ransomware, Crypto malware, Filecoder, Crypto virus, File locker
Encrypted files extension: .tocue
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980 in Bitcoins
Symptoms: Unable to open documents, photos and music. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note in a pop-up window with cybercriminal’s ransom demand and instructions.
Distribution methods: Email attachments. Malicious downloads that happen without a user’s knowledge when they visit a compromised web page. Social media posts (they can be used to force users to download malware with a built-in ransomware downloader or click a malicious link). Malicious web-pages.
Removal: To remove Tocue ransomware use the removal guide
Decryption: To decrypt Tocue ransomware use the steps
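
The extension and ransom note name in the summary above are enough to scope the damage before cleanup. The following is an added example, not part of the original guide: a read-only Python inventory that counts .tocue files, records folders holding _readme.txt, and reports the earliest and latest modification times of encrypted files as an approximate encryption window. The function name and report layout are assumptions.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_EXT = ".tocue"      # extension named on this page
RANSOM_NOTE = "_readme.txt"   # ransom note name from the Threat Summary


def scope_damage(root):
    """Walk root without modifying anything and summarise the visible damage."""
    encrypted, note_dirs, mtimes = [], [], []
    by_original_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                # "report.docx.tocue" -> original extension ".docx"
                original = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower()
                by_original_ext[original or "(none)"] += 1
                try:
                    mtimes.append(os.stat(full).st_mtime)
                except OSError:
                    pass  # unreadable entry: still counted, just not timed
    window = None
    if mtimes:
        # Assumption: mtime approximates when the encrypted copy was written.
        window = tuple(
            datetime.fromtimestamp(t, timezone.utc).isoformat()
            for t in (min(mtimes), max(mtimes))
        )
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "by_original_ext": dict(by_original_ext),
        "window_utc": window,
    }


if __name__ == "__main__":
    summary = scope_damage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("encrypted files:", len(summary["encrypted"]))
    print("folders with ransom note:", len(summary["note_dirs"]))
    print("approximate encryption window (UTC):", summary["window_utc"])
    for ext, count in sorted(summary["by_original_ext"].items()):
        print(f"  {ext}: {count}")
```
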

 

The instructions shown below will help you to remove Tocue ransomware virus as well as restore encrypted files stored on your personal computer drives.

Quick links

  1. How to remove Tocue file virus
  2. How to decrypt .tocue files
  3. Tocue decryption tool
  4. How to restore .tocue files
  5. How to protect your personal computer from Tocue crypto virus?
  6. To sum up

How to remove Tocue file virus

Ransomware, spyware, trojans and worms can be difficult to delete manually. Do not try to remove these apps without the help of malicious software removal utilities. In order to fully uninstall Tocue ransomware virus from your system, use professionally developed utilities, such as Zemana AntiMalware (ZAM), MalwareBytes Free and Kaspersky virus removal tool.



How to remove Tocue ransomware with Zemana

Zemana can scan for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Tocue crypto malware, you can easily and quickly remove it.
Zemana remove Tocue ransomware virus related files, folders and registry keys

  1. Visit the page linked below to download the latest version of Zemana Free for Windows. Save it on your Desktop.
    Zemana AntiMalware
  2. At the download page, click on the Download button. Your browser will open the “Save as” prompt. Please save it onto your Windows desktop.
  3. Once the downloading process is finished, please close all apps and open windows on your PC. Next, run a file called Zemana.AntiMalware.Setup.
  4. This will launch the “Setup wizard” of Zemana Free onto your system. Follow the prompts and do not make any changes to default settings.
  5. When the Setup wizard has finished installing, the Zemana Anti Malware will open and display the main window.
  6. Next, click the “Scan” button to perform a system scan for the Tocue file virus and other kinds of potential threats such as malicious software and trojans. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. When malicious software, adware or potentially unwanted software is found, the number of security threats will change accordingly. Wait until the checking is done.
  7. As the scanning ends, the results are displayed in the scan report.
  8. You may remove items (move to Quarantine) by simply clicking the “Next” button. The tool will remove Tocue ransomware, other malware, worms and trojans and move threats to the program’s quarantine. After that process is finished, you may be prompted to restart the computer.
  9. Close the Zemana Anti-Malware (ZAM) and continue with the next step.

Remove Tocue with MalwareBytes Anti-Malware (MBAM)

We suggest using MalwareBytes Anti Malware (MBAM), which can fully clean your PC system of the crypto malware. This free utility is an advanced malicious software removal application developed by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It’s able to help you remove crypto virus, potentially unwanted applications, malicious software, adware software, toolbars, and other security threats from your personal computer for free.
MalwareBytes Anti-Malware (MBAM) for Windows, scan for ransomware virus is done

  1. Visit the following page to download the latest version of MalwareBytes Free for Microsoft Windows. Save it on your Desktop.
    Malwarebytes Anti-malware
  2. At the download page, click on the Download button. Your internet browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
  3. After the download is finished, please close all programs and open windows on your PC. Double-click on the icon that’s called mb3-setup.
  4. This will open the “Setup wizard” of MalwareBytes AntiMalware onto your machine. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the MalwareBytes will start and show the main window.
  6. Next, click the “Scan Now” button to perform a system scan with this utility for the Tocue crypto virus, other malicious software, worms and trojans. This procedure can take quite a while, so please be patient. When a threat is found, the number of security threats will change accordingly.
  7. When the system scan is done, it will show the Scan Results.
  8. Make sure all items have a checkmark and click the “Quarantine Selected” button. After the procedure is done, you may be prompted to reboot the PC system.
  9. Close the Anti-Malware and continue with the next step.


Get rid of Tocue ransomware with KVRT

KVRT is a free portable program that scans your computer for adware, potentially unwanted apps and ransomware viruses like Tocue and helps uninstall them easily. Moreover, it will also help you delete any malicious web-browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the following link.

Kaspersky virus removal tool

After the download is done, double-click on the Kaspersky virus removal tool icon. Once the initialization process is done, you will see the KVRT screen as displayed below.

KVRT main window

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click the Start scan button to locate Tocue crypto malware and other known infections. When malicious software, adware or PUPs are found, the count of security threats will change accordingly.

Kaspersky virus removal tool scanning

Once finished, the results are displayed in the scan report like below.

KVRT scan report

Once you’ve selected what you want to remove from your PC click on Continue to start a cleaning process.

How to decrypt .tocue files

Trying to find the special code key on your own is almost impossible in view of its cryptographic complexity, and the attempt can damage photos, documents and music encrypted with Tocue ransomware virus or make them useless forever. It is very important to back up important files regularly to various media, such as a USB flash drive, so that if ransomware damages your personal computer you can always extract a copy of the corrupted files.

Should you pay the ransom

Never pay the ransom! Paying the hackers who are threatening you is a terrible idea. You can pay the ransom, but there is no guarantee that your files will be yours again. That is why you should consider other options (ones that do not involve paying the hackers) to unlock encrypted documents, photos and music. There are still some methods to defuse crypto malware without paying the ransom, so you do not need to pay the hackers or let them reach their goal.


There is no solution to this problem that suits everyone. However, paying for the decryption key is not an obvious answer. If you pay for it, remember that no one guarantees that you will receive it. There is also a possibility that even the makers of the Tocue crypto malware themselves do not have this key. Most probably, they are just trying to defraud you and use you in order to get money. You should try the steps in this article. The tutorial will help you completely remove Tocue ransomware virus, and you may be able to decrypt some of the blocked files without paying any ransom. Given that fighting crypto virus is incredibly difficult, we cannot promise that you will defuse it. Nevertheless, it is still worth a try.

Tocue decryption tool

With some variants of Tocue ransomware, it is possible to decrypt encrypted files using free tools listed below.




Michael Gillespie (@) released the Tocue decryption tool named STOPDecrypter. It can decrypt .Tocue files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.

STOPDecrypter

Tocue decryption tool

STOPDecrypter is a program that can be used for Tocue files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Tocue files using this free tool.

  1. Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
  3. Further, select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.

If STOPDecrypter does not help you to unlock .Tocue files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.

How to restore .tocue files

In some cases, you can recover files encrypted by Tocue ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.




Run ShadowExplorer to restore .tocue files

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

ShadowExplorer can be downloaded from the following link. Save it on your Windows desktop or in any other place.

ShadowExplorer

After the download is done, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.

ShadowExplorer folder

Start the ShadowExplorer utility, then select the disk (1) and the date (2) of the shadow copy from which you wish to recover the file(s) encrypted by the Tocue crypto malware, as in the example below.

ShadowExplorer restore files encrypted by the Tocue crypto virus

Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as shown on the screen below.

ShadowExplorer restore file

Recover .tocue files with PhotoRec

Before a file is encrypted, the Tocue ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore programs such as PhotoRec.

Download PhotoRec from the following link. Save it to your Desktop.

PhotoRec

When downloading is complete, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the screen below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen such as the one below.

PhotoRec for windows

Select a drive to recover as displayed on the image below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed on the screen below.

photorec choose partition

Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.

PhotoRec file formats

Next, click Browse button to select where recovered files should be written, then click Search.

photorec

The count of restored files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is done, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those displayed in the following example.

PhotoRec - result of restore

All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
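
An added example (not from the original guide or from PhotoRec) of the sorting described above: it reads the recup_dir.N folders in numeric order, groups recovered files by extension, orders them by modification time and skips byte-identical duplicates. Function names are hypothetical, and the duplicate check by SHA-256 goes beyond what the guide describes.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# PhotoRec output folder naming as given in the guide: recup_dir.1, recup_dir.2, ...
RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")


def recup_dirs(output_root):
    """Return recup_dir.N folders in numeric order (recup_dir.2 before recup_dir.10)."""
    found = []
    for p in Path(output_root).iterdir():
        m = RECUP_RE.match(p.name)
        if m and p.is_dir():
            found.append((int(m.group(1)), p))
    return [p for _n, p in sorted(found)]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered videos do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_recovered(output_root, wanted_exts=None):
    """Map extension -> [(mtime, size, path)], oldest first, one entry per unique content."""
    wanted = {e.lower() for e in wanted_exts} if wanted_exts else None
    seen = set()
    index = defaultdict(list)
    for folder in recup_dirs(output_root):
        for f in sorted(folder.iterdir()):
            if not f.is_file():
                continue
            ext = f.suffix.lower() or "(none)"
            if wanted is not None and ext not in wanted:
                continue
            digest = sha256_of(f)
            if digest in seen:
                continue  # same bytes already listed from an earlier folder
            seen.add(digest)
            st = f.stat()
            index[ext].append((st.st_mtime, st.st_size, str(f)))
    return {ext: sorted(rows) for ext, rows in index.items()}


if __name__ == "__main__":
    import sys
    for ext, rows in sorted(index_recovered(sys.argv[1]).items()):
        print(ext, len(rows), "unique file(s)")
        for mtime, size, path in rows:
            print(f"    {mtime:.0f}  {size:>10}  {path}")
```
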

How to protect your personal computer from Tocue crypto virus?

Most antivirus apps already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.

Run HitmanPro.Alert to protect your PC from Tocue crypto virus

HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Visit the following page to download the latest version of HitmanPro.Alert for Windows. Save it to your Desktop so that you can access the file easily.

HitmanPro.Alert

When downloading is complete, open the directory in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. Once the utility has started, you will see a window where you can select a level of protection, such as the one below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

To sum up

Now your computer should be clean of the Tocue crypto virus. Delete MalwareBytes Anti-Malware and Kaspersky virus removal tool. We recommend that you keep Zemana Free (to periodically scan your computer for new malware). Moreover, to prevent ransomware, please stay clear of unknown and third party apps, and make sure that the option to block or search for ransomware is turned on in your antivirus application.

If you need more help with Tocue ransomware virus related issues, go here.

 
