If your photos, documents and music does not open normally, their names modified or .imsorry added at the end of their name then your computer is infected with a new ransomware infection from a family of file-encrypting ransomware. Once started, it have encrypted all photos, documents and music stored on a personal computer drives and attached network drives.
It uses a strong encryption algorithm with long key. When the ransomware infection encrypts a file, it will add the .imsorry extension to each encrypted file. Once the virus finished enciphering of all files, it will create a file called “Read me for help thanks.txt” with tutorial on how to decrypt all photos, documents and music.
The Im Sorry ransomware infection offers to make a payment in Bitcoins to get a key to decrypt photos, documents and music. Important to know, currently not possible to decrypt the .imsorry files encrypted by the ransomware virus without the private key and decrypt program. If you choose to pay the ransom, there is no 100% guarantee that you can restore all documents, photos and music! If you do not want to pay for a decryption key, then you have a chance to recover encrypted personal files.
Use the step-by-step guide below to get rid of the ransomware infection itself and try to recover encrypted photos, documents and music.
What is Im Sorry
Im Sorry is a variant of crypto viruses (malware that encrypt personal files and demand a ransom). It affects all current versions of MS Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware infection uses a strong encryption algorithm with 2048-bit key to eliminate the possibility of brute force a key that will allow to decrypt encrypted files.
When the ransomware infects a computer, it uses system directories to store own files. To run automatically whenever you turn on your computer, Im Sorry ransomware virus creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.wpa, .jpeg, .wp, .wmv, .zabw, .rim, .ntl, .wpd, .wcf, .rtf, .rar, .xmind, .big, .vfs0, .csv, .xbdoc, .wsh, .y, .wmo, .d3dbsp, .r3d, .avi, .xld, .0, .xyp, .kdb, .der, .wp7, .xlsm, .raf, .orf, .arch00, .txt, .bay, .odb, .wps, .wm, .wbz, .xlsx, .hvpl, .cdr, .wmd, .ztmp, .w3x, .mrwref, .snx, .ods, .docm, .iwd, .eps, .wbmp, .t13, .hplg, .rgss3a, .dxg, .accdb, .zif, .wav, .x3d, .gho, .wpd, .bc7, .xbplate, .pdf, .lbf, .desc, .sr2, .mov, .qic, .wp4, .kdc, .wot, .erf, .xll, .das, .fsh, .1st, .ncf, .epk, .syncdb, .map, .js, .wbk, .itm, .mpqge, .webp, .css, .odc, .gdb, .xdl, .rw2, .wri, .pptm, .asset, .xx, .dazip, .pptx, .svg, .bkp, .wp6, .menu, .bik, .py, .docx, .bar, .litemod, .xyw, .crw, .cr2, .xxx, .cas, .mlx, .xf, .xdb, .xml, .dmp, .zip, .mcmeta, .wp5, .cer, .jpe, .m4a, .ws, .sidd, .psd, .tor, .m3u, .zip, .ltx, .yml, .dwg, .raw, .iwi, .2bp, .odp, .ff, .xlk, .xwp, .zdb, .vdf, .vpk, .pdd, .wdb, .mdbackup, .sie, .ppt, .mddata, .arw, .xpm, .ibank, .wpl, .psk, .wn, .qdf, .bc6, .p7b, .fpk, .zdc, .doc, .wbm, .srf, .sav, .itl, .x, .dbf, .bsa, .sis, .xls, .3fr, .nrw, .jpg, .mp4, .sb, .sidn, .indd, .ai, .xlsb, .x3f, .yal, .odt, .wpg, .wbc, .db0, .dng, .sum, .sql, .ptx, .cfr, .dba, .mef, .pst, .wpe, .png, .sid, wallet, .t12, .hkdb, .xmmap, .wma, .dcr, .vpp_pc, .wotreplay, .lvl, .webdoc
Once a file is encrypted, its extension changed to .imsorry. Next, the virus creates a file named “Read me for help thanks.txt”. This file contain guidance on how to decrypt all encrypted documents, photos and music. An example of the guidance is:
Hello, I hate to inform you but your files have been encrypted.
To get them back you must pay me a small fee.
Instructions are buy btc then pay me then i’ll simply give you, your encryption key.
Step 1.
Make a account here
hxxps://blockchain.info/wallet/#/signup
Step 2.
Buy bitcoin
Use one of the trade centers below to recieve bitcoin to pay me off
hxxps://www.coinbase.com/
hxxps://localbitcoins.com/register/
Step 3.
Send the payment of 500 USD to the BTC address below
then i’ll give you the key.
Places you can read about bitcoin
hxxps://blog.newegg.com/the-fastest-way-to-get-started-with-bitcoin/
hxxps://bitcoin.org/en/getting-started
You have 3 weeks to pay else i might delete the key or i might just give you the key idk
Be sure you put your btc address in the box below as this is how i track payments.
if you f* around i’ll delete your key.
Once again,Sorry.
The Im Sorry ransomware infection actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a threatening message on the desktop. It is trying to force the user of the infected computer, do not hesitate to pay a ransom, in an attempt to recover their personal files.
How to decrypt imsorry files
Currently there is no available method to decrypt imsorry files. The ransomware repeatedly tells the victim that uses a strong encryption algorithm with big key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the Im Sorry ransomware infection entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the authors of the Im Sorry ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new virus.
How to remove Im Sorry ransomware infection
Before you run the procedure of recovering personal files which has been encrypted, make sure Im Sorry virus is not running. Firstly, you need to remove this ransomware virus permanently. Thankfully, there are several malicious software removal utilities which will effectively detect and remove Im Sorry ransomware virus and other crypto virus malicious software from your PC.
How to automatically get rid of Im Sorry with Zemana Anti-malware
We recommend you to run the Zemana Anti-malware which are completely clean your PC of this ransomware. Moreover, the utility will allow you to delete potentially unwanted applications, malware, toolbars and ‘ad supported’ software that your computer can be infected too.
Download Zemana anti malware on your system from the following link.
159513 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is done, close all applications and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as shown in the following example.
When the install starts, you will see the “Setup wizard” which will allow you install Zemana anti malware on your computer.
Once install is finished, you will see window as shown on the image below.
Now click the “Scan” button . This will start scanning the whole system to find out Im Sorry virus and other trojans and dangerous software. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your system. During the scan it’ll detect all threats exist on your PC system.
Once the system scan is done, a list of all threats detected is produced. In order to delete all threats, simply press “Next” button.
The Zemana Anti-malware will start removing Im Sorry ransomware virus related files, folders and registry keys.
Use Malwarebytes to delete ransomware infection
You can delete Im Sorry ransomware virus automatically with a help of Malwarebytes Free. We suggest this free malware removal tool because it can easily remove ransomwares, adware, PUPs and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes on your Microsoft Windows Desktop by clicking on the link below.
317590 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After downloading is complete, close all programs and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as displayed below.
When the installation starts, you will see the “Setup wizard” that will help you install Malwarebytes on your personal computer.
Once installation is complete, you will see window as on the image below.
Now click the “Scan Now” button . This tool will now begin scanning your PC system for the Im Sorry ransomware virus and other trojans and harmful applications. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your computer. While the application is checking, you can see number of objects it has identified as threat.
When the system scan is finished, it’ll display a list of detected items. Review the scan results and then press “Quarantine Selected” button.
The Malwarebytes will start removing Im Sorry ransomware virus related files, folders, registry keys. Once disinfection is finished, you may be prompted to restart your PC.
The following video explains step by step instructions on how to delete virus and other malware with Malwarebytes Anti-malware.
Remove Im Sorry ransomware and malicious extensions with KVRT
If MalwareBytes antimalware or Zemana anti malware cannot delete this ransomware virus, then we advises to run the KVRT. KVRT is a free removal utility for ransomwares, ‘ad supported’ software, potentially unwanted software and toolbars.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it on your Microsoft Windows desktop or in any other place.
123862 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is done, double-click on the KVRT icon. Once initialization process is done, you will see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to perform a system scan for the Im Sorry ransomware infection and other trojans and harmful software. A system scan may take anywhere from 5 to 30 minutes, depending on your system.
Once the scan is finished, you can check all threats detected on your computer as shown in the figure below.
Review the report and then press on Continue to start a cleaning process.
How to restore imsorry files
In some cases, you can restore files encrypted by Im Sorry ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Use ShadowExplorer to recover imsorry files
Download ShadowExplorer by clicking on the following link. Save it on your Windows desktop.
419063 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed on the screen below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point as displayed in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed on the screen below.
Run PhotoRec to restore imsorry files
Download PhotoRec from the link below and save it directly to your Microsoft Windows Desktop.
Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as displayed below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown below.
Click File Formats button and choose file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where restored photos, documents and music should be written, then click Search.
Count of restored files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents like below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your machine from becoming infected by Im Sorry virus?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your computer from Im Sorry virus
Download CryptoPrevent by clicking on the following link. Save it on your MS Windows desktop or in any other place.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is complete, you’ll be displayed a window where you can select a level of protection, as displayed in the following example.
Now press the Apply button to activate the protection.
How does your computer get infected with Im Sorry ransomware
The Im Sorry ransomware virus is distributed through the use of spam emails. Below is an email that is infected with a ransomware virus like Im Sorry ransomware.
Once this attachment has been opened, this ransomware virus will be launched automatically as you do not even notice that. The Im Sorry virus will begin the encryption procedure. When this task is finished, it will open the usual ransom instructions like above on Read me for help thanks.txt.
To sum up
Once you have done the steps shown above, your system should be clean from Im Sorry virus and other malware. Your PC system will no longer encrypt your personal files. Unfortunately, if the step by step guide does not help you, then you have caught a new variant of virus, and then the best way – ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
HijackThis download
4164 downloads
Version: 2.0.5
Author: OpenSource
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- When this tool has finished scanning, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Im Sorry virus.
