Computer security experts have discovered a new variant of the Crysis/Dharma ransomware, called the Arena virus. It appends the [firstname.lastname@example.org].arena extension to encrypted file names. This article gives a brief summary of this new ransomware infection and explains how to decrypt or recover all encrypted documents, photos and music for free.
Table of contents
- What is Arena ransomware
- How to decrypt .[email@example.com].arena files
- How to remove Arena ransomware virus
- Restoring files encrypted with Arena ransomware virus
- How to prevent your PC from becoming infected by Arena ransomware virus?
- To sum up
Once installed, the Arena virus will scan the PC for some file types and encrypt them. When encrypting a file it will add the .[firstname.lastname@example.org].arena extension to every encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.[your-id][email@example.com].arena.
The ransom note encourages the victim to contact Arena’s authors by sending an email to firstname.lastname@example.org in order to decrypt all photos, documents and music. The attackers then demand a ransom (usually $300-1000 in Bitcoins). We don’t recommend paying the ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to restore .arena files for free using free utilities such as ShadowExplorer and PhotoRec.
We suggest that you remove the Arena ransomware virus as quickly as possible, before its presence leads to even worse consequences. Follow the few simple steps below to completely remove the Arena virus from your PC and to recover encrypted files, using only a few free utilities.
What is Arena ransomware virus
The Arena virus is a crypto virus (malware that encrypts personal files and demands a ransom) from the Crysis/Dharma family. It affects all current versions of the Microsoft Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses an RSA key (with the AES encryption method), which rules out brute forcing the key needed to decrypt the encrypted personal files.
When the Arena ransomware virus infects a PC, it stores its own files in system directories. To run automatically whenever you turn on your PC, it creates entries in the following Windows registry sections: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
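The following added example, which is not from the original article, lists the values under the two HKCU sections named above and flags those whose target program lies under the Windows directory, since the article says the ransomware keeps its files in system directories. The C:\Windows root, the sample values and all function names are assumptions made for illustration; a flagged entry is a candidate for manual review, not a confirmed infection.

```python
import ntpath
import re

try:
    import winreg  # standard library, available on Windows only
except ImportError:
    winreg = None

RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",      # the two HKCU sections
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")  # named in the article
_TARGET = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|hta))(?=\s|$)|(\S+))', re.I)

def target_of(command, system_root=r"C:\Windows"):
    """Extract the program path from an autostart command line."""
    # Assumption: only %windir% / %SystemRoot% need expanding; other variables are left as-is.
    command = re.sub(r"%(?:systemroot|windir)%", lambda _m: system_root, command, flags=re.I)
    m = _TARGET.match(command)
    return next(g for g in m.groups() if g) if m else ""

def in_system_dir(path, system_root=r"C:\Windows"):
    """True when path lies inside the Windows directory tree (case-insensitive)."""
    root = ntpath.normcase(ntpath.normpath(system_root))
    return ntpath.normcase(ntpath.normpath(path)).startswith(root + "\\")

def read_hkcu_autostart():
    """Read every value under the HKCU Run and RunOnce keys (Windows only)."""
    entries = []
    for key_path in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path)
        except OSError:
            continue  # key does not exist for this user
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _type = winreg.EnumValue(key, i)
                entries.append((key_path, name, str(value)))
    return entries

def review(entries, system_root=r"C:\Windows"):
    """Return (key, name, target) for entries that start a file in a system directory."""
    found = ((k, n, target_of(c, system_root)) for k, n, c in entries)
    return [e for e in found if in_system_dir(e[2], system_root)]

SAMPLE = [  # constructed values, used when not running on Windows
    (RUN_KEYS[0], "OneDrive", r'"C:\Users\bob\AppData\Local\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "updater", r"%windir%\System32\updater_example.exe"),
    (RUN_KEYS[1], "tray", r"C:\Program Files\Example App\tray.exe /min")]

if __name__ == "__main__":
    for key, name, exe in review(read_hkcu_autostart() if winreg else SAMPLE):
        print(f"REVIEW {key} :: {name} -> {exe}")
```

Legitimate Windows components also start from the Windows directory, so compare each flagged target against a known-good machine or check its digital signature before deleting anything.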
Immediately after launch, the ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to decide which files to encrypt. It encrypts almost all types of files, including common ones such as:
.0, .png, .bsa, .sid, .xlk, .dba, .wpw, .pkpass, .fpk, .re4, .wbm, .map, .xlsb, .zw, .cer, .wotreplay, .wsd, .qdf, .zi, .zdc, .hkdb, .bar, .ztmp, .wdb, .menu, .wp, .der, .erf, .wot, .raf, .lvl, .t12, .xlsx, .dng, .dcr, .z3d, .z, .wps, .hvpl, .txt, .xyp, .webp, .syncdb, .epk, .wbc, .eps, .xpm, .kdc, .gdb, .mdf, .3fr, .mdb, .xxx, .avi, .bay, .2bp, .rw2, .rar, .3ds, .xlsm, .wgz, .xls, .dbf, .crt, .ybk, .xdl, .r3d, .mcmeta, .wri, .slm, .jpeg, .jpg, .m2, .vdf, .xmmap, .itm, .3dm, .xf, .wsh, .gho, .p7c, .svg, .wmv, .vfs0, .wpd, .p7b, .7z, .flv, .csv, .mef, .xdb, .wdp, .yml, .xmind, .wsc, .ppt, .wpd, .cfr, .zip, .xx, .bc7, .hkx, .rtf, .pptm, .iwd, .wmf, .raw, .fos, .ods, .itl, .mdbackup, .wcf, .doc, .sr2, .vtf, .cdr, .wmo, .mddata, .ff, .xll, wallet, .xml, .das, .wps, .orf, .psk, .xar, .xy3, .tor, .pptx, .wm, .zabw, .nrw, .odb, .wpb, .ncf, .ysp, .rwl, .d3dbsp, .sav, .m4a, .wma, .bkp, .bik, .lrf, .sidd, .zdb, .pfx, .bkf, .icxs, .x3f, .dmp, .litemod, .xlgc, .wpa, .srf, .mlx, .dxg, .mp4, .yal, .py, .sidn, .wp7, .bc6, .mov, .layout, .asset, .sql, .1st, .wp5, .w3x, .xls, .psd, .dazip, .webdoc, .wpe, .xlsx, .snx, .xbplate, .p12, .wpl, .kf, .wbk, .xlsm, .itdb, .wma, .lbf, .pak, .indd, .cas, .t13, .dwg, .wmv, .x, .iwi, .hplg, .crw, .pdf, .ai, .sis, .apk, .zip, .blob, .srw, .mrwref, .qic, .accdb, .sie, .js, .css, .ptx, .odt, .odm, .pst, .x3f, .wbd, .fsh, .ibank, .vpp_pc, .db0, .pem, .big, .kdb, .wav, .xld, .wp6, .1, .y, .wbz, .vcf, .upk, .rgss3a, .docx, .pdd
Once a file is encrypted, its extension is changed to .[email@example.com].arena. Next, the ransomware creates a file called “info.hta”. This file contains instructions on how to decrypt all encrypted files. An example of the instructions is:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails:email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The Arena ransomware infection actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It tries to pressure the user of the infected system into paying the ransom without hesitation, in an attempt to recover their documents, photos and music.
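The renaming scheme and the info.hta note described above can be used to measure the damage before any recovery attempt. This added example (not part of the original article) walks a folder tree, recovers each original file name, counts the affected file types and reports originals that still exist unencrypted; the name pattern follows the article's sample.doc example, and the placeholder ids, sample files and function names are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Name layout described in the article: <original name>.[id][contact].arena
# Assumption: one or more bracketed groups may precede the final ".arena".
ARENA_NAME = re.compile(r"^(?P<orig>.+?)\.(?:\[[^\]]*\])+\.arena$", re.IGNORECASE)

def original_name(filename):
    """Return the pre-encryption name, or None if the name does not match."""
    m = ARENA_NAME.match(filename)
    return m.group("orig") if m else None

def inventory(root):
    """Walk root and collect encrypted files, ransom notes and affected types."""
    report = {"encrypted": [], "notes": [], "by_ext": Counter(), "plaintext_present": []}
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == "info.hta":  # ransom note named in the article
                report["notes"].append(path)
                continue
            orig = original_name(name)
            if orig is None:
                continue
            report["encrypted"].append((path, orig))
            report["by_ext"][os.path.splitext(orig)[1].lower() or "(none)"] += 1
            if orig.lower() in present:  # an unencrypted copy sits beside it
                report["plaintext_present"].append(os.path.join(folder, orig))
    return report

def build_sample_tree(root):
    """Create a small constructed directory tree to demonstrate the inventory."""
    names = ["docs/sample.doc.[ID-PLACEHOLDER][contact-placeholder].arena",
             "docs/budget.xlsx.[contact-placeholder].arena",
             "docs/budget.xlsx", "docs/info.hta", "pics/untouched.png",
             "pics/holiday.JPG.[ID-PLACEHOLDER][contact-placeholder].ARENA"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = inventory(tmp)
        print(len(r["encrypted"]), "encrypted;", dict(r["by_ext"]), "; notes:", r["notes"])
```

The per-extension counts show which file formats to enable in PhotoRec, and the script only reads directory listings, so it does not modify the encrypted files.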
How to decrypt .[firstname.lastname@example.org].arena files
Currently there is no available way to decrypt .arena files, but you have a chance to restore encrypted photos, documents and music for free. The ransomware virus repeatedly tells the victim that it uses a hybrid AES + RSA encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing is not an option either because of the length of the key. Therefore, unfortunately, paying the developers of the Arena ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the creators of the Arena virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create a new virus.
How to remove Arena ransomware virus
Before you start restoring the documents, photos and music that have been encrypted, make sure the Arena ransomware infection is not running. First, you need to remove this ransomware permanently. Luckily, there are several malicious software removal tools that will effectively scan for and remove the Arena ransomware virus and other crypto virus malware from your PC.
Run Zemana Anti-malware to remove Arena virus
You can get rid of the Arena ransomware virus automatically with the help of Zemana Anti-malware. We suggest this malicious software removal tool because it can easily get rid of ransomware, potentially unwanted applications, ad supported software and toolbars with all their components such as folders, files and registry entries.
- Download Zemana antimalware (ZAM) by clicking on the link below and save it directly to your Windows Desktop.
- Once the downloading process is complete, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once the install is finished, press the “Scan” button. This will begin scanning the whole personal computer for the Arena ransomware virus and other malicious software. This process can take quite a while, so please be patient. While the tool is checking, you can see how many objects it has identified as being malware.
- After it completes the scan, you will be shown the list of all detected threats on your machine. To remove all items, simply press “Next”. Once disinfection is done, you may be prompted to restart your personal computer.
Run Malwarebytes to remove Arena ransomware
You can remove the Arena ransomware automatically with the help of Malwarebytes Free. We suggest this free malware removal tool because it can easily remove ransomware, ad supported software, potentially unwanted software and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes by clicking on the link below. Save it on your Windows desktop.
After downloading is finished, close all applications and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown in the following example.
When the installation begins, you will see the “Setup wizard” which will help you install Malwarebytes on your computer.
Once installation is finished, you will see a window as displayed in the following example.
Now click the “Scan Now” button. This will start scanning the whole system for the Arena ransomware infection and other trojans and malicious programs. While the utility is checking, you can see how many objects and files have already been scanned.
Once the check is complete, it will show a screen that contains a list of the malicious software that has been found. Review the report and then click the “Quarantine Selected” button.
Malwarebytes will begin removing Arena virus related files, folders and registry keys. Once disinfection is finished, you may be prompted to restart your computer.
The following video explains step by step instructions on how to delete ransomware infection and other malicious software with Malwarebytes Anti-malware.
Double-check for Arena ransomware virus with KVRT
If Malwarebytes anti-malware or Zemana anti-malware cannot delete this virus, then we recommend using KVRT. KVRT is a free removal tool for viruses, adware, potentially unwanted programs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the following link and save it to your Desktop.
When downloading is finished, double-click on the KVRT icon. Once the initialization process is done, you’ll see the Kaspersky virus removal tool screen as displayed in the following example.
Click Change Parameters and tick the checkbox next to each of your drives. Press OK to close the Parameters window. Next, press the Start scan button to begin scanning your PC for the Arena virus and other malicious software. During the scan it’ll detect all threats present on your system.
When it completes the scan, the results are displayed in the scan report like below.
Next, you need to click on Continue to start a cleaning process.
Restoring files encrypted by Arena ransomware
In some cases, you can restore files encrypted by the Arena ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Use shadow copies to recover .arena files
In some cases, you have a chance to restore your photos, documents and music which were encrypted by the Arena virus. This is possible with a tool named ShadowExplorer. It is a free program that was developed to obtain ‘shadow copies’ of files.
Download ShadowExplorer on your MS Windows Desktop by clicking on the link below.
When downloading is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed on the screen below.
Double-click ShadowExplorerPortable to run it. You will see a window like the one below.
In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as shown below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export as displayed below.
Restore .[email@example.com].arena files with PhotoRec
Before a file is encrypted, the Arena virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file recovery applications such as PhotoRec.
Download PhotoRec from the link below. Save it on your Windows desktop or in any other place.
When the downloading process is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as shown in the figure below.
Select a drive to recover as shown in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed on the screen below.
Press the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, press Browse button to choose where recovered documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All restored documents, photos and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is complete, press the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those below.
All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.
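Sorting the recup_dir folders by extension and date, as suggested above, can be scripted. This added example (not part of the original article or of PhotoRec) copies the recovered files into one folder per extension, lists them newest first and renames on a name collision; the function names and the sample files are constructed for illustration.

```python
import os
import re
import shutil
import tempfile

RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder names

def recovered_files(recovery_root):
    """Yield files inside recup_dir.N folders, in numeric folder order."""
    dirs = sorted((int(m.group(1)), d) for d in os.listdir(recovery_root)
                  if (m := RECUP_DIR.match(d))
                  and os.path.isdir(os.path.join(recovery_root, d)))
    for _n, d in dirs:
        for name in sorted(os.listdir(os.path.join(recovery_root, d))):
            path = os.path.join(recovery_root, d, name)
            if os.path.isfile(path):
                yield path

def sort_by_extension(recovery_root, dest):
    """Copy recovered files into dest/<ext>/ and return {ext: [paths, newest first]}."""
    result = {}
    for src in recovered_files(recovery_root):
        base, suffix = os.path.splitext(os.path.basename(src))
        ext = suffix.lower().lstrip(".") or "no_extension"
        os.makedirs(os.path.join(dest, ext), exist_ok=True)
        target, n = os.path.join(dest, ext, base + suffix), 1
        while os.path.exists(target):  # same name recovered in another recup_dir
            target = os.path.join(dest, ext, f"{base}_{n}{suffix}")
            n += 1
        shutil.copy2(src, target)  # copy2 keeps the modification time
        result.setdefault(ext, []).append(target)
    for paths in result.values():
        paths.sort(key=os.path.getmtime, reverse=True)
    return result

def build_sample_recovery(root):
    """Constructed PhotoRec-style output used to demonstrate the sorter."""
    layout = {"recup_dir.1": ["f0001.jpg", "f0002.doc"], "recup_dir.2": ["f0001.jpg"],
              "recup_dir.10": ["f0100.JPG", "report.xml"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(folder.encode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        build_sample_recovery(src)
        for ext, paths in sorted(sort_by_extension(src, dst).items()):
            print(ext, [os.path.basename(p) for p in paths])
```

Point the destination at a different drive from the one being recovered, so that the copies do not overwrite deleted data that PhotoRec has not yet read.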
How to prevent your machine from becoming infected by Arena ransomware?
Most antivirus applications already have a built-in protection system against ransomware infection. Therefore, if your PC does not have an antivirus application, make sure you install one. As extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your personal computer from Arena ransomware
Download CryptoPrevent on your machine from the following link.
Run it and follow the setup wizard. Once the installation is done, you’ll be shown a window where you can select a level of protection, as displayed below.
Now click the Apply button to activate the protection.
To sum up
Once you have finished the step-by-step guidance shown above, your computer should be clean of the Arena ransomware virus and other malware. Your personal computer will no longer encrypt your files. Unfortunately, if the instructions do not help you, then you have caught a new variant of the virus, and the best option is to ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next press “Do a system scan only” button.
- When that process is finished, the scan button will read “Save log”, press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Arena ransomware virus.