Computer security researchers have discovered a new variant of the BTCWare ransomware, named the Wyvern ransomware virus. It appends the .wyvern extension to the names of encrypted files. This post covers everything you need to know about this ransomware: how to remove the Wyvern virus from your computer and how to restore encrypted documents, photos and music for free.
The Wyvern ransomware virus uses an RSA-2048 key together with AES 256-bit encryption. When the virus encrypts a file, it appends the .[decryptorx@cock.li]-id-[id].wyvern extension to the file name. Once it has finished enciphering all documents, photos and music, it drops a file called “HELP.hta” with instructions on how to decrypt the files.
The ransom note tells the victim to contact Wyvern’s makers (decryptorx@cock.li) in order to decrypt the files. They will demand a ransom (usually $300-1000 in Bitcoin). We don’t recommend paying, as there is no guarantee that you will be able to decrypt your documents, photos and music, especially since you have a chance to recover them for free using utilities such as ShadowExplorer and PhotoRec.
It is therefore very important to follow the simple steps below as quickly as possible. The step-by-step guidance will allow you to remove the Wyvern ransomware virus and to recover photos, documents and music encrypted by the decryptorx@cock.li virus for free.
Table of contents
- What is Wyvern ransomware virus
- How to decrypt .wyvern files
- How to remove Wyvern ransomware
- Restoring files encrypted by Wyvern ransomware virus
- How to prevent your personal computer from becoming infected by Wyvern virus?
- To sum up
What is Wyvern ransomware virus
Wyvern ransomware belongs to the crypto-virus class (malicious software that encrypts personal files and demands a ransom) and is part of the BTCWare family. It affects all current versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. The ransomware uses a hybrid AES + RSA encryption scheme, which rules out brute-forcing the key needed to decrypt the encrypted files.
When the ransomware infects a machine, it stores its own files in system directories. To run automatically whenever the computer is turned on, Wyvern creates entries under the Windows registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files to encrypt. It uses the file name extension to select the group of files that will be subjected to encryption. Almost all file types are encrypted, including common ones such as:
.wallet, .asset, .wpl, .arch00, .erf, .dwg, .ntl, .zi, .hplg, .ai, .ptx, .mpqge, .xbdoc, .accdb, .wpe, .rtf, .rar, .zabw, .xlsx, .wpd, .itl, .xyw, .jpeg, .m3u, .wps, .xf, .indd, .cfr, .wpt, .upk, .wm, .wbm, .xdl, .sr2, .wp5, .bsa, .bar, .crt, .xpm, .odm, .bkf, .ff, .crw, .vcf, .docm, .xlsm, .xlgc, .dba, .wn, .re4, .zip, .dazip, .wdp, .mcmeta, .vtf, .css, .pem, .hkx, .iwd, .mrwref, .m4a, .pptx, .x, .lrf, .ncf, .ybk, .der, .zdb, .srf, .py, .ws, .x3f, .wma, .mdbackup, .3fr, .tor, .pak, .fos, .wp6, .wbd, .wbk, .xlsm, .itdb, .wsh, .fpk, .eps, .ztmp, .xar, .wp7, .wire, .mef, .xml, .x3d, .webdoc, .lbf, .fsh, .xmind, .rb, .wmd, .wma, .txt, .zw, .odc, .qdf, .cer, .sb, .bc7, .xld, .cr2, .dbf, .wbc, .yal, .t12, .hvpl, .vfs0, .wdb, .doc, .p7c, .map, .litemod, .rim, .csv, .wsd, .arw, .xx, .7z, .desc, .vpk, .jpe, .mddata, .gho, .wpb, .sidd, .wotreplay, .xwp, .avi, .sidn, .wbz, .zip, .srw, .3ds, .x3f, .hkdb, .mlx, .yml, .z, .webp, .xxx, .vdf, .sum, .wri, .xdb, .psd, .apk, .tax, .blob, .wmv, .layout, .flv, .wpa, .lvl, .pkpass, .icxs, .wcf, .das, .xyp, .xlk, .ppt, .ods, .dxg, .xlsx, .sql, .sav, .forge, .mdb, .psk, .wmv, .itm, .pst, .iwi, .dcr, .wsc, .slm, .dng, .ibank, .menu, .0, .orf, .snx, .odt, .gdb, .r3d, .xy3, .1st, .sis, .rgss3a, .odp, .png, .ysp, .mov, .wp4, .zif, .mp4, .big, .js, .wmo, .ltx, .cdr, .t13, .raf, .pdf, .zdc, .rwl, .xmmap, .jpg, .odb, .y, .db0, .rw2, .cas, .xll, .z3d, .bik, .wpw, .wps, .svg, .wot, .dmp, .xbplate, .wgz, .kdc, .bc6, .raw, .bkp, .pptm, .nrw, .kdb, .wpd, .qic, .d3dbsp, .p7b, .pdd, .mdf, .wb2, .epk, .bay, .xlsb, .sid, .wmf, .esm, .syncdb
Once a file is encrypted, its extension is replaced with .wyvern. The ransomware then creates a file named “HELP.hta”, which contains instructions on how to decrypt the encrypted photos, documents and music. An example of these instructions is:
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptorx@cock.li You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. hxxps://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The Wyvern ransomware actively uses scare tactics: it gives the victim a brief description of the encryption algorithm and shows the ransom instructions on the desktop. It tries to pressure the user of the infected computer into paying the ransom without hesitation, in an attempt to restore their photos, documents and music.
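As an added triage aid that is not part of the original post, the following Python script recognises the file-name pattern described above (`<original name>.[decryptorx@cock.li]-id-<id>.wyvern`), recovers each file's original name and extension, collects the victim ID embedded in the names and locates dropped HELP.hta notes. The sample paths and the victim ID A1B2C3 are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Name pattern the post describes: <original name>.[decryptorx@cock.li]-id-<id>.wyvern
WYVERN_RE = re.compile(
    r"^(?P<orig>.+)\.\[decryptorx@cock\.li\]-id-(?P<vid>[^.\]]+)\.wyvern$",
    re.IGNORECASE,
)
RANSOM_NOTE = "help.hta"  # the note the ransomware drops after encrypting


def parse_wyvern_name(name):
    """Return (original_name, victim_id) if `name` is a Wyvern-encrypted file name, else None."""
    m = WYVERN_RE.match(name)
    if m is None:
        return None
    return m.group("orig"), m.group("vid")


def triage(paths):
    """Summarise a list of file paths: which files are encrypted, what their original
    extensions were, which victim IDs appear, and where ransom notes were dropped."""
    report = {"encrypted": [], "by_ext": Counter(), "ids": set(), "notes": []}
    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower() == RANSOM_NOTE:
            report["notes"].append(p)
            continue
        parsed = parse_wyvern_name(name)
        if parsed is None:
            continue  # untouched file (or a name pattern this script does not know)
        orig, vid = parsed
        report["encrypted"].append((p, orig))
        report["by_ext"][PureWindowsPath(orig).suffix.lower() or "(none)"] += 1
        report["ids"].add(vid)
    return report


# Constructed sample listing (not real victim data); the victim ID A1B2C3 is made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.[decryptorx@cock.li]-id-A1B2C3.wyvern",
    r"C:\Users\alice\Pictures\holiday.jpg.[decryptorx@cock.li]-id-A1B2C3.wyvern",
    r"C:\Users\alice\Documents\HELP.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"D:\Shares\report.docx.[decryptorx@cock.li]-id-A1B2C3.wyvern",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print(f"{len(r['encrypted'])} encrypted files, victim id(s): {sorted(r['ids'])}")
    print("original extensions:", dict(r["by_ext"]))
    print("ransom notes:", r["notes"])
```

On a real machine, feed `triage()` the output of a recursive directory walk; more than one victim ID in the result usually means files from several infected hosts have been copied together.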
How to decrypt .wyvern files
Currently there is no available method to decrypt .wyvern files, but you have a chance to restore files encrypted by the decryptorx@cock.li virus for free. The virus repeatedly tells the victim that it uses an RSA-2048 key (AES 256-bit encryption), which means that decrypting the files without the private key is impossible. Brute-forcing is not a solution either, because of the length of the key. Therefore, unfortunately, paying the makers of the Wyvern ransomware the full amount requested is the only way to try to obtain the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay the ransom to the creators of the Wyvern ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.
How to remove Wyvern ransomware
The following instructions will allow you to get rid of the Wyvern virus and other malicious software. Before doing so, be aware that removing the ransomware may make it impossible to decrypt the files by paying the ransom to its creators. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect various types of active viruses and easily delete them from your system, but they cannot recover encrypted files.
How to remove Wyvern with Zemana Anti-malware
We suggest using Zemana Anti-malware. You can download and install it to detect and delete Wyvern ransomware from your system. Once installed and updated, the malware remover will automatically scan for and detect all threats present on the computer.
- Please go to the following link to download Zemana Anti Malware (ZAM). Save it on your Desktop.
Zemana AntiMalware
- On the download page, click the Download button. Your web browser will open the “Save as” dialog box. Save the file to your Windows desktop.
- Once the download is done, close all programs and open windows on your computer. Next, launch the file named Zemana.AntiMalware.Setup.
- This opens the Zemana “Setup wizard”. Follow the prompts and don’t change the default settings.
- When the Setup wizard has finished installing, Zemana will launch and show its main window.
- Next, click the “Scan” button. Zemana Free will scan the whole system for files, folders and registry keys related to the Wyvern ransomware. While Zemana is checking, you can see the number of objects it has identified as malicious software.
- When the system scan is finished, Zemana will display a list of detected threats.
- Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, uncheck it. Otherwise, simply click the “Next” button. The utility will begin to remove the Wyvern ransomware and other security threats. When the process is complete, you may be prompted to restart the computer.
- Close Zemana and continue with the next step.
Use Malwarebytes to remove Wyvern
You can get rid of Wyvern ransomware automatically with the help of Malwarebytes Free. We recommend this free malware removal utility because it can easily remove viruses, ‘ad supported’ software, PUPs and toolbars with all their components, such as files, folders and registry entries.
- Visit the page linked below to download MalwareBytes. Save it directly to your Windows Desktop.
Malwarebytes Anti-malware
- When the download is complete, close all applications and windows on your system. Open the directory in which you saved it and double-click the icon named mb3-setup.
- Next, click the Next button and follow the prompts.
- Once installation is finished, click the “Scan Now” button to perform a system scan for the Wyvern ransomware and other security threats. This can take quite a while, so please be patient. While MalwareBytes Free is checking, you can see how many objects it has identified as threats.
- When finished, MalwareBytes Anti-Malware (MBAM) will produce a list of unwanted and ad-supported programs. To remove all items, simply click “Quarantine Selected”. Once the task is done, you may be prompted to restart your PC.
If the problem with Wyvern still remains
KVRT is a free removal utility that can check your computer for a wide range of security threats, such as the Wyvern ransomware, adware, PUPs and other malware. It performs a deep scan of your machine, including hard drives and the Windows registry. When malware is detected, it lets you delete all found threats from your computer with a single click.
Download Kaspersky Virus Removal Tool (KVRT) to your computer from the following link.
After the download is done, double-click the KVRT icon. Once initialization is complete, you will see the Kaspersky Virus Removal Tool screen as shown in the figure below.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next, press the Start scan button to scan the system for the Wyvern ransomware and other malicious software. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While KVRT is scanning, you can see the count of objects it has identified as threats.
When KVRT has finished scanning your computer, it will show the results as displayed in the figure below.
Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, uncheck it. Otherwise, simply click Continue to start the cleaning procedure.
Restoring files encrypted by Wyvern ransomware virus
In some cases you can restore files encrypted by Wyvern ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Use shadow copies to recover .wyvern files
If automated backup (System Restore) is enabled, you can use it to restore encrypted files to their previous versions.
Download ShadowExplorer to your computer from the link below.
After the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the image below.
Double-click ShadowExplorerPortable to run it. You will see a window like the one shown below.
In the top left corner, choose the drive where the encrypted files are stored and the latest restore point, as shown in the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export, as shown in the figure below.
Restore .wyvern files with PhotoRec
Before a file is encrypted, the Wyvern ransomware makes a copy of it, encrypts the copy and then deletes the original. This can allow you to recover your personal files with file recovery applications such as PhotoRec.
Download PhotoRec by clicking the following link. Save it to your Desktop.
After the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the image below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen like the following example.
Select a drive to recover, as shown below.
You will see a list of available partitions. Select the partition that holds the encrypted photos, documents and music, as shown in the figure below.
Press the File Formats button and select the file types to restore. You can enable or disable the recovery of particular file types. When this is done, click the OK button.
Next, press the Browse button to choose where the restored photos, documents and music should be written, then press Search.
The count of recovered files is updated in real time. All restored files are written to the folder you chose in the previous step. You can access the files even before the recovery process has finished.
When the recovery is complete, press the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those shown in the figure below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to prevent your personal computer from becoming infected by Wyvern virus?
Most antivirus applications already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your system from Wyvern ransomware virus
Download CryptoPrevent by clicking the following link. Save it to your Desktop so that you can access the file easily.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once setup is done, you will see a window where you can select a protection level, as in the image below.
Now click the Apply button to activate the protection.
To sum up
Your system should now be clean of the Wyvern ransomware. Uninstall Malwarebytes and KVRT. We suggest keeping Zemana Anti-malware to periodically scan your PC for new viruses and other malware. Moreover, to prevent infection, stay clear of unknown and third-party programs, and make sure that the option in your antivirus program to block or search for ransomware is turned on.
If you need more help with Wyvern ransomware related issues, go to our Spyware/Malware removal forum.
After I realized something was wrong, I reinstalled Windows. After I had access to my system I saw that every file on every drive was encrypted. Will any of the above methods work on a freshly installed Windows? If not, is there a link that will help?
You can try to restore your files by using PhotoRec (if you did not reformat the drive when you reinstalled Windows).