Computer security professionals have discovered a new variant of the CryptoMix ransomware called X1881. It appends the .x1881 extension to encrypted file names. This post gives a brief summary of what is known about this new ransomware and explains how to recover (decrypt) encrypted photos, documents and music for free.
Once started, the X1881 ransomware scans the system for certain file types and encrypts them. When it encrypts a file, it changes the file name and then adds the .x1881 extension so the file can be identified as encrypted. For example, a file named sample.doc would be encrypted and renamed to something like A0BD8167C9B1D90A3FC108DCA0B1CD90.x1881.
The ransom note encourages the victim to contact X1881's authors at the following email addresses:
- x1881@tuta.io
- x1883@yandex.com
- x1881@protonmail.com
- x1884@yandex.com
These people will demand a ransom (usually $300-1000 in Bitcoin). We do not recommend paying, as there is no guarantee that you will be able to decrypt your files, especially since you have a chance to recover your documents, photos and music with free tools such as ShadowExplorer and PhotoRec.
Therefore it is important to follow the guidance below as soon as possible. A few simple steps will let you remove the X1881 virus, and the steps below will also help you recover encrypted documents, photos and music for free.
Table of contents
- What is X1881 ransomware virus
- How to decrypt .x1881 files
- How to remove X1881 ransomware
- How to restore .x1881 files
- How to prevent your PC from becoming infected by X1881 ransomware virus?
What is X1881 ransomware virus
X1881 is a variant of the CryptoMix ransomware (malware that encrypts personal files and demands a ransom). It affects all current versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. The ransomware uses a 2048-bit RSA key (with AES 256-bit encryption) to rule out brute-forcing the key that would be needed to decrypt the encrypted documents, photos and music.
When the ransomware infects a computer, it stores its own files in system directories. To run automatically whenever you turn on your PC, X1881 creates a registry entry in Windows under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
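The two autostart keys named above are the first place to look for a persistence entry. The PowerShell below is an added example, not code from the original post or from any of the tools it recommends: it lists every value under the HKCU Run and RunOnce keys and flags commands that launch from user-writable locations (AppData, Temp, ProgramData, Users\Public), which is the usual pattern for a dropped malware binary and is an assumption of this example, not a statement about where X1881 stores itself. The function name Get-AutostartEntries is invented for the example.

```powershell
# Added example (not from the original post): review the HKCU Run / RunOnce
# autostart values the post names. Built-in cmdlets only; no elevation needed
# for HKCU. The "Suspicious" heuristic (user-writable launch paths) is an
# assumption of this example, not an indicator published for X1881.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches to every result.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $command = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $command
                # Launch paths under profile/temp/shared folders deserve a closer look.
                Suspicious = $command -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
            }
        }
    }
}

Get-AutostartEntries -Keys $autostartKeys | Format-Table -AutoSize
```

The same function accepts HKLM paths as well (pass them in the array, run the shell as Administrator). Record anything flagged before a cleanup tool removes it, since the command line is evidence of where the dropped file lives and what else it may have touched.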
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to define the group of files to encrypt. It encrypts almost all file types, including common ones such as:
.wpa, .xyw, .sb, .wmd, .wsh, .srf, .bik, .menu, .mrwref, .upk, .pdd, .big, .indd, .m3u, .t12, .rofl, .pst, .map, .mov, .arch00, .wps, .z3d, .zip, .dazip, .1st, .wot, .webdoc, .jpg, .rim, .dcr, .erf, .zi, .wpd, .mef, .cr2, .mpqge, .wp4, .txt, .das, .kdc, .eps, .zif, .0, .p7c, .wcf, .ztmp, .d3dbsp, .wma, .hplg, .bay, .csv, .bc7, .qic, .apk, .cdr, .png, .vtf, .zip, .wsc, .wpl, .asset, .litemod, .cfr, .wps, .xwp, .avi, .zdb, .hkx, .m4a, .rgss3a, .wgz, .mcmeta, .dwg, .vfs0, .sum, .wbz, .ltx, .crt, .lbf, .xls, .accdb, .docx, .srw, .xxx, .sis, .xlsx, .1, .db0, .xar, .zabw, .wmv, .wav, .mddata, .odb, .fsh, .vcf, .vdf, .ysp, .3fr, .ws, .snx, .wp, .w3x, .wpg, .flv, .lvl, .zw, .orf, .jpeg, .mp4, .js, .wri, .ibank, .wbd, .wbk, .mdf, .x3f, .itm, .sid, .sie, .vpk, .wpw, .dxg, .wmo, .syncdb, .raw, .xbdoc, .x3d, .jpe, .layout, .xpm, .sav, .arw, .der, .bkf, .xbplate, .sql, .desc, .z, .webp, .bkp, .cer, .sidd, .m2, .rar, .itl, .psd, .wdb, .xmind, .x3f, .3ds, .xdl, .forge, .bsa, .wmv, .kdb, .pkpass, .re4, .wpt, .svg, .wpd, .lrf, .raf, .wsd, .icxs, .xy3, .ppt, .yal, .odt, .7z, .xml, .rb, .wp7, .wbmp, .mdb, .pfx, .pef, .psk, .doc, .hkdb, .crw, .t13, .ods, .py, .qdf, .tax, .esm, .fos, .rtf, .odc, .pak, .cas, .y, .iwi, .wbc, .ncf
Once a file is encrypted, its extension is replaced with .x1881. The ransomware then creates a file called "_HELP_INSTRUCTION.TXT", which contains instructions on how to decrypt the files. An example of the instructions:
Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
x1881@tuta.io
x1883@yandex.com
x1881@protonmail.com
x1884@yandex.com
Please send email to all email addresses! We will help You as soon as possible!
DECRYPT-ID-{user-id} number
The X1881 virus relies on scare tactics: it gives the victim a brief description of the encryption algorithm and displays a ransom note on the desktop. The aim is to pressure the user of the infected system into paying the ransom without hesitation in the hope of recovering the encrypted personal files.
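Before cleanup, it is worth knowing how much was encrypted and when, because the timestamps on the renamed files bound the incident and the DECRYPT-ID in the notes is the victim identifier you would quote if you ask for help. The script below is an added example, not code from the original post: it uses the two artifacts the post describes (files renamed to a 32-hex-character name with the .x1881 extension, and _HELP_INSTRUCTION.TXT notes) to inventory a drive. The function name Get-X1881Inventory and the $Root parameter are this example's own choices.

```powershell
# Added example (not from the original post): inventory a drive for the
# artifacts the post describes. $Root is an assumption; point it at the drive
# or share you want to survey. Read-only: nothing is modified or deleted.
function Get-X1881Inventory {
    param([string]$Root = 'C:\')

    # Encrypted files: 32 hex characters (as in the post's example) plus .x1881.
    $encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter '*.x1881' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[0-9A-Fa-f]{32}$' }

    # Ransom notes dropped alongside the encrypted files.
    $notes = Get-ChildItem -Path $Root -Recurse -File -Filter '_HELP_INSTRUCTION.TXT' -ErrorAction SilentlyContinue

    # Pull the DECRYPT-ID value out of each note (the note's last line carries it).
    $ids = foreach ($n in $notes) {
        Select-String -Path $n.FullName -Pattern 'DECRYPT-ID-(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
    }

    $byTime = $encrypted | Sort-Object LastWriteTime
    [pscustomobject]@{
        EncryptedFiles  = $encrypted.Count
        EncryptedBytes  = ($encrypted | Measure-Object -Property Length -Sum).Sum
        FoldersAffected = ($encrypted | Select-Object -ExpandProperty DirectoryName -Unique).Count
        RansomNotes     = $notes.Count
        DecryptIds      = @($ids | Select-Object -Unique)
        # Earliest/latest write times bound the window in which encryption ran.
        FirstEncrypted  = ($byTime | Select-Object -First 1).LastWriteTime
        LastEncrypted   = ($byTime | Select-Object -Last 1).LastWriteTime
    }
}

Get-X1881Inventory -Root 'C:\' | Format-List
```

Run it once per drive (including mapped network drives, which the post says are also scanned) and keep the output with the HijackThis log; the first/last timestamps tell you which shadow copies or backups predate the encryption.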
How to decrypt .x1881 files
Currently there is no way to decrypt .x1881 files, but you do have a chance to restore encrypted photos, documents and music for free. The ransomware repeatedly tells the victim that it uses a strong encryption algorithm with a 2048-bit key. This means that decrypting the files is impossible without the private key, and brute-forcing is not an option because of the key length. Unfortunately, that leaves paying the X1881 developers the full amount requested as the only way to try to obtain the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay the ransom the creators of X1881 will provide the key needed to decrypt your files. You must also understand that by paying the cyber criminals you encourage them to create new ransomware.
How to remove X1881 ransomware
The following instructions will help you get rid of the X1881 ransomware and other malware. Before you start, be aware that removing the ransomware may make it impossible to decrypt files by paying the ransom its creators demand. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect different types of active ransomware and remove it from your computer, but they cannot recover encrypted personal files.
Use Zemana Anti-malware to remove ransomware
Zemana Anti-malware is a utility that removes ransomware, adware, PUPs, browser hijackers and other malicious software from your PC easily and for free. It is compatible with most antivirus software, works on Windows (XP through 10, 32 and 64 bit) and uses minimal system resources.
Download Zemana Anti-Malware (ZAM) from the following link and save it to your Desktop so that you can find the file easily.
When the download is complete, close all windows on your machine, then open the installer named Zemana.AntiMalware.Setup. If the "User Account Control" dialog box appears as shown below, press "Yes".
The Setup wizard will guide you through installing Zemana AntiMalware. Follow the prompts and do not change the default settings.
Once installation is complete, Zemana Anti Malware starts automatically and shows its main window as in the figure below.
Next, click the "Scan" button. Zemana will scan the whole computer for the X1881 ransomware and other threats such as malware and PUPs. Depending on your system, the scan can take anywhere from a few minutes to close to an hour.
When the scan is complete, Zemana shows a list of unwanted and adware programs. Review the results; if you think an entry should not be quarantined, uncheck it. Otherwise, simply click the "Next" button.
Zemana will then remove the files, folders and registry keys related to the X1881 virus. Once the task is done, you may be prompted to restart your computer.
Scan and clean your computer of ransomware virus with Malwarebytes
We suggest using Malwarebytes Free to completely clean your PC of the virus. This free tool is an advanced malware removal application created by Malwarebytes. It uses the world's most popular anti-malware technology and can remove ransomware, PUPs, malicious software, ad-supported software, toolbars and other security threats from your computer for free.
Go to the following link to download the latest version of MalwareBytes Free for Microsoft Windows and save it on your desktop.
Once the download is finished, run it and follow the prompts. After installation, MalwareBytes will try to update itself; when that is done, click the "Scan Now" button to scan the system for the X1881 virus and other malicious software and potentially unwanted applications. This may take some time, so please be patient. As malicious software, ad-supported software or potentially unwanted software is found, the count of security threats updates accordingly. Next, click the "Quarantine Selected" button.
MalwareBytes is a free program that removes all detected folders, files, services, registry entries and so on. To learn more about this tool, read and follow the instructions or the video guide below.
If the problem with X1881 ransomware still remains
If MalwareBytes or Zemana cannot delete this virus, we suggest using KVRT. KVRT is a free removal utility for ransomware, adware, PUPs and toolbars.
Download Kaspersky Virus Removal Tool (KVRT) from the following link and save it to your Desktop.
Once the download is complete, double-click the KVRT icon. When initialization is complete, you will see the KVRT screen shown below.
Click Change Parameters and tick all your drives. Press OK to close the Parameters window. Next press the Start scan button to start scanning your computer for the X1881 ransomware. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While KVRT is scanning, you can see how many objects it has identified as threats.
Once the scan is done, a list of all items found is shown, as in the following example.
Next, click Continue to start the cleaning procedure.
How to restore .x1881 files
In some cases you can recover files encrypted by the X1881 virus. Try both methods below. Note that we cannot guarantee that you will be able to restore all encrypted files.
Restore .x1881 files with ShadowExplorer
In some cases you have a chance to restore files encrypted by the X1881 virus using a tool called ShadowExplorer, a free application created to retrieve 'shadow copies' of files.
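ShadowExplorer can only show what the Volume Shadow Copy service still holds, so it saves time to check first whether any snapshots exist for the drive with the encrypted files. The PowerShell below is an added example, not code from the original post or from ShadowExplorer: it lists the snapshots through the Win32_ShadowCopy CIM class and maps each one to its drive letter. The function name Get-ShadowCopySummary is this example's own; run it from a PowerShell window opened as Administrator, since listing shadow copies requires elevation.

```powershell
# Added example (not from the original post): list existing shadow copies per
# drive so you know whether ShadowExplorer has anything to export. Requires an
# elevated session. Read-only.
function Get-ShadowCopySummary {
    # Volumes with a drive letter; DeviceID is the \\?\Volume{...}\ name that
    # Win32_ShadowCopy reports in VolumeName.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $shadow = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $shadow.VolumeName } | Select-Object -First 1
        [pscustomobject]@{
            Drive        = if ($vol) { $vol.DriveLetter } else { $shadow.VolumeName }
            Created      = $shadow.InstallDate
            ShadowId     = $shadow.ID
            DeviceObject = $shadow.DeviceObject
        }
    } | Sort-Object Drive, Created
}

$copies = Get-ShadowCopySummary
if (-not $copies) {
    Write-Warning 'No shadow copies found; ShadowExplorer will have nothing to restore from.'
} else {
    $copies | Format-Table -AutoSize
}
```

Compare the Created column against the time the files were encrypted: only a snapshot taken before that point contains the unencrypted versions, and that is the restore point to pick in ShadowExplorer's drop-down.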
Download ShadowExplorer on your PC system by clicking on the link below.
Once the download is finished, open the folder where you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts, then open the ShadowExplorerPortable folder as shown below.
Double-click ShadowExplorerPortable to run it. You will see a window like the one below.
In the top left corner, select the drive where the encrypted files are stored and the latest restore point, as shown below (1 – drive, 2 – restore point).
In the right panel, find a file you want to recover, right-click it and select Export, as shown below.
Recover .x1881 files with PhotoRec
Before encrypting a file, the X1881 ransomware makes a copy of it, encrypts the copy, and then deletes the original. This means the original may still be recoverable with file recovery software such as PhotoRec.
Download PhotoRec from the link below.
Once the download is done, open the folder where you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts, then open the testdisk-7.0 folder as shown in the figure below.
Double-click qphotorec_win to run PhotoRec for Windows. It displays a screen like the following.
Select the drive to recover from, as below.
You will see a list of available partitions. Choose the partition that holds the encrypted documents, photos and music, as below.
Click the File Formats button and specify the file types to restore; you can enable or disable recovery of particular file types. When done, press OK.
Next, click the Browse button to select where the recovered documents, photos and music should be written, then press Search.
The count of recovered files is updated in real time. All restored files are written to the folder you selected in the previous step, and you can access them even before the recovery process has finished.
When the recovery is finished, click the Quit button, then open the directory where the recovered files are stored. You will see contents like those shown below.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to prevent your PC from becoming infected by X1881 ransomware virus?
Most antivirus programs already have built-in protection against this kind of threat, so if your computer does not have an antivirus application, install one. For extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your personal computer from X1881 ransomware
Download CryptoPrevent by clicking on the following link. Save it on your Desktop.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once setup is finished, a window appears where you can select the level of protection, as in the image below.
Now press the Apply button to activate the protection.
Final words
Once you have completed the instructions above, your computer should be clean of the X1881 ransomware and other malware, and the ransomware will no longer encrypt your files. If these few simple steps do not help, you have probably caught a new variant of the virus, and the best option is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click the HijackThis icon, then click the "Do a system scan only" button.
- When the scan is complete, the scan button changes to "Save log"; click it and save the log to your desktop.
- Create a Myantispyware account here. Once you have registered, check your e-mail for a confirmation link and confirm your account, then log in.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, start a new thread with the "New Topic" button in the Spyware Removal forum. When posting your HJT log, give us some details about your problem so we can help you more accurately.
- Wait for a member of our trained "Security Team" or a Site Administrator to provide assistance tailored to your problem with the X1881 virus.