This week, cyber security specialists has received reports of yet another ransomware called [email protected] Risk ransomware. This ransomware spreads via spam emails and malware files and appends the .[[email protected]].risk extension to encrypted files.
“Audit.cock.li Risk ransomware” – ransomnote
The [email protected] Risk ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows operating system such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This virus uses RSA-AES encryption method to eliminate the possibility of brute force a key which will allow to decrypt encrypted files. The [email protected] Risk ransomware virus encrypts almost of files, including common as:
.nrw, .dwg, .xwp, .bsa, .png, .xlsm, .ppt, .xls, .zip, .3dm, .pptm, .vpk, .wpb, .rw2, .ptx, .docx, .xxx, .rb, .arw, .wbm, .ibank, .avi, .py, .xlsb, .orf, .js, .gho, .zw, .xld, .2bp, .p7c, .1, .wri, .0, .zdc, .fpk, .xlgc, .wma, .cfr, .z3d, .cdr, .webp, .esm, .apk, .srf, .ysp, .lrf, .gdb, .fos, .wps, .psk, .wbk, .wps, .x3f, .wbmp, .webdoc, .xbplate, .wpw, .dxg, .sis, .mpqge, .wmv, .erf, .xlsm, .bar, .cas, .qic, .wmo, .sb, .wsh, .xar, .wbz, .hkdb, .qdf, wallet, .wp7, .odc, .wpa, .pkpass, .zabw, .xml, .mov, .hvpl, .big, .bkp, .vtf, .cr2, .ntl, .3ds, .wire, .wp4, .wm, .xll, .z, .y, .mlx, .wdp, .lbf, .vdf, .svg, .pdf, .xf, .ybk, .pdd, .pef, .fsh, .m3u, .xy3, .m4a, .xlsx, .dba, .crt, .doc, .ff, .cer, .ods, .rgss3a, .wpe, .litemod, .rwl, .icxs, .ncf, .txt, .xlk, .pem, .wpg, .xyw, .kdb, .wmf, .asset, .mcmeta, .xmind, .yml, .vpp_pc, .mdbackup, .rim, .sr2, .pak, .layout, .p12, .srw, .wotreplay, .vcf, .mef, .blob, .dazip, .sid, .sav, .sum, .wp6, .wp5, .wav, .hkx, .pptx, .bik, .wgz, .csv, .eps, .menu, .odp, .re4, .xpm, .tor, .x, .raw, .ai, .bc7, .odm, .mrwref, .ztmp, .wmv, .mddata, .mdb, .snx, .iwd, .zi, .3fr, .accdb, .iwi, .wcf, .m2, .wbd, .pst, .vfs0, .wp, .jpg, .yal, .forge, .slm, .pfx, .odb, .p7b, .1st, .w3x, .dmp, .dng, .itm, .t13, .ws, .bkf, .7z, .sidn, .rofl, .wsc, .css, .mp4, .raf, .lvl, .d3dbsp, .sidd, .docm, .jpe
When encrypting a file it will append the .[[email protected]].risk extension to every encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.id-USERID.[[email protected]].risk. Once the procedure is complete, it will create a file named ‘FILES ENCRYPTED.txt’ with ransom demanding message. It includes instructions on how to purchase a private key to decrypt all personal files. An example of the ransom instructions is:
all your data has been locked us You want to return? write email [email protected]
or
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message USERID
In case of no answer in 24 hours write us to these e-mails: [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Unfortunately, there is no way for victim’s to decrypt files for free. In the guidance below, I have outlined few methods that you can use to remove [email protected] Risk ransomware virus from your computer and restore .[[email protected]].risk files from a shadow volume copies or using file recover software.
Table of contents
- How to decrypt .[[email protected]].risk files
- How to remove [email protected] Risk ransomware virus
- How to restore .[[email protected]] files
- How to protect your PC from [email protected] Risk ransomware
How to decrypt .[[email protected]].risk files
The ransom note encourages victim to contact the Risk ransomware’s makers via the [email protected] email in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the authors of the [email protected] Risk ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. Especially since you have a chance to restore .risk files for free using utilities like the ShadowExplorer and PhotoRec.
How to remove [email protected] Risk ransomware virus
In order to delete [email protected] Risk ransomware from your personal computer, you need to stop all ransomware processes and delete its associated files including Windows registry entries. If any virus components are left on the PC, the ransomware can reinstall itself the next time the computer boots up. Usually ransomware viruses uses random name consist of characters and numbers that makes a manual removal procedure very difficult. We recommend you to run a free ransomware removal tools which will help delete [email protected] Risk ransomware virus from your computer. Below you can found a few popular malware removers that detects various ransomware.
How to automatically remove [email protected] Risk ransomware with Zemana Anti-malware
You can get rid of [email protected] Risk ransomware automatically with a help of Zemana Anti-malware. We recommend this malicious software removal utility because it may easily get rid of ransomwares, PUPs, ad supported software and toolbars with all their components such as folders, files and registry entries.
- Visit the following page to download Zemana Anti-Malware (ZAM). Save it on your MS Windows desktop or in any other place.
Zemana AntiMalware
165741 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- When the download is complete, close all applications and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once setup is finished, click the “Scan” button to perform a system scan with this utility for the [email protected] Risk ransomware and other malware and PUPs. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. When a malware, ad-supported software or potentially unwanted programs are detected, the number of the security threats will change accordingly.
- Once Zemana Anti Malware has completed scanning, the results are displayed in the scan report. Review the scan results and then press “Next”. When the task is complete, you may be prompted to restart your computer.
Use MalwareBytes Anti Malware to remove [email protected] Risk ransomware
We recommend using the MalwareBytes Anti-Malware which are completely clean your system of the virus. This free tool is an advanced malicious software removal application created by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It is able to help you remove ransomware, potentially unwanted applications, malware, adware, toolbars, and other security threats from your machine for free.
MalwareBytes AntiMalware (MBAM) can be downloaded from the following link. Save it on your Windows desktop or in any other place.
328051 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is complete, close all programs and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup as shown below.
When the install begins, you will see the “Setup wizard” that will help you install Malwarebytes on your machine.
Once setup is finished, you will see window as displayed below.
Now click the “Scan Now” button . MalwareBytes Free utility will start scanning the whole PC to find out the [email protected] Risk ransomware virus and other kinds of potential threats like malicious software and PUPs. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour.
When the system scan is finished, you can check all threats found on your computer. When you are ready, click “Quarantine Selected” button.
The Malwarebytes will now get rid of [email protected] Risk ransomware virus and other kinds of potential threats like malware and PUPs. Once that process is complete, you may be prompted to reboot your system.
The following video explains step-by-step instructions on how to get rid of hijacker, adware and other malicious software with MalwareBytes Free.
If the problem with [email protected] Risk ransomware is still remained
KVRT is a free portable program that scans your personal computer for various malware and ransomware viruses like the [email protected] Risk ransomware and allows delete them easily. Moreover, it’ll also allow you delete any malicious web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the link below.
129572 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is done, double-click on the KVRT icon. Once initialization procedure is done, you’ll see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to scan for [email protected] Risk ransomware and other malware. This procedure can take some time, so please be patient.
After finished, Kaspersky virus removal tool will show a screen which contains a list of malware that has been detected as shown below.
Review the scan results and then click on Continue to begin a cleaning procedure.
How to restore .[[email protected]].risk files
In some cases, you can recover files encrypted by [email protected] Risk ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Restore .[[email protected]].risk encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Visit the following page to download ShadowExplorer. Save it directly to your Windows Desktop.
440334 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.
Double click ShadowExplorerPortable to start it. You will see the a window as shown in the figure below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed below.
Run PhotoRec to recover .[[email protected]].risk files
Before a file is encrypted, the [email protected] Risk ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software like PhotoRec.
Download PhotoRec by clicking on the following link.
After the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as shown on the screen below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the image below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from [email protected] Risk ransomware
Most antivirus programs already have built-in protection system against the virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your PC from [email protected] Risk ransomware
Download CryptoPrevent from the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is done, you’ll be shown a window where you can select a level of protection, as shown below.
Now click the Apply button to activate the protection.
To sum up
Now your machine should be clean of the [email protected] Risk ransomware virus. Uninstall MalwareBytes Free and KVRT. We recommend that you keep Zemana (to periodically scan your PC for new malicious software). Make sure that you have all the Critical Updates recommended for Microsoft Windows OS. Without regular updates you WILL NOT be protected when new ransomware virus, malicious applications and ad-supported software are released.
If you are still having problems while trying to remove [email protected] Risk ransomware from your personal computer, then ask for help here.
