This week, cyber security specialists has received reports of yet another ransomware called Audit@cock.li Risk ransomware. This ransomware spreads via spam emails and malware files and appends the .[email@example.com].risk extension to encrypted files.
The Audit@cock.li Risk ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows operating system such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This virus uses RSA-AES encryption method to eliminate the possibility of brute force a key which will allow to decrypt encrypted files. The Audit@cock.li Risk ransomware virus encrypts almost of files, including common as:
.nrw, .dwg, .xwp, .bsa, .png, .xlsm, .ppt, .xls, .zip, .3dm, .pptm, .vpk, .wpb, .rw2, .ptx, .docx, .xxx, .rb, .arw, .wbm, .ibank, .avi, .py, .xlsb, .orf, .js, .gho, .zw, .xld, .2bp, .p7c, .1, .wri, .0, .zdc, .fpk, .xlgc, .wma, .cfr, .z3d, .cdr, .webp, .esm, .apk, .srf, .ysp, .lrf, .gdb, .fos, .wps, .psk, .wbk, .wps, .x3f, .wbmp, .webdoc, .xbplate, .wpw, .dxg, .sis, .mpqge, .wmv, .erf, .xlsm, .bar, .cas, .qic, .wmo, .sb, .wsh, .xar, .wbz, .hkdb, .qdf, wallet, .wp7, .odc, .wpa, .pkpass, .zabw, .xml, .mov, .hvpl, .big, .bkp, .vtf, .cr2, .ntl, .3ds, .wire, .wp4, .wm, .xll, .z, .y, .mlx, .wdp, .lbf, .vdf, .svg, .pdf, .xf, .ybk, .pdd, .pef, .fsh, .m3u, .xy3, .m4a, .xlsx, .dba, .crt, .doc, .ff, .cer, .ods, .rgss3a, .wpe, .litemod, .rwl, .icxs, .ncf, .txt, .xlk, .pem, .wpg, .xyw, .kdb, .wmf, .asset, .mcmeta, .xmind, .yml, .vpp_pc, .mdbackup, .rim, .sr2, .pak, .layout, .p12, .srw, .wotreplay, .vcf, .mef, .blob, .dazip, .sid, .sav, .sum, .wp6, .wp5, .wav, .hkx, .pptx, .bik, .wgz, .csv, .eps, .menu, .odp, .re4, .xpm, .tor, .x, .raw, .ai, .bc7, .odm, .mrwref, .ztmp, .wmv, .mddata, .mdb, .snx, .iwd, .zi, .3fr, .accdb, .iwi, .wcf, .m2, .wbd, .pst, .vfs0, .wp, .jpg, .yal, .forge, .slm, .pfx, .odb, .p7b, .1st, .w3x, .dmp, .dng, .itm, .t13, .ws, .bkf, .7z, .sidn, .rofl, .wsc, .css, .mp4, .raf, .lvl, .d3dbsp, .sidd, .docm, .jpe
When encrypting a file it will append the .[firstname.lastname@example.org].risk extension to every encrypted file name to identify that the file has been encrypted. For example, a file called
sample.doc would be encrypted and renamed to
sample.doc.id-USERID.[email@example.com].risk. Once the procedure is complete, it will create a file named ‘FILES ENCRYPTED.txt’ with ransom demanding message. It includes instructions on how to purchase a private key to decrypt all personal files. An example of the ransom instructions is:
all your data has been locked us You want to return? write email firstname.lastname@example.org
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com Write this ID in the title of your message USERID In case of no answer in 24 hours write us to these e-mails: firstname.lastname@example.org You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price. hxxps://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Unfortunately, there is no way for victim’s to decrypt files for free. In the guidance below, I have outlined few methods that you can use to remove Audit@cock.li Risk ransomware virus from your computer and restore .[email@example.com].risk files from a shadow volume copies or using file recover software.
Table of contents
- How to decrypt .[firstname.lastname@example.org].risk files
- How to remove Audit@cock.li Risk ransomware virus
- How to restore .[email@example.com] files
- How to protect your PC from Audit@cock.li Risk ransomware
How to decrypt .[firstname.lastname@example.org].risk files
The ransom note encourages victim to contact the Risk ransomware’s makers via the Audit@cock.li email in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the authors of the Audit@cock.li Risk ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. Especially since you have a chance to restore .risk files for free using utilities like the ShadowExplorer and PhotoRec.
How to remove Audit@cock.li Risk ransomware virus
In order to delete Audit@cock.li Risk ransomware from your personal computer, you need to stop all ransomware processes and delete its associated files including Windows registry entries. If any virus components are left on the PC, the ransomware can reinstall itself the next time the computer boots up. Usually ransomware viruses uses random name consist of characters and numbers that makes a manual removal procedure very difficult. We recommend you to run a free ransomware removal tools which will help delete Audit@cock.li Risk ransomware virus from your computer. Below you can found a few popular malware removers that detects various ransomware.
How to automatically remove Audit@cock.li Risk ransomware with Zemana Anti-malware
You can get rid of Audit@cock.li Risk ransomware automatically with a help of Zemana Anti-malware. We recommend this malicious software removal utility because it may easily get rid of ransomwares, PUPs, ad supported software and toolbars with all their components such as folders, files and registry entries.
- Visit the following page to download Zemana Anti-Malware (ZAM). Save it on your MS Windows desktop or in any other place.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- When the download is complete, close all applications and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once setup is finished, click the “Scan” button to perform a system scan with this utility for the Audit@cock.li Risk ransomware and other malware and PUPs. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. When a malware, ad-supported software or potentially unwanted programs are detected, the number of the security threats will change accordingly.
- Once Zemana Anti Malware has completed scanning, the results are displayed in the scan report. Review the scan results and then press “Next”. When the task is complete, you may be prompted to restart your computer.
Use MalwareBytes Anti Malware to remove Audit@cock.li Risk ransomware
We recommend using the MalwareBytes Anti-Malware which are completely clean your system of the virus. This free tool is an advanced malicious software removal application created by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It is able to help you remove ransomware, potentially unwanted applications, malware, adware, toolbars, and other security threats from your machine for free.
MalwareBytes AntiMalware (MBAM) can be downloaded from the following link. Save it on your Windows desktop or in any other place.
Category: Security tools
Update: July 25, 2019
When the download is complete, close all programs and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup as shown below.
When the install begins, you will see the “Setup wizard” that will help you install Malwarebytes on your machine.
Once setup is finished, you will see window as displayed below.
Now click the “Scan Now” button . MalwareBytes Free utility will start scanning the whole PC to find out the Audit@cock.li Risk ransomware virus and other kinds of potential threats like malicious software and PUPs. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour.
When the system scan is finished, you can check all threats found on your computer. When you are ready, click “Quarantine Selected” button.
The Malwarebytes will now get rid of Audit@cock.li Risk ransomware virus and other kinds of potential threats like malware and PUPs. Once that process is complete, you may be prompted to reboot your system.
The following video explains step-by-step instructions on how to get rid of hijacker, adware and other malicious software with MalwareBytes Free.
If the problem with Audit@cock.li Risk ransomware is still remained
KVRT is a free portable program that scans your personal computer for various malware and ransomware viruses like the Audit@cock.li Risk ransomware and allows delete them easily. Moreover, it’ll also allow you delete any malicious web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is done, double-click on the KVRT icon. Once initialization procedure is done, you’ll see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to scan for Audit@cock.li Risk ransomware and other malware. This procedure can take some time, so please be patient.
After finished, Kaspersky virus removal tool will show a screen which contains a list of malware that has been detected as shown below.
Review the scan results and then click on Continue to begin a cleaning procedure.
How to restore .[email@example.com].risk files
In some cases, you can recover files encrypted by Audit@cock.li Risk ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Restore .[firstname.lastname@example.org].risk encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Visit the following page to download ShadowExplorer. Save it directly to your Windows Desktop.
Category: Security tools
Update: September 15, 2019
When the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.
Double click ShadowExplorerPortable to start it. You will see the a window as shown in the figure below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed below.
Run PhotoRec to recover .[email@example.com].risk files
Before a file is encrypted, the Audit@cock.li Risk ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software like PhotoRec.
Download PhotoRec by clicking on the following link.
Category: Security tools
Update: March 1, 2018
After the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as shown on the screen below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the image below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from Audit@cock.li Risk ransomware
Most antivirus programs already have built-in protection system against the virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your PC from Audit@cock.li Risk ransomware
Download CryptoPrevent from the following link.
Run it and follow the setup wizard. Once the installation is done, you’ll be shown a window where you can select a level of protection, as shown below.
Now click the Apply button to activate the protection.
To sum up
Now your machine should be clean of the Audit@cock.li Risk ransomware virus. Uninstall MalwareBytes Free and KVRT. We recommend that you keep Zemana (to periodically scan your PC for new malicious software). Make sure that you have all the Critical Updates recommended for Microsoft Windows OS. Without regular updates you WILL NOT be protected when new ransomware virus, malicious applications and ad-supported software are released.
If you are still having problems while trying to remove Audit@cock.li Risk ransomware from your personal computer, then ask for help here.