Experienced security researchers discovered a new variant of ransomware which named .shadow ransomware virus. It appends the .shadow extension to encrypted file names. This article will provide you a brief summary of information related to this new virus and how to recover all encrypted personal files for free.
The .shadow ransomware uses a hybrid encryption mode. The virus will encrypt almost all types of files, including common as:
.vfs0, .bik, .xls, .sb, .sr2, .docm, .iwi, .epk, .d3dbsp, .fsh, .ztmp, .t13, .m2, .layout, .xdb, .xpm, .wpd, .wsd, .ybk, .lbf, .cdr, .xld, .zif, .wmo, .wpg, .wri, .mdbackup, .xls, .der, .xwp, .wpt, .ptx, .hkx, .dcr, .rb, .orf, .sie, .zdc, .pptx, .cr2, .xdl, .lrf, .mdb, .srf, .xlsx, .dbf, .xx, .litemod, .rw2, .sql, .odb, .vdf, .odp, .asset, .dwg, .das, .itm, .yal, .bkf, .wbmp, .qic, .wb2, .itdb, .7z, .tor, .hplg, .pst, .blob, .ods, .2bp, .accdb, .xar, .xlsm, .crt, .gdb, .rgss3a, .bsa, .wbz, .y, .mdf, .xll, .raf, .ai, .r3d, .dba, .xmmap, .docx, .odm, .wpb, .eps, .zabw, .p7c, .x3f, .wotreplay, .xxx, .z3d, .mp4, .wbd, .ysp, .png, .xlsm, .syncdb, .rim, .webp, .iwd, .wbm, .py, .forge, .3fr, .3dm, .sis, .css, .wdp, .vpp_pc, .pak, .bkp, .x3d, .wdb, .psd, .wbk, .rwl, .ppt, .re4, .rtf, wallet, .arw, .wn, .odt, .wire, .esm, .tax, .xf, .gho, .pfx, .doc, .hkdb, .raw, .wps, .snx, .wps, .3ds, .xlk, .slm, .wpa, .sidd, .1, .mlx, .0, .erf, .map, .sid, .m3u, .dazip, .wbc, .xbplate, .wsc, .kf, .pem, .ltx, .upk, .p12, .sav, .wmd, .srw, .wpd, .kdc, .vtf, .wgz, .crw, .jpeg, .xyw, .xml, .m4a, .ibank, .nrw, .wp4, .zi, .wmf, .icxs, .pdd, .ntl, .jpg, .xy3, .xlsb, .js, .bar, .wp5, .pptm, .pkpass, .lvl, .xyp, .zdb, .wmv, .x, .rofl, .wpe, .csv, .cfr, .wp6, .mrwref, .wmv, .cer, .qdf, .desc, .ff, .ws, .wp7, .svg, .avi, .xlsx, .apk, .wpl, .x3f, .p7b, .dmp, .bay, .wsh, .1st, .flv, .rar, .wpw, .cas, .arch00, .mddata, .z, .zip, .pdf, .dxg, .wot
When encrypting a file it will append the .shadow extension to each encrypted file name to identify that the file has been encrypted. For example, a file named
sample.doc would be encrypted and renamed to
Once the process is done, it will create a file called ‘!readme.txt’ with ransom demanding message. It includes instructions on how to purchase a private key to decrypt all documents, photos and music. You can see an one of the variants of the ransom note below:
ALL YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
We recommend you to remove .shadow ransomware virus sooner, until the presence of the ransomware virus has not led to even worse consequences. You need to follow the few simple steps below that will allow you to completely remove .shadow ransomware virus from your machine as well as restore encrypted documents, photos and music, using only few free tools.
Table of contents
- How to decrypt .shadow files
- How to remove .shadow ransomware
- How to restore .shadow files
- How to protect your PC from .shadow ransomware
How to decrypt .shadow files
The ransom instructions encourages victim to contact ransomware’s developers via
firstname.lastname@example.org in order to decrypt .shadow files. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
With some variants of this ransomware virus, it is possible to use Windows Shadow Copies or file recover utilities to recover documents, photos and music that have been encrypted by .shadow ransomware virus. You can use the free utilities listed below in the blog post.
How to remove .shadow ransomware
Most commonly it is not possible to remove the .shadow ransomware virus manually. For that reason, our team developed several removal ways which we have summarized in a detailed tutorial below. Therefore, if you’ve the .shadow ransomware virus on your machine and are currently trying to have it deleted then feel free to follow the guide below in order to resolve your problem. Some of the steps will require you to restart your PC or exit this web-page. So, read this tutorial carefully, then bookmark or print it for later reference.
Run Zemana Anti-malware to delete .shadow ransomware
We recommend you to use the Zemana Anti-malware that are completely clean your computer of this ransomware virus. Moreover, the utility will help you to get rid of PUPs, malicious software, toolbars and ad-supported software that your machine may be infected too.
- Zemana can be downloaded from the following link. Save it directly to your MS Windows Desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your internet browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- When the downloading process is finished, please close all applications and open windows on your personal computer. Next, run a file named Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana Free onto your personal computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana will run and display the main window.
- Further, press the “Scan” button for checking your personal computer for the .shadow ransomware and other security threats. This procedure may take some time, so please be patient. During the scan Zemana will search for threats exist on your machine.
- After Zemana Free has completed scanning, Zemana will show you the results.
- Review the scan results and then press the “Next” button. The utility will remove .shadow ransomware virus and other security threats and move threats to the program’s quarantine. After that process is finished, you may be prompted to reboot the system.
- Close the Zemana Anti Malware and continue with the next step.
How to remove .shadow ransomware with MalwareBytes Anti Malware
If you’re having issues with the .shadow ransomware removal, then download MalwareBytes Anti Malware. It is free for home use, and detects and deletes various undesired apps that attacks your computer or degrades personal computer performance. MalwareBytes AntiMalware (MBAM) can remove adware, PUPs as well as malware, including ransomware and trojans.
Installing the MalwareBytes Anti-Malware is simple. First you will need to download MalwareBytes Anti-Malware on your PC system by clicking on the link below.
Category: Security tools
Update: April 15, 2020
After the downloading process is complete, close all windows on your system. Further, open the file named mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will display the “Setup wizard” that will help you setup MalwareBytes Free on the PC system. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, press Finish button. Then MalwareBytes will automatically run and you may see its main window as shown in the figure below.
Next, press the “Scan Now” button to perform a system scan with this utility for the .shadow ransomware virus related files, folders and registry keys. This procedure can take some time, so please be patient. While the utility is scanning, you can see how many objects and files has already scanned.
Once the scan is done, the results are displayed in the scan report. Once you’ve selected what you wish to delete from your computer click “Quarantine Selected” button.
The MalwareBytes Free will get rid of .shadow ransomware and other kinds of potential threats such as malware and potentially unwanted applications. Once that process is complete, you may be prompted to reboot your PC system. We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes to remove hijacker infections, ad-supported software and other malware.
Scan your computer and remove .shadow ransomware with KVRT
KVRT is a free removal utility which can scan your computer for a wide range of security threats such as the .shadow ransomware virus, ad supported software, PUPs as well as other malicious software. It will perform a deep scan of your computer including hard drives and MS Windows registry. When a malware is found, it will help you to delete all found threats from your system with a simple click.
Download Kaspersky virus removal tool (KVRT) on your personal computer by clicking on the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen as displayed in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT program will scan through the whole computer for the .shadow ransomware virus and other trojans and malicious software. This procedure may take some time, so please be patient. When a threat is detected, the number of the security threats will change accordingly. Wait until the the checking is complete.
Once KVRT has finished scanning, Kaspersky virus removal tool will display you the results as on the image below.
Next, you need to click on Continue to start a cleaning task.
How to restore .shadow files
In some cases, you can recover files encrypted by .shadow ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Run ShadowExplorer to recover .shadow files
In order to recover .shadow personal files encrypted by the .shadow ransomware from Shadow Volume Copies you can run a utility called ShadowExplorer. We suggest to use this way as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
Visit the following page to download the latest version of ShadowExplorer for Windows. Save it directly to your Microsoft Windows Desktop.
Category: Security tools
Update: September 15, 2019
After the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as displayed in the following example.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as shown on the screen below.
Use PhotoRec to recover .shadow files
Before a file is encrypted, the .shadow ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recover applications such as PhotoRec.
Download PhotoRec on your Windows Desktop by clicking on the link below.
Category: Security tools
Update: March 1, 2018
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen like below.
Choose a drive to recover as displayed below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown in the figure below.
Click File Formats button and choose file types to recover. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, press Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as shown in the figure below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .shadow ransomware
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Use CryptoPrevent to protect your PC from .shadow ransomware
Download CryptoPrevent by clicking on the link below. Save it to your Desktop so that you can access the file easily.
Run it and follow the setup wizard. Once the install is finished, you’ll be displayed a window where you can choose a level of protection, as displayed on the screen below.
Now click the Apply button to activate the protection.
Now your computer should be clean of the .shadow ransomware. Delete MalwareBytes and KVRT. We recommend that you keep Zemana Free (to periodically scan your PC system for new malware). Make sure that you have all the Critical Updates recommended for MS Windows OS. Without regular updates you WILL NOT be protected when new virus, harmful apps and ad-supported software are released.
If you are still having problems while trying to get rid of .shadow ransomware from your PC system, then ask for help here.