
MyAntiSpyware


Remove Newsantaclaus@aol.com Santa ransomware (Restore .santa files)

Myantispyware team December 11, 2018    

Cyber security specialists have discovered a new variant of ransomware. It appends the .[newsantaclaus@aol.com].santa extension to encrypted files. This ransomware targets computers running Microsoft Windows and spreads through spam emails and malware.


Santa ransomware – ransom note

The Newsantaclaus@aol.com Santa ransomware is a virus designed to encrypt the documents, photos and music found on an infected personal computer using a strong encryption algorithm, adding the .[newsantaclaus@aol.com].santa extension to all encrypted files. It can encrypt almost all types of files, including the following:

.accdb, .mcmeta, .svg, .lrf, .xlsx, .hkdb, .menu, .big, .3ds, .bc6, .ybk, .rb, .tor, .js, .dba, .wpa, .arch00, .der, .sidd, .sis, .png, .gho, .avi, .xyw, .sr2, .xbdoc, .wbz, .wpg, .wmv, .mddata, .wps, .p12, .z, .wpd, .zdc, .wm, .wpt, .hkx, .das, .rw2, .m2, .itm, .xmmap, .mdf, .zip, .jpg, .wav, .sie, .fpk, .zip, wallet, .cer, .icxs, .wma, .ws, .mlx, .sidn, .wri, .kdc, .kdb, .xlsm, .forge, .ods, .itl, .txt, .wp6, .0, .wgz, .xld, .kf, .zdb, .yml, .wbm, .ptx, .bsa, .webp, .d3dbsp, .ibank, .rim, .xls, .pfx, .wp7, .y, .ai, .fsh, .epk, .pptm, .xy3, .odm, .vcf, .zabw, .dbf, .ltx, .sb, .wsd, .wsh, .iwd, .bc7, .odc, .crt, .rar, .wdp, .cas, .wp4, .wbk, .cr2, .wsc, .css, .py, .pdd, .esm, .bkf, .xlsb, .bik, .jpeg, .dxg, .pak, .cfr, .wpw, .pem, .docm, .lbf, .xx, .t12, .mp4, .rofl, .wmv, .qdf, .docx, .wbd, .asset, .xbplate, .tax, .raf, .xlk, .xdl, .dwg, .crw, .zi, .wps, .vtf, .wpd, .vpp_pc, .jpe, .xmind, .lvl, .bkp, .erf, .wmf, .p7c, .hvpl, .desc, .mdbackup, .odt, .xxx, .pst, .vpk, .wb2, .litemod, .re4, .x3f, .srw, .wotreplay, .mrwref, .bay, .m4a, .ztmp, .odb, .x3d, .rwl, .blob, .syncdb, .wmo, .sql, .wma, .2bp, .rgss3a, .cdr, .dmp, .wpb, .flv, .wdb, .3fr, .eps, .srf, .7z, .xlsm, .r3d, .fos, .xyp, .bar, .wpl, .m3u, .ff, .pdf, .xls, .xwp, .x, .x3f, .pef, .pptx, .iwi, .rtf, .xar, .wmd, .xpm, .wbc, .snx, .nrw, .raw, .gdb, .p7b

When the virus encrypts a file, it adds the .[newsantaclaus@aol.com].santa extension to it. Once the ransomware has finished encrypting all documents, photos and music, it drops a file named “FILES ENCRYPTED.txt” containing a ransom note with instructions on how to decrypt the encrypted files. One variant of the ransom instructions is shown below:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: newsantaclaus@aol.com
Write this ID in the title of your message

In case of no answer in 24 hours write us to these e-mails: newsantaclaus@aol.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The ransom note tells the victim to contact the creators of Newsantaclaus@aol.com Santa in order to decrypt the files. These persons will demand a ransom (usually $300-1000 in Bitcoins). Unfortunately, there is no method for victims to decrypt files for free. In the tutorial below, I have outlined a few methods that you can use to remove Newsantaclaus@aol.com Santa ransomware from your personal computer and restore .santa files from shadow volume copies or using file recovery applications.

Table of contents

  1. How to decrypt .santa files
  2. How to remove Newsantaclaus@aol.com Santa ransomware
  3. How to restore .santa files
  4. How to protect your computer from Newsantaclaus@aol.com Santa ransomware

How to decrypt .santa files

If your documents, photos and music have been locked by the Newsantaclaus@aol.com Santa ransomware virus, we recommend that you do not pay the ransom. If this malware makes money for its authors, then your payment will only increase attacks against you.

Of course, decryption without the private key is not possible, but that does not mean that the Newsantaclaus@aol.com Santa ransomware must seriously disrupt your life. The free tools listed below are able to remove Newsantaclaus@aol.com Santa ransomware and prevent any further damage. After that you can restore encrypted files from their Shadow Copies or by using a file restore tool.

How to remove Newsantaclaus@aol.com Santa ransomware

Even if you have an up-to-date classic antivirus installed, and you’ve checked your computer for viruses and removed anything found, you need to follow the guide below. Removing the Newsantaclaus@aol.com Santa ransomware virus is not as simple as installing another antivirus. Classic antivirus programs are not made to run together and will conflict with each other, or possibly crash Microsoft Windows. Instead we recommend that you complete the steps below and use Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free programs dedicated to finding and deleting malicious software like the Newsantaclaus@aol.com Santa ransomware virus. Run these tools to ensure the virus is removed.




Automatically get rid of Newsantaclaus@aol.com Santa ransomware with Zemana Anti-malware

We suggest using Zemana Anti-malware, which can completely clean your system of the ransomware virus. The utility is an advanced malicious software removal program created by (c) Zemana lab. It can help you get rid of potentially unwanted apps, viruses, ad-supported software, malicious software, toolbars, ransomware and other security threats from your computer for free.

Now you can install and run Zemana Free to remove Newsantaclaus@aol.com Santa ransomware from your web-browser by following the steps below:

Visit the following page to download the Zemana Anti Malware setup file named Zemana.AntiMalware.Setup to your system. Save it on your Windows desktop.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Start the setup package after it has been downloaded successfully and then follow the prompts to set up this utility on your computer.

Zemana AntiMalware SetupWizard

During installation you can change certain settings, but we advise that you do not make any changes to the default settings.

When the installation is complete, this malware removal tool will automatically launch and update itself. You will see its main window as shown in the image below.

Now press the “Scan” button to perform a system scan with this utility for the Newsantaclaus@aol.com Santa ransomware virus and other security threats. While Zemana Anti-Malware (ZAM) is checking, you can see the count of objects it has identified as being malicious software.

Zemana Anti Malware search for Newsantaclaus@aol.com Santa ransomware and other security threats

Once the system scan is complete, Zemana AntiMalware (ZAM) will show a scan report. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Next” button.

Zemana Free scan is done

Zemana Anti-Malware (ZAM) will remove the Newsantaclaus@aol.com Santa ransomware virus and other kinds of potential threats such as malware and potentially unwanted software, and add the threats to the Quarantine. When finished, you may be prompted to reboot your system for the change to take effect.

How to automatically remove Newsantaclaus@aol.com Santa ransomware with MalwareBytes Anti Malware (MBAM)

Manual Newsantaclaus@aol.com Santa ransomware removal requires some computer skills. Some files and registry entries created by the ransomware may not be fully removed. We suggest that you use MalwareBytes Anti Malware (MBAM), which can completely clean your PC of this ransomware. Moreover, this free application will help you to remove malicious software, PUPs, adware and toolbars that your PC may also be infected with.

Visit the following page to download the latest version of MalwareBytes Anti Malware (MBAM) for Microsoft Windows. Save it on your Microsoft Windows desktop or in any other place.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

When the download is done, close all apps and windows on your PC. Open the directory in which you saved it. Double-click on the icon named mb3-setup as displayed in the following example.

MalwareBytes Anti Malware for Microsoft Windows icon

When the installation starts, you will see the “Setup wizard” that will help you set up Malwarebytes on your computer.

MalwareBytes Free for Windows setup wizard

Once installation is complete, you’ll see a window as displayed in the image below.

MalwareBytes Free for Windows

Now click the “Scan Now” button. The MalwareBytes Anti-Malware tool will start scanning the whole PC system to find the Newsantaclaus@aol.com Santa ransomware and other kinds of potential threats. This procedure can take quite a while, so please be patient. While the MalwareBytes Anti-Malware (MBAM) application is scanning, you can see the number of objects it has identified as threats.

MalwareBytes Anti Malware (MBAM) for Windows detect Newsantaclaus@aol.com Santa ransomware virus related files, folders and registry keys

After the scan is finished, MalwareBytes Anti Malware will display a scan report. Once you have selected what you want to remove from your system, click the “Quarantine Selected” button.

MalwareBytes Free for Microsoft Windows, scan for ransomware virus is finished

Malwarebytes will now remove the Newsantaclaus@aol.com Santa ransomware virus and other security threats. After disinfection is finished, you may be prompted to restart your machine.

MalwareBytes Anti Malware for Microsoft Windows restart dialog box

The following video explains how to remove hijackers, adware and other malicious software with MalwareBytes Anti Malware (MBAM).

Remove Newsantaclaus@aol.com Santa ransomware virus from PC system with KVRT

KVRT is a free portable program that scans your computer for adware, PUPs and ransomware viruses such as Newsantaclaus@aol.com Santa ransomware and helps remove them easily. Moreover, it will also help you delete any harmful browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) to your Microsoft Windows Desktop by clicking on the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After the download is done, double-click on the KVRT icon. Once the initialization procedure is complete, you’ll see the KVRT screen as shown in the figure below.

Kaspersky virus removal tool main window

Click Change Parameters and check all your drives. Click OK to close the Parameters window. Next click the Start scan button. The Kaspersky virus removal tool will start scanning the whole computer to find the Newsantaclaus@aol.com Santa ransomware virus and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the KVRT utility is checking, you can see the number of objects it has identified as being affected by malicious software.

Kaspersky virus removal tool scanning

When the system scan is done, KVRT will open a list of detected threats as shown in the image below.

Kaspersky virus removal tool scan report

Review the report and then click on Continue to begin a cleaning procedure.

How to restore .santa files

In some cases, you can recover files encrypted by the Newsantaclaus@aol.com Santa ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.




Restore .santa encrypted files using Shadow Explorer

A free tool called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7, Vista). You can restore .santa photos, documents and music encrypted by the Newsantaclaus@aol.com Santa ransomware virus from Shadow Copies for free.

Please go to the link below to download ShadowExplorer. Save it directly to your MS Windows Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the download is finished, extract the saved file to a folder on your machine. This will create the necessary files as displayed in the following example.

ShadowExplorer folder

Launch the ShadowExplorerPortable program. Now choose the date (2) that you wish to restore from and the drive (1) you wish to recover files (folders) from, as in the image below.

restore encrypted files with ShadowExplorer tool

In the right panel navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button as in the image below.

ShadowExplorer recover .santa files

And finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file and press the ‘OK’ button.

Use PhotoRec to restore .santa files

Before a file is encrypted, the Newsantaclaus@aol.com Santa ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore applications such as PhotoRec.

Download PhotoRec to your Microsoft Windows Desktop from the following link.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen like below.

PhotoRec for windows

Choose a drive to recover as displayed in the figure below.

photorec choose drive

You will see a list of available partitions. Choose a partition that holds encrypted personal files as displayed in the following example.

photorec choose partition

Click the File Formats button and select the file types to restore. You can enable or disable the recovery of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, click the Browse button to choose where recovered files should be written, then click Search.

photorec

The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.

When the restore is done, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents as displayed in the following example.

PhotoRec - result of recovery

All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your restored files by extension and/or date/time.
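
As an added example (not part of the original guide or of any tool it mentions), the following Python script counts the files carrying the .[newsantaclaus@aol.com].santa suffix by their original extension, lists the “FILES ENCRYPTED.txt” notes, and compares the result with what PhotoRec wrote to its recup_dir.N sub-directories. The function names and the two folder arguments are assumptions of this example.

```python
import os
import sys
from collections import Counter
from pathlib import Path

# Suffix and ransom note name exactly as described in this guide.
SUFFIX = ".[newsantaclaus@aol.com].santa"
NOTE_NAME = "FILES ENCRYPTED.txt"


def original_name(name):
    """Return the pre-encryption file name, or None if this is not a .santa file."""
    if name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX):
        return name[: -len(SUFFIX)]
    return None


def inventory_encrypted(root):
    """Walk root: count encrypted files by original extension, collect ransom notes."""
    by_ext, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is not None:
                by_ext[Path(orig).suffix.lower() or "(none)"] += 1
            elif name.lower() == NOTE_NAME.lower():
                notes.append(os.path.join(dirpath, name))
    return by_ext, sorted(notes)


def inventory_recovered(output_dir):
    """Count files by extension inside PhotoRec's recup_dir.N sub-directories."""
    by_ext = Counter()
    for sub in Path(output_dir).glob("recup_dir.*"):
        if sub.is_dir():
            for f in sub.iterdir():
                if f.is_file():
                    by_ext[f.suffix.lower() or "(none)"] += 1
    return by_ext


def coverage(encrypted, recovered):
    """Rows of (extension, encrypted count, recovered count), most affected first."""
    rows = [(ext, n, recovered.get(ext, 0)) for ext, n in encrypted.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Hypothetical usage: first argument is the folder to inspect,
    # second is the folder chosen as PhotoRec's destination.
    enc, notes = inventory_encrypted(sys.argv[1])
    rec = inventory_recovered(sys.argv[2])
    print(f"ransom notes found: {len(notes)}")
    for ext, n_enc, n_rec in coverage(enc, rec):
        print(f"{ext:10} encrypted={n_enc:6} recovered={n_rec:6}")
```

Treat the comparison as a rough guide: PhotoRec assigns its own file names and extensions and also recovers deleted files that have nothing to do with the attack.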

How to protect your computer from Newsantaclaus@aol.com Santa ransomware

Most antivirus applications already have a built-in protection system against ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install one. As extra protection, use CryptoPrevent.

Use CryptoPrevent to protect your system from Newsantaclaus@aol.com Santa ransomware

Download CryptoPrevent from the link below. Save it on your MS Windows desktop.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection, as displayed in the figure below.

CryptoPrevent

Now click the Apply button to activate the protection.

To sum up

After completing the few simple steps outlined above, your machine should be clean of Newsantaclaus@aol.com Santa ransomware and other malware. Your system will no longer encrypt your photos, documents and music. Unfortunately, if the steps do not help you, then you have caught a new variant of ransomware, and the best way forward is to ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
