This week, computer security specialists has received reports of yet another ransomware called “.Best ransomware“. This ransomware spreads via spam emails and malware files and appends the .best file extension to encrypted files.
The .Best Ransomware is a malicious software that created in order to encrypt files. It hijack a whole computer or its data and demand a ransom in order to unlock (decrypt) them. The creators of the .Best ransomware have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:
.zdb, .vfs0, .esm, .eps, .rgss3a, .srf, .xlsm, .kdb, .3fr, .sql, .db0, .xlsx, .0, .wmd, .sum, .arch00, .wpa, .z, .wpd, .ai, .wgz, .cas, .crt, .mrwref, .t13, .dmp, .jpg, .avi, .xlsb, .sr2, .wp5, .mov, .vdf, .cer, .wps, .bar, .hkdb, .zip, .wmo, .wma, .odc, .xf, .flv, .wp, .cfr, .ws, .ysp, .ybk, .pdf, .xpm, .xdb, .dwg, .arw, .dxg, .sidn, .zabw, .mpqge, .vpp_pc, .doc, .cdr, .odb, .yal, .3dm, .1st, .xbdoc, .docm, .wbm, .pdd, .sie, .wbmp, .forge, .xy3, .orf, .iwi, .ztmp, .wpt, .csv, .epk, .itm, .itl, .svg, .wps, .rar, .rtf, .bkp, .wdp, .rw2, .pem, .wsc, .indd, .y, .snx, .gho, .pptm, .z3d, .tor, .wpw, .py, .upk, .r3d, .psd, .raw, .rim, .asset, .sidd, .sb, .wb2, .webp, .ppt, .bay, .wire, .wot, .xls, .kdc, .desc, .sis, .xlgc, .pef, .rofl, .w3x, .t12, .wn, .ptx, .big, .wp7, .wpg, .wbc, .jpeg, .pkpass, .7z, .mcmeta, .wmf, .vtf, .slm, .mddata, .xbplate, .vpk, .dng, .bsa, .ltx, .syncdb, .xar, .docx, .p7c, .xlsx, .crw, .xml, .iwd, .menu, .wsh, .rwl, .accdb, .d3dbsp, .hplg, .lvl, .css, .xyp, .wpl, .x3f, .map, .pfx, .fsh, .xxx, .raf, .mdbackup, .xmmap, .wmv, .kf, .das, .dazip, .dcr, .xlk, .xld, .qdf, .zip, .icxs, .xls, .mdb, .yml, .hvpl, .odp, .wbk, .m4a, .wma, .fos, .odt, .wp6, .wav, .xwp, .odm, .ff, .p7b, .dba, .wp4, .txt, .layout, .wpe, .sid, .x3f, .zi, .mdf, .sav, .ncf, .wcf, .gdb, .nrw
Once a file is encrypted, its extension replaced to “.id-USERID.[bestdecoding@cock.li].best”. Next, the ransomware virus creates a file named ‘FILES ENCRYPTED.txt’. This file contain an information on how to decrypt all encrypted documents, photos and music. An example of the ransomnote is:
all your data has been locked us
You want to return?
write email bestdecoding@cock.li or best@decoding.biz
Therefore it is very important to follow the step-by-step tutorial below sooner. The tutorial will allow you to remove .Best ransomware virus. What is more, the few simple steps below will allow you restore encrypted documents, photos and music for free.
Table of contents
- How to remove .Best ransomware
- How to decrypt .best files
- How to restore .best files
- How to protect your system from .Best ransomware
How to remove .Best ransomware
Even if you have the up-to-date classic antivirus installed, and you’ve checked your computer for ransomware viruses and removed anything found, you need to do the guidance below. The .Best ransomware removal is not simple as installing another antivirus. Classic antivirus programs are not made to run together and will conflict with each other, or possibly crash Microsoft Windows. Instead we recommend complete the steps below an run Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free programs dedicated to search for and remove malware like the .Best ransomware virus. Run these utilities to ensure the virus is removed.
Use Zemana Anti-malware to remove .Best ransomware
We suggest you to run the Zemana Anti-malware that are completely clean your computer of this virus. Moreover, the utility will allow you to delete potentially unwanted programs, malware, toolbars and ad-supported software that your system may be infected too.
Visit the following page to download Zemana Free. Save it on your Windows desktop.
164117 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is finished, launch it and follow the prompts. Once installed, the Zemana AntiMalware (ZAM) will try to update itself and when this procedure is finished, click the “Scan” button to begin scanning your machine for the .Best Ransomware virus related files, folders and registry keys.
This procedure can take some time, so please be patient. During the scan Zemana Anti-Malware (ZAM) will scan for threats present on your machine. You may get rid of items (move to Quarantine) by simply click “Next” button.
The Zemana Free will delete .Best ransomware virus and other malicious software and move threats to the program’s quarantine.
Use MalwareBytes Free to delete .Best ransomware
If you’re having issues with the .Best Ransomware virus removal, then download MalwareBytes. It is free for home use, and detects and removes various undesired programs that attacks your system or degrades PC performance. MalwareBytes AntiMalware can get rid of adware, PUPs as well as malware, including ransomware and trojans.
- MalwareBytes can be downloaded from the following link. Save it on your Desktop.
Malwarebytes Anti-malware
326469 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- Once the downloading process is complete, close all apps and windows on your personal computer. Open a file location. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once install is finished, press the “Scan Now” button to perform a system scan with this tool for the .Best Ransomware virus and other kinds of potential threats like malware and PUPs. While the MalwareBytes Anti-Malware application is checking, you may see how many objects it has identified as threat.
- Once the system scan is finished, the results are displayed in the scan report. Make sure all threats have ‘checkmark’ and click “Quarantine Selected”. When disinfection is complete, you can be prompted to restart your PC system.
The following video offers a steps on how to remove browser hijacker infections, adware and other malware with MalwareBytes.
Use KVRT to remove .Best ransomware virus from the machine
KVRT is a free portable program that scans your system for adware, potentially unwanted applications and ransomware viruss like .Best Ransomware and allows delete them easily. Moreover, it’ll also help you delete any harmful web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it to your Desktop.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button to detect .Best ransomware virus and other malicious software. This procedure may take quite a while, so please be patient. While the Kaspersky virus removal tool application is checking, you can see how many objects it has identified as threat.
When the scan get finished, you will be shown the list of all detected items on your PC like below.
Review the scan results and then press on Continue to begin a cleaning procedure.
How to decrypt .best files
The ransom note offers victim to contact the .Best Ransomware’s developers via bestdecoding@cock.li or best@decoding.biz emails in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the makers of the .Best ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. Especially since you have a chance to recover your documents, photos and music for free using free tools like ShadowExplorer and PhotoRec.
How to restore .best files
In some cases, you can recover files encrypted by .Best ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Use shadow copies to recover .best files
An alternative is to recover .best photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing personal files that were locked by .Best Ransomware virus. The steps below will give you all the details.
Visit the following page to download ShadowExplorer. Save it on your MS Windows desktop or in any other place.
438828 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Start the ShadowExplorer utility and then choose the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the .Best ransomware virus as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as shown in the figure below.
Recover .best files with PhotoRec
Before a file is encrypted, the .Best ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover programs like PhotoRec.
Download PhotoRec by clicking on the link below.
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as displayed in the figure below.
Select a drive to recover as displayed below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as shown on the image below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to select where recovered files should be written, then press Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where restored files are stored. You will see a contents as shown in the following example.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your system from .Best ransomware
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your system from .Best ransomware
Download CryptoPrevent by clicking on the following link. Save it to your Desktop.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is complete, you will be shown a window where you can choose a level of protection, as shown on the image below.
Now press the Apply button to activate the protection.
To sum up
Now your system should be clean of the .Best ransomware virus. Uninstall MalwareBytes Free and Kaspersky virus removal tool. We suggest that you keep Zemana (to periodically scan your system for new malware). Moreover, to prevent virus, please stay clear of unknown and third party applications, make sure that your antivirus program, turn on the option to stop or look for ransomware.
If you need more help with .Best ransomware related issues, go to here.