This week, security specialists has received reports of yet another ransomware named .Blower Ransomware. This ransomware spreads via spam emails and malware files and appends the .blower file extension to encrypted files.
The .Blower Ransomware is a malicious software which created in order to encrypt photos, documents and music. It hijack a whole computer or its data and demand a ransom in order to unlock (decrypt) it. The developers of the .Blower Ransomware virus have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:
.wbk, .wsd, .pkpass, .wpb, .js, .t12, .slm, .wire, .p7b, .ztmp, .wb2, .nrw, .zip, .rar, .cfr, .litemod, .wsh, .ff, .epk, .ppt, .x3d, .xmmap, .zw, .wpw, .jpg, .vfs0, .wmo, .mpqge, .psk, .mcmeta, .sidn, .mlx, .rw2, .xyw, .srw, .wbc, .gho, .vdf, .pem, .x3f, .rofl, .xbplate, .vtf, .3fr, .bkf, .svg, .indd, .vcf, .wdp, .wmv, .lbf, .dba, .ncf, .m4a, .pfx, .png, .xdl, .qic, .raw, .sav, .mdbackup, .crw, .wav, .bik, .hvpl, .fpk, .y, .pef, .kf, .sis, .xls, .t13, .xlgc, .ods, .menu, .sid, .dcr, .iwd, .ntl, .css, .odb, .wpe, .wp6, .mef, .zif, .docm, .wri, .xyp, .wmv, .layout, .der, .xxx, .xwp, .pst, .webdoc, .txt, .z, .bar, .map, .wgz, .wp4, .pdd, .fos, .wmd, .orf, .ai, .wpd, .bsa, .hkdb, .0, .dwg, .flv, .wbm, .ltx, .d3dbsp, .wdb, .wn, .lrf, .arch00, .odc, .3dm, .mddata, .rgss3a, .pdf, .eps, .xlk, .webp, .itl, .wcf, .7z, .odm, .tax, .wpd, .erf, .xbdoc, .xlsm, .mdb, .1, .pak, .qdf, .sb, .dng, .desc, .wot, .xmind, .pptx, .wotreplay, .wm, .ibank, .cer, .dxg, .bc7, .ysp, .wps, .1st, .hplg, .srf, .rwl, .wpt, .rim, .itdb, .big, .pptm, .xml, .p12, .zip, .wp5, .mdf, .re4, .py, .wp, .dmp, .xld, .wbmp, .wma, .xdb, .zi, .sie, .jpe, .zdb, .bkp, .esm, .wma, .vpk, .sr2, .xlsm, .xx, .yal, .rtf, .wpa, .db0, .crt, .zdc, .wmf, .blob, .wpl, .wp7, .csv, .cr2, .wpg, .xls, .xar, .kdb, .xy3, .r3d, .doc, .cas, .icxs, .zabw, .mov, .xll, .yml, .psd, .xlsx, .m3u, .xf, .kdc, .ybk, .jpeg, .wsc, .avi, .fsh, .tor, .raf, .syncdb, .iwi, .mp4, .upk
Once the encryption procedure is finished, it will drop a ransomnote called “_readme.txt” offering decrypt all users documents, photos and music if a payment is made. You can see an one of the variants of the ransom demanding message below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1aaC7nueV9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: email@example.com Reserve e-mail address to contact us: firstname.lastname@example.org Your personal ID:
It is very important to follow the guide below immediately. The few simple steps will allow you to remove .Blower ransomware. What is more, the step-by-step guidance below will help you recover (decrypt) encrypted files for free.
Table of contents
- How to remove .Blower Ransomware virus
- How to decrypt .blower files
- Use STOPDecrypter to decrypt .blower files
- How to restore .blower files
- How to protect your computer from .Blower Ransomware?
How to remove .Blower Ransomware virus
Manual removal does not always help to completely delete the .Blower Ransomware virus, as it is not easy to identify and get rid of components of ransomware and all malicious files from hard disk. Therefore, it’s recommended that you run malicious software removal tool to completely delete .Blower Ransomware virus off your computer. Several free malware removal tools are currently available that can be used against the ransomware. The optimum solution would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
How to automatically remove .Blower Ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can search for security threats such the .Blower Ransomware virus that most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any .Blower Ransomware removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
Now you can set up and run Zemana Anti-Malware (ZAM) to remove .Blower ransomware from your computer by following the steps below:
Visit the page linked below to download Zemana Free setup file named Zemana.AntiMalware.Setup on your system. Save it on your Windows desktop or in any other place.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Launch the setup file after it has been downloaded successfully and then follow the prompts to setup this tool on your computer.
During installation you can change some settings, but we advise you don’t make any changes to default settings.
When installation is finished, this malware removal tool will automatically start and update itself. You will see its main window as displayed on the screen below.
Now click the “Scan” button for scanning your machine for the .Blower ransomware virus and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC. While the Zemana Anti-Malware (ZAM) tool is checking, you can see number of objects it has identified as being infected by malicious software.
When finished, the results are displayed in the scan report. Review the report and then press “Next” button.
The Zemana AntiMalware will delete .Blower ransomware and other malicious software. Once the cleaning procedure is finished, you can be prompted to restart your machine to make the change take effect.
How to automatically remove .Blower Ransomware with MalwareBytes
Remove .Blower ransomware manually is difficult and often the virus is not fully removed. Therefore, we recommend you to run the MalwareBytes Anti Malware that are fully clean your computer. Moreover, this free program will allow you to remove other malicious software that your machine can be infected too.
Visit the following page to download the latest version of MalwareBytes Free for Microsoft Windows. Save it on your MS Windows desktop.
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, run it and follow the prompts. Once installed, the MalwareBytes Anti-Malware (MBAM) will try to update itself and when this process is complete, press the “Scan Now” button to begin scanning your computer for the .Blower ransomware virus and other security threats. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the MalwareBytes utility is scanning, you can see number of objects it has identified as being infected by malicious software. In order to remove all items, simply click “Quarantine Selected” button.
The MalwareBytes is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we recommend you to read and follow the steps or the video guide below.
Use KVRT to get rid of .Blower Ransomware virus from the machine
KVRT is a free portable application that scans your computer for malware and ransomwares such as the .Blower Ransomware and helps remove them easily. Moreover, it will also help you get rid of other harmful software.
Download Kaspersky virus removal tool (KVRT) on your machine by clicking on the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is finished, double-click on the KVRT icon. Once initialization process is done, you will see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT utility will start scanning the whole PC to detect the .Blower ransomware and other harmful software. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. During the scan Kaspersky virus removal tool will look for threats present on your PC.
When that process is complete, KVRT will display a list of all threats detected by the scan as shown on the screen below.
When you’re ready, click on Continue to begin a cleaning procedure.
How to decrypt .blower files
The ransom demanding message encourages victim to contact the .Blower Ransomware’s developers via the email@example.com or firstname.lastname@example.org emails in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $980 in Bitcoins).
There is absolutely no guarantee that after pay the ransom to the creators of the .Blower Ransomware, they will provide the necessary software to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
Use STOPDecrypter to decrypt .blower files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower).
Please check the twitter post for more info.
How to restore .blower files
In some cases, you can recover files encrypted by .Blower ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Run ShadowExplorer to recover .blower files
The Microsoft Windows has a feature named ‘Shadow Volume Copies’ that can allow you to recover .blower files encrypted by the .Blower ransomware virus. The way described below is only to recover encrypted documents, photos and music to previous versions from the Shadow Volume Copies using a free tool named the ShadowExplorer.
Click the link below to download ShadowExplorer. Save it directly to your Microsoft Windows Desktop.
Category: Security tools
Update: September 15, 2019
Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as displayed in the following example.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export like below.
Recover .blower files with PhotoRec
Before a file is encrypted, the .Blower ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec on your computer by clicking on the following link.
Category: Security tools
Update: March 1, 2018
When the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll display a screen as displayed in the figure below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as displayed below.
Click File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where restored files are stored. You will see a contents as shown below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Blower Ransomware
Most antivirus programs already have built-in protection system against the virus. Therefore, if your machine does not have an antivirus application, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your computer from .Blower Ransomware virus
Download CryptoPrevent on your computer from the link below.
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection, as shown in the following example.
Now press the Apply button to activate the protection.
Now your computer should be clean of the .Blower Ransomware virus. Delete KVRT and MalwareBytes. We recommend that you keep Zemana Free (to periodically scan your personal computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete .Blower ransomware from your system, then ask for help here.