A new variant of ransomware virus has been discovered by computer security experts. It appends the .encryptedALL file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malicious software.
“.encryptedALL ransomware” – ransom note
The encryptedALL ransomware is a virus, which designed to encrypt the files found on infected personal computer using very strong hybrid encryption with a large key, appending the .encryptedALL extension to all encrypted files. It can encrypt almost types of files, including the following:
.srw, .icxs, .sql, .zi, .ods, .r3d, .vfs0, .wsh, .wbk, .ppt, .xwp, .slm, .3ds, .wotreplay, .jpeg, .upk, .xmind, .cas, wallet, .fsh, .pst, .mdb, .csv, .bc6, .mcmeta, .odm, .wp6, .apk, .2bp, .3fr, .zif, .wp7, .wpl, .xml, .sid, .dba, .wm, .xbdoc, .cr2, .wgz, .pkpass, .jpe, .sidd, .rb, .xxx, .bsa, .pak, .xlk, .dxg, .mpqge, .xf, .arch00, .blob, .esm, .ai, .tor, .wp, .xls, .sis, .wbm, .wmd, .raw, .lrf, .crt, .cer, .py, .ibank, .sidn, .lbf, .sie, .webdoc, .p7c, .raf, .hvpl, .mdbackup, .ysp, .d3dbsp, .das, .7z, .ntl, .rgss3a, .xlsx, .m2, .xlsx, .hkdb, .db0, .qic, .pdd, .arw, .js, .wpe, .wdb, .xyw, .itm, .t12, .wsc, .wmv, .svg, .mrwref, .sav, .hkx, .der, .cdr, .m3u, .xbplate, .wb2, .p12, .dng, .sum, .kdc, .eps, .xdl, .bik, .indd, .wp4, .wbmp, .mp4, .rim, .yal, .kdb, .xlsb, .t13, .map, .ztmp, .0, .vcf, .wps, .wmo, .iwi, .1st, .syncdb, .fpk, .mov, .forge, .wsd, .avi, .z3d, .re4, .pptm, .dmp, .zw, .ncf, .psd, .wn, .snx, .odp, .srf, .wav, .vtf, .wma, .rwl, .wbc, .xy3, .txt, .webp, .layout, .big, .p7b, .xmmap, .bc7, .sr2, .png, .x3f, .xx, .epk, .ptx, .wpg, .tax, .vpp_pc, .xdb, .hplg, .zdc, .css, .dwg, .sb, .vpk, .wp5, .lvl, .pdf, .pef, .wpa, .iwd, .wire, .z, .kf, .odc, .bay, .xar, .qdf, .wmf, .flv, .rar, .yml, .itdb, .xlgc, .w3x, .m4a, .ff, .wbz, .x3f, .gho, .mlx, .wbd, .rtf, .wpb, .wcf, .odb, .erf, .wri, .mdf, .jpg, .gdb, .dazip, .wpw, .ws, .bar, .wot, .wmv, .doc, .docx, .zdb, .asset, .nrw, .xld, .cfr, .odt, .x, .menu, .mddata, .1, .pfx, .orf, .accdb, .desc, .x3d, .docm, .xpm, .ybk, .wpd, .xll, .zip, .bkp, .xlsm, .dbf, .xls, .zabw, .wpt, .psk, .zip, .wdp, .rofl
When encrypting a file it will add the .encryptedALL extension to each encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to [id=A0014591]sample.doc.encryptedALL. Once the process is complete, it will create a file called ‘Read Me.txt’ with ransom note. It includes instructions on how to purchase a private key to decrypt all personal files. You can see an one of the variants of the ransom demanding message below:
- ALL YOUR FILES ARE ENCRYPTED - Your personal ID: Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file less than 1Mb for free. File must not contain valuable information Don't try to use third-party decrypt tools because it will destroy your files. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. To get this software you need write on our e-mail: RobSmithMba@protonmail.com Reserve e-mail address to contact us: support@robsmithmba.com
In the instructions below, I have outlined few methods that you can use to remove .encryptedALL ransomware from your PC system and restore .encryptedALL files from a shadow volume copies or using file recover software.
Quick links:
- How to remove .encryptedALL ransomware virus
- How to decrypt .encryptedALL files
- How to restore .encryptedALL files
- How to protect your PC system from .encryptedALL ransomware?
- To sum up
How to remove .encryptedALL ransomware virus
Most often it is not possible to delete the .encryptedALL ransomware virus manually. For that reason, our team designed several removal solutions which we have combined in a detailed instructions below. Therefore, if you have the encryptedALL ransomware on your personal computer and are currently trying to have it deleted then feel free to follow the step-by-step guide below in order to resolve your problem. Read this manual carefully, bookmark or print it, because you may need to shut down your web-browser or restart your personal computer.
How to remove .encryptedALL ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can find security threats such the .encryptedALL ransomware, trojans, worms and other malicious software which most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any .encryptedALL ransomware removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
Visit the page linked below to download the latest version of Zemana Free for Microsoft Windows. Save it directly to your Microsoft Windows Desktop.
164979 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is done, close all windows on your computer. Further, start the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will display the “Setup wizard” which will assist you install Zemana Free on the PC. Follow the prompts and do not make any changes to default settings.
Once install is done successfully, Zemana AntiMalware (ZAM) will automatically start and you can see its main window as displayed on the image below.
Next, press the “Scan” button . Zemana Anti-Malware program will scan through the whole computer for the .encryptedALL ransomware virus related files, folders and registry keys. This procedure can take quite a while, so please be patient. When a threat is detected, the number of the security threats will change accordingly.
When Zemana completes the scan, Zemana Anti-Malware (ZAM) will show a screen that contains a list of malware that has been found. Next, you need to click “Next” button.
The Zemana Free will delete .encryptedALL ransomware virus and other security threats and move items to the program’s quarantine. After the task is done, you can be prompted to reboot your computer.
How to automatically remove encryptedALL ransomware with MalwareBytes Anti Malware
Remove encryptedALL ransomware virus manually is difficult and often this virus is not fully removed. Therefore, we suggest you to run the MalwareBytes Free that are completely clean your PC. Moreover, this free application will help you to delete malicious software, potentially unwanted software, trojans, worms and adware that your PC can be infected too.
Visit the page linked below to download the latest version of MalwareBytes Free for MS Windows. Save it to your Desktop so that you can access the file easily.
327222 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, close all programs and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup like below.
When the installation starts, you’ll see the “Setup wizard” which will help you set up Malwarebytes on your PC system.
Once install is finished, you will see window as displayed in the figure below.
Now press the “Scan Now” button to perform a system scan for the encryptedALL ransomware related files, folders and registry keys. This process can take quite a while, so please be patient. While the MalwareBytes is checking, you can see how many objects it has identified either as being malware.
When MalwareBytes completes the scan, the results are displayed in the scan report. Review the scan results and then click “Quarantine Selected” button.
The Malwarebytes will now remove encryptedALL ransomware virus and other kinds of potential threats and add items to the Quarantine. Once that process is complete, you may be prompted to reboot your PC system.
The following video explains few simple steps on how to delete hijacker, adware software and other malicious software with MalwareBytes Anti Malware.
If the problem with .encryptedALL ransomware virus is still remained
KVRT is a free portable application that scans your personal computer for malware and ransomware such as the .encryptedALL virus and allows get rid of them easily. Moreover, it will also help you delete any trojans and worms.
Download Kaspersky virus removal tool (KVRT) on your personal computer from the link below.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is complete, double-click on the KVRT icon. Once initialization procedure is done, you will see the KVRT screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to perform a system scan with this tool for the .encryptedALL ransomware virus . A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your personal computer. During the scan KVRT will scan for threats present on your system.
When the system scan is finished, you may check all threats detected on your computer as on the image below.
Next, you need to press on Continue to start a cleaning procedure.
How to decrypt .encryptedALL files
The .encryptedALL ransomware virus offers victim to contact it’s authors via RobSmithMba@protonmail.com and support@robsmithmba.com emails in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .encryptedALL files quickly. There is no guarantee that the creators of .encryptedALL ransomware virus will live up to the word and give back your personal files.
Especially since you have a chance to recover your documents, photos and music for free using free utilities such as ShadowExplorer and PhotoRec.
How to restore .encryptedALL files
In some cases, you can recover files encrypted by .encryptedALL ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover .encryptedALL files with ShadowExplorer
A free utility called ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore documents, photos and music encrypted by the .encryptedALL ransomware virus from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your personal computer by clicking on the following link.
439621 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is complete, extract the downloaded file to a directory on your system. This will create the necessary files as displayed on the image below.
Start the ShadowExplorerPortable application. Now choose the date (2) that you want to recover from and the drive (1) you wish to restore files (folders) from like below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and press the Export button like below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Use PhotoRec to recover .encryptedALL files
Before a file is encrypted, the .encryptedALL ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover apps like PhotoRec.
Download PhotoRec on your MS Windows Desktop from the link below.
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen like below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown in the figure below.
Click File Formats button and choose file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, press Browse button to select where recovered documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC system from .encryptedALL ransomware?
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC system from .encryptedALL ransomware virus
All-in-all, HitmanPro.Alert is a fantastic utility to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from MS Windows XP to Windows 10.
Visit the page linked below to download the latest version of HitmanPro.Alert for Microsoft Windows. Save it on your Windows desktop or in any other place.
After the download is finished, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you’ll be displayed a window where you can choose a level of protection, as on the image below.
Now click the Install button to activate the protection.
To sum up
Once you have done the steps outlined above, your computer should be clean from .encryptedALL ransomware virus and other malicious software. Your computer will no longer encrypt your personal files. Unfortunately, if the step-by-step guidance does not help you, then you have caught a new variant of ransomware virus, and then the best way – ask for help here.
