A new variant of ransomware virus has been discovered by cyber security researchers. It appends the .[ms_13@aol.com].ms13 file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malware or manually installing the ransomware. This post will provide you with all the things you need to know about ransomware virus, how to remove .Ms13 ransomware from your personal computer and how to recover (decrypt) encrypted personal files for free.
‘ms13 ransomware’ – ransom note
The .Ms13 ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows OS such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware virus uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key that will allow to decrypt encrypted personal files. The .Ms13 ransomware virus encrypts almost of files, including common as:
.rtf, .svg, .qic, .wbc, .pptm, .bar, .sis, .hplg, .ibank, .t12, .z3d, .wmv, .mpqge, .kdb, .itdb, .yml, wallet, .ysp, .sql, .p7c, .iwd, .wgz, .rar, .der, .mlx, .map, .bkf, .docx, .dxg, .ncf, .pptx, .zi, .xmind, .desc, .xlk, .srw, .m3u, .raf, .sr2, .sidn, .rgss3a, .tax, .wma, .pem, .ltx, .qdf, .rim, .xlsm, .dba, .odc, .rb, .wm, .xar, .webp, .xdl, .accdb, .mov, .ptx, .py, .pst, .odp, .wbmp, .epk, .wsh, .lrf, .itm, .rw2, .das, .wbd, .ppt, .x3f, .upk, .dazip, .jpeg, .wpb, .ods, .mdf, .js, .zw, .itl, .wp4, .0, .vtf, .wpt, .m2, .wp, .jpg, .xwp, .wp5, .wcf, .1, .wpa, .wdb, .cdr, .xbdoc, .xbplate, .3fr, .raw, .x3f, .wpw, .wbk, .xlsx, .txt, .hvpl, .kf, .xlsx, .dbf, .kdc, .2bp, .p12, .forge, .bc7, .wmo, .cr2, .wmv, .ff, .menu, .orf, .xlgc, .wbm, .wmf, .fpk, .apk, .snx, .nrw, .sie, .wp6, .hkdb, .crw, .mp4, .ai, .psk, .xx, .eps, .cas, .mdb, .r3d, .wpl, .wma, .7z, .xf, .vcf, .xyp, .doc, .rwl, .odb, .ws, .lvl, .asset, .zip, .sid, .wn, .zdc, .psd, .cer, .sb, .pak, .wpg, .mddata, .zdb, .xy3, .litemod, .xlsb, .pdf, .fos, .blob, .mdbackup, .wps, .sum, .fsh, .mcmeta, .vdf, .pkpass, .xdb, .wot, .bik, .wav, .wdp, .zabw, .zip, .dng, .wsc, .m4a, .hkx, .wpd, .3dm, .wbz, .wps, .rofl, .indd, .flv, .css, .vpp_pc, .jpe, .w3x, .mef, .iwi, .esm, .bkp, .avi, .bay, .dmp, .odm, .big, .mrwref, .tor, .xls, .xld, .srf, .wsd, .syncdb, .wmd, .crt, .xls, .dcr, .d3dbsp, .wp7, .wri, .pdd, .slm, .erf, .webdoc, .xlsm, .re4, .db0, .cfr, .wpd, .xyw, .xmmap, .wire, .icxs, .yal, .bsa, .3ds, .gdb, .pef, .csv, .dwg, .sav, .ybk, .vfs0, .x3d, .xxx, .t13, .ztmp, .layout, .vpk, .odt, .xpm, .p7b, .xll, .gho, .wb2, .png, .sidd, .x, .zif, .arch00, .wotreplay, .wpe, .docm, .lbf
Once a file is encrypted, its extension replaced to .ms13. Next, the ransomware drops a file named ‘FILES ENCRYPTED.txt’. This file contain a note on how to decrypt all encrypted files. You can see an one of the variants of the ransomnote below:
all your data has been locked us You want to return? write email ms_13@aol.com
Use the step-by-step guidance below to get rid of the ransomware itself and try to recover encrypted photos, documents and music for free.
Table of contents
- How to remove .Ms13 ransomware
- How to decrypt .ms13 files
- How to restore .ms13 files
- How to protect your PC from .Ms13 ransomware virus?
- To sum up
How to remove .Ms13 ransomware
There are not many good free anti malware applications with high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malicious software. We recommend to run several programs, not just one. These programs which listed below will allow you remove all components of the .Ms13 ransomware virus from your disk and Windows registry.
Remove .Ms13 ransomware virus with Zemana Anti-malware
We recommend you to use the Zemana Anti-malware that are completely clean your PC system of ransomware virus. Moreover, the utility will help you to delete trojans, malicious software, worms and adware that your PC may be infected too.
Now you can setup and use Zemana AntiMalware (ZAM) to delete .Ms13 ransomware from your browser by following the steps below:
Click the following link to download Zemana AntiMalware installation package called Zemana.AntiMalware.Setup on your system. Save it on your MS Windows desktop.
165044 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Start the setup file after it has been downloaded successfully and then follow the prompts to set up this tool on your system.
During install you can change some settings, but we advise you do not make any changes to default settings.
When installation is done, this malicious software removal utility will automatically run and update itself. You will see its main window as on the image below.
Now click the “Scan” button to locate .Ms13 ransomware related files, folders and registry keys. When a malware, adware or PUPs are detected, the number of the security threats will change accordingly.
Once the system scan is finished, Zemana AntiMalware (ZAM) will display a screen that contains a list of malicious software that has been detected. Next, you need to click “Next” button.
The Zemana will get rid of .Ms13 ransomware and other kinds of potential threats and add threats to the Quarantine. After that process is finished, you may be prompted to reboot your PC to make the change take effect.
Remove Ms13 ransomware with MalwareBytes AntiMalware (MBAM)
You can remove Ms13 ransomware automatically with a help of MalwareBytes. We suggest this free malware removal tool because it may easily delete ransomware, adware, malware and other unwanted apps with all their components such as files, folders and registry entries.
Installing the MalwareBytes AntiMalware (MBAM) is simple. First you will need to download MalwareBytes Anti Malware from the following link. Save it to your Desktop.
327273 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, run it and follow the prompts. Once installed, the MalwareBytes Free will try to update itself and when this process is finished, click the “Scan Now” button to start scanning your computer for the Ms13 ransomware virus and other security threats. This task may take some time, so please be patient. Next, you need to click “Quarantine Selected” button.
The MalwareBytes Anti Malware (MBAM) is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal tool, we recommend you to read and follow the steps or the video guide below.
Scan and clean your computer of ransomware with KVRT
KVRT is a free portable application that scans your computer for trojans, worms and ransomware viruses like the .Ms13 ransomware and allows get rid of them easily. Moreover, it will also allow you delete any malicious internet browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it to your Desktop so that you can access the file easily.
129295 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to scan for .Ms13 ransomware virus . This procedure may take quite a while, so please be patient. During the scan Kaspersky virus removal tool will search for threats present on your computer.
After KVRT has finished scanning, KVRT will create a list of undesired applications adware as on the image below.
Once you’ve selected what you wish to get rid of from your machine press on Continue to start a cleaning process.
How to decrypt .ms13 files
The .Ms13 ransomware encourages to make a payment in Bitcoins to get a key to decrypt personal files. Important to know, currently not possible to decrypt .ms13 files without the private key and decrypt program.
Should you pay the ransom? A majority of experienced security experts will reply immediately that you should never pay a ransom if affected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all personal files!
Currently there is no available solution to decrypt .ms13 files, but you have a chance to restore encrypted documents, photos and music for free.
How to restore .ms13 files
In some cases, you can recover files encrypted by .Ms13 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Recover .ms13 encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your MS Windows Desktop from the link below.
439670 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Start the ShadowExplorer utility and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the .Ms13 ransomware virus as displayed on the image below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as on the image below.
Run PhotoRec to restore .ms13 files
Before a file is encrypted, the .Ms13 ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore apps like PhotoRec.
Download PhotoRec from the link below.
Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as shown in the figure below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown on the screen below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, press Browse button to choose where recovered personal files should be written, then click Search.
Count of restored files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as shown below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .Ms13 ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC system from .Ms13 ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro Alert from the link below. Save it on your Desktop.
After the download is done, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the tool is launched, you will be displayed a window where you can select a level of protection, as on the image below.
Now press the Install button to activate the protection.
To sum up
After completing the few simple steps shown above, your system should be clean from .Ms13 ransomware virus and other malicious software. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if the steps does not help you, then you have caught a new ransomware virus, and then the best way – ask for help here.
