• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

MyAntiSpyware

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

ms_13@aol.com .Ms13 ransomware virus (Restore .ms13 files)

Myantispyware team April 4, 2019    

A new variant of ransomware virus has been discovered by cyber security researchers. It appends the .[ms_13@aol.com].ms13 file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malware or manually installing the ransomware. This post will provide you with all the things you need to know about ransomware virus, how to remove .Ms13 ransomware from your personal computer and how to recover (decrypt) encrypted personal files for free.

ms13 ransomware

‘ms13 ransomware’ – ransom note

The .Ms13 ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows OS such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware virus uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key that will allow to decrypt encrypted personal files. The .Ms13 ransomware virus encrypts almost of files, including common as:

.rtf, .svg, .qic, .wbc, .pptm, .bar, .sis, .hplg, .ibank, .t12, .z3d, .wmv, .mpqge, .kdb, .itdb, .yml, wallet, .ysp, .sql, .p7c, .iwd, .wgz, .rar, .der, .mlx, .map, .bkf, .docx, .dxg, .ncf, .pptx, .zi, .xmind, .desc, .xlk, .srw, .m3u, .raf, .sr2, .sidn, .rgss3a, .tax, .wma, .pem, .ltx, .qdf, .rim, .xlsm, .dba, .odc, .rb, .wm, .xar, .webp, .xdl, .accdb, .mov, .ptx, .py, .pst, .odp, .wbmp, .epk, .wsh, .lrf, .itm, .rw2, .das, .wbd, .ppt, .x3f, .upk, .dazip, .jpeg, .wpb, .ods, .mdf, .js, .zw, .itl, .wp4, .0, .vtf, .wpt, .m2, .wp, .jpg, .xwp, .wp5, .wcf, .1, .wpa, .wdb, .cdr, .xbdoc, .xbplate, .3fr, .raw, .x3f, .wpw, .wbk, .xlsx, .txt, .hvpl, .kf, .xlsx, .dbf, .kdc, .2bp, .p12, .forge, .bc7, .wmo, .cr2, .wmv, .ff, .menu, .orf, .xlgc, .wbm, .wmf, .fpk, .apk, .snx, .nrw, .sie, .wp6, .hkdb, .crw, .mp4, .ai, .psk, .xx, .eps, .cas, .mdb, .r3d, .wpl, .wma, .7z, .xf, .vcf, .xyp, .doc, .rwl, .odb, .ws, .lvl, .asset, .zip, .sid, .wn, .zdc, .psd, .cer, .sb, .pak, .wpg, .mddata, .zdb, .xy3, .litemod, .xlsb, .pdf, .fos, .blob, .mdbackup, .wps, .sum, .fsh, .mcmeta, .vdf, .pkpass, .xdb, .wot, .bik, .wav, .wdp, .zabw, .zip, .dng, .wsc, .m4a, .hkx, .wpd, .3dm, .wbz, .wps, .rofl, .indd, .flv, .css, .vpp_pc, .jpe, .w3x, .mef, .iwi, .esm, .bkp, .avi, .bay, .dmp, .odm, .big, .mrwref, .tor, .xls, .xld, .srf, .wsd, .syncdb, .wmd, .crt, .xls, .dcr, .d3dbsp, .wp7, .wri, .pdd, .slm, .erf, .webdoc, .xlsm, .re4, .db0, .cfr, .wpd, .xyw, .xmmap, .wire, .icxs, .yal, .bsa, .3ds, .gdb, .pef, .csv, .dwg, .sav, .ybk, .vfs0, .x3d, .xxx, .t13, .ztmp, .layout, .vpk, .odt, .xpm, .p7b, .xll, .gho, .wb2, .png, .sidd, .x, .zif, .arch00, .wotreplay, .wpe, .docm, .lbf

Once a file is encrypted, its extension replaced to .ms13. Next, the ransomware drops a file named ‘FILES ENCRYPTED.txt’. This file contain a note on how to decrypt all encrypted files. You can see an one of the variants of the ransomnote below:

all your data has been locked us
You want to return?
write email ms_13@aol.com

Use the step-by-step guidance below to get rid of the ransomware itself and try to recover encrypted photos, documents and music for free.

Table of contents

  1. How to remove .Ms13 ransomware
  2. How to decrypt .ms13 files
  3. How to restore .ms13 files
  4. How to protect your PC from .Ms13 ransomware virus?
  5. To sum up

How to remove .Ms13 ransomware

There are not many good free anti malware applications with high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malicious software. We recommend to run several programs, not just one. These programs which listed below will allow you remove all components of the .Ms13 ransomware virus from your disk and Windows registry.




Remove .Ms13 ransomware virus with Zemana Anti-malware

We recommend you to use the Zemana Anti-malware that are completely clean your PC system of ransomware virus. Moreover, the utility will help you to delete trojans, malicious software, worms and adware that your PC may be infected too.

Now you can setup and use Zemana AntiMalware (ZAM) to delete .Ms13 ransomware from your browser by following the steps below:

Click the following link to download Zemana AntiMalware installation package called Zemana.AntiMalware.Setup on your system. Save it on your MS Windows desktop.

Zemana AntiMalware
Zemana AntiMalware
165044 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Start the setup file after it has been downloaded successfully and then follow the prompts to set up this tool on your system.

Zemana Free SetupWizard

During install you can change some settings, but we advise you do not make any changes to default settings.

When installation is done, this malicious software removal utility will automatically run and update itself. You will see its main window as on the image below.

Now click the “Scan” button to locate .Ms13 ransomware related files, folders and registry keys. When a malware, adware or PUPs are detected, the number of the security threats will change accordingly.

Zemana Anti Malware (ZAM) scan for .Ms13 ransomware and other malware and PUPs

Once the system scan is finished, Zemana AntiMalware (ZAM) will display a screen that contains a list of malicious software that has been detected. Next, you need to click “Next” button.

Zemana Free scan is finished

The Zemana will get rid of .Ms13 ransomware and other kinds of potential threats and add threats to the Quarantine. After that process is finished, you may be prompted to reboot your PC to make the change take effect.

Remove Ms13 ransomware with MalwareBytes AntiMalware (MBAM)

You can remove Ms13 ransomware automatically with a help of MalwareBytes. We suggest this free malware removal tool because it may easily delete ransomware, adware, malware and other unwanted apps with all their components such as files, folders and registry entries.

MalwareBytes Anti-Malware (MBAM) for MS Windows, scan for ransomware is done

Installing the MalwareBytes AntiMalware (MBAM) is simple. First you will need to download MalwareBytes Anti Malware from the following link. Save it to your Desktop.

Malwarebytes Anti-malware
Malwarebytes Anti-malware
327273 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the downloading process is done, run it and follow the prompts. Once installed, the MalwareBytes Free will try to update itself and when this process is finished, click the “Scan Now” button to start scanning your computer for the Ms13 ransomware virus and other security threats. This task may take some time, so please be patient. Next, you need to click “Quarantine Selected” button.

The MalwareBytes Anti Malware (MBAM) is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal tool, we recommend you to read and follow the steps or the video guide below.

Scan and clean your computer of ransomware with KVRT

KVRT is a free portable application that scans your computer for trojans, worms and ransomware viruses like the .Ms13 ransomware and allows get rid of them easily. Moreover, it will also allow you delete any malicious internet browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) from the link below. Save it to your Desktop so that you can access the file easily.

Kaspersky virus removal tool
Kaspersky virus removal tool
129295 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once downloading is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as on the image below.

KVRT main window

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to scan for .Ms13 ransomware virus . This procedure may take quite a while, so please be patient. During the scan Kaspersky virus removal tool will search for threats present on your computer.

KVRT scanning

After KVRT has finished scanning, KVRT will create a list of undesired applications adware as on the image below.

KVRT scan report

Once you’ve selected what you wish to get rid of from your machine press on Continue to start a cleaning process.

How to decrypt .ms13 files

The .Ms13 ransomware encourages to make a payment in Bitcoins to get a key to decrypt personal files. Important to know, currently not possible to decrypt .ms13 files without the private key and decrypt program.

Should you pay the ransom

Should you pay the ransom? A majority of experienced security experts will reply immediately that you should never pay a ransom if affected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all personal files!

Files encrypted by ransomware

Currently there is no available solution to decrypt .ms13 files, but you have a chance to restore encrypted documents, photos and music for free.

How to restore .ms13 files

In some cases, you can recover files encrypted by .Ms13 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.




Recover .ms13 encrypted files using Shadow Explorer

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your MS Windows Desktop from the link below.

ShadowExplorer
ShadowExplorer
439670 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.

ShadowExplorer folder

Start the ShadowExplorer utility and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the .Ms13 ransomware virus as displayed on the image below.

ShadowExplorer restore files encrypted by the .Ms13 ransomware virus

Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as on the image below.

ShadowExplorer restore file

Run PhotoRec to restore .ms13 files

Before a file is encrypted, the .Ms13 ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore apps like PhotoRec.

Download PhotoRec from the link below.

PhotoRec
PhotoRec
221321 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as shown in the figure below.

PhotoRec for windows

Select a drive to recover as displayed in the figure below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted files as shown on the screen below.

photorec select partition

Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.

PhotoRec file formats

Next, press Browse button to choose where recovered personal files should be written, then click Search.

photorec

Count of restored files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.

When the restore is complete, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as shown below.

PhotoRec - result of recovery

All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.

How to protect your PC from .Ms13 ransomware virus?

Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.

Run HitmanPro.Alert to protect your PC system from .Ms13 ransomware

HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro Alert from the link below. Save it on your Desktop.

HitmanPro.Alert
HitmanPro.Alert
6879 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is done, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro.Alert desktop icon. When the tool is launched, you will be displayed a window where you can select a level of protection, as on the image below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

To sum up

After completing the few simple steps shown above, your system should be clean from .Ms13 ransomware virus and other malicious software. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if the steps does not help you, then you have caught a new ransomware virus, and then the best way – ask for help here.

 

Virus

 Previous Post

.Refols file extension ransomware virus (Restore, Decrypt .refols files)

Next Post 

How to remove Movie-river.com pop-up ads [Chrome, Firefox, IE, Edge]

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Leave a Reply Cancel reply

New Guides

Split Max AC Reviews, Scam or Legit, Uncovering the Truth!
Nusayin Cooling Ace Review: Scam or Legit? What You Need to Know
Imwing Cooling Ace Reviews, Scam or Legit, Uncovering the Truth!
How to remove Amencest.co.in pop-up ads
scam alert
Don’t Get Tricked by GEROLAX.com: The Bitcoin Promo Code Scam

Follow Us

Search

Useful Guides

This setting is enforced by your administrator (Removal guide)
How to reset Google Chrome settings to default
search.yahoo.com
Remove Search.yahoo.com Redirect Virus ✅ (Quick & Easy) in 2024
Malwarebytes won’t install, run or update – How to fix it
adwcleaner
AdwCleaner – Review, How to use, Comments

Recent Guides

Files encrypted by Refols ransomware
.Refols file extension ransomware virus (Restore, Decrypt .refols files)
Torshinnotsave.info
How to remove Torshinnotsave.info pop-ups [Chrome, Firefox, IE, Edge]
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT email scam
I steal you privacy email scam
I steal you privacy. EMAIL SCAM
Ugledrabronle.info
How to remove Ugledrabronle.info pop-ups [Chrome, Firefox, IE, Edge]

Myantispyware.com

Myantispyware has been a trusted source for computer security and technology advice since 2004. Our mission is to provide reliable tech guidance and expert, practical solutions to help you stay safe online and protect your digital life.

Social Links

Pages

About Us
Contact Us
Privacy Policy

Copyright © 2004 - 2024 MASW - Myantispyware.com.