Cyber security researchers discovered a new variant of the ‘merosa@india.com ransomware‘, which named ‘Etols ransomware‘. It appends the .etols file extension to encrypted file names. Here’s everything you need to know about this ransomware, how to remove ‘.Etols ransomware’ and how to restore (decrypt) encrypted files for free.
The .Etols ransomware is a malicious software, that designed to encrypt the documents, photos and music found on infected personal computer using a hybrid encryption mode, adding the .etols extension to all encrypted files. It can encrypt almost types of files, including the following:
.dmp, .wps, .x, .wn, .flv, .rgss3a, .svg, .sr2, .srw, .lvl, .1, .wpl, .rwl, .wsc, .3dm, .syncdb, .sidd, .1st, .wcf, .dbf, .3ds, .psk, .raw, .rofl, .apk, .wbk, .css, .dwg, .yal, .wb2, .pem, .vpp_pc, .snx, .epk, .xml, .odm, .zi, .wbd, .rtf, .y, .0, .xlsm, .mp4, .3fr, .mpqge, .wma, .x3d, .csv, .mdf, .cdr, .bar, .wpe, .xlsx, .jpe, .vdf, .ysp, .wmd, .ybk, .r3d, .sql, .wp, .wdb, .pdd, .srf, .arch00, .p7b, .icxs, .txt, .psd, .2bp, .xdb, .xy3, .wbmp, .re4, .lrf, .bsa, .xx, .dba, .iwd, .png, wallet, .z3d, .hplg, .wp5, .yml, .pdf, .ods, .bc6, .kf, .wp4, .wsh, .das, .wpg, .xdl, .nrw, .zdb, .wpw, .wpd, .itm, .m2, .ws, .webdoc, .der, .xf, .layout, .vtf, .t13, .wm, .sie, .wp6, .erf, .ztmp, .bay, .big, .cer, .xyp, .esm, .litemod, .cr2, .xlgc, .xbdoc, .qic, .wmv, .ncf, .sav, .wdp, .jpeg, .dcr, .gdb, .doc, .mlx, .wmo, .xxx, .bc7, .wpa, .xlsx, .pptm, .desc, .xll, .d3dbsp, .xyw, .cas, .mddata, .fpk, .odb, .mef, .xar, .py, .wps, .wbm, .rw2, .p12, .vpk, .crw, .crt, .xlk, .rar, .bik, .wbc, .wot, .mrwref, .docm, .dazip, .zif, .kdc, .wpb, .tor, .slm, .wma, .x3f, .hvpl, .ibank, .wsd, .dng, .hkdb, .forge, .xpm, .mdbackup, .sum, .bkp, .pef, .wri, .qdf, .ff, .gho, .ai, .iwi, .webp, .m4a, .pfx, .ltx, .avi, .wpt, .fos, .sid, .lbf, .itdb, .wgz, .vcf, .odp, .kdb, .zdc
Once the encryption process is finished, it will drop a ransom instructions named “_readme.txt” offering decrypt all users documents, photos and music if a payment is made. An example of the ransomnote is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuSAEnnA8P Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: merosa@india.com Reserve e-mail address to contact us: merosa@firemail.cc Your personal ID:
Instructions which is shown below, will allow you to remove .Etols ransomware as well as recover (decrypt) encrypted files stored on your PC system drives.
Table of contents
- How to remove .Etols ransomware virus
- How to decrypt .etols files
- Use STOPDecrypter to decrypt .etols files
- How to restore .etols files
- How to protect your PC from .Etols ransomware?
- Finish words
How to remove .Etols ransomware virus
Even if you have the up-to-date classic antivirus installed, and you have checked your machine for ransomware and removed anything found, you need to do the guidance below. The .Etols ransomware virus removal is not simple as installing another antivirus. Classic antivirus applications are not created to run together and will conflict with each other, or possibly crash Microsoft Windows. Instead we suggest complete the steps below an run Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free applications dedicated to find and get rid of malware like .Etols ransomware. Use these tools to ensure the ransomware is removed.
Remove .Etols ransomware virus with Zemana Anti-malware
We advise you to use the Zemana Anti-malware which are completely clean your PC system of this ransomware. Moreover, the utility will allow you to get rid of trojans, malicious software, worms and adware software that your system can be infected too.
Visit the page linked below to download Zemana Anti-Malware. Save it on your MS Windows desktop or in any other place.
164112 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is finished, close all windows on your PC. Further, start the install file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed on the screen below, press the “Yes” button.
It will show the “Setup wizard” which will assist you install Zemana Anti-Malware (ZAM) on the computer. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Anti-Malware will automatically start and you can see its main window like below.
Next, press the “Scan” button to begin checking your personal computer for the .Etols ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your computer. When malicious software is detected, the count of the security threats will change accordingly. Wait until the the scanning is done.
After the scan get finished, a list of all items detected is created. In order to remove all threats, simply click “Next” button.
The Zemana AntiMalware will remove .Etols ransomware virus and other security threats. When the clean-up is complete, you can be prompted to restart your computer.
Remove Etols ransomware with MalwareBytes Free
You can remove Etols ransomware automatically through the use of MalwareBytes Anti Malware. We recommend this free malware removal tool because it can easily get rid of ransomware, adware, malware and other undesired apps with all their components such as files, folders and registry entries.
Visit the page linked below to download MalwareBytes Anti Malware (MBAM). Save it directly to your MS Windows Desktop.
326462 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When downloading is done, close all windows on your PC. Further, run the file named mb3-setup. If the “User Account Control” prompt pops up as displayed below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes Free on the PC system. Follow the prompts and don’t make any changes to default settings.
Once installation is done successfully, click Finish button. Then MalwareBytes Anti-Malware (MBAM) will automatically launch and you may see its main window as on the image below.
Next, click the “Scan Now” button . MalwareBytes AntiMalware utility will begin scanning the whole system to find out Etols ransomware and other malware. This task can take quite a while, so please be patient. While the utility is scanning, you can see count of objects and files has already scanned.
Once that process is finished, MalwareBytes AntiMalware (MBAM) will create a list of malware. You may delete threats (move to Quarantine) by simply click “Quarantine Selected” button.
The MalwareBytes Free will remove Etols ransomware related files, folders and registry keys. Once finished, you can be prompted to reboot your computer. We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Free to remove hijackers, adware software and other malware.
Use KVRT to remove .Etols ransomware virus
The KVRT tool is free and easy to use. It may scan and remove ransomware such as .Etols ransomware, malware, trojans and worms in Windows OS. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your PC from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is complete, double-click on the KVRT icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as shown on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button . Kaspersky virus removal tool utility will start scanning the whole computer to find out .Etols ransomware and other malware. This process can take some time, so please be patient. While the KVRT is scanning, you may see how many objects it has identified either as being malicious software.
As the scanning ends, KVRT will display a list of found threats like below.
Once you have selected what you wish to delete from your computer click on Continue to start a cleaning process.
How to decrypt .etols files
The .Etols ransomware virus encourages to make a payment in Bitcoins to get a key to decrypt files. Important to know, currently not possible to decrypt .etols files without the private key and decrypt program.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .etols photos, documents and music quickly. There is no guarantee that the authors of .Etols ransomware will live up to the word and give back your documents, photos and music.
With some variants of Etols ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .etols files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.etols).
Please check the twitter post for more info.
How to restore .etols files
In some cases, you can recover files encrypted by .Etols ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use shadow copies to recover .etols files
In some cases, you have a chance to restore your photos, documents and music which were encrypted by the .Etols ransomware virus. This is possible due to the use of the utility named ShadowExplorer. It is a free program that created to obtain ‘shadow copies’ of files.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your MS Windows Desktop from the link below.
438820 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Run the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the .Etols ransomware as shown below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as displayed in the figure below.
Use PhotoRec to restore .etols files
Before a file is encrypted, the .Etols ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore applications such as PhotoRec.
Download PhotoRec on your personal computer from the link below.
When the downloading process is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll display a screen as displayed on the screen below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to select where restored files should be written, then press Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as displayed in the figure below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .Etols ransomware?
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Etols ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from MS Windows XP to Windows 10.
Installing the HitmanPro Alert is simple. First you will need to download HitmanPro Alert on your machine by clicking on the link below.
After the downloading process is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is started, you’ll be shown a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
Now your personal computer should be free of the .Etols ransomware. Delete MalwareBytes Free and KVRT. We recommend that you keep Zemana (to periodically scan your PC for new malware). Moreover, to prevent ransomware virus, please stay clear of unknown and third party programs, make sure that your antivirus application, turn on the option to block or search for ransomware.
If you need more help with .Etols ransomware virus related issues, go to here.