This week, IT security researchers has received reports of yet another ransomware named ‘.Guvara ransomware‘. This ransomware virus spreads via spam emails and malware files and appends the .guvara file extension to encrypted files. Read below a brief summary of information related to this ransomware and how to restore or decrypt .guvara files for free.
Files encrypted by ‘.guvara ransomware’
The .Guvara ransomware is a variant of Vengisto@india.com ransomware. It affects all current versions of MS Windows OS such as the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware virus uses a strong encryption algorithm with long key to eliminate the possibility of brute force a key that will allow to decrypt encrypted personal files. The .Guvara ransomware ransomware encrypts almost of files, including common as:
.zip, .p12, .xdb, .qic, .srw, .sidn, .sb, .lbf, .srf, .bc6, .docm, .wpw, .wbmp, .cdr, .mdbackup, .sum, .icxs, .vpp_pc, .lvl, .dwg, .epk, .zabw, .pdf, .wpg, .dmp, .xy3, .3ds, .vtf, .wpe, .dbf, .yal, .sie, .x3f, .xyw, .xlsx, .wot, .t13, .hvpl, .flv, .xml, .zif, .tax, .jpeg, .mp4, .der, .litemod, .p7c, .wsh, .dba, .mlx, .m2, .xx, .snx, .wma, .desc, .upk, .xbdoc, .xlsb, .xls, .zw, .xpm, .dazip, .pak, .pem, .xlsm, .wgz, .xbplate, .xdl, .xls, .xlk, .wire, .ntl, .gho, .hkx, .forge, .crw, .layout, .0, .wotreplay, .itm, .lrf, .zi, .raf, .odm, .xmmap, .1st, .hkdb, .xlgc, .bsa, .wri, .vpk, .bar, .kf, .py, .rwl, .3dm, .js, .pkpass, .webdoc, .crt, .xf, .wmf, .ncf, .mdb, .pst, .qdf, .wp6, .rim, .yml, .xlsx, .esm, .zdb, .doc, .xll, .dcr, .sav, .wps, .ff, .wsc, .sidd, .sr2, .fpk, .d3dbsp, .wav, .pptx, .wbk, .xar, .1, .css, .sid, .mpqge, .m4a, .sql, .menu, .zdc, .r3d, .rtf, .docx, .apk, .avi, .wb2, .xwp, .mrwref, .p7b, .cer, .cas, .eps, .map, .wbm, .wpd, wallet, .wbc, .csv, .nrw, .wpb, .wpd, .wps, .ztmp, .png, .xxx, .itdb, .rb, .wp, .wpl, .xmind, .big, .pef, .syncdb, .asset, .odt, .tor, .pdd, .arch00, .wmv, .t12, .xld, .db0, .m3u, .mef, .vcf, .wma, .ws, .vfs0, .7z, .odp, .y, .webp, .wp7, .ptx, .ods, .accdb, .orf
When encrypting a file it will add the .guvara extension to each encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.guvara.
When the encryption procedure is complete, the malware leaves a ransomnote named ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all files. An example of the ransomnote is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuSAEnnA8P Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: vengisto@india.com Reserve e-mail address to contact us: vengisto@firemail.cc Your personal ID:
Use the step-by-step steps below to remove .Guvara ransomware and as well as restore (decrypt) encrypted documents, photos and music for free.
Table of contents
- How to remove .Guvara ransomware
- How to decrypt .guvara files
- Use STOPDecrypter to decrypt .guvara files
- How to restore .guvara files
- How to protect your computer from .Guvara ransomware?
- To sum up
How to remove .Guvara ransomware
Even if you have the up-to-date classic antivirus installed, and you have checked your personal computer for viruses and removed anything found, you need to do the instructions below. The .Guvara ransomware virus removal is not simple as installing another antivirus. Classic antivirus applications are not developed to run together and will conflict with each other, or possibly crash Microsoft Windows. Instead we recommend complete the steps below an use Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free software dedicated to search for and remove malicious software such as .Guvara ransomware. Use these utilities to ensure the ransomware virus is removed.
How to remove .Guvara ransomware with Zemana Anti-malware
Zemana AntiMalware (ZAM) can scan for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Guvara ransomware, you can easily and quickly remove it.
Zemana can be downloaded from the following link. Save it on your Microsoft Windows desktop or in any other place.
165026 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is finished, close all windows on your PC system. Further, run the set up file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana on the computer. Follow the prompts and do not make any changes to default settings.
Once setup is finished successfully, Zemana Anti-Malware will automatically start and you can see its main window as shown on the screen below.
Next, click the “Scan” button . Zemana Anti Malware (ZAM) tool will begin scanning the whole PC system to find out .Guvara ransomware related files, folders and registry keys. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see how many objects and files has already scanned.
After the scan is done, Zemana will display you the results. Next, you need to press “Next” button.
The Zemana Anti-Malware will begin to remove .Guvara ransomware virus and other malicious software and trojans. After the procedure is finished, you can be prompted to reboot your PC system.
How to remove Guvara ransomware with MalwareBytes Anti Malware (MBAM)
You can remove Guvara ransomware virus automatically through the use of MalwareBytes AntiMalware (MBAM). We suggest this free malware removal utility because it may easily get rid of ransomware virus, trojans, malicious software and other unwanted software with all their components such as files, folders and registry entries.
MalwareBytes Anti-Malware can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
327257 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the download is finished, close all windows on your computer. Further, open the file named mb3-setup. If the “User Account Control” dialog box pops up as displayed below, press the “Yes” button.
It will open the “Setup wizard” that will allow you install MalwareBytes on the machine. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, click Finish button. Then MalwareBytes Anti Malware (MBAM) will automatically launch and you may see its main window like below.
Next, press the “Scan Now” button to locate Guvara ransomware and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While the MalwareBytes Anti-Malware (MBAM) application is checking, you can see number of objects it has identified as threat.
Once the scan is complete, MalwareBytes Anti-Malware will open a list of found items. In order to delete all threats, simply click “Quarantine Selected” button.
The MalwareBytes Anti Malware (MBAM) will remove Guvara ransomware virus and other kinds of potential threats and move threats to the program’s quarantine. When the clean-up is done, you may be prompted to restart your machine. We recommend you look at the following video, which completely explains the process of using the MalwareBytes Anti Malware (MBAM) to remove hijackers, adware software and other malicious software.
Run KVRT to delete .Guvara ransomware from the computer
If MalwareBytes anti-malware or Zemana anti-malware cannot delete this ransomware, then we suggests to run the KVRT. KVRT is a free removal utility for ransomware viruss, adware, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the link below.
129289 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the KVRT screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button . KVRT utility will start scanning the whole computer to find out .Guvara ransomware virus . A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. While the Kaspersky virus removal tool is checking, you can see how many objects it has identified either as being malicious software.
Once KVRT completes the scan, you can check all threats found on your computer like below.
Next, you need to press on Continue to begin a cleaning procedure.
How to decrypt .guvara files
The .Guvara ransomware virus offers victim to contact it’s authors in order to decrypt all files. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
Files encrypted by ‘.guvara ransomware’
With some variants of Guvara ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .guvara files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.guvara).
Please check the twitter post for more info.
How to restore .guvara files
In some cases, you can restore files encrypted by .Guvara ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Restore .guvara encrypted files using Shadow Explorer
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore .guvara personal files encrypted by the .Guvara ransomware virus from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer from the following link. Save it on your Windows desktop or in any other place.
439656 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Run the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the .Guvara ransomware as shown in the following example.
Now navigate to the file or folder that you wish to restore. When ready right-click on it and click ‘Export’ button as shown on the image below.
Run PhotoRec to restore .guvara files
Before a file is encrypted, the .Guvara ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recover software like PhotoRec.
Download PhotoRec by clicking on the link below.
Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed on the screen below.
Select a drive to recover like below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to choose where recovered files should be written, then click Search.
Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown in the following example.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from .Guvara ransomware?
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from .Guvara ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download the latest version of HitmanPro Alert for Windows. Save it directly to your MS Windows Desktop.
After the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as on the image below.
Now press the Install button to activate the protection.
To sum up
Now your computer should be clean of the .Guvara ransomware virus. Remove MalwareBytes Anti Malware (MBAM) and KVRT. We recommend that you keep Zemana Anti-Malware (to periodically scan your system for new malicious software). Moreover, to prevent ransomware, please stay clear of unknown and third party programs, make sure that your antivirus program, turn on the option to stop or search for ransomware.
If you need more help with .Guvara ransomware virus related issues, go to here.
