A new variant of Vengisto@firemail.cc ransomware has been discovered by cyber security professionals. It appends the .berost file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malicious software or manually installing the ransomware. Read below a brief summary of information related to this ransomware and how to restore or decrypt .berost files for free.
Files encrypted by .berost ransomware
What is ‘Berost ransomware’? It is a malicious software that encrypts documents, photos and music until a ransom is paid to the cyber criminal. Once installed, the Berost ransomware virus will scan the computer for certain file types and encrypt them. It will encrypt almost of files, including:
.raw, .xyw, .dxg, .crt, .srw, .sav, .qic, .vfs0, .rtf, .sidn, .crw, .y, .webdoc, .re4, .sr2, .vcf, .raf, .jpe, .wpg, .css, .svg, .wp5, .xwp, .apk, .vdf, .zabw, .0, .bik, .wdp, .zif, .ptx, .7z, .mef, .wp4, .mdf, .dba, .eps, .wp7, .snx, .mdb, .mlx, .forge, .dcr, .pef, .m2, .wbk, .wri, .pptm, .bkp, .wbm, .docx, .orf, .w3x, .m4a, .pst, .xlsb, .xf, .xlk, .pak, .ztmp, .avi, .bar, .xld, .cdr, .bc7, .xls, .wpt, .psd, .wbmp, .vpk, .kdc, .sidd, .d3dbsp, .wpa, .lbf, .tor, .wmf, .odb, .asset, wallet, .mrwref, .erf, .wmd, .accdb, .3ds, .srf, .kdb, .ibank, .wsc, .zdc, .doc, .zdb, .r3d, .wpd, .mcmeta, .dbf, .wp6, .wma, .xlsm, .ppt, .esm, .wire, .bc6, .ysp, .wbc, .sb, .xy3, .x3f, .xdl, .xlgc, .xx, .wav, .js, .mpqge, .iwi, .sid, .rwl, .xyp, .wot, .sql, .wpl, .rar, .menu, .wsh, .ws, .dmp, .rgss3a, .tax, .webp, .iwd, .x3f, .yml, .xlsx, .big, .t13, .itl, .fos, .z, .mov, .ltx, .wcf, .xdb, .wps, .png, .psk, .wmv, .syncdb, .xar, .map, .wpb, .zi, .txt, .pem, .flv, .nrw, .dwg, .rb, .mp4, .pkpass, .vtf, .cfr, .litemod, .itdb, .db0, .p7c, .wpw, .odm, .wotreplay, .lrf, .x, .wdb, .bay, .wm, .bsa, .py, .xmind, .zip, .p7b, .xll, .fpk, .odc, .das, .wn, .epk, .kf, .m3u, .x3d, .rw2, .rim, .rofl, .qdf, .odt, .ncf, .pfx, .zip, .sum, .wbd, .hkx, .der, .desc, .xls
When the ransomware encrypts a file, it will add the .berost extension to each encrypted file. This means that a document file named ‘example.doc‘, when encrypted, becomes ‘example.doc.berost‘.
Once the ransomware finished enciphering of all personal files, it will drop a file called “_readme.txt” with ransomnote on how to decrypt all files. You can see an one of the variants of the ransom instructions below:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2jkyb95pOj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: vengisto@firemail.cc Reserve e-mail address to contact us: gorentos@bitmessage.ch Our Telegram account: @datarestore Your personal ID:
Threat Summary
| Name | .Berost ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .berost |
| Ransom note | _readme.txt |
| Contact | vengisto@firemail.cc, gorentos@bitmessage.ch, @datarestore (Telegram) |
| Ransom amount | $490, $980 in Bitcoins |
| Symptoms |
|
| Removal | To remove .Berost ransomware use the removal guide |
| Decryption | To decrypt .Berost ransomware use the steps |
Therefore it is very important to follow the guidance below without a wait. The few simple steps will allow you to remove .Berost ransomware virus. What is more, the step-by-step instructions below will help you restore (decrypt) encrypted personal files for free.
Quick links
- How to remove .Berost ransomware
- How to decrypt .berost files
- Use STOPDecrypter to decrypt .berost files
- How to restore .berost files
- How to protect your personal computer from .Berost ransomware virus?
- Finish words
How to remove .Berost ransomware
Manual removal does not always help to completely remove the .Berost ransomware virus, as it is not easy to identify and remove components of ransomware and all malicious files from hard disk. Therefore, it’s recommended that you use malware removal tool to completely delete .Berost ransomware virus off your computer. Several free malicious software removal tools are currently available that can be used against the ransomware. The optimum solution would be to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
How to remove .Berost ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool which can get rid of ransomware viruses, adware, trojans, worms and other malware from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of PC system resources.
Installing the Zemana Free is simple. First you’ll need to download Zemana Anti Malware on your Microsoft Windows Desktop from the following link.
164987 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is finished, close all windows on your computer. Further, open the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the screen below, click the “Yes” button.
It will show the “Setup wizard” which will help you install Zemana Free on the computer. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, Zemana AntiMalware (ZAM) will automatically launch and you may see its main window like below.
Next, click the “Scan” button to perform a system scan for the .Berost ransomware and other security threats. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. When a malicious software, adware software or potentially unwanted applications are found, the number of the security threats will change accordingly.
After the scan get finished, you will be displayed the list of all detected items on your PC system. In order to remove all threats, simply click “Next” button.
The Zemana will remove .Berost ransomware virus and other security threats and move threats to the program’s quarantine. When the task is finished, you may be prompted to restart your PC system.
How to remove Berost ransomware with MalwareBytes Free
Remove Berost ransomware virus manually is difficult and often the ransomware virus is not completely removed. Therefore, we suggest you to use the MalwareBytes Free that are fully clean your system. Moreover, this free program will allow you to remove malicious software, PUPs, toolbars and adware that your PC can be infected too.
MalwareBytes Anti Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.
327226 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is finished, close all programs and windows on your computer. Double-click the install file named mb3-setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes Free on your computer. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, press Finish button. MalwareBytes Anti Malware (MBAM) will automatically start and you can see its main screen like below.
Now click the “Scan Now” button to perform a system scan for the Berost ransomware and other security threats. A system scan may take anywhere from 5 to 30 minutes, depending on your computer. While the MalwareBytes Free program is scanning, you can see count of objects it has identified as threat.
After the scanning is finished, MalwareBytes will create a list of malware. Review the scan results and then press “Quarantine Selected” button. The MalwareBytes Free will delete Berost ransomware virus and other security threats and add threats to the Quarantine. After that process is finished, you may be prompted to reboot the system.
We advise you look at the following video, which completely explains the process of using the MalwareBytes Free to remove adware, browser hijacker and other malware.
Run KVRT to delete .Berost ransomware
KVRT is a free removal tool that can scan your computer for a wide range of security threats such as the .Berost ransomware virus, adware, trojans as well as other malware. It will perform a deep scan of your computer including hard drives and MS Windows registry. When a malware is detected, it will allow you to remove all found threats from your PC by a simple click.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Desktop.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you’ll see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Berost ransomware and other known infections. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. While the KVRT is checking, you can see number of objects it has identified either as being malware.
Once the checking is complete, Kaspersky virus removal tool will produce a list of unwanted programs adware as shown on the image below.
Once you have selected what you want to remove from your computer press on Continue to start a cleaning process.
How to decrypt .berost files
The .Berost ransomware virus encourages to make a payment in Bitcoins to get a key to decrypt documents, photos and music.
Should you pay the ransom? A majority of cyber threat analysts will reply immediately that you should never pay a ransom if infected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all photos, documents and music!
Files encrypted by .berost ransomware
With some variants of Berost ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .berost files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.berost).
Please check the twitter post for more info.
How to restore .berost files
In some cases, you can recover files encrypted by .Berost ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover .berost encrypted files using Shadow Explorer
An alternative is to restore .berost personal files from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing files that were locked by .Berost ransomware virus. The instructions below will give you all the details.
ShadowExplorer can be downloaded from the following link. Save it on your Desktop.
439627 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the screen below.
Double click ShadowExplorerPortable to launch it. You will see the a window as shown in the following example.
In top left corner, choose a Drive where encrypted personal files are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as shown below.
Use PhotoRec to restore .berost files
Before a file is encrypted, the .Berost ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recover programs like PhotoRec.
Download PhotoRec from the following link. Save it on your MS Windows desktop.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as shown below.
Select a drive to recover as shown on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to select where restored documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as displayed below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your personal computer from .Berost ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC from .Berost ransomware virus
All-in-all, HitmanPro.Alert is a fantastic utility to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from MS Windows XP to Windows 10.
HitmanPro.Alert can be downloaded from the following link. Save it on your Desktop.
Once downloading is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is opened, you’ll be displayed a window where you can select a level of protection, as shown below.
Now click the Install button to activate the protection.
Finish words
Now your computer should be clean of the .Berost ransomware virus. Remove KVRT and MalwareBytes Anti-Malware. We recommend that you keep Zemana (to periodically scan your computer for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to get rid of .Berost ransomware virus from your PC, then ask for help here.
