Cyber security experts discovered a new variant of Mosteros@firemail.cc ransomware that named ‘Forasom ransomware‘. It appends the .forasom file extension to encrypted file names. This article will provide you with all the things you need to know about ransomware, how to remove .Forasom ransomware from your system and how to recover (decrypt) encrypted files for free.
What is ‘Forasom ransomware virus’? It is a malicious software that encrypts photos, documents and music using a strong encryption method, preventing access to them. It will encrypt almost all types of files, including common as:
.re4, .7z, .sie, .wma, .wps, .lrf, .map, .wpl, .1st, .wbc, .ai, .wsh, .der, .lbf, .vcf, .ptx, .zip, .x3f, .sum, .sb, .cfr, .wcf, .sr2, .db0, .t12, .kf, .wp6, .eps, .wmo, .mdb, .ltx, .wdp, .mpqge, .wbk, .dcr, .jpeg, .p7b, .xml, .mdf, .wma, .sis, .sidd, .wav, .dbf, .2bp, .wsc, .ncf, .esm, .pdd, .fos, .wbz, .pptm, .raw, .pfx, .x3f, .big, .psd, .icxs, .p12, .mlx, .ybk, .litemod, .xmind, .zdc, .wp7, .0, .xlgc, .zif, .wpa, .xwp, .js, .ff, .zdb, .bik, .tor, .m2, .raf, .orf, .ntl, .arch00, .odc, .wmf, .flv, .yml, .mp4, .cdr, .pst, .sav, .wpb, .svg, .t13, .mddata, .py, .sql, wallet, .snx, .apk, .wmd, .d3dbsp, .mcmeta, .srf, .xlsx, .vdf, .bsa, .wp5, .sidn, .pkpass, .zi, .pdf, .dmp, .wire, .forge, .y, .lvl, .1, .png, .zw, .xyp, .accdb, .ysp, .kdc, .vfs0, .asset, .nrw, .crt, .dwg, .itm, .p7c, .3ds, .vpp_pc, .qdf, .pem, .dba, .mdbackup, .itdb, .xlsb, .xdl, .indd, .xls, .xlsm, .r3d, .xx, .bkp, .hkx, .x3d, .wpt, .xls, .m4a, .fpk, .xmmap, .bar, .avi, .xpm, .bc6, .xar, .mef, .webp, .rtf, .odm, .xyw, .syncdb, .wot, .xxx, .wbd, .hkdb, .wmv, .odb, .wp, .wp4, .bkf, .wn, .ibank, .xlsx, .wotreplay, .xdb, .fsh, .wbm, .wmv, .xld, .psk, .3dm, .pak, .layout, .erf, .wps, .odp, .yal, .ztmp, .webdoc, .ods, .wpe, .srw, .jpg, .rwl, .zip, .blob, .bc7, .wm, .txt, .x, .vpk, .arw, .zabw, .iwi, .hplg, .slm, .vtf, .rar, .wbmp, .docx, .wpd, .wgz, .pptx, .itl, .odt, .z, .xbplate, .wpw, .w3x, .docm, .wpd, .csv, .wdb, .wb2, .rofl, .xbdoc, .xll, .rim, .dng, .ws, .wsd, .pef, .cas, .wpg, .cr2, .menu, .desc, .z3d, .gho, .rw2, .css, .xy3, .mov, .jpe, .m3u, .sid, .upk, .ppt, .xlsm, .mrwref, .xf, .crw, .bay, .das, .dazip, .xlk, .kdb, .rgss3a
Upon successful encryption, it appends the .forasom extension to the file name of its encrypted file. The ransomware also creates a text file called “_readme.txt” in each folder. This file is a ransom instructions. The ransom note asks for money in the form of bitcoins. The content of the ransom demanding message is below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2jkyb95pOj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Forasom ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .forasom |
Ransom note | _readme.txt |
Contact | mosteros@firemail.cc, gorentos@bitmessage.ch, @datarestore (Telegram) |
Ransom amount | $980, $490 in Bitcoins |
Symptoms |
|
Removal | To remove .Forasom ransomware use the removal guide |
Decryption | To decrypt .Forasom ransomware use the steps |
Use the step-by-step tutorial below to remove ransomware and try to restore (decrypt) encrypted personal files for free.
Quick links
- How to remove .Forasom ransomware
- How to decrypt .forasom files
- Use STOPDecrypter to decrypt .forasom files
- How to restore .forasom files
- How to protect your computer from .Forasom ransomware virus?
- Finish words
How to remove .Forasom ransomware
The .Forasom ransomware virus may hide its components which are difficult for you to find out and remove completely. This may lead to the fact that after some time, the ransomware virus once again infect your system and encrypt your documents, photos and music. Moreover, I want to note that it is not always safe to remove ransomware manually, if you don’t have much experience in setting up and configuring the MS Windows operating system. The best way to scan for and remove .Forasom ransomware virus is to use free malicious software removal software that are listed below.
Use Zemana Anti-malware to remove .Forasom ransomware virus
We suggest using the Zemana Anti-malware. You can download and install Zemana Anti-malware to find and get rid of .Forasom ransomware from your computer. When installed and updated, the malware remover will automatically scan and detect all threats present on the machine.
- Click the link below to download Zemana Free. Save it directly to your Windows Desktop.
Zemana AntiMalware
164104 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- After the download is complete, please close all software and open windows on your computer. Next, start a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana Anti-Malware onto your personal computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will open and open the main window.
- Further, press the “Scan” button for checking your PC for the .Forasom ransomware virus and other malware and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the Zemana Free program is checking, you may see how many objects it has identified as threat.
- As the scanning ends, you will be shown the list of all found threats on your system.
- Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Next” button. The utility will start to remove .Forasom ransomware virus and other malicious software. After disinfection is finished, you may be prompted to reboot the PC.
- Close the Zemana Free and continue with the next step.
How to remove Forasom ransomware with MalwareBytes Anti-Malware
We recommend using the MalwareBytes Anti-Malware (MBAM) that are completely clean your computer of ransomware virus. This free utility is an advanced malware removal program made by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It’s able to help you remove ransomware, trojans, malicious software, adware, worms, and other security threats from your computer for free.
MalwareBytes can be downloaded from the following link. Save it directly to your MS Windows Desktop.
326458 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the download is done, close all windows on your system. Further, open the file named mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes on the computer. Follow the prompts and don’t make any changes to default settings.
Once install is finished successfully, click Finish button. Then MalwareBytes Anti Malware will automatically start and you may see its main window as displayed in the following example.
Next, click the “Scan Now” button to perform a system scan with this tool for the Forasom ransomware virus and other kinds of potential threats. This process may take quite a while, so please be patient. When a malicious software, adware or PUPs are detected, the number of the security threats will change accordingly.
When the system scan is finished, MalwareBytes Anti-Malware will open a list of all threats found by the scan. In order to remove all threats, simply press “Quarantine Selected” button.
The MalwareBytes Anti-Malware (MBAM) will remove Forasom ransomware virus and other malicious software and add threats to the Quarantine. After finished, you can be prompted to restart your computer. We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Free to remove browser hijackers, adware and other malware.
Run KVRT to get rid of .Forasom ransomware virus
KVRT is a free removal tool that may be downloaded and use to get rid of ransomware, adware, malicious software, trojans and other threats from your system. You may run this tool to detect threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it on your Windows desktop or in any other place.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you’ll see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to perform a system scan for the .Forasom ransomware and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. While the tool is scanning, you can see how many objects and files has already scanned.
When finished, a list of all items found is produced as displayed on the image below.
You may remove items (move to Quarantine) by simply click on Continue to begin a cleaning task.
How to decrypt .forasom files
The .Forasom ransomware virus offers to make a payment in Bitcoins to get a key to decrypt personal files.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .forasom personal files quickly. There is no guarantee that the creators of .Forasom ransomware will live up to the word and give back your personal files.
With some variants of Forasom ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .forasom files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.forasom).
Please check the twitter post for more info.
How to restore .forasom files
In some cases, you can recover files encrypted by .Forasom ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Restore .forasom files with ShadowExplorer
In order to restore .forasom files encrypted by the .Forasom ransomware virus from Shadow Volume Copies you can use a utility called ShadowExplorer. We recommend to use this method as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
Download ShadowExplorer on your MS Windows Desktop by clicking on the following link.
438805 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed in the figure below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to recover, right click to it and select Export as displayed below.
Recover .forasom files with PhotoRec
Before a file is encrypted, the .Forasom ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore software such as PhotoRec.
Download PhotoRec on your personal computer by clicking on the following link.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as on the image below.
Select a drive to recover as shown in the following example.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as on the image below.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to select where restored files should be written, then click Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown in the figure below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Forasom ransomware virus?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Forasom ransomware virus
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop.
When the downloading process is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is started, you’ll be displayed a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
Once you have finished the few simple steps shown above, your PC system should be clean from .Forasom ransomware and other malicious software. Your PC will no longer encrypt your personal files. Unfortunately, if the steps does not help you, then you have caught a new ransomware, and then the best way – ask for help here.