MyAntiSpyware

.Docm file extension ransomware virus (Restore .docm files)

Myantispyware team May 15, 2019    

Security specialists have discovered a new ransomware variant that appends the .docm file extension to encrypted files. It targets computers running Microsoft Windows and arrives through spam emails, other malware, or manual installation. This post gives a brief summary of the ransomware and explains how to try to restore (decrypt) encrypted personal files for free.

“.Docm ransomware” – ransomnote

What is the ‘.Docm ransomware virus’? It is malware that encrypts documents, photos and music using a hybrid encryption mode, preventing access to them. It encrypts almost all types of files, including common ones such as:

.xlsm, .litemod, .cr2, .gho, .wpb, .dbf, .kdc, .wmd, .layout, .wp, .desc, .iwd, .forge, .wpt, .zip, .webdoc, .der, .xyp, .py, .rim, .avi, .re4, .wpa, .mov, .d3dbsp, .dcr, .map, .pfx, .z, .png, .3ds, .wpe, .txt, .icxs, .p7c, .mp4, .docm, .lrf, .xx, .sb, .ods, .7z, .pem, .vdf, .wn, .apk, .sum, .xwp, .wbk, .kf, .wpd, .tor, .tax, .wsc, .wcf, .bkp, .rgss3a, .x3f, wallet, .cer, .wm, .ztmp, .js, .xml, .wmo, .xy3, .sql, .sidd, .docx, .cas, .mpqge, .dazip, .xbdoc, .ai, .yal, .xpm, .asset, .yml, .sid, .wpd, .lbf, .ppt, .wmv, .0, .sis, .m2, .p12, .wb2, .pdf, .wmf, .iwi, .x3d, .nrw, .wgz, .csv, .dba, .bar, .zip, .epk, .flv, .srw, .1st, .3dm, .xmind, .wbm, .crt, .wbc, .zdb, .webp, .wpg, .svg, .wma, .xlsb, .vpk, .r3d, .indd, .mlx, .wpw, .wbz, .jpeg, .vfs0, .raf, .pef, .bik, .doc, .wsh, .rw2, .wp5, .zw, .xll, .ptx, .y, .wri, .xxx, .fsh, .rar, .wotreplay, .xbplate, .xmmap, .mdb, .rwl, .jpe, .wma, .odb, .rb, .css, .zif, .xls, .mrwref, .pak, .ff, .odc, .qdf, .ltx, .xls, .db0, .fos, .wps, .wmv, .vpp_pc, .arw, .rtf, .das, .xdb, .wav, .mdf, .itm, .wpl, .x, .xlsm, .eps, .wot, .pst, .wp6, .sidn, .big, .mddata, .orf, .itl, .slm, .wp4, .x3f, .srf, .ibank, .fpk, .snx, .psk, .odt, .xlsx, .mef, .w3x, .m3u, .odp, .2bp, .wp7

After encrypting a file, it appends the .docm extension to the file name. The ransomware also creates a text file called “Restore-My-Files.txt” in each folder. This file is the ransom note, which demands payment in bitcoins. The content of the ransom instructions is below:

:-------------
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
 
----------------------------------------------------------------------------------------
 
| 1. Download Tor browser - https://www.torproject.org/ and install it.
 
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 
 
----------------------------------------------------------------------------------------
 
Note! This link is available via "Tor Browser" only.
 
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
 
alternate address - http://helpinfh6vj47ift.onion/
 
 
DO NOT CHANGE DATA BELOW

 

Threat Summary

Name: .Docm ransomware
Type: Ransomware, Filecoder, Crypto virus, File locker
Encrypted files extension: .docm
Ransom note: Restore-My-Files.txt
Contact: decrmbgpvh6kvmti.onion, helpinfh6vj47ift.onion, fileshelp@cock.li
Ransom amount: $300-$1000 in Bitcoins
Symptoms:
  • Encrypted documents, photos and music
  • Your photos, documents and music now have odd extensions that end with something like .docm
  • Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file
  • You have received instructions for paying the ransom
Removal: To remove .Docm ransomware use the removal guide
Decryption: To decrypt .Docm ransomware use the steps
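
The two indicators in the summary above (the Restore-My-Files.txt note and the appended .docm extension) can be used to measure how far the encryption spread. The following script is an example added here, not a tool from this guide; it also accounts for the fact that .docm is the normal extension of macro-enabled Word documents, which are ZIP containers, so it treats a .docm file without the ZIP signature as suspect. That signature test is a heuristic assumption, and the sample tree and file names are constructed.

```python
import os
import tempfile

RANSOM_NOTE = "restore-my-files.txt"  # note name from the article, lower-cased
ENC_EXT = ".docm"                     # extension the ransomware appends
ZIP_MAGIC = b"PK\x03\x04"             # real Word .docm files are ZIP (OOXML) containers


def classify_docm(path):
    """Label a *.docm file by its first four bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    # Assumption: an encrypted file no longer starts with the ZIP signature.
    return "legit" if head == ZIP_MAGIC else "suspect"


def triage(root):
    """Walk root; return folders holding the ransom note and classified .docm files."""
    report = {"note_dirs": [], "suspect": [], "legit": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        if any(f.lower() == RANSOM_NOTE for f in files):
            report["note_dirs"].append(dirpath)
        for name in files:
            if name.lower().endswith(ENC_EXT):
                full = os.path.join(dirpath, name)
                report[classify_docm(full)].append(full)
    return report


def build_sample(root):
    """Constructed sample tree: one affected folder, one clean folder."""
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    with open(os.path.join(docs, "Restore-My-Files.txt"), "w") as fh:
        fh.write("constructed placeholder note\n")
    with open(os.path.join(docs, "budget.xlsx.docm"), "wb") as fh:
        fh.write(bytes([0x9C, 0x41, 0xE7, 0x02, 0x55, 0xAA]))  # constructed non-ZIP bytes
    with open(os.path.join(clean, "template.docm"), "wb") as fh:
        fh.write(ZIP_MAGIC + b"constructed stand-in for a macro-enabled document")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample(tmp))
        for key, items in result.items():
            print(key, len(items))
```

Run `triage()` against a user profile or a mounted copy of the disk; the script only reads files, so it does not alter evidence or encrypted data.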

 

Use the step-by-step guide below to get rid of ransomware and try to restore encrypted personal files for free.

Quick links

  1. How to remove .Docm ransomware
  2. How to decrypt .docm files
  3. How to restore .docm files
  4. How to protect your PC from .Docm ransomware?
  5. Finish words

How to remove .Docm ransomware

There are a few ways to remove .Docm ransomware, but ransomware of this kind cannot always be completely removed using only manual methods. Most often you will not be able to delete it with standard MS Windows options. To delete .Docm ransomware you need to run reliable removal tools. Most IT security professionals state that Zemana Anti-malware, Malwarebytes or KVRT are the right choice. These free applications can find and remove .Docm ransomware from your machine.



Automatically remove .Docm ransomware virus with Zemana Anti-malware

We recommend using Zemana Anti-malware, which can completely clean your computer of the ransomware. The utility is an advanced malware removal program made by (c) Zemana lab. It can help you remove potentially unwanted software, ransomware, adware, malicious software, toolbars and other security threats from your machine for free.

Download Zemana Anti-Malware (ZAM) on your Windows Desktop from the link below.

Zemana AntiMalware
164990 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

When the download is finished, close all apps and windows on your personal computer. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the following example, click the “Yes” button.

Zemana Anti-Malware uac

It will open the “Setup wizard”, which will help you set up Zemana AntiMalware on your system. Follow the prompts and do not make any changes to default settings.

Zemana Anti Malware Setup Wizard

Once installation completes successfully, Zemana AntiMalware (ZAM) will automatically start and you can see its main screen as displayed below.

Now click the “Scan” button. Zemana Anti Malware will begin scanning the whole PC to find the .Docm ransomware virus and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While Zemana Free is scanning, you can see the count of objects it has identified as being infected by malware.

Zemana Anti-Malware (ZAM) detect .Docm ransomware virus and other kinds of potential threats like malware and PUPs

When the scan is finished, the results are displayed in the scan report. Review the scan results and then click the “Next” button. Zemana Anti-Malware will remove .Docm ransomware and other malware and potentially unwanted apps. Once the procedure is finished, you may be prompted to reboot the PC.

How to automatically delete .Docm ransomware with MalwareBytes

We suggest using MalwareBytes Free, which can completely clean your computer of the ransomware. This free utility is an advanced malware removal application made by (c) Malwarebytes lab. This application uses the world’s most popular antimalware technology. It can help you get rid of ransomware, trojans, malicious software, adware software, worms, and other security threats from your computer for free.
MalwareBytes Anti-Malware (MBAM) for Windows, scan for ransomware is finished

Installing the MalwareBytes Free is simple. First you’ll need to download MalwareBytes Free on your PC by clicking on the link below.

Malwarebytes Anti-malware
327228 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

When the download is finished, run the installer and follow the prompts. Once installed, MalwareBytes will try to update itself; when this procedure is complete, click the “Scan Now” button to detect the .Docm ransomware virus and other security threats. This process may take quite a while, so please be patient. While MalwareBytes is checking, you can see the number of objects it has identified as being malicious software. Review the results once the utility has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Quarantine Selected” button.

MalwareBytes is a free application that you can use to get rid of all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we suggest you read and follow the guidance or the video guide below.

Run KVRT to get rid of .Docm ransomware virus

KVRT is a free portable program that scans your computer for adware, PUPs and ransomware such as .Docm ransomware and allows you to remove them easily. Moreover, it will also help you delete any malicious web browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) by clicking on the following link.

Kaspersky virus removal tool
129280 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the download is finished, double-click on the KVRT icon. Once the initialization process is complete, you’ll see the KVRT screen like below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will begin scanning the whole computer to find the .Docm ransomware virus and other trojans and malicious apps. While the utility is checking, you can see how many objects and files have already been scanned.

Kaspersky virus removal tool scanning

When KVRT has finished scanning, KVRT will open a list of found items as shown on the screen below.

KVRT scan report

Review the results once the tool has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press Continue to begin the cleaning procedure.

How to decrypt .docm files

The .Docm ransomware encourages victims to contact its authors in order to decrypt all files. These persons will demand a ransom (usually $300-1000 in Bitcoins).

Should you pay the ransom?

There is absolutely no guarantee that, after you pay a ransom to the authors of the .Docm ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.

Files encrypted by ransomware

If you do not want to pay for a decryption key, then you have a chance to recover encrypted documents, photos and music. Use free utilities listed below (ShadowExplorer and PhotoRec).

How to restore .docm files

In some cases, you can restore files encrypted by the .Docm ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.




Recover .docm encrypted files using Shadow Explorer

In some cases, you have a chance to restore your personal files which were encrypted by the .Docm ransomware virus. This is possible with a utility named ShadowExplorer. It is a free program which was created to obtain ‘shadow copies’ of files.

Visit the page linked below to download the latest version of ShadowExplorer for MS Windows. Save it to your Desktop so that you can access the file easily.

ShadowExplorer
439627 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the following example.

ShadowExplorer folder

Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the .Docm ransomware as shown in the following example.

ShadowExplorer recover files encrypted by the .Docm ransomware virus

Now navigate to the file or folder that you wish to recover. When ready right-click on it and press ‘Export’ button as shown on the screen below.

ShadowExplorer recover file

Use PhotoRec to restore .docm files

Before a file is encrypted, the .Docm ransomware virus makes a copy of this file, encrypts the copy, and then deletes the original file. This can allow you to restore your personal files using file recovery software like PhotoRec.

Download PhotoRec on your MS Windows Desktop by clicking on the following link.

PhotoRec
221292 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the image below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as shown on the image below.

PhotoRec for windows

Select a drive to recover as shown in the figure below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted personal files like below.

photorec choose partition

Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.

PhotoRec file formats

Next, click Browse button to choose where recovered files should be written, then press Search.

photorec

The count of recovered files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is done, press the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents like those displayed below.

PhotoRec - result of recovery

All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.
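
The sorting step above can be scripted when the recovery produces many files. This is an added example, not part of PhotoRec or of this guide: it groups everything under the recup_dir.N folders by extension, orders each group newest first, and lists ZIP-based documents that fail an integrity check because the recovered data is incomplete. The sample file names and contents are constructed, and the set of ZIP-based extensions is an assumption you can extend.

```python
import io
import os
import zipfile
from collections import defaultdict

ZIP_BASED = {".docx", ".xlsx", ".pptx", ".zip"}  # assumed set of ZIP-container formats


def is_intact_zip(path):
    """True if the ZIP container opens and every member passes its CRC check."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, OSError):
        return False


def inventory(out_dir):
    """Group files in recup_dir.N by extension (newest first); list damaged ZIP-based files."""
    by_ext, damaged = defaultdict(list), []
    for entry in sorted(os.listdir(out_dir)):
        sub = os.path.join(out_dir, entry)
        if not (entry.startswith("recup_dir.") and os.path.isdir(sub)):
            continue
        for name in sorted(os.listdir(sub)):
            full = os.path.join(sub, name)
            ext = os.path.splitext(name)[1].lower()
            by_ext[ext].append(full)
            if ext in ZIP_BASED and not is_intact_zip(full):
                damaged.append(full)
    for paths in by_ext.values():
        paths.sort(key=os.path.getmtime, reverse=True)
    return dict(by_ext), damaged


def build_sample(out_dir):
    """Constructed recovery output: an intact .docx, a truncated .docx and a .jpg."""
    sub = os.path.join(out_dir, "recup_dir.1")
    os.makedirs(sub)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<constructed/>")
    whole = buf.getvalue()
    samples = [("f0001000.docx", whole, 2000),
               ("f0002000.docx", whole[: len(whole) // 2], 1000),  # recovery ended early
               ("f0003000.jpg", b"\xff\xd8\xff\xe0constructed", 1500)]
    for name, blob, mtime in samples:
        full = os.path.join(sub, name)
        with open(full, "wb") as fh:
            fh.write(blob)
        os.utime(full, (mtime, mtime))  # fixed timestamps so the sort order is visible
    return out_dir
```

Call `inventory()` with the folder you selected with the Browse button; files reported as damaged will usually not open in their application.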

How to protect your PC from .Docm ransomware?

Most antivirus software already has a built-in protection system against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As an extra layer of protection, use HitmanPro.Alert.

Run HitmanPro.Alert to protect your PC system from .Docm ransomware

HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Visit the page linked below to download the latest version of HitmanPro.Alert for Windows. Save it directly to your MS Windows Desktop.

HitmanPro.Alert
6877 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is done, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. Once the tool starts, you’ll see a window where you can choose a level of protection, like below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Finish words

Now your computer should be clean of the .Docm ransomware virus. Uninstall KVRT and MalwareBytes Free. We advise that you keep Zemana AntiMalware (ZAM) (to periodically scan your machine for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to delete .Docm ransomware from your computer, then ask for help here.


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
