This week, computer security professionals has received reports of yet another ransomware called ‘Ferosas ransomware‘. This ransomware virus spreads via spam emails and malware files and appends the .ferosas file extension to encrypted files. Here’s everything you need to know about this ransomware, how to remove .Ferosas ransomware virus and how to restore (decrypt) encrypted personal files for free.
Files encrypted by “.ferosas ransomware”
What is ‘.Ferosas ransomware’? Ferosas ransomware is a malicious software that encrypts personal files until a ransom is paid to the cyber criminal. Once started, the .Ferosas ransomware virus will scan the personal computer for some file types and encrypt them. It will encrypt almost of files, including:
.wma, .bik, .sql, .7z, .qdf, .rwl, .sidn, .zw, .wp5, .xlsb, .indd, .pdd, .ncf, .docm, .bsa, .bc7, .sr2, .3fr, .arch00, .wbd, .webdoc, .accdb, .xdl, .menu, .wmv, .re4, .ai, .z, .x3f, .der, .doc, .xml, .wmd, .pptx, .map, .sis, .xld, .xbplate, .svg, .dba, .dcr, .crt, .rw2, .sav, .js, .rtf, .upk, .vpk, .t13, .bkp, .itdb, .x3d, .wbc, .zip, .xmmap, .wbz, .dwg, .0, .fos, .epk, .ysp, .bc6, .hkx, .cer, .mp4, .mlx, .tor, .m4a, .vpp_pc, .kdc, .xls, .odc, .ptx, .layout, .rim, .ws, .cfr, .xlsm, .jpe, .eps, .litemod, .wmv, .py, .srf, .ppt, .p7b, .wcf, .wgz, .png, .crw, .2bp, .wma, .wav, .hkdb, wallet, .lrf, .wb2, .mcmeta, .lbf, .x3f, .jpeg, .odt, .xyw, .xmind, .wpa, .nrw, .txt, .1, .bay, .3ds, .syncdb, .wpt, .icxs, .sidd, .yml, .itm, .x, .yal, .mdbackup, .pst, .rofl, .raw, .zdb, .apk, .y, .wdp, .m2, .pfx, .wps, .gdb, .mdb, .cas, .pef, .rgss3a, .xf, .lvl, .esm, .xlk, .mrwref, .flv, .wp, .vtf, .m3u, .ztmp, .slm, .wdb, .ntl, .vfs0, .hvpl, .hplg, .sie, .wn, .dmp, .qic, .rar, .wire, .kdb, .pem, .docx, .zdc, .xlsx, .sb, .xy3, .jpg, .cr2, .dxg, .db0, .sid, .rb, .odb, .wm, .zabw, .xdb, .r3d, .wp6, .srw, .mov, .t12, .pdf, .xbdoc, .xx, .wpd, .csv, .p7c, .iwi, .odp, .wsh, .wp7, .wbk, .wsd, .wmf, .1st, .arw, .pak, .wpd, .wsc, .xll, .p12, .psk, .css, .dng, .bkf, .xpm, .cdr, .ltx, .ods, .vdf, .avi, .ff, .psd, .wpb, .gho, .wpe, .wps, .itl, .fsh, .snx, .blob, .orf, .wbmp, .fpk, .xyp, .webp, .wot, .wri, .das, .zi, .mpqge, .asset, .zif, .mef, .wpw, .wpg, .wp4, .big, .xwp, .wotreplay, .xxx, .mddata, .z3d, .pkpass, .tax, .ybk, .iwd, .d3dbsp, .ibank, .wmo, .wbm, .desc, .bar, .xls, .dazip, .3dm, .w3x, .raf, .odm
Once a file is encrypted, its extension changed to .ferosas. Next, the ransomware virus creates a file named ‘_readme.txt’. This file contain a note on how to decrypt all encrypted files. An example of the ransom demanding message is:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mVSS8cJcv3 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Ferosas ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .ferosas |
| Ransom note | _readme.txt |
| Ransom amount | $490, $980 in Bitcoins |
| Symptoms |
|
| Removal | To remove .Ferosas ransomware use the removal guide |
| Decryption | To decrypt .Ferosas ransomware use the steps |
Instructions that is shown below, will allow you to remove .Ferosas ransomware virus as well as recover encrypted files stored on your PC system drives.
Quick links
- How to remove .Ferosas ransomware
- How to decrypt .ferosas files
- Use STOPDecrypter to decrypt .ferosas files
- How to restore .ferosas files
- How to protect your PC system from .Ferosas ransomware?
- To sum up
How to remove .Ferosas ransomware
Most often it is not possible to remove the .Ferosas ransomware virus manually. For that reason, our team designed several removal solutions that we have combined in a detailed guide below. Therefore, if you’ve the .Ferosas ransomware on your computer and are currently trying to have it uninstalled then feel free to follow the few simple steps below in order to resolve your problem. Read this manual carefully, bookmark or print it, because you may need to close your web-browser or restart your system.
How to remove .Ferosas ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can detect security threats such as the .Ferosas ransomware, trojans and other malware that most ‘classic’ antivirus software fail to pick up on. Moreover, if you have any .Ferosas ransomware removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
- Download Zemana AntiMalware on your PC by clicking on the following link.
Zemana AntiMalware
164986 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- Once downloading is finished, please close all software and open windows on your PC system. Next, start a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana onto your PC system. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will launch and open the main window.
- Further, click the “Scan” button . Zemana Anti-Malware program will scan through the whole machine for the .Ferosas ransomware virus related files, folders and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your PC system. During the scan Zemana Free will find threats exist on your machine.
- After the scan get completed, Zemana Anti Malware (ZAM) will prepare a list of undesired programs adware.
- Next, you need to click the “Next” button. The utility will remove .Ferosas ransomware and add items to the Quarantine. Once the procedure is finished, you may be prompted to restart the computer.
- Close the Zemana Free and continue with the next step.
How to remove Ferosas ransomware with MalwareBytes AntiMalware
We suggest using the MalwareBytes Free that are fully clean your computer of ransomware virus. This free utility is an advanced malware removal program designed by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It is able to help you get rid of ransomware, trojans, malicious software, adware software, worms, and other security threats from your personal computer for free.
- MalwareBytes Free can be downloaded from the following link. Save it on your Windows desktop.
Malwarebytes Anti-malware
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- When downloading is finished, close all applications and windows on your PC. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once setup is complete, click the “Scan Now” button to look for the Ferosas ransomware and other malware. When a malicious software, adware or potentially unwanted software are detected, the count of the security threats will change accordingly.
- As the scanning ends, MalwareBytes Free will show a list of all items found by the scan. Next, you need to press “Quarantine Selected”. After finished, you can be prompted to reboot your system.
The following video offers a step-by-step guidance on how to remove browser hijackers, adware software and other malware with MalwareBytes Free.
Scan and free your computer of ransomware with KVRT
If MalwareBytes anti malware or Zemana anti malware cannot remove this ransomware virus, then we advises to use the KVRT. KVRT is a free removal tool for ransomwares, adware, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) on your personal computer by clicking on the following link.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is complete, double-click on the KVRT icon. Once initialization procedure is complete, you will see the KVRT screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to scan for .Ferosas ransomware virus and other trojans and harmful programs. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While the KVRT tool is scanning, you can see how many objects it has identified as being infected by malicious software.
Once the system scan is complete, KVRT will open a list of all threats detected by the scan as displayed on the screen below.
In order to delete all threats, simply press on Continue to begin a cleaning procedure.
How to decrypt .ferosas files
The .Ferosas ransomware offers victim to contact it’s makers in order to decrypt all files. These persons will require to pay a ransom (usually demand for $490-980 in Bitcoins).
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
Files encrypted by “.ferosas ransomware”
With some variants of the Ferosas ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .ferosas files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.ferosas).
Please check the twitter post for more info.
How to restore .ferosas files
In some cases, you can recover files encrypted by .Ferosas ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Recover .ferosas files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Click the link below to download ShadowExplorer. Save it on your Desktop.
439625 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed in the figure below.
In top left corner, choose a Drive where encrypted personal files are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to recover, right click to it and select Export as displayed below.
Restore .ferosas files with PhotoRec
Before a file is encrypted, the .Ferosas ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore software like PhotoRec.
Download PhotoRec by clicking on the following link.
When downloading is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed in the figure below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as on the image below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC system from .Ferosas ransomware?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your personal computer from .Ferosas ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro.Alert from the following link.
After downloading is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as shown below.
Now click the Install button to activate the protection.
To sum up
Now your machine should be clean of the .Ferosas ransomware. Remove KVRT and MalwareBytes. We suggest that you keep Zemana Free (to periodically scan your personal computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .Ferosas ransomware virus from your system, then ask for help here.
Help me please. I did not anything about .ferosas virus or how it can corrupt my system. And I now know after the damage is done. Every file has been renamed to .ferosas extension. I refreshed the windows and formatted C drive but it did not recover my data. My whole pc is gone. There was much important data related to my studies. And also some of the best soft wares and pc games gone.
Now that I read it I did receive a windows update message although from many days I have turned off the updates which was a surprise. I thought how it is self updating even though I have clicked the option to let me choose when to download and install updates but I did not gave it any attention. Also from the past week my computer would get stuck. Felt like it was using a lot of ram. It would heat up. But I also considered this as normal because there are some heavy games I ran on my laptop.
Now everything is f**ked up. :/ I refreshed the windows formatted the C drive. One notable thing is that once I knew I tried to delete those files causing everything. But I did not know it would damage my files. Self opening tabs in chrome were a major problem. It was due to 2 or 3 files which automatically installed. I will give you the details and I need help.
The files that auto-installed :-
SafeFinder, Dream trips (or tips), secure folder, secure drive.
I tried to remove them many times. Then I removed chrome. But the tabs kept opening in internet explorer.
Now there are no files I can access except drive C which has new windows and nothing in it. Even though everything is .ferosas format, its still heavy and my whole HDD space is filled with heavy .ferosas files that look identical to original files except it can not be opened.
There is a read me text everywhere in which he’s asking for money. Here is my ID as given by him :-
087OsdfghddOcmxbJwzJ2unTTtmlnMq7oIaHJOWLODNB1yJWwwV
For God’s sake HELP….!!!!
thanks patrik alot man,, struggled for two days.. tried alot of malware removers but this forum helped me … close to death man….. keep it 100% work done….