Security professionals have discovered a new ransomware variant that appends the .skymap file extension to encrypted files. This ransomware targets computers running Microsoft Windows and arrives through spam emails, malicious software or manual installation of the ransomware. This blog post covers what you need to know about this ransomware, how to remove .Skymap ransomware from your PC and how to restore (decrypt) encrypted personal files for free.
The .Skymap ransomware is a variant of crypto viruses. It affects all current versions of MS Windows, including Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware uses very strong hybrid encryption with a large key, which eliminates the possibility of brute-forcing a key that would decrypt the encrypted documents, photos and music. The .Skymap ransomware encrypts almost all file types, including common ones such as:
.xls, .w3x, .fos, .x3f, .mdbackup, .ods, .itl, .wma, .yml, .mddata, .pfx, .z, .mcmeta, .accdb, .wot, .zabw, .7z, .ncf, .zdc, .pptm, .xf, .map, .odb, .tor, .ysp, .docx, .iwi, .m4a, .qic, .blob, .mef, .wsd, .wps, .m2, .upk, .wb2, .xls, .t13, .jpg, .vdf, .rtf, .snx, .arch00, .wbd, .mdb, .x3f, .mlx, .slm, .wbm, .webp, .z3d, .ppt, .apk, .qdf, .cer, .xy3, .0, .xlk, .bik, .wpt, .xlgc, .bc6, .png, .raw, .layout, .fpk, .hkx, .xpm, .p7c, .dmp, .m3u, .wp, .xyp, .rgss3a, .itm, .ltx, .doc, .xar, .xdb, .xwp, .xmmap, .wsh, .wps, .crt, .orf, .wbk, .t12, .lbf, .dwg, .d3dbsp, .der, .xll, .odt, .dxg, .dcr, .pkpass, .rwl, .p7b, .rw2, .wm, .rar, .mp4, .py, .cr2, .ptx, .xlsm, .wcf, .bkp, .cas, .wpl, .pem, .wpg, .bay, .crw, .wotreplay, .ibank, .vpk, .xlsb, .erf, .wp4, .xmind, .wdb, .sql, .sidd, .jpeg, .eps, .wmd, .flv, .vcf, .x3d, .ff, .desc, .r3d, .zip, .itdb, .cdr, .avi, .xbdoc, .mdf, .pdd, .dazip, .xxx, .ztmp, .tax, .dba, .bc7, .litemod, .wpe, .3fr, .lvl, .xld, .db0, .asset, .1, .pptx, .ws, .js, .zif, .svg, .sr2, .mpqge, .sav, .wmv, .wpa, .menu, .xyw, .csv, .wmf, .wp5, .x, .bsa, .wpb, .xbplate, .das, .odp, wallet, .mrwref, .2bp, .wbc, .sis, .bkf, .sid, .raf, .xdl, .dng, .webdoc, .sidn, .wmv, .wma, .3ds, .xlsx, .cfr, .wmo, .wdp, .zip, .css, .wav, .ntl, .kdb, .kf, .kdc, .txt, .y, .indd, .wp7, .sie, .forge, .wire, .hplg, .zi, .odm, .srw, .psd, .srf, .gdb, .wpd, .jpe, .wbmp, .pst, .vpp_pc, .wsc
When encrypting a file it will add the .skymap extension to each encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.skymap.
When the encryption procedure is finished, the malware leaves a ransom note called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all files. You can see one of the variants of the ransom note below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2jkyb95pOj Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | .Skymap ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .skymap |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, @datarestore (telegram) |
Ransom amount | $980, $490 in Bitcoins |
Symptoms |
|
Removal | To remove .Skymap ransomware use the removal guide |
Decryption | To decrypt .Skymap ransomware use the steps |
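The two indicators in the summary above, the .skymap extension and the _readme.txt note, are enough to measure how far the encryption reached before you start cleaning up. The following Python script is an added example, not part of the original guide or of any tool it mentions; the function names and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".skymap"   # extension appended by this variant (from the page)
RANSOM_NOTE = "_readme.txt"    # ransom note file name (from the page)

def inventory(root):
    """Walk root and summarise what the ransomware touched."""
    report = {"encrypted": [], "notes": [], "by_type": Counter(), "restored": []}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(lower) > len(ENCRYPTED_SUFFIX):
                # sample.doc.skymap -> sample.doc
                original = name[: -len(ENCRYPTED_SUFFIX)]
                report["encrypted"].append(path)
                report["by_type"][Path(original).suffix.lower() or "(none)"] += 1
                # A clean copy next to the encrypted one means it was already restored.
                if original.lower() in names:
                    report["restored"].append(path.with_name(original))
    return report

def demo():
    """Build a constructed sample tree and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        pics = Path(tmp) / "Pictures"
        docs.mkdir()
        pics.mkdir()
        for p in (docs / "sample.doc.skymap", docs / "budget.xlsx.skymap",
                  docs / "budget.xlsx", docs / RANSOM_NOTE,
                  pics / "cat.JPG.SKYMAP", pics / "notes.txt"):
            p.write_bytes(b"constructed sample data")
        rep = inventory(tmp)
        return (len(rep["encrypted"]), len(rep["notes"]),
                dict(rep["by_type"]), [p.name for p in rep["restored"]])

if __name__ == "__main__":
    print(demo())
```

Point `inventory()` at a user profile or data drive to get the list of encrypted files, the folders that hold a ransom note, and the files that already have a clean copy beside them.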
In the tutorial below, I have outlined a few methods that you can use to remove the .Skymap ransomware from your PC and restore (decrypt) .skymap files using free software.
Quick links
- How to remove .Skymap ransomware
- How to decrypt .skymap files
- Use STOPDecrypter to decrypt .skymap files
- How to restore .skymap files
- How to protect your personal computer from .Skymap ransomware virus?
- Finish words
How to remove .Skymap ransomware
The following instructions will help you to remove .Skymap ransomware and other malicious software. Before you start, be aware that removing the ransomware may block the ability to decrypt personal files by paying the ransomware authors the requested ransom. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove them from your PC, but they cannot recover encrypted documents, photos and music.
Remove .Skymap ransomware with Zemana Anti-malware
Zemana Anti-malware is highly recommended because it can detect security threats such as the .Skymap ransomware, trojans and other malware which most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any .Skymap ransomware removal problems which cannot be fixed by this tool automatically, Zemana Anti-malware provides 24X7 online assistance from its highly experienced support staff.
Visit the following page to download the latest version of Zemana Anti Malware for MS Windows. Save it on your Windows desktop.
When the download is done, close all windows on your machine. Then start the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up, click the “Yes” button.
It will open the “Setup wizard”, which will help you install Zemana Anti-Malware on the machine. Follow the prompts and do not make any changes to the default settings.
Once the installation completes successfully, Zemana Free will automatically launch and you will see its main window.
Next, press the “Scan” button. Zemana will begin scanning the whole computer to find the .Skymap ransomware and other security threats. This procedure may take quite a while, so please be patient.
Once the scan is complete, Zemana Anti Malware will display a scan report. Review the results. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Next” button.
Zemana AntiMalware (ZAM) will remove the .Skymap ransomware and other security threats and add the items to the Quarantine. When that process is finished, you may be prompted to restart your computer.
Remove .Skymap ransomware virus with MalwareBytes Free
We suggest using MalwareBytes Free to fully clean your computer of the ransomware. This free utility is an advanced malicious software removal program designed by Malwarebytes lab. This application uses the world’s most popular anti-malware technology. It can help you remove ransomware, trojans, malware, adware, worms and other security threats from your system for free.
Visit the following page to download MalwareBytes Anti-Malware. Save it directly to your Windows Desktop.
Once downloading is finished, close all programs and windows on your machine. Double-click the setup file named mb3-setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you set up MalwareBytes Free on your PC system. Follow the prompts and do not make any changes to default settings.
Once setup is finished successfully, press the Finish button. MalwareBytes will automatically start and you will see its main screen.
Now press the “Scan Now” button to begin scanning your system for the .Skymap ransomware and other security threats. This process can take some time, so please be patient. While MalwareBytes AntiMalware is scanning, you can see the number of objects it has identified as malicious software.
Once the check is complete, MalwareBytes Free will show a list of all threats detected by the scan. Once you have selected what you wish to remove from your PC, click the “Quarantine Selected” button. MalwareBytes Free will remove files, folders and registry keys related to the .Skymap ransomware. After the cleanup is finished, you may be prompted to restart the computer.
We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes to remove adware, browser hijacker infection and other malicious software.
Double-check for ransomware virus with KVRT
KVRT is a free removal utility that can scan your PC for a wide range of security threats such as the .Skymap ransomware, trojans, potentially unwanted programs and other malware. It will perform a deep scan of your computer, including hard drives and the Microsoft Windows registry. When malware is detected, it will help you to remove all found threats from your system with a simple click.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
Once the download is finished, double-click on the KVRT icon. Once the initialization process is finished, you’ll see the KVRT screen.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the .Skymap ransomware and other known infections. This task can take some time, so please be patient. When malware, adware or potentially unwanted programs are found, the number of security threats will change accordingly. Wait until the scan is done.
When KVRT has finished scanning, it will display a list of all items detected by the scan.
All detected items will be marked. You can delete them all by simply pressing Continue to start a cleaning task.
How to decrypt .skymap files
The .Skymap ransomware urges victims to make a payment in Bitcoins to get a key to decrypt personal files.
If your photos, documents and music have been locked by the .Skymap ransomware, we recommend that you do not pay the ransom. If this malware makes money for its makers, your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the .Skymap ransomware must seriously disrupt your life.
With some variants of the Skymap ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .skymap files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.skymap).
Please check the Twitter post for more info.
How to restore .skymap files
In some cases, you can recover files encrypted by the .Skymap ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use shadow copies to recover .skymap files
To recover documents, photos and music encrypted by the .Skymap ransomware from Shadow Volume Copies, you can use a tool named ShadowExplorer. We recommend this method because its easy-to-use interface makes it easier to find and restore the previous versions of the encrypted files you need.
Visit the page linked below to download the latest version of ShadowExplorer for Windows. Save it on your Desktop.
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) of the shadow copy from which you wish to recover the file(s) encrypted by the .Skymap ransomware.
Now navigate to the file or folder that you want to restore. When ready, right-click on it and click the ‘Export’ button.
Restore .skymap files with PhotoRec
Before a file is encrypted, the .Skymap ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file recovery apps such as PhotoRec.
Download PhotoRec on your MS Windows Desktop by clicking on the link below.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as shown in the figure below.
Select a drive to recover as displayed below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as displayed in the figure below.
Press the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, press the Browse button to select where restored personal files should be written, then click Search.
The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the restore is complete, click the Quit button. Next, open the directory where the restored documents, photos and music are stored.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your personal computer from .Skymap ransomware virus?
Most antivirus software already has built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your computer from .Skymap ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your machine from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from Microsoft Windows XP to Windows 10.
Visit the page linked below to download the latest version of HitmanPro Alert for MS Windows. Save it on your Windows desktop.
Once downloading is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is launched, you’ll be shown a window where you can select a level of protection, as displayed on the screen below.
Now click the Install button to activate the protection.
Finish words
Now your system should be free of the .Skymap ransomware. Uninstall Kaspersky virus removal tool and MalwareBytes Anti Malware (MBAM). We recommend that you keep Zemana (to periodically scan your system for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .Skymap ransomware from your machine, then ask for help here.