This week, cyber security specialists has received reports of yet another ransomware called ‘Myskle virus‘. This crypto malware spreads via spam emails and malware files and appends the .myskle file extension to encrypted files. Read below a brief summary of information related to this ransomware and how to restore or decrypt .myskle files for free.
The Myskle is a malicious software, that made to encrypt the files found on infected system using very strong hybrid encryption with a large key, appending the .myskle extension to all encrypted photos, documents and music. It can encrypt almost types of files, including the following:
.wpt, .ybk, .wot, .mp4, .vcf, .raf, .xld, .mpqge, .bay, .xlsx, .mdf, .pdf, .vdf, .qic, .wbd, .wbm, .2bp, .wpg, .xpm, .fpk, .crw, .zi, .wmv, .wotreplay, .3dm, .iwd, .eps, .sum, .dbf, .mlx, .bkp, .ysp, .xls, .erf, .blob, .fsh, .zip, .ltx, .wbc, .rb, .jpe, .asset, .mddata, .t13, .xlsm, .mef, .arch00, .ppt, .x, .itdb, .3fr, .rtf, .sav, .flv, .0, .cfr, .pkpass, .rim, .xlsm, .1st, .wpa, .ntl, .m3u, .x3d, .lvl, .wmv, .docx, .jpeg, .mcmeta, .cer, .rar, .vfs0, .wps, .itl, .rwl, .wdb, .dxg, .arw, .mdbackup, .bik, .psd, .wp4, .css, .syncdb, .odc, .pptm, .wp, .bc6, .xlgc, .wire, .zdb, .hplg, .cr2, .xlsb, .wpl, .wmo, .esm, .re4, .hvpl, .ztmp, .xmind, .xml, .xmmap, .ptx, .epk, .upk, .map, .z3d, .ibank, .raw, .vpk, .mov, .svg, wallet, .wbmp, .zif, .wpd, .wmd, .xy3, .t12, .zdc, .p7b, .dwg, .wav, .menu, .tax, .z, .layout, .cas, .wbz, .xbdoc, .wsd, .xar, .m2, .dng, .slm, .wm, .ai, .crt, .vtf, .wpw, .xlsx, .wp7, .sql, .lrf, .js, .wps, .xyw, .lbf, .1, .srf, .dmp, .3ds, .gdb, .wp6, .bar, .wsh, .der, .png, .indd, .mrwref, .y, .p12, .wb2, .desc, .csv, .sb, .icxs, .apk, .sis, .wn, .xls, .wpd, .xbplate, .db0, .hkdb, .psk, .ods, .x3f, .w3x, .xdb, .wpe, .7z, .itm, .bsa, .vpp_pc, .ws, .orf, .dba, .dazip, .m4a, .wbk, .litemod, .accdb, .wma, .qdf, .xll, .odp, .wma, .xxx, .bkf, .kdb, .yml, .docm, .wp5, .xwp, .wdp, .x3f, .yal, .sie, .sidn, .avi, .tor, .nrw, .big, .pdd, .kf, .xlk, .sr2, .wmf, .webdoc, .pfx, .wgz, .xf, .odm, .ncf, .wri, .wpb, .gho, .odt, .pptx, .dcr, .rw2, .py, .ff, .sid, .p7c, .pst
When encrypting a file it will add the .myskle extension to every encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.myskle.
When the encryption procedure is finished, the malware leaves a ransom instructions called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all documents, photos and music. An example of the ransomnote is:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-BTtULebL7F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch
Threat Summary
Name | Myskle |
Type | File locker, Filecoder, Ransomware, Crypto malware, Crypto virus |
Encrypted files extension | .myskle |
Ransom note | _readme.txt |
Contact | @datarestore (telegram), stoneland@firemail.cc, gorentos@bitmessage.ch |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | When you try to open your file, Windows notifies that you do not have permission to open this file. All of your documents, photos and music have a odd file extension appended to the filenames. Files called like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. You have received instructions for paying the ransom. |
Distribution ways | Malicious e-mail spam. Exploit kits (cybercriminals use crypto malware packaged in an ‘exploit kit’ that can find a vulnerability in PDF reader, MS Windows OS, Adobe Flash Player, Internet browser). Social media posts (they can be used to force users to download malware with a built-in ransomware downloader or click a misleading link). USB flash drive and other removable media. |
Removal | To remove Myskle ransomware use the removal guide |
Decryption | To decrypt Myskle ransomware use the steps |
Instructions that is shown below, will allow you to remove Myskle as well as restore encrypted photos, documents and music stored on your PC drives.
Quick links
- How to remove Myskle crypto malware
- How to decrypt .myskle files
- Use STOPDecrypter to decrypt .myskle files
- How to restore .myskle files
- How to protect your personal computer from Myskle ransomware virus?
- To sum up
How to remove Myskle crypto malware
Most commonly it’s not possible to remove the Myskle ransomware virus manually. For that reason, our team created several removal solutions which we have summarized in a detailed tutorial below. Therefore, if you’ve the Myskle crypto virus on your PC and are currently trying to have it deleted then feel free to follow the step-by-step guidance below in order to resolve your problem. Read it once, after doing so, please print this page as you may need to shut down your web-browser or restart your PC.
Use Zemana Anti-malware to remove .myskle ransomware
We suggest using the Zemana Anti-malware which are completely clean your personal computer of crypto virus. The tool is an advanced malicious software removal program created by (c) Zemana lab. It is able to help you delete PUPs, spyware, adware software, malicious software, toolbars, ransomware and other security threats from your computer for free.
Now you can install and use Zemana Free to get rid of Myskle from your web-browser by following the steps below:
Visit the page linked below to download Zemana Anti-Malware (ZAM) installer called Zemana.AntiMalware.Setup on your personal computer. Save it on your Desktop.
164113 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Run the installer after it has been downloaded successfully and then follow the prompts to install this utility on your PC.
During setup you can change some settings, but we suggest you don’t make any changes to default settings.
When installation is finished, this malware removal utility will automatically start and update itself. You will see its main window as shown on the screen below.
Now click the “Scan” button for checking your personal computer for the Myskle ransomware and other security threats. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour.
As the scanning ends, the results are displayed in the scan report. Review the report and then click “Next” button.
The Zemana AntiMalware will start to get rid of Myskle ransomware and other security threats. After that process is finished, you can be prompted to reboot your system to make the change take effect.
Automatically remove Myskle virus with MalwareBytes Anti-Malware (MBAM)
If you’re having problems with the Myskle virus removal, then download MalwareBytes. It’s free for home use, and scans for and deletes various unwanted applications that attacks your computer or degrades computer performance. MalwareBytes Free can remove adware software, spyware, ransomware, worms, trojans and other malware.
MalwareBytes AntiMalware can be downloaded from the following link. Save it on your Windows desktop.
326464 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, run it and follow the prompts. Once installed, the MalwareBytes AntiMalware (MBAM) will try to update itself and when this task is finished, click the “Scan Now” button to perform a system scan for the Myskle ransomware virus, other kinds of potential threats such as malware and trojans. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. During the scan MalwareBytes Anti-Malware (MBAM) will scan for threats present on your computer. You may delete threats (move to Quarantine) by simply click “Quarantine Selected” button.
The MalwareBytes is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we recommend you to read and follow the steps or the video guide below.
Remove Myskle virus from PC system with KVRT
KVRT is a free removal utility which can scan your computer for a wide range of security threats such as the Myskle ransomware, adware, potentially unwanted apps as well as other malware. It will perform a deep scan of your computer including hard drives and MS Windows registry. When a malware is detected, it will help you to remove all found threats from your computer with a simple click.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is complete, double-click on the KVRT icon. Once initialization procedure is finished, you’ll see the KVRT screen as shown in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to look for Myskle crypto malware and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a threat is detected, the number of the security threats will change accordingly.
Once KVRT has finished scanning your PC, KVRT will show a screen that contains a list of malicious software that has been found as displayed in the figure below.
In order to get rid of all threats, simply press on Continue to start a cleaning procedure.
How to decrypt .myskle files
The Myskle crypto malware offers victim to contact it’s authors in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $980, $490 in Bitcoins).
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .myskle files quickly. There is no guarantee that the developers of Myskle crypto malware will live up to the word and give back your photos, documents and music.
With some variants of the Myskle ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .myskle files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.myskle).
Please check the twitter post for more info.
How to restore .myskle files
In some cases, you can recover files encrypted by Myskle crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Recover .myskle files with ShadowExplorer
In order to recover .myskle photos, documents and music encrypted by the Myskle crypto malware from Shadow Volume Copies you can use a utility called ShadowExplorer. We recommend to use this solution as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Please go to the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Desktop.
438827 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the screen below.
Launch the ShadowExplorer utility and then select the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the Myskle ransomware as shown in the following example.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as shown on the image below.
Use PhotoRec to recover .myskle files
Before a file is encrypted, the Myskle ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore apps such as PhotoRec.
Download PhotoRec by clicking on the following link.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown below.
Press File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where recovered photos, documents and music should be written, then press Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as on the image below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your personal computer from Myskle ransomware virus?
Most antivirus programs already have built-in protection system against the crypto virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your system from Myskle ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from Microsoft Windows XP to Windows 10.
HitmanPro Alert can be downloaded from the following link. Save it on your Windows desktop.
Once downloading is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the tool is opened, you will be shown a window where you can select a level of protection, as shown on the image below.
Now click the Install button to activate the protection.
To sum up
After completing the step-by-step guidance shown above, your system should be clean from Myskle crypto virus and other malicious software. Your personal computer will no longer encrypt your photos, documents and music. Unfortunately, if the few simple steps does not help you, then you have caught a new ransomware virus, and then the best way – ask for help here.