IT security professionals discovered a new variant of ransomware that called ‘Vesad virus‘. It appends the .vesad file extension to encrypted file names. Read below a brief summary of information related to this ransomware and how to restore or decrypt .vesad files for free.
Once installed, the Vesad virus begins searching for attached disks and even networked drives containing web application-related files, documents, images, archives, music, videos and database. The files that will be encrypted include the following file extensions:
.xlsm, .wpe, .x, .hkx, .iwd, .forge, .xls, .xyw, .orf, .qic, .wbz, .wbm, .wp5, .wdb, .wotreplay, .wcf, .map, .dng, .docm, .itm, .yal, .dazip, .raf, .eps, .rw2, .ltx, .x3d, .wsh, .bkf, .dbf, .js, .iwi, .wsc, .zif, .mlx, .nrw, .ibank, .mov, .rofl, .epk, .xmmap, .ncf, .wbd, .rgss3a, .z3d, .srf, .mddata, .xlgc, .wma, .xy3, .pem, .wmv, .wmf, .accdb, .ptx, .cdr, .vtf, .odb, .z, .wps, .re4, .zip, .7z, .xlsm, .lrf, .erf, .lbf, .srw, .pfx, .rwl, .wpb, .xar, .dmp, .flv, .t13, .xxx, .svg, .xll, .docx, .menu, .das, .cas, .vpk, .xlsx, .2bp, .odt, .fsh, .cfr, .wpl, .syncdb, .asset, .xmind, wallet, .zdc, .xf, .png, .xbdoc, .wp4, .wmd, .jpeg, .m4a, .litemod, .zw, .bc7, .wpt, .wire, .t12, .arch00, .mpqge, .tor, .wps, .sql, .ybk, .x3f, .bc6, .wri, .m3u, .psd, .pptx, .xml, .bay, .itdb, .wmo, .wm, .raw, .odc, .xdl, .w3x, .wbc, .mrwref, .pak, .wn, .layout, .wdp, .lvl, .dba, .3dm, .ws, .ntl, .slm, .xx, .kdc, .p12, .gho, .snx, .xwp, .wgz, .jpg, .zdb, .mcmeta, .bkp, .kdb, .wpa, .wpg, .hplg, .vcf, .y, .odm, .icxs, .db0, .ai, .sidn, .xls, .dwg, .wp, .tax, .3fr, .wsd, .ods, .crw, .bar, .rar, .rim, .cr2, .r3d, .py, .fpk, .css, .xyp, .wpd, .xpm, .zi, .desc, .xbplate, .xlsx, .1, .mef, .webdoc, .cer, .pdf, .kf, .ysp, .wpd, .p7b, .xlk, .0, .sb, .rtf, .doc, .qdf, .wpw, .mdbackup, .mp4, .avi, .wp6, .webp, .big, .mdf, .indd, .dxg, .hkdb, .itl, .wbk, .dcr, .pef, .sidd, .apk, .bsa, .blob, .xld, .pdd, .wot, .xlsb, .csv, .vpp_pc, .wmv, .hvpl, .fos, .rb, .wav, .esm, .txt, .jpe, .bik, .upk, .zabw, .d3dbsp, .wma, .sid, .1st, .sr2, .m2, .wb2, .wp7, .ff, .gdb, .pst, .pkpass, .xdb
Upon encryption, all encrypted photos, documents and music will then be appended with the .vesad extension (e.g., ‘photo.jpg is renamed to ‘photo.jpg.vesad’). Ransomware leaves a ransom note named ‘_readme.txt’ with instructions for extortion and ransom payment, threatening destruction of files if payment is not made. The ransom note directs victims to make payment online in Bitcoins.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-hvv30uAtTY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Vesad |
Type | File locker, Crypto virus, Ransomware, Crypto malware, Filecoder |
Encrypted files extension | .vesad |
Ransom note | _readme.txt |
Contact | @datarestore (telegram), gorentos@firemail.cc, gorentos@bitmessage.ch |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | Encrypted documents, photos and music. Files are encrypted with a .vesad file extension. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Your desktop is locked with a message about How to pay to unlock your system. |
Distribution ways | Phishing emails that look like they come from a reliable source. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-site. Social media posts (they can be used to mislead users to download malware with a built-in ransomware downloader or click a malicious link). USB flash drive and other removable media. |
Removal | To remove Vesad ransomware use the removal guide |
Decryption | To decrypt Vesad ransomware use the steps |
Follow our tutorial below to detect and remove Vesad virus from your machine as well as recover (decrypt) encrypted personal files for free.
Quick links
- How to remove Vesad file virus
- How to decrypt .vesad files
- Use STOPDecrypter to decrypt .vesad files
- How to restore .vesad files
- How to protect your computer from Vesad ransomware virus?
- Finish words
How to remove Vesad file virus
Is your Microsoft Windows personal computer infected with Vesad virus? Then don’t worry, in the tutorial listed below, we’re sharing best malware removal tools which has the ability to remove .Vesad file virus and other malware from your personal computer for free.
Remove Vesad ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can detect security threats such Vesad ransomware, trojans, spyware and other malicious software that most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any Vesad removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
Now you can install and use Zemana Anti Malware to remove Vesad virus from your internet browser by following the steps below:
Visit the following page to download Zemana Anti-Malware (ZAM) setup file called Zemana.AntiMalware.Setup on your machine. Save it to your Desktop.
164114 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Run the install package after it has been downloaded successfully and then follow the prompts to install this utility on your machine.
During setup you can change certain settings, but we suggest you don’t make any changes to default settings.
When installation is finished, this malicious software removal utility will automatically start and update itself. You will see its main window as shown below.
Now click the “Scan” button to begin scanning your system for .Vesad file virus and other security threats. This process may take some time, so please be patient.
After the scan is finished, Zemana Anti Malware (ZAM) will show a list of all items detected by the scan. Make sure all items have ‘checkmark’ and click “Next” button.
The Zemana Free will remove Vesad crypto malware related files, folders and registry keys. When that process is finished, you can be prompted to reboot your PC to make the change take effect.
Run MalwareBytes Anti-Malware (MBAM) to remove .Vesad file virus
Manual Vesad virus removal requires some computer skills. Some files and registry entries that created by crypto malware can be not completely removed. We recommend that run the MalwareBytes that are fully free your machine of .Vesad file virus. Moreover, this free program will help you to remove malware, trojans, adware and worms that your computer can be infected too.
MalwareBytes can be downloaded from the following link. Save it directly to your Microsoft Windows Desktop.
326466 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once downloading is finished, close all applications and windows on your PC. Double-click the install file named mb3-setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes Anti-Malware on your personal computer. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, press Finish button. MalwareBytes Anti-Malware (MBAM) will automatically start and you can see its main screen like below.
Now click the “Scan Now” button . MalwareBytes utility will start scanning the whole PC system to find out Vesad crypto virus, other malware, worms and trojans. This procedure can take some time, so please be patient. When a malicious software, adware or PUPs are detected, the number of the security threats will change accordingly.
After MalwareBytes has finished scanning, MalwareBytes Free will create a list of malicious software. Once you’ve selected what you wish to delete from your computer click “Quarantine Selected” button. The MalwareBytes Anti Malware will delete .Vesad file virus related files, folders and registry keys. Once the procedure is finished, you may be prompted to restart the PC system.
We advise you look at the following video, which completely explains the procedure of using the MalwareBytes Free to remove adware software, browser hijacker and other malware.
Scan and clean your personal computer of ransomware virus with KVRT
If MalwareBytes anti-malware or Zemana anti-malware cannot remove .Vesad file virus, then we advises to use the KVRT. KVRT is a free removal tool for ransomware viruses, adware, potentially unwanted apps, trojans and spyware.
Download Kaspersky virus removal tool (KVRT) from the following link.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is done, double-click on the KVRT icon. Once initialization process is complete, you will see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button . KVRT application will scan through the whole personal computer for .Vesad file virus and other malware. This process can take quite a while, so please be patient. During the scan Kaspersky virus removal tool will scan for threats present on your machine.
Once that process is complete, KVRT will display you the results as on the image below.
Make sure all threats have ‘checkmark’ and click on Continue to start a cleaning procedure.
How to decrypt .vesad files
Vesad file virus encourages victim to contact it’s developers in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
With some variants of Vesad file virus, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .vesad files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.vesad).
Please check the twitter post for more info.
How to restore .vesad files
In some cases, you can recover files encrypted by .Vesad file virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use ShadowExplorer to recover .vesad files
An alternative is to recover your photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing files that were locked by Vesad crypto virus. The steps below will give you all the details.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the following link. Save it on your MS Windows desktop or in any other place.
438828 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Double click ShadowExplorerPortable to start it. You will see the a window as shown below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as shown in the following example.
Use PhotoRec to recover .vesad files
Before a file is encrypted, the Vesad file virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore software such as PhotoRec.
Download PhotoRec by clicking on the link below.
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as shown on the image below.
Select a drive to recover like below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown below.
Press File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is done, press OK button.
Next, press Browse button to choose where restored files should be written, then click Search.
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as shown in the following example.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from Vesad ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your system from Vesad ransomware
All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Microsoft Windows XP to Windows 10.
Download HitmanPro.Alert on your MS Windows Desktop from the following link.
Once the downloading process is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is opened, you will be shown a window where you can choose a level of protection, as displayed on the image below.
Now press the Install button to activate the protection.
Finish words
Now your computer should be free of the Vesad crypto virus. Uninstall MalwareBytes and KVRT. We recommend that you keep Zemana Anti Malware (ZAM) (to periodically scan your machine for new malicious software). Moreover, to prevent crypto virus, please stay clear of unknown and third party applications, make sure that your antivirus application, turn on the option to stop or search for ransomware.
If you need more help with Vesad ransomware virus related issues, go to here.