This week, security specialists discovered a new ransomware called ‘Truke file virus’, malicious software that infects Microsoft Windows PCs. It encrypts documents, photos and music on all attached computer drives and network drives a short time after the machine has been infected, adding the .truke file extension to the names of all encrypted files.
Truke ransomware virus encrypts personal files using an unbreakable ‘key’ that only the software authors know. It forces you to pay a ransom to decrypt them. It can encrypt almost all types of files, including common ones such as:
.pdf, .xxx, .accdb, .png, .hkdb, .xyw, .bik, .mdb, .wmv, .wp4, .lbf, .wire, .jpeg, .wmd, .pef, .xar, .2bp, .bsa, .desc, .ztmp, .1, .arw, .mpqge, .jpe, .zabw, .x3d, .map, .sb, .wbd, .d3dbsp, .wpb, .wdb, .0, .dwg, .dcr, .xlk, .srf, .lrf, .rwl, .re4, .sql, .zw, .asset, .iwi, .dba, .raf, .gdb, .wbm, .dxg, .xx, .xf, .ws, .wpw, .wbz, .mef, .tax, .x3f, .srw, .ybk, .pptm, .ai, .wpl, .xls, .wmv, .pem, .wpd, .rtf, .sum, .xld, .wb2, .ibank, .cas, .xlgc, .t13, .sidd, .w3x, .fpk, .menu, .indd, .psd, .mp4, .mdbackup, .vpp_pc, .der, .wotreplay, .qdf, .zdc, .arch00, .ppt, .jpg, .wot, .wma, .mlx, .yal, .sis, .dbf, .big, .p12, .itl, .bc7, .pdd, .p7c, .wpa, .txt, .sidn, .xlsb, .ptx, .bay, .pfx, .m4a, .flv, .wgz, .ncf, .zdb, .wp6, .xls, .py, .wbmp, .mcmeta, .mdf, .wp, .pak, .erf, .ysp, .r3d, .t12, .kdb, .xlsm, .ltx, .css, .zif, .xml, .wpe, .wmo, .docm, .psk, .xbdoc, .mrwref, .epk, .wri, .x3f, .doc, .bar, .xpm, .mddata, .webp, .hplg, .bc6, .wcf, .layout, .xmind, .cer, .3ds, .kdc, .qic, .xy3, .forge, .cfr, .x, .avi, .p7b, .dng, .wsh, .wpg, .rb, .js, wallet, .sie, .bkf, .docx, .ff, .lvl, .wmf, .syncdb, .wn, .nrw, .vpk, .apk, .zip, .rgss3a, .litemod, .7z, .odt, .sid, .odm, .xmmap, .wpd, .db0, .ods, .xlsm, .pkpass, .rw2, .dmp, .wsc, .vcf, .upk, .cdr, .slm
With the encryption work done, all encrypted files have the new .truke extension appended to their names. Truke ransomware drops a file named ‘_readme.txt’. This file contains a ransom note written in English. The ransom instructions direct victims to make payment to a cryptocurrency wallet in exchange for the keys needed to decrypt documents, photos and music.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8gklbDGTaZ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Truke |
Type | Crypto malware, File locker, Ransomware, Crypto virus, Filecoder |
Encrypted files extension | .truke |
Ransom note | _readme.txt |
Contact | ferast@firemail.cc, @datarestore (telegram) |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | When you try to open your file, Windows notifies you that you do not have permission to open this file. Your files now have a different extension. Files named ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ appear in each folder with at least one encrypted file. New files appear on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
Distribution ways | Phishing email scam that attempts to scare users into acting impulsively. Malicious downloads that happen without a user’s knowledge when they visit a compromised web page. Social media posts (they can be used to trick users to download malware with a built-in ransomware downloader or click a malicious link). Flash Drives containing malware. |
Removal | To remove Truke file virus, use the removal guide |
Decryption | To decrypt .Truke files use the steps |
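The two indicators in the summary above (the appended .truke extension and the _readme.txt note) are enough to measure how far the encryption reached before you start cleaning. The script below is an added example, not part of the original guide; the function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".truke"     # extension appended to encrypted files (from the page)
RANSOM_NOTE = "_readme.txt"  # ransom note file name (from the page)

def inventory(root):
    """Map each affected directory to its encrypted files, intact files and note flag."""
    report = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):  # skip unreadable dirs
        entry = {"encrypted": [], "intact": [], "note": False}
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                entry["note"] = True
            elif lower.endswith(ENCRYPTED_EXT):
                entry["encrypted"].append(name)
            else:
                entry["intact"].append(name)
        if entry["encrypted"] or entry["note"]:
            report[dirpath] = entry
    return report

def original_types(report):
    """Count encrypted files by the extension they had before .truke was appended."""
    counts = Counter()
    for entry in report.values():
        for name in entry["encrypted"]:
            original = name[: -len(ENCRYPTED_EXT)]  # report.docx.truke -> report.docx
            counts[Path(original).suffix.lower() or "(none)"] += 1
    return counts

def build_sample_tree(root):
    """Constructed sample: empty files that only mimic the naming pattern."""
    layout = {"docs": ["report.docx.truke", "budget.xlsx.truke", "_readme.txt"],
              "photos": ["img1.jpg.truke", "img2.jpg", "_readme.txt"],
              "clean": ["notes.txt"]}
    for folder, names in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for name in names:
            (Path(root) / folder / name).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = inventory(tmp)
        print({Path(d).name: len(e["encrypted"]) for d, e in found.items()})
        print(dict(original_types(found)))
```

Directories that hold a note but still list intact files are worth copying to offline media first, since those files have not been encrypted.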
In the guide below, I have outlined a few methods that you can use to remove Truke virus from your PC and restore (decrypt) .truke files from shadow volume copies or using file restore programs.
Quick links
- How to remove Truke file virus
- How to decrypt .truke files
- Use STOPDecrypter to decrypt .truke files
- How to restore .truke files
- How to protect your personal computer from Truke crypto virus?
- To sum up
How to remove Truke file virus
There are a few ways to delete Truke file virus. However, not all ransomware of this kind can be completely deleted using manual methods alone, and in many cases you cannot delete a crypto virus using standard MS Windows options. To remove .Truke file virus you need to use reliable removal tools. Most IT security experts state that Zemana Anti-malware, Malwarebytes or KVRT are the right choice. These free programs are able to search for and remove Truke crypto malware from your system.
Run Zemana Anti Malware (ZAM) to remove Truke file virus
Zemana Free is a tool which can remove Truke file virus and other malware, adware, trojans and worms from your computer easily and for free. Zemana Anti Malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of system resources.
- Installing the Zemana Anti-Malware is simple. First you’ll need to download Zemana AntiMalware (ZAM) from the following link.
- Once you have downloaded the install file, double-click on Zemana.AntiMalware.Setup. This will start the Zemana installation on your personal computer.
- Select the install language and click the ‘OK’ button.
- On the next screen, ‘Setup Wizard’, simply click the ‘Next’ button and follow the prompts.
- Finally, once the setup is finished, Zemana Free will start automatically. If it does not, double-click on the Zemana icon on your desktop.
- Now that you have successfully installed Zemana Anti-Malware, let’s see how to use Zemana to remove Truke file virus from your computer.
- After you have started Zemana Anti Malware, you will see its main window. Click the ‘Scan’ button to perform a system scan for the ransomware virus.
- Now pay attention to the screen while Zemana scans your PC.
- After Zemana AntiMalware has finished scanning your machine, you will be shown the list of all threats found. All detected threats will be marked. You can remove them all by simply clicking the ‘Next’ button.
- Zemana Anti Malware may require a reboot in order to complete the Truke file virus removal process.
- If you want to fully remove crypto malware from your machine, then click ‘Quarantine’ icon, select all malicious software, adware, PUPs and other items and click Delete.
- Restart your system to complete the ransomware removal process.
Use MalwareBytes to remove Truke file virus
Removing Truke file virus manually is difficult, and often the ransomware is not fully removed. Therefore, we suggest you use MalwareBytes Anti-Malware (MBAM), which will fully clean your computer. Moreover, this free application will help you get rid of malicious software, trojans, worms and adware that your machine may also be infected with.
- Download MalwareBytes on your Windows Desktop by clicking on the link below.
- After the download is done, close all apps and windows on your machine. Open the download location. Double-click on the icon named mb3-setup.
- Next, click the Next button and follow the prompts.
- Once the install is done, click the “Scan Now” button. MalwareBytes Anti-Malware (MBAM) will scan the whole system for the Truke file virus and other security threats. This process can take some time, so please be patient. During the scan MalwareBytes AntiMalware will locate threats present on your PC.
- When the system scan is finished, you will be shown the list of all detected items on your PC. Review the scan results and then click “Quarantine Selected”. When the clean-up is complete, you may be prompted to restart your system.
Double-check for .Truke file virus with KVRT
The KVRT utility is free and easy to use. It can scan for and delete ransomware such as Truke file virus, as well as other malware, trojans and worms in Windows OS, and thereby restore its settings. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the computer.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the following link.
Once the download is done, double-click on the KVRT icon. Once the initialization process is done, you’ll see the KVRT screen as displayed in the following example.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click the Start scan button. The Kaspersky virus removal tool will scan the whole machine for the Truke file virus and other malware. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your machine.
After the scan is complete, it will display the Scan Results like below.
Once you’ve selected what you wish to delete from your computer press on Continue to begin a cleaning task.
How to decrypt .truke files
The Truke file virus uses very strong hybrid encryption with a large key. This means that decrypting the files is impossible without the private key. Brute forcing is also not a solution because of the length of the key. Therefore, unfortunately, paying the creators of the Truke crypto virus the entire amount requested is the only method to try to get the decryption key and decrypt all your files.
If your files have been locked by the Truke file virus, we recommend that you do not pay the ransom. If this malicious software makes money for its developers, then your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the Truke ransomware virus must seriously disrupt your life.
With some variants of .Truke file virus, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .truke files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants: .djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.truke).
Please check the twitter post for more info.
How to restore .truke files
In some cases, you can recover files encrypted by Truke file virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to restore .truke files
A free utility named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista). You can restore personal files encrypted by the Truke ransomware virus from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer by clicking on the following link. Save it to your Desktop so that you can access the file easily.
When the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the following example.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the Truke ransomware as displayed in the figure below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as on the image below.
Run PhotoRec to restore .truke files
Before a file is encrypted, the Truke ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec from the link below.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as displayed in the following example.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown on the screen below.
Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, press the Browse button to choose where restored files should be written, then click Search.
The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is complete, press the Quit button. Next, open the directory where restored files are stored. You will see contents as shown in the following example.
All recovered personal files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.
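Sorting the recup_dir.N folders by hand gets slow when a scan returns thousands of files, so the following added example (not part of the original guide, and not PhotoRec's own code) builds an index of the output folder sorted by extension and then time, skipping empty files and files whose content has already been seen. The sample file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered videos do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def index_recovered(output_dir):
    """Return one record per unique file under recup_dir.N, sorted by extension, then time."""
    seen, records = set(), []
    for folder in sorted(Path(output_dir).glob("recup_dir.*")):
        for path in sorted(p for p in folder.rglob("*") if p.is_file()):
            size = path.stat().st_size
            if size == 0:
                continue                      # empty results carry no data
            digest = sha256_of(path)
            if digest in seen:
                continue                      # same content already indexed
            seen.add(digest)
            records.append({"path": path, "ext": path.suffix.lower(),
                            "size": size, "mtime": path.stat().st_mtime})
    return sorted(records, key=lambda r: (r["ext"], r["mtime"], r["path"].name))

def build_sample_output(root):
    """Constructed sample mimicking the recup_dir.N layout; contents are dummy bytes."""
    files = {"recup_dir.1/f0000100.jpg": b"photo-A", "recup_dir.1/f0000200.docx": b"doc-A",
             "recup_dir.2/f0000300.jpg": b"photo-A",   # duplicate content of f0000100.jpg
             "recup_dir.2/f0000400.jpg": b"photo-B", "recup_dir.2/f0000500.txt": b""}
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_output(tmp)
        for rec in index_recovered(tmp):
            print(rec["ext"], rec["size"], rec["path"].relative_to(tmp))
```

Point `index_recovered` at the folder you chose with the Browse button; write any report it produces to a different drive than the one being recovered.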
How to protect your personal computer from Truke crypto virus?
Most antivirus programs already have built-in protection against crypto malware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from Truke ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Microsoft Windows XP to Windows 10.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
Once the downloading process is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the utility is started, you’ll be displayed a window where you can select a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
To sum up
Now your computer should be clean of the Truke file virus. Delete MalwareBytes Anti Malware and KVRT. We advise that you keep Zemana AntiMalware (ZAM) (to periodically scan your personal computer for new malware). Make sure that you have all the Critical Updates recommended for MS Windows OS. Without regular updates you WILL NOT be protected when new ransomware, harmful applications and adware software are released.
If you are still having problems while trying to remove Truke file virus from your system, then ask for help here.