
MyAntiSpyware


.Carote file extension. How to remove virus. Restore, Decrypt .carote files.

Myantispyware team August 25, 2019    

A file with the .carote extension is a file that has been affected by Carote ransomware. What is ransomware? Ransomware is a type of malware that blocks access to files by encrypting them until the user pays a ransom to the online criminals. In many cases, the ransom demand comes with a deadline. If the victim does not make a payment within this time frame, the amount will be higher or the encrypted documents, photos and music are gone forever.

Files encrypted by .carote virus

The Carote ransomware virus is known to encrypt almost all file types, including files with the following extensions:

.xmind, .sql, .wp5, .der, .vcf, .cdr, .bik, .bsa, .lbf, .xlsx, .litemod, .x3d, .pdf, .sav, .jpeg, .xyw, .re4, .m2, .wmf, .bkf, .m3u, .dba, .sidn, .wmv, .arw, .pptm, .odm, .wpl, .xlsb, .py, .x3f, .gho, .sr2, .wpt, .wbc, .rb, .1, .zw, .xlsm, .itl, .db0, .cas, .hplg, .wb2, .kf, .xlgc, .wotreplay, .wp6, .webdoc, .snx, .js, .apk, .zif, .zdb, .cer, .wm, .pst, .wmv, .mdb, .layout, .wn, .syncdb, .xdb, .ai, .0, .dng, .vfs0, .p7c, .cr2, .mpqge, .epk, .yml, .mcmeta, .wire, .hkx, .x3f, .ods, .mef, .nrw, .psk, .jpe, .xbplate, .raf, .kdb, .wpd, .wpe, .xyp, .webp, .wpa, .lvl, .xf, .d3dbsp, .iwi, .wp7, .pkpass, .wsc, .xwp, .xar, .z, .desc, .menu, .rwl, .rgss3a, .vpp_pc, .wma, .ibank, .mrwref, .dcr, .png, .pfx, .xxx, .vpk, .dazip, .zabw, .sum, .pak, .mp4, .ntl, .xy3, .wps, .bkp, .docx, .zi, .sis, .wbz, .wcf, .m4a, .pptx, .wp4, .xml, .jpg, .xpm, .wpd, .slm, .srw, .fos, .yal, .sb, .indd, .xlsx, .dxg, .svg, .z3d, .bar, .hkdb, .wav, .zdc, .big, .asset, .qdf, .mdf, .dbf, .wpb, .odc, .3dm, .xbdoc, .ws, .wbd, .pdd, .wot, .forge, .xld, .hvpl, .csv, .t13, .rtf, .fsh, .mdbackup, .ztmp, .wsd, .zip, .itm, .7z, wallet, .map, .ncf, .wbmp, .wp, .wdp, .ltx, .xlk, .gdb, .orf, .odb, .xmmap, .iwd, .xls, .pem, .rw2, .xx, .wma, .mlx, .lrf, .qic, .itdb, .eps, .1st, .tax, .wbm, .ptx, .raw, .y, .sie, .doc, .crt, .fpk, .vdf, .zip, .bay, .ppt, .w3x, .cfr, .rim, .xlsm, .wbk, .icxs, .das, .2bp, .txt

Upon encryption, every locked personal file has the .carote extension appended to its name (e.g., ‘photo.jpg’ is renamed to ‘photo.jpg.carote’). The ransomware leaves a ransom note named ‘_readme.txt’ with the extortion demand and payment instructions.

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-6tYZko8NMj
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: Carote
Type: File locker, Crypto virus, Ransomware, Crypto malware, Filecoder
Encrypted files extension: .carote
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980 in Bitcoins
Symptoms: Unable to open files. Your photos, documents and music have a new extension appended at the end of the file name. Your file directories contain a ‘ransom note’ file that is usually a .txt file. You have received instructions for paying the ransom.
Distribution ways: Spam mails that contain malicious links. Drive-by downloading (when a user unknowingly visits an infected web page and then malware is installed without the user’s knowledge). Social media, such as web-based instant messaging applications. Malvertising campaigns.
Removal: To remove Carote ransomware use the removal guide
Decryption: To decrypt Carote ransomware use the steps
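
The two indicators above (the appended .carote extension and the ‘_readme.txt’ note) are enough to scope an infection before cleanup. The script below is an added example, not part of the original guide: it walks a folder, counts encrypted files by their original type, lists folders holding a ransom note, and reports the modification-time window of the encrypted files. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".carote"  # extension appended to locked files (from the page)
RANSOM_NOTE = "_readme.txt"   # ransom note file name (from the page)


def scope_infection(root):
    """Summarise which files under `root` were encrypted, where, and when."""
    by_original_ext = Counter()  # original extension -> encrypted file count
    note_dirs = []               # directories that contain a ransom note
    mtimes = []                  # modification times of encrypted files
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX) and lower != ENCRYPTED_SUFFIX:
                original = name[: -len(ENCRYPTED_SUFFIX)]  # photo.jpg.carote -> photo.jpg
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_original_ext[ext] += 1
                mtimes.append(os.path.getmtime(os.path.join(dirpath, name)))
    return {
        "encrypted_count": len(mtimes),
        "by_original_ext": dict(by_original_ext),
        "note_dirs": sorted(note_dirs),
        # Assumption: the modification time approximates when encryption ran.
        "window": (min(mtimes), max(mtimes)) if mtimes else None,
    }


def build_sample_tree(root):
    """Constructed sample data: a small profile folder after an infection."""
    files = [
        ("docs/photo.jpg.carote", 1566700000),
        ("docs/report.docx.carote", 1566700060),
        ("docs/_readme.txt", 1566700061),
        ("music/song.MP3.carote", 1566700120),
        ("music/untouched.txt", 1560000000),
    ]
    for rel, mtime in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        print(scope_infection(sample_root))
```

Run it against a copy or a read-only mount of the affected profile; it only reads file names and timestamps and changes nothing.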

 

Quick links

  1. How to remove Carote ransomware virus
  2. Decrypt .carote files with STOPDecrypter
  3. How to restore .carote files
  4. How to protect your machine from Carote ransomware virus?

How to remove Carote ransomware virus

There are a few methods that can be used to remove Carote. However, not all ransomware of this kind can be completely removed by manual means alone, and in many cases you cannot delete it using standard MS Windows options. To uninstall Carote you need to use reliable removal tools. Most IT security professionals state that Zemana Anti-malware, Malwarebytes or KVRT are the right choice. These free applications are able to find and delete the Carote crypto malware from your PC.



Remove Carote file virus with Zemana Free

Zemana is a free tool that performs a scan of your PC and displays if there are existing spyware, worms, adware, trojans, crypto malware and other malware residing on your system. If malicious software is found, Zemana Anti Malware can automatically remove it. Zemana Free doesn’t conflict with other anti-malware and antivirus applications installed on your machine.

  1. Zemana Anti Malware (ZAM) can be downloaded from the following link. Save it on your Windows desktop.
    Zemana AntiMalware
    164985 downloads
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. Once the download is finished, close all programs and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
  3. Further, click Next button and follow the prompts.
  4. Once setup is finished, click the “Scan” button to perform a system scan for folders, files and registry keys related to the Carote ransomware virus. This process can take some time, so please be patient. When malicious software, adware or PUPs are detected, the count of security threats will change accordingly.
  5. Once Zemana has finished scanning your PC system, Zemana AntiMalware (ZAM) will display a scan report. All detected items will be marked. You can remove them all by simply clicking “Next”. Once the cleaning procedure is finished, you may be prompted to reboot your PC.

Run MalwareBytes Free to remove Carote ransomware virus

We advise using MalwareBytes to completely clean your system of the crypto virus. This free utility is an advanced malware removal program created by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It’s able to help you delete ransomware, PUPs, malware, adware, toolbars, and other security threats from your PC for free.

Installing the MalwareBytes Free is simple. First you will need to download MalwareBytes on your PC by clicking on the link below.

Malwarebytes Anti-malware
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

After downloading is finished, close all programs and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown in the figure below.

MalwareBytes for MS Windows icon

When the install starts, you’ll see the “Setup wizard” that will help you install Malwarebytes on your computer.

MalwareBytes Anti Malware (MBAM) for Windows install wizard

Once installation is done, you will see a window like the one below.

MalwareBytes for Windows

Now press the “Scan Now” button. The MalwareBytes utility will start scanning the whole PC to find the Carote ransomware and other kinds of potential threats such as malware and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your personal computer. While the utility is scanning, you can see how many objects and files have already been scanned.

MalwareBytes AntiMalware (MBAM) for Windows look for Carote crypto malware related folders,files and registry keys

After MalwareBytes Anti Malware has finished scanning, it will display the list of all threats found on your PC system. Review the scan results and then press the “Quarantine Selected” button.

MalwareBytes AntiMalware (MBAM) for Microsoft Windows, scan for ransomware is done

Malwarebytes will now uninstall the Carote ransomware virus and other security threats and add the items to the Quarantine. When the process is complete, you may be prompted to restart your computer.

MalwareBytes Anti-Malware for MS Windows restart prompt

The following video explains step-by-step instructions on how to uninstall hijacker infection, adware software and other malicious software with MalwareBytes Anti Malware.

Double-check for crypto virus with KVRT

KVRT is a free portable program that scans your system for adware, PUPs and crypto malware such as Carote and allows you to delete them easily. Moreover, it will also help you remove any malicious web-browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the link below.

Kaspersky virus removal tool
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After the downloading process is complete, double-click on the KVRT icon. Once the initialization process is complete, you will see the Kaspersky virus removal tool screen as displayed below.

KVRT main window

Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click the Start scan button. The KVRT application will scan the whole PC system for the Carote ransomware and other malicious software. Depending on your personal computer, the scan may take anywhere from a few minutes to close to an hour. When malicious software, adware or potentially unwanted apps are detected, the number of security threats will change accordingly.

Kaspersky virus removal tool scanning

After the system scan is complete, you can check all items found on your system as displayed on the screen below.

Kaspersky virus removal tool scan report

When you are ready, press on Continue to start a cleaning task.

Decrypt .carote files with STOPDecrypter

With some variants of Carote file virus, it is possible to decrypt encrypted files using free tools listed below.



Michael Gillespie released the Carote decryption tool named STOPDecrypter. It can decrypt .carote files if they were locked with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.

Carote decryption tool

STOPDecrypter is a program that can be used for Carote file decryption. One of the biggest advantages of STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .carote files using this free tool.

  1. Installing the STOPDecrypter is simple. First you’ll need to download STOPDecrypter from the link below.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. When downloading is complete, close all applications and windows on your system. Open a directory in which you saved it.
  3. Right-click on the icon that’s named STOPDecrypter.zip. Further, select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is done, right-click on STOPDecrypter and choose ‘Run as Administrator’. Select Directory and press the Decrypt button.

If STOPDecrypter does not help you to decrypt .carote files, in some cases you still have a chance to recover the files that were encrypted by the crypto malware. This is possible with tools called ShadowExplorer and PhotoRec. An example of recovering encrypted documents, photos and music is given below.

How to restore .carote files

In some cases, you can restore files encrypted by Carote ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.




Recover .carote encrypted files using Shadow Explorer

Windows has a feature named ‘Shadow Volume Copies’ that can help you to restore .carote files encrypted by the Carote ransomware. The method described below only recovers previous versions of encrypted files from the Shadow Volume Copies, using a free tool named ShadowExplorer.

First, click the link below, then press the ‘Download’ button in order to download the latest version of ShadowExplorer.

ShadowExplorer
439623 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once downloading is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the following example.

ShadowExplorer folder

Double-click ShadowExplorerPortable to launch it. You will see a window like the one below.

ShadowExplorer

In the top left corner, choose the drive where the encrypted documents, photos and music are stored and the latest restore point, as shown in the figure below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you wish to recover, right-click it and select Export as shown below.

ShadowExplorer restore file

Recover .carote files with PhotoRec

Before a file is encrypted, the Carote ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recovery software like PhotoRec.

Download PhotoRec on your Windows Desktop from the link below.

PhotoRec
221290 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the downloading process is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as shown in the following example.

PhotoRec for windows

Choose a drive to recover as displayed on the screen below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown in the figure below.

photorec select partition

Press the File Formats button and specify the file types to recover. You can enable or disable the restore of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, click Browse button to select where restored photos, documents and music should be written, then press Search.

photorec

The count of recovered files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is complete, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those displayed in the image below.

PhotoRec - result of recovery

All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
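
Sorting the recovered files by hand gets slow once PhotoRec has filled many recup_dir.N folders. The script below is an added example, not part of the original guide or of PhotoRec: it indexes every recup_dir.N folder in numeric order, groups files by extension, sorts each group by modification time, and skips byte-identical duplicates. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folders (from the page)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB chunks
            digest.update(block)
    return digest.hexdigest()


def index_recovered(output_root):
    """Return {extension: [(mtime, path), ...]} without duplicate contents."""
    numbered = []
    for name in os.listdir(output_root):
        match = RECUP_RE.match(name)
        if match and os.path.isdir(os.path.join(output_root, name)):
            numbered.append((int(match.group(1)), os.path.join(output_root, name)))
    seen, index = set(), defaultdict(list)
    for _number, folder in sorted(numbered):  # numeric order: .2 before .10
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            digest = sha256_of(path) if os.path.isfile(path) else None
            if digest is None or digest in seen:  # skip non-files and repeats
                continue
            seen.add(digest)
            ext = os.path.splitext(name)[1].lower() or "(none)"
            index[ext].append((os.path.getmtime(path), path))
    for entries in index.values():
        entries.sort()  # oldest first within each file type
    return dict(index)


def build_sample_output(root):
    """Constructed sample data: three PhotoRec folders, one duplicated file."""
    files = [
        ("recup_dir.1", "f0001.jpg", b"jpeg-A", 1566700200),
        ("recup_dir.2", "f0002.jpg", b"jpeg-B", 1566700100),
        ("recup_dir.10", "f0003.jpg", b"jpeg-A", 1566700300),  # same bytes as f0001
        ("recup_dir.10", "f0004.txt", b"notes", 1566700150),
    ]
    for folder, name, data, mtime in files:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        path = os.path.join(root, folder, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_output(sample_root)
        print(index_recovered(sample_root))
```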

How to protect your machine from Carote ransomware virus?

Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your machine does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert.

Use HitmanPro.Alert to protect your personal computer from Carote ransomware virus

All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from MS Windows XP to Windows 10.

Download HitmanPro.Alert from the following link. Save it to your Desktop.

HitmanPro.Alert
6876 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

Once the downloading process is done, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. After the utility opens, you will see a window where you can select a level of protection, as displayed in the image below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

Final words

Now your personal computer should be clean of the Carote crypto virus. Delete MalwareBytes Free and KVRT. We suggest that you keep Zemana Anti Malware (ZAM) (to periodically scan your computer for new malicious software). Make sure that you have all the Critical Updates recommended for Microsoft Windows OS. Without regular updates you WILL NOT be protected when new crypto malware, malicious programs and adware are released.

If you are still having problems while trying to uninstall Carote crypto malware from your machine, then ask for help here.

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
