What is a .Meds file? A file with the .meds extension is a file that has been affected by Meds ransomware that also known as crypto virus. All files with this extension become locked. Even if you remove ‘.meds’ or change this extension, file access will not be restored. The reason for this is that the files are not just blocked by changing their extension, but they are encrypted by a ransomware virus.

Files encrypted by .meds virus
Meds virus is a new ransomware. It uses complex digital algorithm in order to encrypt (lock) users’ data. The documents, photos and music will be decrypted only if a victim pay for the private key that will unlock these files. The Meds ransomware virus encrypts almost of files, including common as:
wallet, .p7c, .xyp, .pef, .mdb, .wot, .wps, .cas, .iwd, .xlsm, .sie, .xlgc, .kdc, .xf, .wp, .mddata, .x3f, .arw, .arch00, .pkpass, .wsc, .xyw, .docm, .wpa, .wbd, .sid, .wbz, .xls, .2bp, .sidd, .kdb, .wpb, .3ds, .qdf, .csv, .bkp, .3dm, .jpe, .ptx, .zdc, .xdb, .itdb, .tor, .vdf, .sb, .ws, .iwi, .pfx, .itm, .zabw, .cdr, .odm, .vcf, .esm, .pptx, .p7b, .srf, .odp, .lbf, .lrf, .wmv, .m3u, .syncdb, .mdf, .dmp, .y, .1st, .psk, .raf, .bar, .rim, .ybk, .wcf, .wmd, .xls, .bc6, .db0, .itl, .wp4, .xlsm, .docx, .jpg, .gho, .dxg, .mov, .qic, .cfr, .xlk, .wps, .dng, .mef, .big, .wma, .svg, .litemod, .epk, .wm, .doc, .png, .wpt, .t12, .odb, .odc, .map, .snx, .sis, .t13, .xdl, .xml, .blob, .mdbackup, .ysp, .mp4, .w3x, .js, .ncf, .wav, .wdb, .3fr, .ppt, .gdb, .x, .xar, .pdf, .z, .zdb, .crt, .yal, .z3d, .p12, .slm, .sav, .xld, .pdd, .asset, .bik, .xpm, .pst, .raw, .eps, .wp6, .sidn, .sum, .cr2, .kf, .ltx, .vfs0, .hkx, .wpd, .txt, .xmind, .zip, .rofl, .xmmap, .der, .zw, .7z, .wbmp, .pem, .zi, .ibank, .ztmp, .wmv, .x3f, .fpk, .bsa, .dba, .xxx, .d3dbsp, .mrwref, .wgz, .wsh, .mpqge, .css, .bay, .dazip, .xlsx, .erf, .bc7, .xy3, .wpw, .rw2, .das, .orf, .sql, .wotreplay, .zip, .avi, .mlx, .wpd, .wb2, .mcmeta, .ff, .webp, .py, .wn, .nrw, .rtf, .1, .wp5, .xwp, .vtf, .layout, .webdoc, .dwg, .xbplate, .pak, .wp7, .wbm, .zif, .jpeg, .rwl, .wbk, .yml, .indd, .rb, .tax, .xbdoc, .odt, .hvpl, .srw, .vpk, .forge, .wri, .psd, .m2, .cer, .xx, .dcr, .wpl, .re4, .pptm, .ods, .wmo, .wbc, .wpg, .wmf, .upk, .wma, .hplg, .dbf, .rar
After penetrating a computer, the virus sequentially encrypts all files, even those located on connected external and network drives. When the file is encrypted, its extension changes to ‘.Meds’. This is done so that the victim immediately noticed the result of the ransomware virus. So that the victim can determine the reason why the extension was changed, why suddenly the files stopped opening in regular programs, the Meds virus, in each folder with at least one encrypted file, creates a document with the name ‘_readme.txt’. In this document, the authors of the virus report that the only way to return the files – is to pay a ransom. Text presented in the ransom note:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ZFjRnJfc9f Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch
Threat Summary
Name | Meds |
Type | Crypto malware, Filecoder, File locker, Ransomware, Crypto virus |
Encrypted files extension | .meds |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, gerentoshelp@firemail.cc |
Ransom amount | $490,$980 in Bitcoins |
Symptoms | Your files fail to open. Your files have new extension appended at the end of the file name. Files named like ‘_readme.txt’, ‘READ-ME’, or ‘_readme” in every folder with an encrypted file. Ransom note with cybercriminal’s ransom demand and instructions. |
Distribution methods | Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloads from a compromised web site. Social media, such as web-based instant messaging applications. Malvertising campaigns. |
Removal | To remove Meds ransomware use the removal guide |
Decryption | To decrypt Meds ransomware use the steps |
In this article, in addition to a brief description of the virus and its harmful effects, we will also describe in detail several ways to quickly remove the virus, but more importantly, we will give instructions that will allow you to restore all your files absolutely free.
Quick links
- How to remove Meds ransomware virus
- How to decrypt .meds files
- How to restore .meds files
- How to protect your computer from Meds crypto malware?
- Finish words
How to remove Meds ransomware
After a detailed analysis of the ransomware virus by our team, as well as several groups of other experts, it was determined that, unfortunately, removing the Meds virus manually is very difficult. Most experts advise using special tools (malware removal software) that will quickly and easily detect, block and completely remove the virus from the computer. We advise you to do it right now, every minute that this ransomware is on your computer can lead to even greater harm. To remove Meds virus, you can use the utilities listed below. We recommend using not one program, but a minimum of two, to be sure that ransomware virus has been completely removed.
Remove Meds virus with Zemana Anti-Malware (ZAM)
Zemana AntiMalware can find all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Meds crypto virus, you can easily and quickly uninstall it.
Zemana Anti-Malware (ZAM) can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
160325 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After downloading is complete, close all windows on your system. Further, start the set up file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the image below, click the “Yes” button.
It will show the “Setup wizard” that will assist you install Zemana AntiMalware (ZAM) on the machine. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, Zemana Free will automatically launch and you may see its main window similar to the one below.
Next, click the “Scan” button to perform a system scan with this tool for the Meds ransomware, other malware, worms and trojans. During the scan Zemana Anti-Malware (ZAM) will find threats exist on your machine.
When the checking is done, Zemana will display a list of all threats found by the scan. Make sure to check mark the threats which are unsafe and then click “Next” button.
The Zemana will remove Meds ransomware virus and other security threats and add threats to the Quarantine. After that process is finished, you may be prompted to restart your personal computer.
Remove Meds ransomware virus with MalwareBytes AntiMalware (MBAM)
Remove Meds crypto malware manually is difficult and often the ransomware is not completely removed. Therefore, we recommend you to use the MalwareBytes that are completely clean your PC. Moreover, this free program will help you to remove malicious software, PUPs, trojans and worms that your system can be infected too.
- MalwareBytes Anti Malware can be downloaded from the following link. Save it on your Windows desktop.
Malwarebytes Anti-malware
319538 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- When downloading is complete, please close all programs and open windows on your computer. Double-click on the icon that’s called mb3-setup.
- This will start the “Setup wizard” of MalwareBytes Anti-Malware onto your computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware (MBAM) will launch and show the main window.
- Further, click the “Scan Now” button to scan for Meds ransomware related folders,files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your personal computer. When a threat is detected, the count of the security threats will change accordingly.
- Once MalwareBytes has completed scanning, it will display the Scan Results.
- Once you’ve selected what you want to remove from your PC press the “Quarantine Selected” button. Once disinfection is finished, you may be prompted to restart the computer.
- Close the Anti-Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Scan your PC and uninstall Meds ransomware virus with KVRT
KVRT is a free removal utility that may be downloaded and use to delete crypto viruses, adware software, malware, potentially unwanted software, trojans and other threats from your machine. You can use this utility to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your personal computer from the following link.
125029 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you will see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT utility will begin scanning the whole personal computer to find out Meds ransomware virus and other known infections. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. While the utility is scanning, you may see how many objects and files has already scanned.
When the checking is done, a list of all items detected is prepared as displayed in the figure below.
Next, you need to click on Continue to begin a cleaning procedure.
How to decrypt .meds files
As we already wrote in our article, at the moment there is no way to decrypt .meds files without using a special program and encryption key. This program and key can only be obtained from virus developers. If you try to pick up the key yourself, use programs to find the key, try decryptors from other ransomware, all this will lead to only one thing, you will completely damage your files.
Even if you are in a panic state now, you are faced with the fact that your files are locked. Photos and documents suddenly became unavailable – this is not a reason to follow the instructions of fraudsters. All experts say one thing – never pay the ransom! If you transfer money to the developers of the virus, then you will push them to create a new virus. In addition, there is no guarantee that after receiving a ransom from you, scammers will send you decryptor and a key to decrypt .meds files.

Files encrypted by .meds virus
Therefore, we recommend that you do the following (all steps are described in our manual). Place all the important encrypted files on a separate disk (make sure that it also has a ransom demand file), completely remove the virus, and then try to restore the files using several methods developed by our team.
How to restore .meds files
To recover encrypted .meds files, our team has developed detailed instructions, which are given below. To follow them, you do not need any in-depth knowledge of computer technology, you just need to use several free and well-known programs.
Restore .meds encrypted files using Shadow Explorer
In order to recover .meds photos, documents and music encrypted by the Meds crypto virus from Shadow Volume Copies you can run a tool named ShadowExplorer. We recommend to use this way as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Download ShadowExplorer on your computer by clicking on the following link.
422260 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as displayed in the following example.
In top left corner, choose a Drive where encrypted personal files are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as displayed below.
Use PhotoRec to restore .meds files
Before a file is encrypted, the Meds ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec from the link below. Save it directly to your Microsoft Windows Desktop.
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown in the following example.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as displayed in the following example.
Click File Formats button and choose file types to recover. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents like the one below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from Meds crypto malware?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from Meds ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the following link to download HitmanPro Alert. Save it to your Desktop so that you can access the file easily.
Once downloading is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is launched, you’ll be shown a window where you can choose a level of protection, like below.
Now press the Install button to activate the protection.
Finish words
Once you have finished the tutorial outlined above, your computer should be clean from Meds ransomware virus and other malware. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if the steps does not help you, then you have caught a new variant of crypto malware, and then the best way – ask for help here.