.Toec is a file extension that marks files affected by malware belonging to the STOP ransomware family. Ransomware is malware created by criminals that locks files by encrypting them. These encrypted files cannot be decrypted without a private key, which is held by the attackers. The criminals demand a ransom in exchange for the private key that is needed to decrypt the files.
Toec is the 179th version of the STOP ransomware. This variant does not differ much from previous versions. Like them, it is distributed through cracks, adware, torrents, key generators and similar sources. Toec encrypts files on all drives connected to the computer; it does not matter whether it is a system drive or cloud storage, all files will be encrypted. It uses a strong algorithm and a long unique key to encrypt files. If at the time of encryption the ransomware can reach its command-and-control server (C&C), a so-called ‘online key’ is used; if there is no connection to the C&C, an ‘offline key’ is used. This distinction is very important, and below we explain in detail why.
Although Toec tries to encrypt as many files as possible, it does not encrypt files in the main system directories, files with the following extensions: ‘.lnk, .ini, .bat, .sys, .dll’, or files named ‘_readme.txt’. All other contents of the victim’s computer will be encrypted. For example, files of the following types can be encrypted:
.wpb, .itdb, .m2, .xx, .ff, .ztmp, .ws, .mddata, .lbf, .psd, .t12, .vpk, .snx, .dcr, .gho, .wotreplay, wallet, .crt, .xlsm, .wire, .das, .vdf, .blob, .r3d, .sb, .wbmp, .tax, .accdb, .sidn, .ods, .wbc, .xlsx, .wgz, .layout, .d3dbsp, .csv, .nrw, .wma, .wb2, .xlsx, .iwd, .ltx, .docm, .upk, .xlsb, .der, .xbdoc, .cer, .esm, .zw, .txt, .sql, .wot, .qdf, .ppt, .7z, .rim, .sav, .arw, .3dm, .zip, .mdbackup, .srw, .mov, .zip, .svg, .xls, .bsa, .pak, .lrf, .arch00, .yml, .rtf, .kdb, .vtf, .hkx, .ysp, .yal, .wmv, .pdf, .pfx, .wpg, .jpg, .wbd, .xlgc, .re4, .itl, .pem, .pptx, .pst, .sie, .zdc, .odt, .gdb, .cas, .mef, .rwl, .y, .raw, .t13, .jpe, .xls, .wpe, .wpa, .zif, .eps, .erf, .p7c, .epk, .hplg, .xyw, .pkpass, .dbf, .map, .mdf, .xlsm, .pptm, .apk, .ybk, .xml, .w3x, .mcmeta, .rw2, .qic, .py, .hvpl, .xar, .wcf, .xdb, .rb, .wn, .wpd, .webdoc, .xlk, .flv, .sr2, .p12, .sidd, .ai, .xxx, .bay, .mpqge, .ptx, .kf, .dxg, .bc7, .cdr, .lvl, .mlx, .indd, .xyp, .odp, .odc, .dba, .wmv, .bik, .wpd, .zi, .fos, .fpk, .wsc, .vpp_pc, .mdb, .big, .wri, .3ds, .wav, .x, .asset, .dwg, .wp5, .wmo, .slm, .pef, .ibank, .wp4, .fsh, .wmf, .3fr, .p7b, .menu, .dng, .2bp, .hkdb, .rofl, .orf, .itm, .wpl, .kdc, .mp4, .0, .wsd, .xdl, .xpm, .xf, .docx, .wps, .wdb, .css, .odb, .wp7, .wbk, .xbplate, .sid, .cr2, .rar, .raf, .doc
Each file affected and encrypted by the ransomware is renamed: the new filename consists of the old filename with the extension ‘.toec’ appended. Thus a file named ‘document.doc’ will be named ‘document.doc.toec’ after it is encrypted. The ransomware encrypts all files in all directories on all available disks. In each directory where files were encrypted, the ransomware leaves a file named ‘_readme.txt’. An example of the contents of such a file is given below.
The file ‘_readme.txt’ is a message from the Toec creators, the so-called ‘ransom note’. In this message, the criminals state that the victim’s files were encrypted and that the only way to decrypt them is to buy a unique key and decryptor. The attackers demand a ransom of $490, but only if the victim pays within 72 hours; otherwise the ransom increases to $980. The ransom note also contains a pair of email addresses belonging to the attackers and a unique victim ID (Personal ID) that identifies which key was used to encrypt the files. The criminals promise to decrypt one file for free. To do this, they ask the victim to send them an email containing the Personal ID and the file to be decrypted. In reply, they send the decrypted file and the address to which the ransom should be sent. Even when the ability to decrypt files is confirmed in this way, the criminals cannot be trusted: there is no guarantee that after receiving the ransom they will send the key needed to decrypt the files.
| Property | Value |
|---|---|
| Type | Filecoder, File locker, Ransomware, Crypto malware, Crypto virus |
| Encrypted files extension | .toec |
| Ransom amount | $490; $980 if paid after 72 hours |
| Detection names | RansomWin32/STOP, Trojan.TRCrypt, W32/Kryptik, Trojan RansomWin32-Stop |
| Symptoms | Files encrypted with the ‘.toec’ extension. Unable to open documents, photos and music. Windows Explorer displays a blank icon for the file type. Files named ‘_readme.txt’ or ‘_readme’ in each folder with at least one encrypted file. |
| Distribution ways | Malicious e-mail spam, cracks, drive-by downloads from a compromised website, torrents, social media, adware, key generators |
| Removal | Toec removal guide |
| Decryption | Free Toec Decryptor |
In the ransom demand message, the criminals state that it is not possible to decrypt the encrypted files. For the most part this was true, until Emsisoft created a free STOP Djvu ransomware decryptor. Unfortunately, to date this decryptor can only decrypt .toec files that were encrypted with an offline key. If files were encrypted with an online key, they can only be restored using alternative methods. Below we show in detail how to use the free decryptor, what alternative methods for recovering encrypted files exist, and how to check the computer for malware and remove Toec ransomware.
- How to remove Toec ransomware
- How to decrypt .toec files
- How to restore .toec files
- How to protect your computer from Toec ransomware
How to remove Toec ransomware
If the computer attacked by the ransomware contains important data that you want to decrypt or recover using alternative methods, you first need to make sure that the computer no longer contains malware. To do this, check the computer with malware removal tools. We recommend using not one tool but two or more. Below you can find several malware removal utilities and brief instructions on how to use them to find and remove Toec ransomware.
Remove Toec ransomware with Zemana Anti-Malware
Zemana Anti-Malware is a malware removal tool that scans your PC and reports any existing ransomware, spyware, trojans, adware, worms and other malware. If malware is detected, Zemana can remove it automatically. Zemana Anti Malware (ZAM) does not conflict with other anti-malware and anti-virus software installed on your computer.
Please go to the following link to download the latest version of Zemana Anti Malware (ZAM) for Windows and save it to your Desktop.
When the download is done, launch the file and follow the prompts. Once installed, Zemana will try to update itself; when this is done, click the “Scan” button to perform a system scan for Toec-related folders, files and registry keys.
Make sure all items are checked and click the “Next” button.
Zemana Free will remove Toec ransomware and move its components to the Quarantine.
Remove Toec ransomware with HitmanPro
HitmanPro is a malware removal tool. It can be downloaded and used to delete ransomware, trojans, spyware, adware and other malware from the computer. You can run this tool to detect and remove any security threats even if you have an anti-virus, anti-malware or any other security software.
First, please go to the following link, then press the ‘Download’ button in order to download the latest version of HitmanPro.
After the download is done, open the file location. You will see an icon like the one below.
Double-click the HitmanPro desktop icon. After the tool starts, you will see a screen like the one shown below.
Next, click the “Next” button. HitmanPro will scan the whole PC for Toec ransomware. This procedure can take some time, so please be patient. When the scan is done, HitmanPro will show a list of unwanted apps and adware like the one below.
When you are ready, click the “Next” button. A prompt will open; click the “Activate free license” button.
Remove Toec virus from machine with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is a free malware removal tool based on the Kaspersky Anti-Virus core. It can check your computer for a wide range of security threats. KVRT performs a deep scan of your computer, including hard drives and the Microsoft Windows registry. When the ransomware is detected, it helps you remove the found malware from your PC with a single click.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the following link.
After the download is finished, double-click the Kaspersky virus removal tool icon. Once initialization is done, you will see the Kaspersky virus removal tool screen like the one below.
Click Change Parameters and put a check next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will scan the whole machine for Toec malware and other known infections. This process may take quite a while, so please be patient. During the scan, KVRT looks for threats present on your system.
When KVRT has finished scanning your PC, you can review all the items found on your computer, as in the image below.
Next, press Continue to start the cleaning task.
How to decrypt .toec files
Files with the extension ‘.toec’ are encrypted files. In other words, all of these files are locked: their contents cannot be read even if you rename the files or change their extension. Fortunately, Emsisoft created a free decryption tool that can help anyone who is a victim of this ransomware decrypt their files.
To decrypt .toec files, follow the steps below:
- Open the STOP Djvu decryptor page in a new tab/window.
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
If the decryptor skips encrypted files, saying that they cannot be decrypted, then these files were encrypted with an online key. Unfortunately, at the moment this decryptor can only decrypt files encrypted with an offline key. What an offline key is, and how to tell which key was used, is explained in the next section.
How to determine which key was used to encrypt files
Open the ransom demand message (the ‘_readme.txt’ file) and scroll down to the very end. There you will see a line with the text ‘Your personal ID’; below it is your ID. There is another, more accurate way to find your personal ID, since it shows all IDs corresponding to the keys used to encrypt your files: look at the contents of the file named ‘PersonalID.txt’, located on drive ‘C’ in the directory ‘SystemID’.
If there is an ID ending in ‘t1’, then you are lucky: your files were encrypted with an offline key, and once researchers obtain this key you can decrypt your files. In this case, use the free STOP Djvu Decryptor linked above. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even in this case, it is possible to restore the contents of encrypted files; we cover this in the next section of this article.
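The following triage script is an added example, not code from this article or from Emsisoft. It applies the facts described above (the ‘.toec’ suffix appended to the original name, the ‘_readme.txt’ note per folder, and the ‘t1’ suffix that marks an offline key) to inventory an affected directory tree and classify each ID from PersonalID.txt; the directory layout and ID values it builds are constructed for the demonstration.

```python
"""Triage helper for a STOP/Djvu (.toec) incident: inventory encrypted files and
ransom notes, and classify each Personal ID as offline or online.
Added example, not the article's or Emsisoft's code."""
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".toec"      # appended to the original filename, e.g. document.doc.toec
RANSOM_NOTE = "_readme.txt"  # dropped in every folder with encrypted files
OFFLINE_SUFFIX = "t1"        # a Personal ID ending in t1 means an offline key was used

def classify_ids(personal_id_text: str) -> dict:
    """Map each ID listed in C:\\SystemID\\PersonalID.txt to 'offline' or 'online'."""
    result = {}
    for line in personal_id_text.splitlines():
        pid = line.strip()
        if pid:
            result[pid] = "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"
    return result

def inventory(root: Path) -> dict:
    """Collect original names of .toec files and the folders holding ransom notes."""
    encrypted, note_dirs = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_EXT):
            encrypted.append(path.name[: -len(ENCRYPTED_EXT)])  # strip '.toec'
        elif path.name == RANSOM_NOTE:
            note_dirs.append(str(path.parent.relative_to(root)))
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs)}

def demo() -> dict:
    """Build a constructed victim tree in a temp dir and run the triage over it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "document.doc.toec").write_bytes(b"\x00")   # constructed
    (root / "docs" / RANSOM_NOTE).write_text("ATTENTION! ...")    # constructed
    (root / "photo.jpg.toec").write_bytes(b"\x00")                # constructed
    (root / RANSOM_NOTE).write_text("ATTENTION! ...")             # constructed
    (root / "system.dll").write_bytes(b"\x00")   # .dll is skipped by the ransomware
    ids = "abcdefghijklmnopqrst1\nXYZ123456789\n"   # constructed PersonalID.txt content
    report = inventory(root)
    report["ids"] = classify_ids(ids)
    return report

if __name__ == "__main__":
    print(demo())
```

On a real machine, point `inventory` at the affected drive and pass the contents of `C:\SystemID\PersonalID.txt` to `classify_ids`; any ID reported as `online` means the free decryptor cannot help with files tied to that key.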
How to restore .toec files
If all your files were encrypted with an online key, or the free decryptor cannot decrypt them, then only one option remains: alternative methods for restoring the contents of the encrypted files. These methods are few, but any one of them may be the one that lets you recover your important data. If you have not already done so, check your computer for malware now. Before starting recovery of encrypted files, it is very important to be sure that Toec ransomware has been completely removed.
Use shadow copies to recover .toec files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). With it you can recover photos, documents and music encrypted by Toec ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.
Installing ShadowExplorer is simple. First, download ShadowExplorer to your system from the following link.
Once the download is done, extract the saved file to a folder on your PC. This creates the necessary files, as shown on the screen below.
Run the ShadowExplorerPortable application. Now choose the date (2) you wish to restore from and the drive (1) you wish to recover files (folders) from, as shown on the screen below.
In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button, as below.
Finally, specify a folder (for example, your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Recover .toec files with PhotoRec
There is one more, unfortunately the last, way to recover the contents of encrypted files. This method is based on data recovery software. We recommend a program called PhotoRec: it has all the necessary functions and is completely free.
Download PhotoRec to your PC by clicking the link below.
When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all, then follow the prompts. Next, open the testdisk-7.0 folder, as shown below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It displays a screen like the one below.
Choose a drive to recover, as in the image below.
You will see a list of available partitions. Choose the partition that holds the encrypted personal files, as shown in the following example.
Click the File Formats button and specify the file types to recover. You can enable or disable recovery of particular file types. When this is done, click the OK button.
Next, click the Browse button to select where recovered personal files should be written, then click Search.
The count of restored files is updated in real time. All recovered files are written to the folder you selected in the previous step. You can access the files even before the recovery process has finished.
When the recovery is done, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents like those in the image below.
All restored personal files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your computer from Toec ransomware
Most antivirus software already has built-in protection against ransomware. As extra protection, run HitmanPro.Alert. It is a solid utility for protecting your computer from ransomware: if ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files.
Installing HitmanPro.Alert is simple. First, download HitmanPro.Alert to your Desktop from the following link.
Once the download is finished, open the file location. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. After the tool opens, a window is displayed where you can choose a level of protection, such as the one below.
Now click the Install button to activate the protection.
In this article, we have provided all the basic information about Toec ransomware: how to remove it, how to decrypt .toec files, and what alternative methods exist for recovering the contents of encrypted files. If new information about the ransomware appears, we will update this article immediately. Therefore, we recommend that you follow the updates here or on Facebook. If you have any questions or need additional help, write to us.