What is Void file extension
The .Void file extension is used by a new piece of malware that security researchers have named “Void ransomware”. Void behaves much like other ransomware: it encrypts files and then renames them. The name of an encrypted file consists of its old name with the “.[EMAIL][ID-USERID].void” extension appended. The criminals demand a ransom for the key and decryptor needed to unlock the encrypted data.
Currently, there are two known variants of the Void ransomware, which differ in the extension added to the encrypted files: “.[xtredboy@protonmail.com][ID-***] .Void”, “.[USDATAdecrypt@gmail.com][ID-***].void”, “.[SupportVoid@elude.in][ID-***].void”.
What is Void ransomware
Void ransomware is a new piece of malware that belongs to the ransomware category. It appends the ‘.Void’ extension to each file that it encrypts using a complex encryption mechanism (AES + RSA Algorithm). Like other ransomware, it can be spread through the usual distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, the Void ransomware collects information about the computer and then proceeds to encrypt the files located on it. The following common file types can be encrypted:
.wbm, .bik, .x3d, .raf, .xlsb, .bar, .sidn, .wpl, .wb2, .hkdb, .xdb, .xml, .map, .wpd, .fos, .jpg, .r3d, .xll, .rtf, .tax, .sr2, .odc, .xbplate, wallet, .dwg, .fsh, .erf, .lbf, .xy3, .raw, .sid, .wsc, .ai, .asset, .dcr, .wdb, .bkf, .vfs0, .t12, .wgz, .cas, .wmd, .psk, .wdp, .cfr, .zw, .xlsx, .m3u, .vtf, .sql, .pak, .itdb, .7z, .ppt, .xlgc, .yal, .apk, .ncf, .dng, .zabw, .y, .zip, .jpe, .qdf, .cer, .pkpass, .wsh, .xdl, .mdb, .mrwref, .3dm, .lvl, .wbz, .odb, .webp, .bsa, .sidd, .pem, .ysp, .arw, .bkp, .ff, .docx, .esm, .qic, .1st, .pptm, .png, .mdf, .iwd, .mlx, .zif, .wav, .m2, .wpw, .xxx, .crw, .svg, .indd, .css, .xbdoc, .litemod, .dazip, .wp6, .m4a, .mdbackup, .wn, .3fr, .wma, .cdr, .rgss3a, .kf, .dmp, .srf, .eps, .ltx, .rw2, .pdf, .rb, .avi, .x3f, .xar, .odt, .srw, .wbc, .doc, .p7b, .vpk, .tor, .zdb, .js, .rim, .cr2, .pst, .webdoc, .wpg, .xmind, .sb, .wbk, .yml, .kdb, .ibank, .wp7, .der, .flv, .xwp, .vdf, .fpk, .xld, .rwl, .t13, .wmv, .wpe, .xls, .x3f, .xlsm, .sis, .accdb, .layout, .mef, .wsd, .dba, .hplg, .db0, .bc7, .bay, .ptx, .mp4, .wmf, .1, .big, .txt, .pptx, .rofl, .vcf, .pfx, .xf, .crt, .wcf, .xlsx, .xyp, .desc, .p7c, .ybk, .mov, .w3x, .mpqge, .wpd, .icxs, .nrw, .snx, .0, .d3dbsp, .kdc, .arch00, .xlk, .wps, .wp, .hvpl, .psd, .wmv, .wotreplay, .jpeg, .ws, .pdd, .xpm, .das, .odp, .wire, .wpb, .gdb, .forge, .re4, .3ds, .lrf, .hkx, .menu, .upk, .sie, .bc6, .sum, .wp4, .odm, .wmo, .wot, .wp5, .orf, .dbf, .xmmap, .wbmp, .slm, .z3d, .iwi, .blob, .ods, .ztmp, .wm, .2bp, .py, .mddata, .docm, .itl, .xyw, .x
No files will be skipped. All documents, photos and archives located on local disks, system disks and connected network drives will be encrypted. The Void ransomware encrypts the contents of all disks file by file. Each encrypted file is marked: the ransomware appends the ‘.[EMAIL][ID-USERID].void’ extension to its name. That is, as soon as a document with the name ‘document.doc’ is encrypted, it is immediately renamed to ‘document.doc.[EMAIL][ID-USERID].void’. If you remove this extension, the file will remain locked, and the associated program will not be able to read its contents.
The Void ransomware creates a file with the name “Decryption-Info.HTA” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
Your Files has Been Encrypted
Your Files Has Been Encrypted with AES + RSA Algorithm
If You Need Your Files You Have To Pay Decryption Price
You can Send Some Little Files Less Than 1MB for Test (The Test Files Should not Contain valuable Data Like Databases Large Excel Sheets or Backups
After 48 Hour Decryption Price Will be Doubled so You Better Contact us Before Times Up
Using Recovery Tools or 3rd Party Application May cause Damage To Your Files And increase price
The Steps You Should Do To Get Your Files Back:
1- Contact Email on Files And Send ID on The Files Then Do agreement on a Price
2- Send Some Files for Decryption Test ( Dont Pay to Anyone Else who is Not Able to Decrypt Your Test Files!)
After Geting Test Files Pay The price in Bitcoin And Get Decryption Tool + RSA key
Your Case ID :***
Our Email : xtredboy@protonmail.com
In Case Of No Answer : Encryptedxtredboy@protonmail.com
Criminals use the “Decryption-Info.HTA” file to demand ransom from the Void ransomware victims. The ransom demand message says that the victim’s files are encrypted. The ransomware authors demand a ransom in exchange for a key and a decryptor. The attackers offer to decrypt a few small files for free, but these files should not contain any valuable information. Of course, decryption of a few small files cannot guarantee that, after paying the ransom, the victim will be able to recover the files affected by the ransomware.
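To see how far the encryption reached, the naming scheme and the note name described above can be turned into a read-only inventory. The script below is an added example, not part of the original guide or any vendor tool; the sample file names and the example.invalid addresses are constructed placeholders.

```python
import re
from collections import Counter
from pathlib import Path

# Naming scheme from the article: <original name>.[EMAIL][ID-USERID].void
# The article writes the suffix as both ".void" and ".Void" (once with a space
# before it), so the match is case-insensitive and tolerates that space.
VOID_NAME = re.compile(
    r"^(?P<original>.+?)\.\[(?P<email>[^\[\]@]+@[^\[\]@]+)\]"
    r"\[ID-(?P<victim_id>[^\[\]]+)\] ?\.void$",
    re.IGNORECASE,
)
NOTE_NAME = "decryption-info.hta"  # ransom note name given in the article


def parse_void_name(name):
    """Return (original_name, contact_email, victim_id), or None if no match."""
    m = VOID_NAME.match(name)
    return (m["original"], m["email"].lower(), m["victim_id"]) if m else None


def summarise(names):
    """Summarise an iterable of file names without touching the files."""
    out = {"encrypted": 0, "notes": 0, "contacts": Counter(),
           "ids": set(), "original_types": Counter()}
    for name in names:
        if name.lower() == NOTE_NAME:
            out["notes"] += 1
            continue
        parsed = parse_void_name(name)
        if parsed:
            original, email, victim_id = parsed
            out["encrypted"] += 1
            out["contacts"][email] += 1
            out["ids"].add(victim_id)
            # Original type tells you which backups to restore first.
            out["original_types"][Path(original).suffix.lower()] += 1
    return out


def inventory(root):
    """Read-only walk of root; returns the summary for every file below it."""
    return summarise(p.name for p in Path(root).rglob("*") if p.is_file())


SAMPLE = [  # constructed names; example.invalid is a placeholder domain
    "document.doc.[contact@example.invalid][ID-A1B2C3].void",
    "plan.pdf.[contact@example.invalid][ID-A1B2C3] .Void",
    "backup.tar.gz.[other@example.invalid][ID-A1B2C3].void",
    "Decryption-Info.HTA",
    "notes.void",   # no [EMAIL][ID-...] part, so not counted
    "report.xlsx",  # untouched file
]

if __name__ == "__main__":
    import sys
    result = inventory(sys.argv[1]) if len(sys.argv) > 1 else summarise(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a folder path as the only argument to inventory that folder; without an argument it summarises the constructed sample names.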
Threat Summary
Name | Void ransomware |
Type | Ransomware, Crypto virus, Crypto malware, File locker, Filecoder |
Encrypted files extension | .void |
Ransom note | Decryption-Info.HTA |
Contact | xtredboy@protonmail.com, Encryptedxtredboy@protonmail.com, USDATAdecrypt@gmail.com, SupportVoid@elude.in, SoporteVoid@tutanota.com |
Ransom amount | $500-$1500 in Bitcoins |
Symptoms | Personal files won’t open. Files are encrypted with a .void file extension. Files named like ‘Decryption-Info.HTA’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. You have received instructions for paying the ransom. |
Distribution ways | Phishing emails that are carefully made to trick a victim into opening an attachment or clicking on a link that contains a malicious file. Drive-by downloads from a compromised website. Social media, like web-based instant messaging programs. Misleading web-sites. |
Removal | Void ransomware removal guide |
Recovery | Void File Recovery Guide |
To date, antivirus companies have not created a method to decrypt files encrypted by the Void ransomware. Nevertheless, you do not need to despair. There are several ways to find and remove Void ransomware, and there is also a chance to restore part or even all of the encrypted files to their original state. Below we describe in detail how to do this.
How to remove Void ransomware, Restore .Void files
If Void ransomware has encrypted your files with the ‘.Void’ extension, you first need to remove the virus, or be 100% sure that there is no ransomware on your computer, and only then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe magical instructions that say this can be done very quickly. If one of the methods proposed below does not work for you, we definitely recommend trying another one, and trying all of them; perhaps one of them will help. Feel free to ask questions in the special section on our website or in the comments below. All the tools that we recommend in our instructions are free and verified by security experts. Finally, before proceeding, we advise you to read the instructions carefully, and then print them or open them on a tablet or smartphone to have them always at hand.
- How to remove Void ransomware virus
- How to decrypt .void files
- How to restore .void files
- How to protect your computer from Void ransomware
How to remove Void ransomware virus
There are not many good, free malware removal tools with a high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signature databases are updated to detect modern worms, trojans, ransomware and other malware. We suggest running several programs, not just one. The programs listed below will allow you to remove all components of the Void crypto virus from your disk and Windows registry.
Remove Void ransomware with Zemana
Zemana Free is a complete package of anti-malware utilities that can help you delete Void ransomware virus. Despite so many features, it does not reduce the performance of your computer. Zemana can be used to remove almost all the forms of malware including ransomware, trojans, worms, adware, hijackers, potentially unwanted apps and other malicious software. Zemana has real-time protection that can defeat most malicious software and crypto malware. You can use Zemana with any other anti-virus without any conflicts.
Installing the Zemana Free is simple. First you will need to download Zemana from the link below. Save it on your Windows desktop.
After downloading is finished, close all applications and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup similar to the one below.
When the installation starts, you will see the “Setup wizard”, which will allow you to install Zemana Free on your computer.
Once installation is done, you will see a window as displayed in the following example.
Now click the “Scan” button. Zemana will scan the whole computer for the Void ransomware, other malware, worms and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your machine. While Zemana Anti Malware is checking, you can see how many objects it has identified as being malicious software.
When the scan is finished, Zemana AntiMalware (ZAM) will display the results. Once you’ve selected what you wish to delete from your PC, click the “Next” button.
Zemana Anti Malware (ZAM) will remove the Void crypto virus and other security threats and move the selected items to the Quarantine.
Remove Void virus with MalwareBytes Free
If you are having issues with the Void ransomware removal, then download MalwareBytes AntiMalware. It’s free for home use, and identifies and removes various unwanted programs that attack your computer or degrade PC performance. MalwareBytes can remove adware, potentially unwanted apps as well as malware, including ransomware and trojans.
Download MalwareBytes Free by clicking on the following link.
Once the downloading process is complete, close all software and windows on your personal computer. Double-click the setup file called mb3-setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes Free on your computer. Follow the prompts and do not make any changes to default settings.
Once installation completes successfully, press the Finish button. MalwareBytes Anti Malware will automatically start and you can see its main screen as displayed in the following example.
Now click the “Scan Now” button to perform a system scan for the Void crypto malware, other malware, worms and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your system. When malware, adware or PUPs are found, the number of security threats will change accordingly. Wait until the checking is finished.
Once the scanning is done, MalwareBytes AntiMalware (MBAM) will display a scan report. Next, you need to click the “Quarantine Selected” button. MalwareBytes Anti Malware (MBAM) will delete Void ransomware related folders, files and registry keys. After disinfection is finished, you may be prompted to restart the machine.
If the problem with Void ransomware virus still remains
If you have already used some malicious software removal tools and they found and removed malicious software, then, in order to be 100% sure that the computer no longer has the Void crypto virus, we recommend using the Kaspersky virus removal tool (KVRT). This utility, as its name suggests, is designed by Kaspersky Lab and uses the core of Kaspersky Antivirus. Unlike Kaspersky Antivirus, KVRT is smaller and, most importantly, it can work together with already installed antivirus software. This tool has great capabilities, and therefore we advise using KVRT last, to be sure that the Void crypto malware has been removed.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Microsoft Windows desktop or in any other place.
When downloading is complete, double-click on the KVRT icon. Once the initialization process is finished, you’ll see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan with this tool for the Void crypto malware and other malicious software. A system scan may take anywhere from 5 to 30 minutes, depending on your system. While the tool is scanning, you can see the number of objects and files it has already scanned.
When the system scan is finished, Kaspersky virus removal tool will display the results as shown below.
Once you’ve selected what you wish to remove from your PC, press Continue to start the cleaning process.
How to decrypt .void files
Files with the extension ‘.void’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by Void ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the Void ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the Void ransomware) in order to recover locked personal files. There are still some ways to defuse crypto malware without paying the ransom, so you do not need to pay the hackers and let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .void files
If all your files are encrypted with the .void file extension, then you only have one thing left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to do so. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.
Use ShadowExplorer to restore .void files
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover your documents, photos, and music encrypted by Void ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
When downloading is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the Void crypto virus, as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready, right-click on it and press the ‘Export’ button as shown in the figure below.
Restore .void files with PhotoRec
There is another way to recover the contents of the encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your Windows Desktop from the link below.
When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double-click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is done, click the OK button.
Next, click the Browse button to select where restored personal files should be written, then press Search.
The count of restored files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is done, click the Quit button. Next, open the directory where the restored personal files are stored. You will see contents similar to the one below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your restored files by extension and/or date/time.
How to protect your computer from Void ransomware
Most antivirus apps already have a built-in protection system against crypto malware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro.Alert can be downloaded from the following link. Save it directly to your MS Windows Desktop.
When the downloading process is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is launched, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of the Void ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .Void files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Void virus related issues, go here.
I do not recommend paying void ransomware or voidcrypt.
My files were encrypted by void ransomware.
After the conversation we had a deal. I’ve paid the price after agreement about the possibility of the payment, but they wrote that they had changed the idea and I need to pay the same price one more time. They don’t give my money back and don’t want to decrypt my files. I can show all letters with them. His contact email is DECRPToffice@gmail.com but I received an answer from decrpt@tutanota.com
Hi, I can help to decrypt VOID Ransomware, please post
Hi, all my data has been converted to .void and I will lose my job if I am unable to recover it. Can you please help me with this? Here is a sample file. Please help me, I really need
Today there is no way to decrypt files without the private key that the Void ransomware authors have.