
My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.


Restoreadmin@firemail.cc ransomware virus. Restore, Decrypt encrypted files.

Myantispyware team, May 31, 2020

Restoreadmin@firemail.cc is an email address that cyber criminals use to contact victims of STOP (DJVU) ransomware. Ransomware is a type of malware that blocks access to files by encrypting them, until the victim pays a ransom.

Restoreadmin@firemail.cc ransomware

The Restoreadmin@firemail.cc virus locks files using AES-RSA encryption, which makes it impossible for the victim to unlock the encrypted data without a key and a decryptor; these are the only way to decrypt the affected files. They can be obtained only by paying the required ransom through a cryptocurrency wallet. The ransomware virus encrypts almost all database, video, document, music, web application-related, archive and image files, including common types such as:

.ai, .xf, .ff, .desc, .zip, .z3d, .cr2, .ods, .mdf, .zdb, .1st, .itm, .dmp, .dbf, .xls, .rb, .z, .rim, .bkp, .odb, .ncf, .epk, .rwl, .vpp_pc, .xpm, .yal, .kdb, .p7b, .3ds, .pptm, .sb, .der, .iwd, .sum, .odc, .png, .fos, .wbmp, .ntl, .0, .cer, .webp, .wbz, .xls, .psk, .wdb, .wpe, .ibank, .flv, .wma, .xmmap, .xml, .wpa, .zip, .wpd, .tax, .y, .wmv, .sidd, .xdb, .vfs0, .x3f, .wmv, .hplg, .sql, .gho, .xbdoc, .kdc, .w3x, .txt, .xar, .wp6, .mcmeta, .xlsx, .forge, .p12, .docm, .psd, .wbd, .1, .ltx, .wmf, .wotreplay, .wbk, .wbc, .vdf, .sr2, .wps, .wri, .lbf, .mdbackup, .p7c, .iwi, .odm, .pem, .wav, .big, .slm, .itdb, .ztmp, .mdb, .icxs, .xll, .xwp, .wsh, .pfx, .pef, .wsd, .ybk, .hkdb, .erf, .qdf, .asset, .xyw, .blob, .dcr, .tor, .bik, .xlsb, .jpg, .docx, .bsa, .wsc, .xlsm, .mpqge, .2bp, .t12, .wpl, .jpeg, .mddata, .odp, .wp, .wb2, .zif, .sis, .wp7, .vpk, .xmind, .mef, .layout, .wn, .js, .syncdb, .arw, .odt, .qic, .m4a, .wgz, .x, .vcf, .mrwref, .pkpass, .cfr, .rgss3a, .bay, .pptx, .wot, .cas, .pst, .dazip, .wp5, .apk, .r3d, .d3dbsp, .mp4, .3dm, .pak, .mov, .snx, .wire, .eps, .bkf, .sidn, .kf, .wpw, .css, .doc, .3fr, .nrw, .sie, .bc6, .jpe, .py, .xbplate, .fpk, .wma, .rofl, .db0, .xlsm, .wpb, .xld, .wm, .raf, .xlgc, .wmo, .xxx, .xlsx, .avi, .fsh, .esm, .crw, .cdr, .wps, .bc7, .lrf, .crt, .zw, .wpg, .wpt, .dng, .map, .indd, .wbm, .wcf, .wmd, .xlk, .pdf, .rtf, .accdb, .litemod, wallet, .menu, .pdd, .arch00, .dba, .raw, .xx, .dxg, .das, .m2, .t13, .wpd, .yml, .wdp, .ws, .dwg, .xdl, .x3f, .csv, .ppt, .xyp, .re4, .sid, .srw, .x3d, .svg, .rw2, .sav, .mlx, .m3u, .zi, .itl, .xy3, .webdoc

When the encryption process is complete, every encrypted file has a new extension appended to the end of its name. The virus does not encrypt files located in the Windows system directories, files with the extensions .ini, .bat, .sys, .dll and .lnk, or files named _readme.txt. In each directory that contains encrypted files, the Restoreadmin@firemail.cc virus leaves a file named _readme.txt. This file contains a ransom demand message written in English. In this message, the Restoreadmin@firemail.cc ransomware authors demand a ransom in exchange for a key and a decryptor, which are necessary to decrypt the affected files.
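The traits described above (a _readme.txt note in every affected directory, a new extension appended to file names, and the untouched .ini, .bat, .sys, .dll and .lnk types) are enough to measure how far the encryption reached on a disk. The Python script below is an added example, not part of the original guide; the `.lockedx` extension, the demo directory tree and the double-extension heuristic are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

NOTE_NAME = "_readme.txt"                                # ransom note name given in the article
SKIPPED_EXTS = {".ini", ".bat", ".sys", ".dll", ".lnk"}  # types the article says are left alone


def survey(root):
    """Return (directories holding a note, inferred appended extension, suspected files)."""
    note_dirs, candidates = [], []
    for dirpath, _subdirs, files in os.walk(root):
        if NOTE_NAME not in (f.lower() for f in files):
            continue                                     # no note here, so nothing is counted
        note_dirs.append(dirpath)
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if name.lower() == NOTE_NAME or not ext or ext in SKIPPED_EXTS:
                continue
            candidates.append((os.path.join(dirpath, name), stem, ext))
    # Heuristic (assumption): the appended extension is the most common final
    # extension among files that still carry an earlier one, e.g. "a.docx.<new>".
    doubled = Counter(ext for _p, stem, ext in candidates if os.path.splitext(stem)[1])
    appended = doubled.most_common(1)[0][0] if doubled else None
    suspected = sorted(p for p, _s, ext in candidates if ext == appended)
    return sorted(note_dirs), appended, suspected


def build_demo_tree(root):
    """Create a small constructed tree; '.lockedx' is a made-up placeholder extension."""
    layout = {
        "docs": ["_readme.txt", "report.docx.lockedx", "photo.jpg.lockedx", "desktop.ini"],
        "docs/old": ["_readme.txt", "budget.xlsx.lockedx", "link.lnk"],
        "clean": ["notes.txt", "archive.tar.gz"],        # no note: must not be reported
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        dirs, ext, files = survey(tmp)
        print("note found in:", [os.path.relpath(d, tmp) for d in dirs])
        print("appended extension:", ext)
        for path in files:
            print("  ", os.path.relpath(path, tmp))
```

The script only reads file names, so it can be run against a mounted copy of the disk before any cleanup; the list it produces shows which folders need restoring.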

Text presented in “_readme.txt”:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/################
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoreadmin@firemail.cc

Your personal ID:

Threat Summary

Name: Restoreadmin@firemail.cc ransomware
Type: File locker, Ransomware, Filecoder, Crypto virus, Crypto malware
Ransom note: _readme.txt
Contact: restoreadmin@firemail.cc
Ransom amount: $980, $490 in Bitcoins
Detection names: Trojan.GenericKDZ.67427, Trojan.Win32.Agent.4!c, Trojan:Win32/Cridex.ef819985, Trojan.Ransom.Stop, Win32:CoinminerX-gen [Trj], TR/AD.InstaBot.sarli, Ransom.Stop.MP4, W32/Trojan.ZAVK-3801, W32/Kryptik.HPDO!tr
Symptoms: Encrypted files. Your photos, documents and music have a different extension appended at the end of the file name. Files named ‘_readme.txt’ or ‘_readme’ appear in each folder with at least one encrypted file.
Distribution ways: Spam mails that contain malicious links. Drive-by downloading (when a user unknowingly visits an infected web page and then malware is installed without the user’s knowledge). Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a malicious link). Torrent web-sites.
Removal: To remove Restoreadmin@firemail.cc ransomware use the Restoreadmin@firemail.cc virus removal guide
Decryption: To decrypt Restoreadmin@firemail.cc ransomware use the steps

 

If you become a victim of the ransomware attack, then the first thing you need to do is scan your computer for malware, find and remove Restoreadmin@firemail.cc virus completely. We recommend using free malware removal tools. Only after you are completely sure that the ransomware virus has been removed, start decrypting the files.

Quick links

  1. How to remove Restoreadmin@firemail.cc ransomware
  2. How to decrypt encrypted files
  3. How to restore encrypted files

How to remove Restoreadmin@firemail.cc ransomware

The following instructions will help you to delete the Restoreadmin@firemail.cc crypto virus and other malicious software. Before you start, you need to know that by deleting the ransomware you may block the ability to decrypt files by paying the creators of the crypto malware the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and easily remove them from your computer, but they cannot recover encrypted files.



Use Zemana Anti-Malware to remove Restoreadmin@firemail.cc ransomware

Zemana is a complete package of anti-malware tools that can help you remove the Restoreadmin@firemail.cc virus. Despite so many features, it does not reduce the performance of your computer. Zemana AntiMalware (ZAM) has the ability to remove almost all types of ransomware as well as trojans, worms, adware, browser hijackers, PUPs and other malicious software. Zemana Free has real-time protection that can defeat most malicious software and ransomware. You can run Zemana Anti-Malware (ZAM) with any other antivirus software without any conflicts.

Visit the following page to download Zemana install package named Zemana.AntiMalware.Setup on your PC system. Save it on your MS Windows desktop or in any other place.

Zemana AntiMalware
159564 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Start the installer after it has been downloaded successfully and then follow the prompts to install this utility on your system.

Zemana AntiMalware SetupWizard

During installation you can change some settings, but we recommend you don’t make any changes to default settings.

When installation is complete, this malicious software removal utility will automatically start and update itself. You will see its main window as shown in the figure below.

Now click the “Scan” button to perform a system scan with this tool for the Restoreadmin@firemail.cc ransomware virus and other kinds of potential threats such as malware and trojans. This task can take quite a while, so please be patient. While the utility is scanning, you can see how many objects and files have already been scanned.

Zemana Free scan for Restoreadmin@firemail.cc ransomware virus, other malicious software, worms and trojans

After Zemana Free has finished scanning, it will show a scan report. Next, click the “Next” button.

Zemana Free scan is done

Zemana Anti-Malware will remove the Restoreadmin@firemail.cc crypto malware and other kinds of potential threats like malicious software and trojans, and move the selected threats to the Quarantine. When the task is done, you may be prompted to reboot your machine for the change to take effect.

Remove Restoreadmin@firemail.cc with MalwareBytes Free

You can uninstall the Restoreadmin@firemail.cc ransomware virus automatically with the help of MalwareBytes. We recommend this free malware removal tool because it can easily uninstall ransomware, adware, malware and other unwanted apps with all their components such as files, folders and registry entries.

MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it on your Windows desktop or in any other place.

Malwarebytes Anti-malware
317702 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

After the downloading process is done, close all applications and windows on your computer. Double-click the setup file called MBSetup. If the “User Account Control” prompt pops up like below, click the “Yes” button.

MalwareBytes for Windows uac dialog box

It will open the Setup wizard that will help you install MalwareBytes Free on your computer. Follow the prompts and don’t make any changes to default settings.

MalwareBytes Free for MS Windows setup

Once installation is finished successfully, click “Get Started” button. MalwareBytes will automatically start and you can see its main screen as displayed in the figure below.

MalwareBytes Free for Windows

Now click the “Scan” button to start checking your computer for folders, files and registry keys related to the Restoreadmin@firemail.cc malware. This procedure can take some time, so please be patient. During the scan MalwareBytes Anti-Malware (MBAM) will search for threats that exist on your machine.

MalwareBytes Free for Windows look for Restoreadmin@firemail.cc crypto virus and other security threats

When MalwareBytes Anti-Malware (MBAM) completes the scan, it will produce a list of unwanted programs and ransomware. Make sure all threats have a ‘checkmark’ and click the “Quarantine” button. MalwareBytes will delete the Restoreadmin@firemail.cc crypto malware, other malicious software, worms and trojans and move the selected threats to the Quarantine. After the cleaning procedure is done, you may be prompted to reboot the PC system.

MalwareBytes for MS Windows restart prompt

Use KVRT to remove Restoreadmin@firemail.cc ransomware virus from the computer

Kaspersky virus removal tool (KVRT) is a free removal utility that can be downloaded and run to delete ransomware, adware, spyware, trojans, worms, PUPs, malware and other security threats from your system. You can use this tool to search for threats even if you have an antivirus or any other security application.

Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Windows desktop.

Kaspersky virus removal tool
123965 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is finished, you will see the KVRT screen like below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the Restoreadmin@firemail.cc crypto virus and other malware. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. When a threat is found, the number of security threats will change accordingly. Wait until the scanning is complete.

Kaspersky virus removal tool scanning

When the scan is complete, KVRT will display the results as shown below.

Kaspersky virus removal tool scan report

Make sure to check mark the items that are unsafe and then click on Continue to begin a cleaning process.

How to decrypt encrypted files

Using the STOP decryptor is not difficult, just follow the few steps described below.

STOP Djvu decryptor


  • Download STOP Djvu decryptor from here (scroll down to ‘New Djvu ransomware’ section).
  • Run decrypt_STOPDjvu.exe.
  • Add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

If during decryption of files, the decryptor reports that the files cannot be decrypted, then Restoreadmin@firemail.cc virus used an online key to encrypt them. Files encrypted with the online key cannot yet be decrypted. In this case, we recommend using the alternative methods listed below to restore the contents of encrypted files (see section ‘How to restore encrypted files’).

This step-by-step video guide demonstrates how to decrypt files encrypted by the STOP Djvu ransomware.

How to restore encrypted files

Fortunately, there is a small chance to restore documents, photos and music that have been encrypted by the Restoreadmin@firemail.cc crypto malware. Data restore software can help you! Many victims of various ransomware were able to recover their files using the steps described below. In our tutorial, we recommend using only free and tested utilities named PhotoRec and ShadowExplorer. Before you try to restore encrypted files, check your computer for active ransomware. Earlier in this post we gave examples of malicious software removal tools that can find and delete the Restoreadmin@firemail.cc crypto virus.




Restore encrypted files using Shadow Explorer

In some cases, you have a chance to recover your personal files which were encrypted by the Restoreadmin@firemail.cc ransomware. This is possible due to the use of the utility called ShadowExplorer. It is a free program that is designed to obtain ‘shadow copies’ of files.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer by clicking on the following link. Save it on your MS Windows desktop or in any other place.

ShadowExplorer
419282 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the downloading process is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed in the image below.

ShadowExplorer folder

Start the ShadowExplorer tool and then choose the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the Restoreadmin@firemail.cc ransomware virus like below.

ShadowExplorer recover files encrypted by the Restoreadmin@firemail.cc crypto malware

Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as displayed in the figure below.

ShadowExplorer recover file

Restore encrypted files with PhotoRec

When it encrypts a file, the crypto malware makes a copy of this file, encrypts the copy, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore tools like PhotoRec.

Download PhotoRec on your Microsoft Windows Desktop from the following link.

PhotoRec
209014 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After downloading is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as on the image below.

PhotoRec for windows

Select a drive to recover such as the one below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music such as the one below.

photorec select partition

Press the File Formats button and select the file types to recover. You can enable or disable the restore of certain file types. When this is finished, press the OK button.

PhotoRec file formats

Next, click Browse button to choose where restored personal files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All restored personal files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is done, click the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents like below.

PhotoRec - result of restore

All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
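Sorting the recup_dir.N sub-directories by extension and date, as suggested above, is tedious by hand once PhotoRec has produced thousands of files. The Python script below is an added example, not part of the original guide or of PhotoRec; the sample file names and timestamps are constructed, and the destination layout (one folder per extension) is an assumption.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")  # sub-directory naming described in the guide


def index_recovered(out_dir):
    """Map extension -> [(mtime, path), ...] (newest first) across every recup_dir.N."""
    folders = []
    for entry in os.listdir(out_dir):
        match = RECUP_RE.match(entry)
        if match and os.path.isdir(os.path.join(out_dir, entry)):
            folders.append((int(match.group(1)), os.path.join(out_dir, entry)))
    index = defaultdict(list)
    for _num, folder in sorted(folders):      # numeric order, so 2 comes before 10
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if os.path.isfile(path):
                ext = os.path.splitext(name)[1].lower() or ".noext"
                index[ext].append((os.path.getmtime(path), path))
    for items in index.values():
        items.sort(reverse=True)
    return dict(index)


def copy_by_extension(index, dest):
    """Copy (never move) files into dest/<extension>/; return how many were copied."""
    copied = 0
    for ext, items in index.items():
        target = os.path.join(dest, ext.lstrip("."))
        os.makedirs(target, exist_ok=True)
        for _mtime, path in items:
            # Prefix the source folder so equal names from different folders never collide.
            new_name = os.path.basename(os.path.dirname(path)) + "_" + os.path.basename(path)
            shutil.copy2(path, os.path.join(target, new_name))  # copy2 keeps timestamps
            copied += 1
    return copied


def build_demo_output(out_dir):
    """Constructed sample that mimics a PhotoRec output folder; names and times are made up."""
    sample = {"recup_dir.1": [("f0001.jpg", 1000), ("f0002.docx", 3000)],
              "recup_dir.2": [("f0003.jpg", 2000)],
              "recup_dir.10": [("f0004.jpg", 500)]}
    for folder, files in sample.items():
        os.makedirs(os.path.join(out_dir, folder))
        for name, mtime in files:
            path = os.path.join(out_dir, folder, name)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out, tempfile.TemporaryDirectory() as dest:
        build_demo_output(out)
        print("copied:", copy_by_extension(index_recovered(out), dest))
```

Point `dest` at a drive other than the one PhotoRec is scanning, since writing to the scanned partition can overwrite deleted data that has not been recovered yet.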

To sum up

We hope this information helped you remove the Restoreadmin@firemail.cc ransomware virus, as well as restore (decrypt) encrypted files. If you need more help with ransomware-related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
