MyAntiSpyware

How to remove Club Ransomware and Recover Encrypted Files

Myantispyware team, June 7, 2020

What is Club file

.Club is the file extension that the latest variant of the Crysis/Dharma ransomware uses to mark files it has encrypted. The Club ransomware is a malicious program that encrypts user files and demands a ransom for the key-decryptor pair needed to decrypt the affected files. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without the key. Files encrypted with the .[admin@stelsdatas.com].Club extension become useless: their contents cannot be read without the key that the criminals hold.

Club ransomware virus

Club ransom demand message

The full text of the Club ransom demand message is:

YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email admin@stelsdatas.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:admin@stelsdatas.club
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

What is Club ransomware

Club ransomware is one of the variants of Dharma/Crysis ransomware. This malware most often gets onto the computer as part of other programs (torrent files, freeware, cracked apps and games) that the user has downloaded from the Internet. Once started, the ransomware begins to encrypt files using a key that is individual for each computer. Club uses a very strong encryption system, which eliminates the possibility of determining the key, even using a supercomputer. The encryption process is very fast, and the virus can encrypt a file regardless of what it contains. The Club ransomware can encrypt almost all files on the computer, including those located on network drives. The only files the virus does not encrypt are those that the Windows OS needs to function normally. Below we list the types of files that can be encrypted by the ransomware:

.1st, .kf, .zi, .der, .snx, .fos, .ntl, .wbk, .p7c, .t13, .png, .wcf, .mdbackup, .tor, .rwl, .xlgc, .bc6, .wot, .xf, .ai, .hvpl, .big, .docm, .css, .wps, .raw, .odp, .m2, .sidn, .xpm, .psk, .wp6, .menu, .wgz, .mrwref, .ptx, .yml, .wpe, .re4, .srf, .zif, .dbf, .wpb, .wsh, .bik, .p12, .wpd, .doc, .wire, .wpl, .itm, .wbc, .pst, .2bp, .map, .dazip, .xmind, .wmo, .rtf, .layout, .rb, .psd, .xls, .wps, .wbmp, .sis, .jpeg, .arch00, .wb2, .slm, .wpw, .webp, .xyp, .xbplate, .tax, .asset, .dng, .vtf, .kdb, .svg, .blob, .crt, .lrf, .m3u, .zdb, .wn, .crw, .upk, .ws, .sie, .xlsb, .xdb, .3dm, .r3d, .bay, .zip, .wp5, .ppt, .x3d, .ltx, .z3d, .db0, .ibank, .0, .syncdb, .bc7, .fpk, .rar, .rw2, .pak, .wma, .7z, .yal, .wpa, .sav, .sid, .lbf, .xx, .x3f, .csv, .wmd, .forge, .rofl, .wbz, .bar, .wbm, .xlk, .cfr, .mlx, .wp7, .wmf, .rgss3a, .pdf, .wdp, .wmv, .pptm, .wbd, .kdc, .mp4, .p7b, .ysp, .erf, .xlsm, .xbdoc, .sb, .pfx, .arw, .wpg, .sr2, .wdb, .dba, .3ds, .py, .txt, .cdr, .xyw, .icxs, .vfs0, .vpp_pc, .wm, .ncf, .accdb, .wsc, .cas, .zabw, .rim, .mov, .odt, .y, .js, .bkf, .das, .eps, .xar, .bsa, .xml, .mpqge, .bkp, .wpd, .gdb, .wotreplay, .wsd, .cr2, .iwi, .ods, .jpg, .lvl, .docx, .odc, .x3f, .xlsx, wallet, .epk, .wav, .sidd, .sql, .wri, .odb, .cer, .srw, .vdf, .pdd, .pem, .wpt, .pptx, .xls

When a file is encrypted, ‘.id-USERID.[EMAIL-ADDRESS].club’ is appended to its name; that is, if you had a file named ‘document.docx’, a file named ‘document.docx.id-USERID.[EMAIL-ADDRESS].club’ will appear in its place. Renaming the file, or simply deleting the added extension, changes nothing: the file remains encrypted and, as before, cannot be opened in the program with which it is associated.

You may also have found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.

all your data has been locked us
You want to return?
write email admin@stelsdatas.com or admin@stelsdatas.club

This file is very important: in addition to containing a ransom demand, it also contains information that allows you to contact the intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you will encourage attackers to create new ransomware.
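The file-name scheme and the ransom note name described above are enough to inventory the damage before any cleanup or restore. The following Python script is an added example, not code from this article: it only reads file names, its sample tree and the IDs `1A2B3C4D` and `9F8E7D6C` are constructed, and it assumes that USERID contains no dots or brackets.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming scheme from the article: <original name>.id-<USERID>.[<EMAIL>].club
# Assumption: USERID contains no dots or brackets (the article gives no format).
SUFFIX_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[^.\[\]]+)\.\[(?P<email>[^\[\]]+)\]\.club$",
    re.IGNORECASE,  # the article writes both ".Club" and ".club"
)
RANSOM_NOTE = "files encrypted.txt"  # note name from the article, lower-cased


def parse_encrypted_name(name):
    """Return (original_name, victim_id, contact_email), or None if no suffix."""
    m = SUFFIX_RE.match(name)
    if m is None:
        return None
    return m.group("orig"), m.group("vid"), m.group("email").lower()


def triage(root):
    """Walk root read-only and summarise what the file names alone reveal."""
    root = Path(root)
    report = {
        "encrypted": [],          # (path, original name) to look up in backups
        "notes": [],              # ransom note locations
        "untouched": [],          # files that do not carry the suffix
        "victim_ids": Counter(),  # IDs embedded in the names
        "emails": Counter(),      # contact addresses embedded in the names
        "per_dir": Counter(),     # encrypted-file count per directory
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE:
            report["notes"].append(path)
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed is None:
            report["untouched"].append(path)
            continue
        original, victim_id, email = parsed
        report["encrypted"].append((path, original))
        report["victim_ids"][victim_id] += 1
        report["emails"][email] += 1
        report["per_dir"][path.parent.relative_to(root).as_posix()] += 1
    return report


def build_sample_tree(root):
    """Constructed sample: empty files whose names follow the article's scheme."""
    suffix = "[admin@stelsdatas.com]"
    names = [
        f"docs/document.docx.id-1A2B3C4D.{suffix}.club",   # ID is made up
        f"docs/report.v2.final.xlsx.id-1A2B3C4D.{suffix}.Club",
        "docs/FILES ENCRYPTED.txt",
        f"share/photo.jpg.id-9F8E7D6C.{suffix}.club",      # second made-up ID
        "share/readme.txt",
        "share/members.club",  # ends in .club but lacks the id/e-mail parts
    ]
    for rel in names:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        r = triage(build_sample_tree(tmp))
    print(len(r["encrypted"]), "encrypted,", len(r["untouched"]), "untouched")
    print("IDs:", dict(r["victim_ids"]), "per dir:", dict(r["per_dir"]))
```

The list of original names gives you something concrete to look for in backups and shadow copies, and the collected IDs and contact addresses can go into an incident report.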

Threat Summary

Name: Club ransomware, Club File Virus
Type: Filecoder, Crypto malware, File locker, Crypto virus, Ransomware
Encrypted files extension: .[admin@stelsdatas.com].club
Ransom note: FILES ENCRYPTED.txt
Contact: admin@stelsdatas.com, admin@stelsdatas.club
Ransom amount: $300-$1500 in Bitcoins
Detection Names: Trojan.Win32.Crusis.tqMs, Trojan.Ransom.Crysis, TrojWare.Win32.Crysis.D@6sd9xy, Trojan.Encoder.3953, Trojan.Ransom.Crysis.E, Trojan-Ransom.Win32.Crusis.to, Ransom.Crysis!1.A6AA (CLOUD), Trojan-Ransom.Win32.Crysis.a, Trojan.Win32.Ransom.94720.F
Symptoms: Cannot open files stored on the computer. Your files now have an odd extension. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Desktop background is changed to the ransom note.
Distribution methods: Malicious e-mail spam. Drive-by downloading (when a user unknowingly visits an infected web-site and then malicious software is installed without the user’s knowledge). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a suspicious link). Cybercriminals use misleading advertisements to distribute malware with no user interaction required.
Removal: Club ransomware removal guide
Recovery: Club File Recovery Guide

 

As we have already said, the Club ransomware is not the first in its series. The fact that, to date, antivirus companies have not created a way to decrypt the files, and have not found a 100% reliable way to protect users’ computers (otherwise why would you be on our site), indicates the complexity of the virus and of the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove Club ransomware, and there is also a chance to restore part or even all of the encrypted files to their original state. Below we will describe in detail how to do this.

How to remove Club ransomware virus, Restore .[admin@stelsdatas.com].club files

If you have run into Club ransomware and your files have been encrypted with the ‘.[admin@stelsdatas.com].club’ extension, then you need to remove the virus, or be 100% sure that there is no ransomware on your computer, and only then proceed to restore the files. Both the virus removal process and the file recovery process will take a lot of time, so do not believe magical instructions that say this can be done very quickly. If one of the methods proposed below does not suit you for some reason, we definitely recommend trying another one, and trying all of them; perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, all the tools that we recommend in our instructions are free and verified by security experts. Finally, before proceeding, we advise you to read the instructions carefully, and then print them or open them on a tablet or smartphone to have them always at hand.

  1. How to remove Club ransomware
  2. How to decrypt .club files
  3. How to recover .club files
  4. How to protect your computer from Club ransomware

How to remove Club ransomware

To remove Club ransomware, we recommend using free malware removal tools, which we describe below. You can use them in the order given, or in any order you like. Perhaps you think that this virus can be removed manually by using some magic OS functions or by pressing a few keys. A professional or computer specialist with great knowledge will probably be able to do that, but we recommend that you use malware removal tools. They will do all the work for you and, most importantly, they will prevent damage to system files that you might cause by accident. Of course, if you have an antivirus, you can use it first, but if it missed this ransomware, then your trust in it is greatly undermined.




Use Zemana Anti Malware (ZAM) to remove Club ransomware virus

Zemana Anti Malware (ZAM) is highly recommended, because it can scan for security threats such as ransomware, other malicious software and trojans which most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any Club ransomware removal problems which cannot be fixed by this utility automatically, then Zemana Anti Malware (ZAM) provides 24X7 online assistance from its highly experienced support staff.

Click the following link to download the latest version of Zemana Anti-Malware (ZAM) for MS Windows. Save it on your MS Windows desktop or in any other place.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

After downloading is done, close all apps and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as on the image below.

Zemana Free icon

When the installation begins, you will see the “Setup wizard” that will help you install Zemana AntiMalware (ZAM) on your system.

Zemana Anti-Malware (ZAM) SetupWizard

Once the installation is complete, you will see a window as displayed below.

Now press the “Scan” button to search for Club ransomware related folders, files and registry keys. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. During the scan, Zemana Anti-Malware (ZAM) will look for threats that exist on your computer.

Zemana Anti-Malware (ZAM) search for Club ransomware virus, other malicious software, worms and trojans

When the scan is finished, you’ll be shown the list of all detected threats on your computer. Once you’ve selected what you want to delete from your PC system, click the “Next” button.

Zemana Anti Malware scan is finished

Zemana Free will then uninstall Club ransomware and other kinds of potential threats such as malicious software and trojans.

Remove Club ransomware with MalwareBytes Anti Malware

Manual Club ransomware virus removal requires some computer skills. Some files and registry entries created by the crypto virus may not be completely removed. We suggest that you run MalwareBytes, which can completely free your PC of ransomware. Moreover, this free application will help you delete malware, spyware, adware and trojans that your personal computer may also be infected with.

Visit the page linked below to download the latest version of MalwareBytes AntiMalware for MS Windows. Save it on your Windows desktop.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

After the download is done, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named MBSetup as shown on the screen below.

MalwareBytes Anti Malware for Windows icon

When the installation starts, you will see the Setup wizard which will help you set up Malwarebytes on your computer.

MalwareBytes Anti Malware (MBAM) for MS Windows install wizard

Once setup is complete, you will see a window like the one below.

MalwareBytes Anti Malware (MBAM) for Windows

Now click the “Scan” button to start scanning your system for the Club crypto virus, other malware, worms and trojans. This process can take quite a while, so please be patient. When malicious software, adware or PUPs are found, the count of security threats will change accordingly.

MalwareBytes AntiMalware (MBAM) for Windows detect Club crypto virus related folders,files and registry keys

Once finished, MalwareBytes Anti-Malware (MBAM) will prepare a list of unwanted apps and ransomware. Once you’ve selected what you want to remove from your computer, click the “Quarantine” button.

MalwareBytes AntiMalware (MBAM) for Windows, scan for ransomware virus is done

Malwarebytes will now remove Club ransomware and other security threats and move the selected threats to the program’s quarantine. Once the process is complete, you may be prompted to restart your computer.

MalwareBytes for Windows reboot prompt

The following video explains a few simple steps for uninstalling browser hijackers, adware and other malware with MalwareBytes AntiMalware (MBAM).

Remove Club ransomware from system with KVRT

If MalwareBytes and Zemana could not find or remove Club crypto malware, then we recommend using Kaspersky virus removal tool (KVRT). KVRT is a free removal utility for ransomware, worms, spyware, trojans, adware, PUPs and other malware.

Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the link below.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After the download is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is done, you will see the KVRT screen as displayed below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to search for Club ransomware and other malicious software. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. While the tool is checking, you can see the number of objects and files it has already scanned.

KVRT scanning

When Kaspersky virus removal tool has finished scanning your system, the results are shown in the scan report, as in the following example.

Kaspersky virus removal tool scan report

Next, you need to click on Continue to start a cleaning process.

How to decrypt .club files

All files with the ‘.club’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, as we already reported in this article, there is currently no way to decrypt files. The reason for this is the complexity of the encryption algorithm that the authors of Club virus use. In principle, this is what the attackers sought. But this does not mean that you have no choice and you need to pay a ransom for your files.

Should you pay the ransom

Never pay the ransom! Any security expert will tell you this. Of course, there is a chance that, if you pay the ransom, the Club virus authors will allow you to unlock your files, but there is no guarantee. Moreover, you should understand that when you pay a ransom, you unknowingly push the attackers to create new, even more destructive viruses.

Files encrypted by ransomware

Do not forget that, besides you, thousands more people around the world have lost their files; that is, you are not alone. Antivirus companies and security experts are working on something that will allow you to decrypt .club files. Perhaps in the future a universal method will be developed that will allow all victims to unlock all their data.

Of course, as soon as a way to decrypt the files appears, we will post a message about it in this article or on our Facebook account. Therefore, we recommend that you follow the updates.

How to recover .club files

As we wrote above, you cannot decrypt files encrypted with this virus. But you can try a different approach: there is a small chance to restore .club files without decrypting them. Programs created for searching for and recovering lost and deleted data can help you with this. We suggest using the following free programs: PhotoRec and ShadowExplorer. There are only two things we want to add. First, before restoring files, you must be 100% sure that there is no ransomware on the computer. We recommend using the free malware removal tools that we examined in this article. Second, and this is very important: the less you use your computer after the ransomware infection, the higher the chance that you will be able to recover encrypted files.




Use shadow copies to recover .club files

First of all, try to recover your files using a free tool called ShadowExplorer. This program will allow you to recover your files from Shadow Volume Copies. These copies are created automatically by the OS when you work with your files. Unfortunately, the virus very often deletes all these copies automatically and thus prevents the user from recovering encrypted files. Nevertheless, in some cases the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, in our opinion, you should definitely try this method!

ShadowExplorer can be downloaded from the following link. Save it to your Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

After the download is done, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed in the following example.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the figure below.

ShadowExplorer

In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as shown below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you want to restore, right-click on it and select Export, as on the image below.

ShadowExplorer restore file

This step-by-step video guide demonstrates how to recover encrypted files using Shadow Explorer.

Restore .[admin@stelsdatas.com].club files with PhotoRec

Another way that really works to recover your encrypted files is to use a program named PhotoRec. It was created to recover deleted or lost files. Does the virus block this method? Fortunately, the Club virus cannot block it in any way. Why is this possible, you ask? It is possible because, when you delete files using the standard OS function, these files are not actually deleted. Windows just marks them as deleted and does not show them in the list of files. The program that we suggest you use finds deleted files, including files that were deleted by the ransomware, and recovers them.

Download PhotoRec from the following link.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is complete, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the following example.

testdisk photorec folder

Double-click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as shown below.

PhotoRec for windows

Choose a drive to recover as displayed below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted files, as shown below.

photorec choose partition

Press the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.

PhotoRec file formats

Next, press the Browse button to choose where the restored documents, photos and music should be written, then click Search.

photorec

The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the recovery is done, click the Quit button. Next, open the directory where the restored files are stored. You will see contents like those on the image below.

PhotoRec - result of recovery

All restored personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.

This step-by-step video guide demonstrates how to recover encrypted files using PhotoRec.

How to protect your computer from Club ransomware

Most antivirus software already has a built-in protection system against the crypto virus. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic tool to protect your PC system from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the Microsoft Windows operating system from Windows XP to Windows 10.

Installing HitmanPro.Alert is simple. First you’ll need to download HitmanPro.Alert from the link below. Save it on your Microsoft Windows desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

When the download is finished, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro Alert desktop icon. When the tool is opened, you’ll be shown a window where you can choose a level of protection, like the one below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Final words

This guide was created to help all victims of the Club ransomware virus. We tried to answer the following questions: how to remove the ransomware and how to recover .Club files. We hope that the information presented in this manual has helped you.

If you have questions, write to us by leaving a comment below. If you need more help with Club related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
