.armage Files Virus - How to Remove and Restore Files


This article has been created to explain what the .armage files virus is, what .armage files are, how to remove the malware associated with them, and how to try to restore as many of the files as you can.

A new ransomware infection, going by the name Armage ransomware, has been detected by security researcher Leo. It encrypts the files on the computers it targets and infects. After the encryption, Armage ransomware drops a ransom note called Notice.txt, which contains instructions on how to pay a hefty ransom fee in BitCoin and other cryptocurrencies in order to recover the encoded files and make them usable again. If your computer has been infected by the .armage files virus, we recommend that you read this article and learn how to remove the virus and restore as many files as possible.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on the compromised computer, shortly after which it extorts the victim to pay a ransom to decrypt the files.
Symptoms: The files on the compromised computer are encrypted with an added .armage file extension, and a ransom note, called Notice.txt, is dropped on the victim's PC.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

.armage Ransomware – How Does It Infect

To infect its victims' computers, the .armage files virus may use a wide variety of infection tactics. The .armage ransomware virus may end up on your hard drive as a result of two main tactics: either you download the malicious payload yourself, or the cyber-criminals somehow manage to convince you to download or execute the payload. A third scenario is that your PC has previously been compromised by other malware, which then downloads the payload of Armage onto your computer.

If the malware has entered your computer because you downloaded its malicious payload yourself, be advised that it may have been hiding behind an executable or another type of file that only seems legitimate at first glance. Such files are often downloaded objects of interest, like:

  • Setups of programs the user is looking for.
  • Tools, patches, cracks or other software license activators.
  • Key generators.
  • Portable versions of programs.

In addition to this, the .armage files virus may also arrive via your e-mail, masked as a reputable attachment from a company that is well known to everyone, in order to increase the victims' trust. Such e-mails are cleverly thought out, for example:

In addition to spam e-mails, the ransomware may also be downloaded by other malware that has previously infected your PC, such as Trojans, worms, rootkits and other, more advanced malware that has read and write permissions over Windows and control over your computer's network. Either way, the main indicator of compromise associated with Armage ransomware has been detected to be the following:

SHA256: 67697dcd8493f287a880cff6165b903bfe1daf3b55814e90de879cd1fb8df004
Size: 809.5 KB

.armage Files Virus – Activity

Once it has infected your computer, the .armage files virus may connect to a remote host and download its malicious payload files. These may consist of one main executable that encrypts the data on your PC plus other supporting files, and they might be spread across different directories on your computer. The directories in which the files dropped by Armage ransomware may reside are usually the following:

  • %Local%
  • %AppData%
  • %Temp%
  • %LocalLow%
  • %Roaming%

In addition to dropping the files on your computer, the Armage ransomware also drops its ransom note file, called Notice.txt, which has the following contents:

Your files had been encrypted Please send me $100 to get your files back
Send your information includes Security code, Computer name and Username to truongquocvifigmail.com
Your security code is: {CODE HERE}
After receiving password, run TQVDecrypt on your desktop to decrypt files

After downloading the payload, the Armage ransomware infection performs a series of unwanted activities on your computer, among which may be creating mutexes, scheduling tasks and modifying registry entries, all with the purpose of ensuring that the encryption takes place unobstructed and that the ransomware obtains permissions to run as administrator on your computer.

If the Armage ransomware modifies your Windows Registry, it will likely attack the Run and RunOnce registry sub-keys, located in the following keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, the Armage ransomware may also delete the shadow volume copies on your computer and stop Windows Recovery services. This usually occurs when the virus runs the following commands as an administrator in the Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
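
As an added example (not code from the original article or from any tool it mentions), the following Python script shows how a defender can flag, in process-creation and registry telemetry, the service stops, the bcdedit recovery changes, the vssadmin shadow-copy deletion and the Run-key persistence described above. The sample events are constructed for the demo, and the field names (Image, CommandLine, TargetObject, Details) are an assumption loosely modelled on Sysmon output; adapt the parser to your own log source.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). Each entry is
# "<timestamp> <event_type> <Key=value fields>", loosely modelled on Sysmon
# process-creation and registry-set events; the schema is an assumption.
SAMPLE_EVENTS = [
    r"2018-07-02T10:14:03 ProcessCreate Image=C:\Windows\System32\sc.exe CommandLine=sc stop WinDefend",
    r"2018-07-02T10:14:03 ProcessCreate Image=C:\Windows\System32\sc.exe CommandLine=sc stop wuauserv",
    r"2018-07-02T10:14:04 ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /C bcdedit /set {default} recoveryenabled No",
    r"2018-07-02T10:14:04 ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r'2018-07-02T10:14:05 ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet',
    r"2018-07-02T10:14:06 RegistrySet TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\victim\AppData\Roaming\svc.exe",
    r"2018-07-02T10:20:00 ProcessCreate Image=C:\Windows\System32\sc.exe CommandLine=sc query WinDefend",
    r"2018-07-02T10:21:00 ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\victim\Desktop\Notice.txt",
]

# Services the article lists as being stopped before encryption (VSS is the
# Volume Shadow Copy service; the rest are Defender, Security Center,
# Windows Update, BITS and error reporting). Matching is case-insensitive.
WATCHED_SERVICES = {"vss", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]
SERVICE_STOP = re.compile(r"\bsc(\.exe)?\s+stop\s+(\S+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


@dataclass
class Finding:
    timestamp: str
    rule: str
    evidence: str


def parse_event(line):
    """Split one sample line into (timestamp, event_type, {field: value})."""
    timestamp, event_type, rest = line.split(" ", 2)
    fields = {}
    # Values may contain spaces, so a field ends where the next " Key=" starts.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", rest):
        fields[m.group(1)] = m.group(2)
    return timestamp, event_type, fields


def evaluate(timestamp, event_type, fields):
    """Return the findings for one parsed event (empty list if nothing matched)."""
    findings = []
    if event_type == "ProcessCreate":
        cmd = fields.get("CommandLine", "")
        for rule, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                findings.append(Finding(timestamp, rule, cmd))
        m = SERVICE_STOP.search(cmd)
        if m and m.group(2).lower() in WATCHED_SERVICES:
            findings.append(Finding(timestamp, "security_service_stop", cmd))
    elif event_type == "RegistrySet":
        target = fields.get("TargetObject", "")
        if RUN_KEY.search(target):
            evidence = f"{target} -> {fields.get('Details', '')}"
            findings.append(Finding(timestamp, "run_key_persistence", evidence))
    return findings


def analyze(events):
    """Run every event through the rules; findings come back in event order."""
    findings = []
    for line in events:
        findings.extend(evaluate(*parse_event(line)))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


def recovery_tampering_detected(findings):
    """True when shadow copies were deleted AND boot recovery was disabled,
    the combination the article places right before encryption."""
    return {"shadow_copy_deletion", "recovery_disabled"} <= {f.rule for f in findings}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} [{f.rule}] {f.evidence}")
    print("summary:", summarize(found))
    print("recovery tampering:", recovery_tampering_detected(found))
```

Run stand-alone, the script prints six findings: two service stops, two bcdedit recovery changes, the vssadmin deletion and the Run-key write; the benign `sc query` and the notepad launch produce nothing. The single rules are useful alerts on their own, but the combination reported by `recovery_tampering_detected` is the strong signal, since legitimate administration rarely disables boot recovery and deletes every shadow copy within seconds of each other.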

.armage Files Virus – File Encryption

Armage ransomware may first scan your computer for the files it wants to encrypt. The virus usually targets files that you use very often, while at the same time skipping important Windows files, so that you can still use your PC to its full extent. The files encrypted by Armage ransomware may be of the following file types:

→ .psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

To encrypt the files once they are detected, Armage ransomware may first create copies of the original files, where those copies are in fact the encrypted versions of the originals. Then Armage ransomware generates a decryption key and deletes the original files. The files encrypted by Armage ransomware are so far undecryptable and look like the following:
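
The scoping script below is an added example, not code from the article or from any tool it mentions. It walks a directory tree and reports how many files carry the appended .armage extension, grouped by their original extension and by folder, flags encrypted files whose original type is not in the article's list, and locates every Notice.txt. The sample directory it builds is constructed test data; point `scope_infection` at a real volume to get the same report for an actual incident.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".armage"
RANSOM_NOTE = "Notice.txt"

# Extensions the article lists as targeted, used to separate expected hits
# from encrypted files of types the article does not mention.
TARGETED_EXTS = {
    ".psd", ".jpeg", ".docx", ".doc", ".arj", ".tar", ".7z", ".rar", ".zip",
    ".tif", ".jpg", ".ai", ".bmp", ".png", ".xlsx", ".pptx", ".accdb", ".mdb",
    ".rtf", ".odt", ".ods", ".cd", ".ldf", ".mdf", ".max", ".dbf", ".epf",
    ".1cd", ".md", ".db", ".pdf", ".ppt", ".xls", ".cdr", ".odb", ".odg",
}


def scope_infection(root):
    """Walk `root` and return what a responder wants first: how many files
    carry the .armage extension, which original types they had, which folders
    hold them, and where the ransom notes are."""
    root = Path(root)
    by_original_ext = Counter()
    by_directory = Counter()
    unexpected = []
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            notes.append(str(path.relative_to(root)))
        elif path.suffix.lower() == ENCRYPTED_EXT:
            # "photo.jpg.armage" -> stem "photo.jpg" -> original suffix ".jpg"
            original = Path(path.stem).suffix.lower()
            by_original_ext[original or "(none)"] += 1
            by_directory[str(path.parent.relative_to(root))] += 1
            if original not in TARGETED_EXTS:
                unexpected.append(str(path.relative_to(root)))
    return {
        "encrypted_total": sum(by_original_ext.values()),
        "by_original_ext": dict(by_original_ext),
        "by_directory": dict(by_directory),
        "unexpected": sorted(unexpected),
        "ransom_notes": sorted(notes),
    }


def build_sample_tree(root):
    """Create a constructed victim layout for the demo (sample data, not a
    real infection): encrypted files, one untouched file and a ransom note."""
    root = Path(root)
    sample = {
        "Documents/report.docx.armage": b"ciphertext",
        "Documents/budget.xlsx.armage": b"ciphertext",
        "Pictures/holiday.jpg.armage": b"ciphertext",
        "Pictures/holiday2.jpg.armage": b"ciphertext",
        "Pictures/raw.cr2.armage": b"ciphertext",   # type not in the article's list
        "Documents/todo.txt": b"plain",             # untouched file
        "Desktop/Notice.txt": b"Your files had been encrypted",
    }
    for rel, data in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo():
    """Build the sample tree in a temporary directory and scope it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scope_infection(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `unexpected` list is the part worth reading closely during a real incident: an encrypted file type outside the published list suggests either a different sample or a different version of the ransomware, which matters when you look for a decrypter later. The report also tells you which folders to prioritise when restoring from backups or attempting sector-level recovery.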

Remove Armage Ransomware and Restore .armage Encrypted Files

If you have become an unfortunate victim of this ransomware virus, a viable method to remove it is to follow the removal instructions underneath this article. They have been made to show you how to make sure this virus is gone from your computer, either manually or automatically, depending on how much experience you have with deleting malware yourself. If you lack such experience or want a fast and easy solution, be advised that experts often advise victims to remove ransomware viruses like Armage safely and automatically by using advanced anti-malware software. Such a program will scan your computer for all of the malicious objects belonging to Armage ransomware and remove them permanently and in a safe manner, while using its real-time shields to make sure that your PC stays safe against future threats.

If you want to restore files encrypted by Armage ransomware, we advise you to try the alternative file recovery tools underneath this article, in step "2. Restore files, encrypted by Armage" below. They have been created with the main goal of serving as a temporary substitute solution and helping you recover as many encrypted files as possible, until researchers devise a decrypter that works 100%.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
