.boris Files Virus – How to Remove (+Decrypt Files for Free)

This article is intended to help you remove the .boris files virus from your computer and decrypt the files it has encrypted.

The .boris ransomware virus is an infection that encrypts the files on the computers it infects, so that the victim can no longer open them. The ransomware then drops a README.txt ransom note demanding a hefty ransom in exchange for restoring the encrypted files to a working state. The .boris files virus is a threat that you should not underestimate and should remove on sight. If your computer has been infected by it, we recommend that you read this article to learn how to remove the .boris files virus from your PC and how to decrypt the files encrypted by this ransomware for free.

Threat Summary

Name: .boris Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the computers compromised by it and demands that victims pay a ransom to get them back.
Symptoms: The files on the compromised computer are encrypted with an added .boris file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.


.boris HiddenTear Ransomware – Activity Overview:

.boris Files Ransomware – How Does It Spread


The .boris files virus is a type of ransomware whose main goal is to infect your computer without you noticing, in order to use the important files on it against you. To reach this goal, the .boris files virus may use different methods of infection, the main one of which seems to be malicious files that are obfuscated (hidden) from antivirus and other protection software to avoid detection. These files may pretend to be important documents sent to you via e-mail, such as:

  • Invoices.
  • Receipts.
  • Online banking documents.
  • Other important documents.

In addition to this, the e-mails may appear as if they come from large companies and contain an external link from which the victim downloads the attachment. One example is the fake Dropbox e-mail underneath, which, when compared to the original one, seems very close to it:

Besides e-mail, you may become a victim of the .boris files virus by downloading and running a file yourself while thinking it is a legitimate program, such as:

  • A portable version of often used software.
  • Crack.
  • Patch.
  • Key generator.
  • Software license activator.


.boris Files Virus – Analysis


The .boris file ransomware is a type of virus that drops its malicious files on the computers of victims. The following IOCs have been detected in association with this malware after infection:

→ f213e54c8520e7458751020edf15a5ea
e10edfbbf16d48d70eeded0b1cb8c1cb

According to researchers, this ransomware is a variant of the notorious HiddenTear ransomware family. After infection, the malicious files may be dropped in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Among the files dropped is the README.txt ransom note, whose main purpose is to notify the victim of the unfortunate circumstances that have unfolded:

Your files are encrypted! If you want to restore data email decode77@sfletter.com:

The virus may then set registry entries in the Run and RunOnce Windows registry sub-keys and may also execute the following commands as administrator in Windows Command Prompt in order to delete the backups on your PC:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet


.boris File Ransomware – Encryption Process


In order to encrypt the files on your computer, the .boris HiddenTear variant first scans for them based on their file extensions. The malware may look for the most often used file types, which are believed to be the following:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

During encryption, the .boris HiddenTear variant encodes blocks of data in the original files, which makes them appear corrupt. After encryption, the malware adds the .boris file extension, along with the e-mail it uses, and the files start to appear like the following:

Fortunately for victims, this virus is now decryptable. Keep reading this article to learn how to remove it and decrypt your files for free.
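
As an added example (not part of the original article or of any vendor tool), the indicators described above can be checked with a short read-only triage script: files ending in .boris, README.txt notes containing the quoted contact address, and files whose hash matches the two listed values. It assumes those values are MD5 digests, and the 64 MiB hashing limit is an arbitrary choice.

```python
import hashlib
import os

# File hashes listed on the page; assumed here to be MD5 digests (32 hex characters).
IOC_HASHES = {"f213e54c8520e7458751020edf15a5ea", "e10edfbbf16d48d70eeded0b1cb8c1cb"}
NOTE_MARKER = "decode77@sfletter.com"   # contact address quoted in the ransom note
MAX_HASH_BYTES = 64 * 1024 * 1024       # assumption: skip hashing files above 64 MiB


def md5_of(path):
    """Hash a file in 1 MiB chunks so large files do not load into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots, ioc_hashes=IOC_HASHES):
    """Walk the given directories and collect the three indicators the article describes."""
    report = {"encrypted": [], "ransom_notes": [], "hash_matches": []}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if name.lower().endswith(".boris"):
                        report["encrypted"].append(path)
                    elif name.lower() == "readme.txt":
                        with open(path, "r", errors="ignore") as fh:
                            if NOTE_MARKER in fh.read(4096):
                                report["ransom_notes"].append(path)
                    elif os.path.getsize(path) <= MAX_HASH_BYTES and md5_of(path) in ioc_hashes:
                        report["hash_matches"].append(path)
                except OSError:
                    continue  # locked or unreadable file: skip it and keep scanning
    return report


if __name__ == "__main__":
    # The article names %AppData% and %Temp%; other locations can be appended.
    roots = [p for p in (os.environ.get("APPDATA"), os.environ.get("TEMP")) if p]
    for kind, paths in scan(roots).items():
        print(kind, len(paths))
```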

Remove .boris HiddenTear and Decrypt Encrypted Files for Free

In order to remove this variant of HiddenTear ransomware, we suggest that you follow the manual or automatic removal instructions below. They have been created to help you delete this malware based on how much experience you have with it. If you lack experience in malware removal, security experts strongly advise using advanced anti-malware software for maximum effectiveness. It will scan for and automatically get rid of this infection from your computer at the click of a button, while at the same time ensuring that your PC stays protected in the future as well.

After removing the .boris files virus from your computer, we suggest that you follow the "HiddenTear (.boris) Decryption Instructions" underneath the removal accordion below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
