.Conficker File Virus – Remove and Restore Files (Update September 2017)

.Conficker File Virus – Remove and Restore Files (Update September 2017)

Article created to help you remove the Conficker ransomware and restore .conficker encrypted files on your computer.

A ransomware virus has appeared in the wild, created with the same name as the original Conficker virus back in 2008-2009. The virus, detected in April 2017 encrypts files on the computers infected by it, after which drops behind a ransom note, named Decrypt.txt, demanding victims to pay a hefty ransom fee (0.5 BTC) to get their files back to working state. In case your computer has been infected by the Conficker ransomware infection, reccomendations are to read the following article thoroughly.

Threat Summary



Short DescriptionEncrypts important files and asks for 0.5 BTC ransom payoff to be made.

SymptomsFiles are encrypted with the .conficker file extension and an added decrypt.txt ransom note is added.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Conficker


Malware Removal Tool

User ExperienceJoin our forum to Discuss Conficker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Conficker File Virus – Update September 2017

A seemingly new variant of the Conficker file virus has been discovered by a few malware researchers. The picture of the ransom note message remains unchanged and identical to the variant described in this article. The new itertion of the virus is the Samarat Ransomware with .Samarat extension. Samarat is based on the HiddenTear open-source project.

.Conficker File Virus – How Does It Spread

For the distribution of the Conficker ransomware infection, the cyber-criminals behind the virus may take advantage of multiple different set of tools used in combination. These tools may include malicious web links, compromised e-mail addresses, fake e-mail accounts, exploit kits, web injectors, fake updates, self-extracting archives and others. Such may be used via spamming software to spread spam e-mails on a massive scale. Usually the spammed messages have deceitful character and they often aim to get users to either open an attachment on the e-mail or click on a malicious web link.

Other methods of spreading this malware may also include it’s uploading on torrent websites or software downloading sites that are suspicious or compromised. The virus may pose as a legitimate activator for different software, a key generator or a game crack.

.Conficker Ransomware – Infection Process

The infection process of Conficker is achieved by a dropper or a similar type of intermediary malware that is obfuscated and can successfully evade antivirus software. The way the infection works is once the user opens a malicious file or web link, the virus may drop it’s malicious files on several Windows directories, like the following:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

The files are mostly executable and they also include the ransom note of Conficker. They are reported to be the following:

  • ransomwarefineched.exe
  • Decrypt.txt
  • C_o_N_F_i_c_k_e_r Decryptor.exe
  • winrar Setup 2017.exe
  • winrar 2017.exe
  • conficker.exe

In addition to dropping it’s malicious files, Conficker ransomware may compromise the Windows Registry Editor, creating malicious registry values in some of the following sub-keys:


After the modification of the sub-keys is performed, the Conficker ransomware may now run when Windows boots up.

Among the activities of Conficker ransomware may me multiple others, like the deletion of any backups as well as shadow volume copies. This is achievable by executing the vssadmin and bcedit commands on Windows Command Prompt in quiet mode without the user noticing, for example:

After this has been completed, the Conficker ransomware may begin the encryption process.

Conficker Virus – Encryption

The process of encrypting files is orchestrated with the assistance of an encryption algorithm which aims to encode the files by replacing blocks of data in them. Once this is done, the files seem corrupt and can no longer be opened. After the encryption process is complete, the Conficker threat may change the extensions of the encrypted files, making them appear like the following:

Encrypted File.txt.conficker

For the encryption process, Conlicker ransomware may target important files, carefully avoiding Windows system files, so that the OS is intact. Among the encrypted files may be the following file extensions:


After the encryption process is complete, the Conficker virus may change the wallpaper on the affected computer and in addition to this drop a ransom note, named decrypt.txt. Both the wallpaper and the ransom note have the same message:

C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @
If Send 0.5 Bitcoin We will send you the decryption key C_o_N_F_i_c_k_e_r Decryptor

Remove Conficker Virus and Restore .conficker Encrypted Files

Before beginning the removal process of Conficker ransomware, recommendations are to backup the encrypted files first. After this, advices are to focus on following the removal instructions down below. They are carefully designed to help you get rid of the malicious files by first isolating Conficker in Safe Mode. For maximum effectiveness and proper removal, security experts recommend downloading and installing an advanced anti-malware program. It will automatically remove all malicious files related to Conficker ransomware and protect the system against future infections as well.

For the restoration of files encrypted by Conficker ransomware, we advise using the methods in step “2. Restore files encrypted by Conficker” below. They are no guarantee all the files will be restored but you may recover a big portion of them, at least until a decryptor is released for free.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share