.CONTACTUS Files Virus - How to Remove and Restore Your Data
THREAT REMOVAL

.CONTACTUS Files Virus – How to Remove and Restore Your Data

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by .CONTACTUS Files Virus and other threats.
Threats such as .CONTACTUS Files Virus may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article has been created in order to help explain what is the .CONTACTUS ransomware virus and how to remove it from your computer plus restore files, encrypted by it.

A new ransomware infection, believed to be an updated variant of .PAUSA ransomware has been reported by security researchers to encrypt the files on the computers infected by it and then leave behind the .CONTACTUS file suffix. The ransomware also drops a ransom note, called !!!RESTORE_FILES!!!.txt which aims get victims to pay a hefty ransom fee to the cyber-criminals in order to get their files restored back to their working state.

Threat Summary

Name.CONTACTUS Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on your PC and then leaves behind a ransom note, asking you to pay ransom to restore files.
SymptomsFiles are encrypted with the .CONTACUS file extension added to them. A ransom note is dropped, known as !!!RESTORE_FILES!!!.txt
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .CONTACTUS Files Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .CONTACTUS Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.CONTACTUS Ransomware – Spread

The .CONTACUS ransomware could infect victims computers using different methods. One of those methods is via a payload dropper file which is basically an intermediary malware, that is obfuscated and aims to evade various antivirus programs and other protection software. These types of files are usually dropped as a result of the infection file being uploaded on web pages and posing as a fake setup of a program, a fake document and even a fake license activator, such as cracks, patches and even key generator programs. Usually the websites on which these files are uploaded are torrent sites or software providing sites with low reputation.

.CONTACTUS Ransomware Virus – More Information

.CONTACTUS is the type of ransomware which aims to encrypt the files on your computer and then ask for a payment to be made in order to get the files of the virus back to normal again. It has so far been detected in quite the different versions, such as:

All of the variants use a ransom note which does not differ much among them. In this variant, the ransom note detected in question is called !!!RESTORE_FILES!!!.txt and it has the following message to victims:

All your important files were encrypted on this PC.
All files with .CONTACTUS extension are encrypted.
Encryption was produced using unique private key RSA-1024 generated for this computer.
To decrypt your files, you need to obtain private key + decrypt software.
To retrieve the private key and decrypt software, you need to CONTACTUS us by email [email protected] send us an email your !!!RESTORE_FILES!!!.txt file and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Price for decryption $600 if you contact us first 72 hours.
Your personal id:
[redacted 40 characters] E-mail address to contact us:
[email protected]
Reserve e-mail address to contact us:
[email protected]

In addition to it’s ransom note, the virus also drops other files as a part of it’s payload, that may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once these files are dropped on the victim’s computer, they may start to perform a set of unwanted activities, such as create mutexes, create copies of the virus, in case the original variants of the files are deleted on the victim PC. In addition to those activities, the .CONTACTUS files virus may also set a registry value string with data pointing out to it’s file that is responsible for the actual encryption process in the Run and RunOnce registry sub-keys in Windows. They are located as follows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Besides this, the .CONTACUS ransomware virus may have one more trick up it’s sleeve. The malware may use a script that execues the following commands in Windows command prompt in order to delete the shadow volume copies of the infected computer:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.CONTACTUS Files Virus – Encryption Process

In order for it to encrypt the files on the infected computers, the .CONTACTUS ransomware infection may initiate a system scam that checks your computer for often used file types, such as the following:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

After this is done, the .CONTACUS ransomware may begin to alter data on the files, by using a combination of two main encryption algorithms:

  • AES (Advanced Encryption Standard), which generates an assymetric decryption key.
  • RSA (Rivest-Shamir-Adleman), that begins to create a unique decryption key for each file.

The files, encrypted by the .CONTACTUS files virus may appear like the following:

The two algorithms make it virtually impossible to break the encryption, because of the sheer randomness used by the encryption module of the ransomware. And even though it is difficult to decrypt files directly, because for this to happen, researchers do need to crack the ransomware’s code, security analysts strongly advise not to pay any ransom to the crooks. This is because of two main reasons – you cannot trust them to recover your files and paying only supports their criminal activity.

Remove .CONTACUS Ransomware and Restore Encrypted Files

In order to make sure that this ransomware virus is gone from your computer, it is strongly reccomended that you follow the removal instructions underneath this article. They have been created to help you delete the malicious objects of this virus either manually, by using the information in this article or automatically, if you want a fast and safe solution. For maxmimum effecitiveness, security researchers strongly advise to automatically remove the encrypted files of this ransomware infection, by using an advanced anti-malware software. It will automatically remove all of the malware-related files from your computer while in the same time ensuring that your PC remains protected against future threats as well.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...