# RESTORING FILES #.html is the ransom note file dropped by this ransomware virus, which, after infecting your computer, will encrypt your files and hold them for ransom. The CryptoShield 1.0 virus, which resembles CryptoWall ransomware by using the same ransom note, is a very interesting type of ransomware, and it may use the RSA-2048 encryption algorithm to replace bits of the encrypted files with symbols from the cipher. After this, the virus sends information to the cyber-criminals' command and control servers, and they become the only ones who seem to be able to unlock the files. Since this virus is new, we advise saving the encrypted files and trying to restore them using several alternative methods, like the ones mentioned in this article. But first, we advise reading the material below to learn more about it and how to remove CryptoShield 1.0 from your computer.
| Short Description | CryptoShield 1.0 may encrypt the files on the compromised computer using a sophisticated encryption algorithm and then ask victims to pay a hefty ransom fee to get them back. |
| Symptoms | May encrypt files using RSA-2048, generating a unique decryption key which is then communicated via POST traffic. Has a ransom note, named # RESTORING FILES #.html, which is the same as the CryptoWall ransom note. |
CryptoShield 1.0 Ransomware – How Does It Infect
What is particularly interesting about CryptoShield is the method by which it is being spread: the widely known RIG exploit kit. At the moment it is not clear which version of the exploit kit is used to cause an infection with CryptoShield 1.0, but it might as well be the latest RIG-V iteration.
This exploit kit may include the malicious files heavily obfuscated and arriving onto your computer in different forms:
→ .js, .wsf, .vbs, .hta, .htm, .html, .exe, .cmd, .bat, .swf, .svg, .doc, .docx, .xls
The files may be sent out via a variety of e-mail templates which may be spammed to the victim, claiming to contain an invoice or another important document that has to be opened. Usually, inexperienced users tend to open the attachments. If you want to learn how to protect yourself from such malicious e-mails in the future, please read the following article:
CryptoShield 1.0 – What Happens After Infection
After the malicious attachment is opened, the virus gets right down to business. It may create multiple malicious files, also known as modules, and each of those files is responsible for different activities. The files may be dropped under different names in the following Windows folders:
After dropping the files, the CryptoShield 1.0 virus may create registry entries in Microsoft Windows’ Registry Editor. These values may have data with the location of the ransom note and the file that encrypts your data. They may be located in the following keys:
The purpose of this is to run those files when Windows starts.
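A defender's first check after an infection like this is whether anything unexpected has been added to the Run keys. The following script is an added example, not code from the original article or from the ransomware: it assumes the entries sit in the standard HKCU and HKLM `...\CurrentVersion\Run` keys (the article does not name the exact keys), enumerates them with `winreg` when run on Windows, and otherwise triages a constructed sample. The hint lists and name set are assumptions chosen for illustration.

```python
import re
import sys

# Constructed sample of what enumerating the Run keys might return, as
# (key path, value name, value data). Test data only, not entries taken
# from a real CryptoShield infection.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "restore",
     r"C:\Users\alice\AppData\Roaming\# RESTORING FILES #.html"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\alice\AppData\Local\Temp\wsf2.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# Directories legitimate software rarely autostarts from but droppers favour (assumed list).
USER_WRITABLE_HINTS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
# Windows process names that malware commonly borrows as value names (assumed list).
IMPERSONATED_NAMES = {"svchost", "explorer", "csrss", "lsass", "winlogon"}


def extract_path(value_data):
    """Pull the file path out of a Run value, handling quoted paths with arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: the path ends at the first extension-like token followed by a space or the end.
    m = re.match(r"(.+?\.[A-Za-z0-9]{2,4})(?:\s|$)", data)
    return m.group(1) if m else data


def triage_run_entry(key, name, value_data):
    """Return the reasons this autorun entry deserves a look (empty list = nothing odd)."""
    reasons = []
    low = extract_path(value_data).lower()
    if any(h in low for h in USER_WRITABLE_HINTS):
        reasons.append("starts from a user-writable directory")
    if low.endswith((".html", ".htm", ".txt")):
        reasons.append("autostarts a document rather than a program (ransom note pattern)")
    if name.lower() in IMPERSONATED_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("value name mimics a Windows process but the path is outside C:\\Windows")
    if low.endswith((".js", ".wsf", ".vbs", ".hta", ".cmd", ".bat")):
        reasons.append("script-type payload")
    return reasons


def triage_all(entries):
    """Map (key, name) -> reasons for every entry that raised at least one flag."""
    flagged = {}
    for key, name, data in entries:
        reasons = triage_run_entry(key, name, data)
        if reasons:
            flagged[(key, name)] = reasons
    return flagged


def read_live_run_keys():
    """On Windows, enumerate the real Run keys with winreg; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg
    entries = []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for root, root_name in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(root, sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values
                    entries.append((root_name + "\\" + sub, name, str(data)))
                    i += 1
        except OSError:
            continue  # key missing or access denied
    return entries


if __name__ == "__main__":
    for (key, name), reasons in triage_all(read_live_run_keys()).items():
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

On the constructed sample the script flags the `restore` entry (a document in `AppData\Roaming`) and the `svchost` entry (an executable in `Temp` using a system process name) and leaves the two legitimate entries alone; on a live Windows host it reads the real keys, which is the point at which an analyst compares the hits against the ransom note and dropper paths seen on the machine.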
After doing this, the CryptoShield 1.0 ransomware may begin to encrypt your files. For the encryption process, the virus may hunt down all important file types on the victim’s computer, like videos, documents, pictures, databases and others, for example:
→ .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV; CAD files: .DWG .DXF; GIS files: .GPX .KML .KMZ; .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF; encoded files: .HQX .MIM .UUE; .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML; audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA; video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV; 3D: .3DM .3DS .MAX .OBJ; .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG (source: fileinfo.com)
After this, the CryptoShield 1.0 threat may render those files no longer able to be opened. Their original file icon becomes blank and Windows cannot seem to find a program to open those files with. This is because the core structure of the files is altered.
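Because the file contents are altered while the names and extensions stay the same, a quick way to size up the damage is to compare each file's header against what its extension promises and to measure the entropy of the first few kilobytes: ciphertext has no recognisable header and sits near 8 bits per byte. The script below is an added example, not code from the article or the malware; the magic-byte table is a small assumed subset of well-known signatures, and the sample tree it scans is constructed in a temporary directory (a random-byte file standing in for an encrypted PDF).

```python
import math
import os
import tempfile
from collections import Counter

# Well-known header signatures for a few common types (assumed subset, not from the article).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".gif": b"GIF8",
}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path, sample_size=4096):
    """Return (verdict, entropy) where verdict is 'ok', 'header_mismatch' or 'unknown_type'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample_size)
    ent = shannon_entropy(head)
    sig = MAGIC.get(ext)
    if sig is None:
        return ("unknown_type", ent)   # no signature to compare against
    if head.startswith(sig):
        return ("ok", ent)
    return ("header_mismatch", ent)


def scan_directory(root, entropy_floor=7.0):
    """List files whose header no longer matches their extension and whose content looks like ciphertext."""
    suspicious = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            verdict, ent = classify_file(p)
            if verdict == "header_mismatch" and ent > entropy_floor:
                suspicious.append(p)
    return sorted(suspicious)


def verdicts_for_tree(root):
    """Convenience view: file name -> verdict for a flat directory."""
    return {name: classify_file(os.path.join(root, name))[0] for name in os.listdir(root)}


def build_sample_tree():
    """Constructed test data: an intact PNG, a text file, and an 'encrypted' file that kept its .pdf name."""
    d = tempfile.mkdtemp(prefix="cryptoshield_demo_")
    with open(os.path.join(d, "photo.png"), "wb") as f:
        f.write(MAGIC[".png"] + b"\x00" * 2000)
    with open(os.path.join(d, "invoice.pdf"), "wb") as f:
        f.write(os.urandom(4096))   # stands in for ciphertext: no PDF header, high entropy
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"plain text notes\n" * 50)
    return d


if __name__ == "__main__":
    demo = build_sample_tree()
    for name, verdict in verdicts_for_tree(demo).items():
        print(f"{name}: {verdict}")
    print("likely encrypted:", scan_directory(demo))
```

The entropy floor matters: a file with a mismatched header but low entropy is more likely a mislabelled or truncated file than ransomware output, so the scan only reports files that fail both tests. Run against a real user profile, the sorted list is the inventory you back up before attempting any of the recovery methods described later.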
After performing the encryption, a unique RSA decryption key is generated for each file or set of files. Malware researchers on Twitter have reported that this unlocking key is then sent to the cyber-criminals via POST traffic. This means that, technically, you may be able to decrypt the encrypted files by discovering the decryption key using a network sniffer. For more information on how to use the Wireshark network sniffer to detect a decryption key, please check the following article:
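If you have a capture from the infection window, the analyst's job is to find the POST request carrying the key rather than to read the whole trace by hand. The script below is an added example, not code from the article, from Wireshark, or from the malware: it takes HTTP requests as raw bytes (what a packet tool exports per stream), keeps only POSTs, and reports bodies that contain PEM blocks or base64 runs decoding to an ASN.1 SEQUENCE (how DER-encoded RSA keys begin) or to a large opaque blob. The capture it runs on is constructed, with a placeholder host; the article does not describe the real upload format, so the `key=` form field is an assumption.

```python
import base64
import binascii
import os
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
PEM_BLOCK = re.compile(rb"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return method.decode(), path.decode(), headers, body


def key_like_blobs(body):
    """Return (kind, decoded length) for each piece of key-like material in a request body."""
    found = []
    for m in PEM_BLOCK.finditer(body):
        found.append(("pem", len(m.group(0))))
    rest = PEM_BLOCK.sub(b"", body)          # avoid re-matching the base64 lines inside PEM blocks
    for m in B64_RUN.finditer(rest):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                          # not valid base64 after all
        if raw[:1] == b"\x30":                # ASN.1 SEQUENCE tag: DER-encoded keys start this way
            found.append(("der_sequence", len(raw)))
        elif len(raw) >= 128:
            found.append(("opaque_blob", len(raw)))
    return found


def triage_capture(requests):
    """One finding per POST whose body carries key-like material: destination host, path, blobs."""
    findings = []
    for raw in requests:
        method, path, headers, body = parse_request(raw)
        if method != "POST":
            continue
        blobs = key_like_blobs(body)
        if blobs:
            findings.append({"host": headers.get(b"host", b"?").decode(), "path": path, "blobs": blobs})
    return findings


def build_sample_capture():
    """Constructed traffic, not a real CryptoShield capture: a benign GET and a POST that ships
    a DER-looking blob (random bytes behind a SEQUENCE header) to a placeholder host."""
    fake_der = b"\x30\x82\x01\x22" + os.urandom(290)
    blob = base64.b64encode(fake_der)
    post_body = b"id=A1B2C3&key=" + blob
    post = (b"POST /upload.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(post_body)).encode() + b"\r\n\r\n" + post_body)
    get = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return [get, post]


if __name__ == "__main__":
    for f in triage_capture(build_sample_capture()):
        print(f"POST to {f['host']}{f['path']}: {f['blobs']}")
```

The decode-and-check step is what separates this from a plain regex search: long base64 runs are common in ordinary web traffic (images, tokens), but a run that decodes to a DER SEQUENCE of a few hundred bytes is worth handing to whoever is attempting the Wireshark recovery. Only plaintext HTTP is covered; if the upload went over TLS there is nothing to extract from the wire.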
After finishing the encryption process, CryptoShield 1.0 may delete the encryption file to prevent malware researchers from reverse-engineering it, and may leave a backdoor on the infected computer. This will result in the cyber-criminals still having malicious files on your computer. In addition to all of this, the virus also makes its presence known by opening the ransom note, named “# RESTORING FILES #.html”. This note aims to explain the situation to the victim and “ask” him or her for money:
“NOT YOUR LANGUAGE? USE http://translate.google.com
What happened to you files?
All your files were encrypted by a strong encryption with RSA-2048 using CryptoShield 1.0.
More information about the encryption keys using RSA-2048 can be found here: https//en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
Specially for your PC was generated personal RSA-20478 KEY, both public and private.
ALL your FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions…”
The note continues with further instructions on how to contact the cyber-criminals via e-mail and negotiate the payoff. It is very similar to CryptoWall’s ransom message.
Remove CryptoShield 1.0 Virus and Restore Encrypted Files
As a conclusion, we advise you not to pay cyber-criminals and instead to attempt either the Wireshark file recovery method or the other methods we have mentioned below in step “2. Restore Files Encrypted by CryptoShield 1.0”, after first backing up your files. But before all of this, the first thing to do is to remove CryptoShield 1.0 from your computer. To do this, we advise following the removal instructions we have posted below. You may also want to use an advanced anti-malware program for the removal, since this will help you remove all other objects without manually having to look for them.