.Damage File Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

This article aims to help you remove Damage ransomware virus from your computer and hopefully restore the encrypted files with .damage extension.

A ransomware virus which encrypts the files on the computers it infects has been detected by malware researchers. The strain is dubbed Damage, because that is the file extension it appends once it has rendered the files on infected computers unopenable. The virus then demands a ransom, to be arranged by contacting the cyber criminals via e-mail to obtain the decryption key. If you have become a victim of Damage ransomware, read this article to help you try to get the files back.

files and removing the virus. Keep reading this article to find out how to perform the removal and what your options are regarding encrypted files.

Threat Summary

Short Description: The virus encrypts files on the compromised computer and leaves an instructions file on how to contact the e-mail [email protected] to get them back.
Symptoms: Files are encrypted with an added .damage file extension and can no longer be opened. A text file appears with “[email protected]” in its name.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript, or a drive-by download of the malware itself in an obfuscated manner.

How Does Damage Ransomware Attack

Malware analysts have outlined several possible scenarios in relation to this ransomware infection. The most likely scenario is that this ransomware infection utilizes advanced tools, such as PTH (pass the hash) techniques as well as modified TeamViewer, PuTTY, mRemoteNG, TightVNC and several others. The Damage virus may take advantage of these tools for a single purpose: to connect remotely (RDP) to both Windows workstations and servers through unsecured ports.

Another likely scenario is that this ransomware infection uses e-mail spam to spread and cause damage. Such spam messages are usually crafted to deceive users into opening a malicious e-mail attachment, typically by claiming that it is an important invoice. Once the user opens the attachment, the infection may take place and the virus may connect to a remote C2 server and download the Damage ransomware payload.

Damage Ransomware – Further Analysis

Once an infection with Damage ransomware takes place, the virus may download its payload. It consists of:

  • A randomly named .tmp.exe file.
  • A text file with the [email protected] e-mail address plus the user name of the victim PC in its name.

The Damage virus may drop these files in multiple Windows folders of importance:

  • %Startup%
  • %AppData%
  • %Temp%
  • %Local%
  • %LocalLow%

In addition to dropping the files, Damage ransomware may also automatically start the encryption module, believed to be the .tmp.exe file. This module is preconfigured to render the files unopenable by overwriting bytes of those files. Damage ransomware is also reported to attack only a specific set of file types:

  • Microsoft Office documents.
  • Documents related to Adobe Reader.
  • Database files.
  • Image files.
  • Archives.
  • Audio files.
  • Video files.

After the encryption process by Damage ransomware is complete, the virus makes the files look like the following:

[Screenshot: encrypted files with the added .damage extension]

But this is not all the Damage virus does. The threat may also run an administrative Windows command that deletes backups as well as shadow volume copies from the infected machine. The command used is vssadmin:

[Screenshot: the vssadmin command]

At the end of the encryption, this ransomware drops a text file with the following content:

{part of a decryption key}
end of secret_key
To restore your files – send e-mail to [email protected]
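The indicators described above (files with the added .damage extension, a text ransom note carrying an e-mail address in its name, a randomly named .tmp.exe payload in user-writable folders) lend themselves to a read-only triage pass before any cleanup. The script below is an added example, not the article's or the malware's code; because the attacker address is redacted on this page, the constructed sample tree uses a placeholder address and user name.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the write-up: encrypted files get an added ".damage"
# extension, the ransom note is a text file with the attacker e-mail in its
# name, and a randomly named ".tmp.exe" payload lands in user-writable folders.
DAMAGE_EXT = ".damage"
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")  # e-mail-like token

def triage_tree(root):
    """Read-only walk of `root`; returns paths grouped by indicator class."""
    hits = {"encrypted": [], "notes": [], "payloads": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(DAMAGE_EXT):
                hits["encrypted"].append(path)
            elif lower.endswith(".txt") and EMAIL_IN_NAME.search(name):
                hits["notes"].append(path)
            elif lower.endswith(".tmp.exe"):
                hits["payloads"].append(path)
    return hits

def original_extensions(encrypted_paths):
    """Count original file types, e.g. 'report.docx.damage' -> '.docx'."""
    exts = Counter()
    for p in encrypted_paths:
        stem = os.path.basename(p)[:-len(DAMAGE_EXT)]
        exts[os.path.splitext(stem)[1].lower() or "(none)"] += 1
    return exts

def run_demo():
    """Constructed sample tree (placeholder names, not real infection data)."""
    base = tempfile.mkdtemp()
    for rel in ("Documents/report.docx.damage", "Documents/photo.jpg.damage",
                "Documents/notes.txt",                          # clean file, ignored
                "Documents/restore@example.invalid_alice.txt",  # note, placeholder address
                "AppData/Local/Temp/k3j9xq.tmp.exe"):           # dropped payload
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
    hits = triage_tree(base)
    return hits, original_extensions(hits["encrypted"])
```

Run `triage_tree` against a user profile and copy the "encrypted" paths aside before starting removal; the extension counts show which of the targeted document types were actually hit.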

Remove Damage Ransomware and Restore Encrypted Files

For starters, before attempting any removal of Damage ransomware yourself, we recommend copying the encrypted files to another location on your computer. After this, it is advisable to follow the removal steps mentioned below. They are organized step by step to help you take care of the removal process either manually or automatically. The best way to remove Damage ransomware, however, is automatically, by using advanced anti-malware software, which will not only detect all associated files and changed settings and remove them, but also protect your computer actively.

Regarding the restoration of the encrypted files, at the moment there is no official working decryption tool for this iteration of Damage ransomware. However, do not despair: you may want to attempt to restore some of your files by trying out the alternative tools in step “2. Restore files encrypted by Damage” below. Bear in mind that they in no way guarantee you will get the data back, but users have reported on our forums that they managed to restore at least some of their files; then again, it really depends on the situation.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
