.everbe Files Virus – How to Remove and Restore Encrypted Data

.everbe Files Virus – How to Remove and Restore Encrypted Data

This article has been created in order to explain what is .everbe ransomware virus and how to remove it from your computer plus how to restore files, encrypted by it without having to pay the ransom.

The .everbe files virus is the type of ransomware infection which was recently detected by cyber-security experts to download various different types of malicious files on infected computers and run them with the end goal to “lock” the files on the infected PCs by it. This process is known as encryption and after it has finished the files on the encrypted computer can no longer be opened and the .everbe files virus drops a !=How_recovery_files=!.txt file, asking victims to pay a hefty ransom fee in order to get the files decrypted and working again. If your computer has been infected by the .everbe files virus, recommendations are to read the following article and learn how to remove this ransomware and restore the files, encrypted with the .everbe file extension.

Threat Summary

Name.everbe Files Virus
TypeRansomware, Cryptovirus
Short DescriptionThe .everbe files virus encrypts the files on the infected computer and drops a ransom note type of file, demanding a hefty ransom fee via negotiation with the crooks on their e-mail – everbe@airmail.cc.
SymptomsFiles are encrypted with the .everbe file suffix and the virus drops a ransom note file, called !=How_recovery_files=!.txt
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .everbe Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .everbe Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update June 2018: A decryptor has been released for all variants of Everbe ransomware and can be found on the following Bleeping Computer – provided link.

How Does .everbe Files Virus Infect Computers

In order to propagate on the computers of victims, the .everbe ransomware infection aims to trick inexperienced victims to open it’s malicious types of files on the computer of victims. This can happen both passively and actively. If the hackers are not lazy, they use more active methods, such as sending spammed e-mail messages to victimized computers, whose primary purpose is to lie that they are legitimate. The e-mails often pretend as if they come from big companies, like:

  • PayPal.
  • DHL.
  • FedEx.
  • LinkedIn.
  • Facebook.

In addition to this, the ransomware virus may also infect victims via passive methods, such as upload fake files on torrent sites and software download websites, like:

  • Setups of programs.
  • Game patches or cracks.
  • Key generators.
  • Software license activators.

.everbe Files Virus – More Information

As soon as the .everbe files virus has infected your computer, the ransomware aims to drop it’s malicious payload on the computers of victims. This may result in various different types of files with often random names or names that imitate software to begin existing on the computers of victims. The files are believed to be located in some of the following Windows directories and the virus may either extract them offline or connect to a remote server to download them on the computer of the victim:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%

As soon as .everbe files virus has dropped it’s malicious files on the victim’s computer the virus may begin it’s malicious activity, which usually involves:

  • Interacting with mutexes.
  • Touching Windows system files.
  • Adding Windows registry entries with nefarious data, which makes the malicious files run automatically on system start.
  • Deleting system backups and saved shadow copies.
.everbe files virus may create registry entries with data which points to the actual location of the malicious file or the location of the ransom note in the Run and RunOnce sub-keys. The strings may be located in the following sub-keys:


The virus also drops it’s ransom note, called !=How_recovery_files=!.txt. It has the following contents:

Hi !
If you want restore your files write on email – everbe@airmail.cc
In the subject write – id-{custom ID}

In addition to this, the .everbe file ransomware may also run a script which executes the following commands as an administrator in Windows Command Prompt:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

.everbe Files Virus – How Does It Encrypt Files

In order for this ransomware infection to encrypt the maximum amount of files without damaging Windows, it may use the so called blacklist of folders in which it scans for files. Such list does not include important Windows folders, so that the infected computer is still usable and has internet. The types of files which the .everbe ransomware virus may scan for to encrypt may be the following:

→ .psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

If the files on the victim’s computer have the file extensions which the virus scans for, the .everbe file suffix is implemented to them along with the e-mail of the cyber-criminals and the files become encrypted. Their encryption process results in them beginning to appear like the following:

Remove .everbe Ransomware Completely Your Computer and Restore Files

In order to remove this ransomware from your computer, recommendations are to follow the removal instructions underneath this article. They have been created in order to help you by showing you how to remove the .everbe ransomware either manually or automatically from your computer system. For maximum effectiveness, malware researchers strongly advise victims to remove this ransomware infection automatically by downloading an advanced anti-malware software which will make sure to scan for and remove all of the related files to this ransomware infection.

In addition to this, the .everbe ransomware virus encrypts your files, so if you want to try and recover the files which have been encrypted on your computer, we advise that you try the alternative methods underneath this article in step “2. Restore files, encrypted by .everbee Ransomware”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share