.Fake Files Ransomware - How to Remove and Restore Encrypted Data

.Fake Files Ransomware – How to Remove and Restore Encrypted Data

This article aims to help you by showing you how to remove the .fake file extension using ransomware and restore files that have been encrypted by this infection on your PC without having to pay ransom.

New ransomware virus, using the .fake file extension has been detected by malware researchers. The virus aims to encrypt the files on the computers which are infected by it, more importantly files that are often used (documents, music, video files, etc.) and then add the .fake suffix to the encrypted files. Then, the .fake files virus drops a notification, called “!!!!! Your personal files are now encrypted !!!!!” which aims to lead the victim to a TOR-based website, that has further demands from the victim, in particular how to pay a hefty ransom fee in order to get the criminals behind this virus to decrypt the encoded files. In order to learn how to remove this ransomware infection and how to restore your encrypted files, we recommend reading the following article.

Threat Summary

Name.fake File Ransomware
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on your computer and then asks for a payoff to decrypt them.
SymptomsAdds the .fake file extension to the encrypted files.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .fake File Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .fake File Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.fake Files Ransomware – Infection

There may be multiple methods by which the malicious files of the .fake files virus may be slithered onto your computer. The main one, which accounts for more than 80% of the infections with ransomware viruses worldwide is via malicious e-mail spam messages. These messages often contain e-mail attachments that are embedded within them and these attachments often contain loaders, droppers or downloaders which all aim to:

  • Connect to the malicious sites of the cyber-criminals.
  • Serve as an extractor and extract the files, which are embedded in it.
  • Infect via macros.

The malicious file is often masked as a fake document or a seemingly legitimate file to “hack” you into believing it’s trustworthy and get you to open it. These files can be fake installers of programs or other types of programs which are uploaded on suspicious websites.

The spam e-mail messages may contain one or more malicious e-mail attachments embedded within them and generally appear like they are from UPS, FedEx or other legitimate company. They often appear in the following format:

.fake Files Virus – More Information

Once your computer has been infected by the .fake files, virus it’s malicious files may be situated on your computer system. The primary one, related to them has been reported by malware researchers to have the following parameters:

In addition to this, the file may also drop several other files on your computer by downloading them from a remote host, which eventually results in the virus having files in the following Windows folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

After the malicious files of the .fake files virus have already been dropped on your PC, the virus may begin it’s malicious activity, starting with possibly adding Windows Registry values with data in them in the following Windows Registry sub-keys:

  • Run
  • RunOnce

After having modified the sub-keys of the infected PC, the .fake files virus may also delete the shadow volume copies of the infected computer. This may happen if the virus obtains administrative permissions on your computer after which uses those in order to execute the following commands as an administrator on your computer:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Then, the virus sets a ransom note on the infected computer which may appear like the following:

Text from image:

If you see this message it means you have 24 hours to send 0.1 BTC to the following address or your files will be encrypted forever

All files with the following extensions have been encrypted: .jpg .png .gif .tif. .avi .mp4 .xls .xlsx .doc .docx .pptx .pdf .txt .csv
Time Remaining:

Researchers believe that based on the ransom note, this virus may be the same malware as the .lol file extension ransomware, only another variant.

.fake Files Virus Encryption

For the encryption process, this ransomware has been reported to encrypt the following files if it detects them on your computer:

  • Microsoft Office Word documents.
  • Microsoft Excel documents.
  • Movies and videos.
  • Microsoft Office PowerPoint documents.
  • Adobe .PDF files.
  • Text documents.
  • Images.
  • GIF animations.
  • Photoshop files.

As soon as it detects that you have such files on your computer system, the .fake files ransomware encrypts those files, adding the .fake file extension to them. The files can no longer be opened and look like the image below:

After encryption, .fake ransomware may send the decryption key to the cyber-criminals, making them the only ones with a decryptor do directly and swiftly decrypt your files. That is, unless malware researchers design a decryption method for these viruses using exploits in the ransomware itself.

Remove .fake Files Ransowmare and Restore Your Files

In order to remove this infection completely from your computer system, recommendations are to follow the removal instructions below. They have been created in order to help you delete the virus files either manually or automatically. For maximum effectiveness during the removal process, recommendations are to remove the .fake files ransomware automatically using an advanced anti-malware software, which will not only remove all malicious files related to the fake files virus, but will also protect your computer against future infections as well.

Furthermore, in addition to simply removing .fake ransomware, you can use step “2. Restore files encrypted by .fake Ransomware” below in order to attempt and recover at least a portion of your files without paying ransom. Even though the methods for recovery are indirect, some users have stated on our forums of recovering more than a half of their encrypted files using those tools.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share