Hello, have you tried the instruction steps from this video: https://www.youtube.com/watch?v=bsn8_-j0ZJU&t=0s

It is not about SafeFinder, but the instructions are basically the same. Try them and let me know if you have any questions.

Best Regards,
never

Hello, in order to provide further support, we have created the following video, which contains manual and automatic removal instructions within it. Do not hesitate to ask us any questions by commenting here or under the video itself.

https://youtu.be/2hrNbk1xNb8

Hello, buddy.

There is one thing you can do, but it is purely theoretical. If you haven't removed the virus, you can try sniffing out the traffic from the infection file to hopefully find the decryption key while it is being sent to cyber-criminals. Here is more info on this:

http://sensorstechforum.com/find-decryption-key-files-encrypted-ransomware/

The downside of this method is that you have to be infected with Cerber and know how to sniff network traffic. Another downside is that the traffic is usually encoded in another format and even if there is a key, the cyber-criminals may have thought about obfuscating that as well.

Another method that you can attempt is try absolutely every single decryptor. But to do this you have to copy the encrypted files to a flash drive for example and test decryption tools only on copied files, because they may break the files indefinitely in case you are attempting to tamper with their structure (like a trap). Here are some free decryption tools and do not use them on the original files, please:

http://support.kaspersky.com/viruses/utility

https://decrypter.emsisoft.com/

There is also another option, but I am not sure that it can work. If you know what System Restore is and if you have set restore points on earlier time on your computer, you could attempt to restore it back to before the infection, but bear in mind that everything you have done after the infection may dissappear, so back it up. Technically System Restore only restores certain aspects of your PC, but not all of it. I am not sure but if your files are encrypted, they theoretically have modified settings on them. If System Restore brings back the old configuration and settings before the encryption(If you have set a restore point), you may succeed in restoring some documents. Here is full info on system restore thanks to howtogeek.com:

https://www.howtogeek.com/howto/windows-vista/using-windows-vista-system-restore/

Other than that, our team is actively researching for a universal solution against this problem, besides backup and we are yet to find one.

By the way, in the future, if you see malicious e-mails please check the attachments before opening them online. Here is one website that can help you with that:

ZipeZip.com

Before you open an attachment next time, simply upload it on this site. If it detects a virus, do not open the attachment. This is a very good and free way to protect yourself, but you have to make it your habit.

Best Regards and best of luck,

"never"

CryptoShield is a ransomware virus spotted in the beginning of 2017 and since it came out has infected numerous systems. The virus encrypts files, adding the .CRYPTOSHIELD file extension. The files are encoded in ROT-13 mode with AES-256 algorithm and in addition to this, the ransomware virus also drops two ransom notes named # RESTORING FILES #.txt and # RESTORING FILES #.html. For the moment, there is no free decryption available, but work is being done to find gaps in the code and hence make a breaktrought.



This is an open support topic, regarding the CryptoShield Ransomware. If you want to ask questions on the matter, leave your opinion or simply ask for assistance, do not hesitate to write. We will make sure we reply objectively.

Turns out a new variant of Dharma ransomware*  has just been discovered,  using the .zzzzz file extension, just like Locky ransowmare does. So far, undecryptable but you can try using data recovery software as an alternative method to restore at least small portion of the data.

Radxlove7@india.com is the e-mail address associated with a newly discovered crypto-infection variant. So far, malware researchers believe that this virus is a part of the .XTBL ransomware variants containing the @india.com e-mail addresses as extensions.  Malekal forum researchers have also discovered the following files to be associated with this virus:

C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

The copies of the files in the %Startup% directory clearly indicate that Radxlove7@india.com ransomware runs on startup. After encrypting the files, this virus may leave them unopenable by any program with the following file extension:


Filename.jpg.id-{unique id}-Radxlove7@india.com.xtbl

In case you have encountered file encrypted by this virus on a PC and the ransom notes opening on startup, you should immediately try to intercept any traffic that is outgoing on startup and hopefully recover the decryption key. Here are instructions on how to perform this:

Find Decryption Key of Files Encrypted by Ransomware

In case you manage to discover the key, send it to us and we will research methods to decrypt the files and hopefully decode them.

This is an open forum topic and I urge anyone who will be pariticipating to input ideas, ask questions and share experience and technical details about Radxlove7@india.com ransomware. We will try to respond as soon as we see your reply.

Hello, Jsan

At the present moment I do not see any viable direct solution. It is unfortunate that you have deleted this virus, because you could have used a method also known as network sniffing to try and intercept any information that can be sent out to the cyber-criminals, like the decryption keys, for example. Either way, you may want to give a try to some of Kaspersky's decrypters. But bear in mind that this is a risky thing because you tamper directly with the files and If they have a so called CBC mode, sort of "file protection", that breaks the files when you try to decrypt them, you may lose your files forever. Either way, you can try using Kaspersky's decryptors, starting with Rannoh decryptor - here is the link for download:

Kaspersky Utilities


But if you are going to try using the decryptors, I advise you to set your PC to stay turned on and not automatically shut down. This is how to do it:

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2:The mighty Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put computer to sleep” to “Never” from the drop down minutes menu.
Step 4: Click on “Change Advanced Plan Settings” and click to expand the “Hard Disk” option in the list there.
Step 5: From there, set the power settings (On Battery and Powered On) to “Never”.

Now, you should configure your PC to start decrypting Cerber ransomware’s files. Bear in mind that the process may take a lot of time so arm yourself with patience.

Hi again, Josiegard

Thanks for asking. On this web link can find detailed information on the commands that will help you create a file that will autorun on startup. Here are the commands to enter in the text document. Pay attention to the "-W" which is for capturing packets. Make sure that the files you saved as .pcap file types so that you can open them for anallyzing with Wireshark later on: