.IMSORRY Ransomware Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.IMSORRY Ransomware Virus (Restore Files)

This article has been created in order to show you how to remove ImSorry ransomware and restore AES encrypted files with the .imsorry file extension.

A ransomware virus that encrypts files with the AES algorithm and demands a $500 ransom payoff in BTC in order to get the encrypted files decoded. The virus is called ImSorry, since the file extension and its ransom note carry the same name. In addition to this, the virus also drops a ransom note, named Read me for help thanks.txt, in which it gives instructions on how to pay the fee to get the files recovered. In case you have been infected by this ransomware virus, we suggest that you read the following article.

Threat Summary

Name: ImSorry Virus
Type: Ransomware, Cryptovirus
Short Description: The ransomware virus aims to perform different activities on the compromised computers, including extorting its owner for the files on it.
Symptoms: Files are AES encrypted with the .imsorry file extension added. The ransom note is named Read me for help thanks.txt. One more ransom note, named Im Sorry
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.imsorry File Virus – How Does It Infect

The infection process of this ransomware virus relies primarily on a combination of different tools used to spread spam or to upload the malware online as a file that only seems legitimate. The tools that could be used may vary:

  • Exploit kit for the infection.
  • Malware obfuscators.
  • Spam bots or spamming services.
  • Loaders or Trojans.
  • Domains which are converted into distribution sites.

These techniques and tools altogether may be used to spread the malicious files of the .imsorry ransomware virus via spam e-mails sent with deceptive messages. The e-mails may either contain malicious e-mail attachments or web links that lead to the download of such attachments.

Other locations where the virus can have its malicious files uploaded are suspicious software download sites, compromised torrent sites, or fake updates of Java or Adobe Flash Player. Its infection may also be caused via a web injector as a result of a malicious browser redirect. Such redirects are usually caused if you have an ad-supported suspicious PUA (potentially unwanted application) on your computer.

More Information about ImSorry Ransomware

As soon as an infection by this ransomware virus takes place, in one way or another, malicious files, such as its primary infection file, may be dropped on the compromised computer. The primary file has a random name, as reported on VirusTotal.com:

Besides this file, other support modules, which may be temporary files or .dll files, may be dropped in other Windows directories, like the following:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Local%
  • %LocalLow%

After this has completed, the ransomware virus may modify the registry entries on the compromised computer, more specifically by adding custom value strings. It may attack the Run and RunOnce registry sub-keys and add strings to them that make the malicious executable of ImSorry ransomware run automatically. The sub-keys have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

After this has been completed, the ransomware infection aims to perform multiple different actions to prevent any data recovery from Windows backups. One of those is to delete the shadow volume copies, possibly by executing a script that enters the following administrative Windows Command Prompt commands:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
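As an added example (not code from the original article), the following Python script shows how a defender could flag the recovery-tampering commands listed above and the Run/RunOnce autorun persistence described earlier, by scanning process-creation and registry-change log lines. The pipe-separated log format, the sample lines and the path C:\Users\alice\AppData\Roaming\kqzlm.exe are constructed for the example and are not indicators from the article.

```python
import re
from typing import Iterable, List, Tuple

# Recovery-tampering commands named in the article (vssadmin, bcdedit) and the
# WMIC "process call create" launcher; each pattern is a separate finding.
RECOVERY_TAMPER_PATTERNS = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bootstatus-ignore", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wmic-process-spawn", re.compile(r"process\s+call\s+create", re.I)),
]

# Drop directories listed in the article; an autorun value pointing into a
# user-writable location is far more suspicious than one under Program Files.
USER_WRITABLE_DIRS = re.compile(r"\\(?:AppData|Roaming|Temp|Local|LocalLow)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)

RECOVERY_FINDINGS = {"shadow-copy-deletion", "recovery-disabled", "bootstatus-ignore"}


def classify_process_event(cmdline: str) -> List[str]:
    """Return the names of every recovery-tampering pattern matched by a command line."""
    return [name for name, pattern in RECOVERY_TAMPER_PATTERNS if pattern.search(cmdline)]


def classify_registry_event(key_path: str, value_data: str) -> List[str]:
    """Flag Run/RunOnce values; escalate when the target lives in a user-writable directory."""
    findings: List[str] = []
    if RUN_KEY.search(key_path):
        findings.append("autorun-set")
        if USER_WRITABLE_DIRS.search(value_data):
            findings.append("autorun-from-user-writable-dir")
    return findings


# Constructed sample log (assumption): "<event type>|<subject>|<detail>" per line.
# PROCESS lines carry the image path and command line; REGISTRY lines carry the
# value path and the data written. None of these are real telemetry.
SAMPLE_LOG = """\
PROCESS|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
PROCESS|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
PROCESS|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
PROCESS|C:\\Windows\\System32\\notepad.exe|notepad.exe "Read me for help thanks.txt"
REGISTRY|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|C:\\Users\\alice\\AppData\\Roaming\\kqzlm.exe
REGISTRY|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe
"""


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, findings) for every line that triggered at least one finding."""
    alerts: List[Tuple[int, List[str]]] = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line:
            continue
        kind, subject, detail = line.split("|", 2)
        if kind == "PROCESS":
            findings = classify_process_event(detail)
        elif kind == "REGISTRY":
            findings = classify_registry_event(subject, detail)
        else:
            findings = []
        if findings:
            alerts.append((lineno, findings))
    return alerts


def recovery_tamper_score(alerts: List[Tuple[int, List[str]]]) -> int:
    """Count distinct recovery-tampering techniques seen; two or more on one host is a strong ransomware signal."""
    seen = set()
    for _, findings in alerts:
        seen.update(f for f in findings if f in RECOVERY_FINDINGS)
    return len(seen)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for lineno, findings in found:
        print(f"line {lineno}: {', '.join(findings)}")
    print(f"recovery tampering techniques seen: {recovery_tamper_score(found)}")
```

The "autorun-set" finding on its own is informational (legitimate software sets Run values too); the combination of an autorun pointing into %AppData% or %Temp% with any of the three recovery-tampering commands is what merits an alert.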

In addition to those activities, the ImSorry ransomware virus also drops its ransom note on the compromised computer. This ransom note is responsible for bringing the user closer to the end goal of the cyber-criminals: paying the ransom. The note comes in two files, a program and a text file named Read me for help thanks.txt. When opened, the program displays the following pop-up:

Ransom Text:

“Im Sorry
Hello. I hate to inform you but your files have been encrypted.
To get them back you must pay me a small fee.
Instructions are buy BTC then pay me then ill simply give you. your encryption key.
Step 1.
Make a account here
Step 2.
Buy bitcoin
Use one of the trade centers below to recieve bitcoin to pay me off
Step 3.
Send the payment of 500 USD to the ETC address below
then I’ll give you the key.
Places you can read about bitcoin
You have 3 weeks to pay else i might delete the key ori might just give you the key idk
Be sure you put your btc address in the box below as this is how i track payments.
if you fuck around ill delete your key.
Once again.Sorry

{I‘ve Paid button}
BTC Address: EDENrogéErfié‘BSfizzEEEZfiifiE?k-
Your Address: Your address goes here to check payment
Decrypted: 0
Failed: 0”

ImSorry Ransomware – Encryption Process

The encryption performed by the ImSorry ransomware virus uses one of the modes of operation compatible with the AES encryption algorithm. The AES cipher itself runs 10, 12 or 14 rounds (passes), with 14 rounds used by the AES-256 cipher. Encryption replaces segments of plaintext data with ciphertext data, after which the file can no longer be opened. For the encryption process, the ImSorry ransomware virus targets specific files and is careful to avoid Windows system files whose encryption would damage the OS. The targeted files may be of the following file types:


After the encryption process has completed, the ImSorry ransomware appends the .imsorry file extension to the files that have been encrypted:
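As an added example, not code from the original article, the following Python script performs the first triage step a responder would want after an infection: it inventories the files carrying the .imsorry extension and the Read me for help thanks.txt ransom notes under a directory tree, and uses Shannon entropy to separate files whose contents were actually encrypted (AES output sits close to 8 bits per byte) from files that only had the extension appended. The 7.0 bits/byte threshold, the 64 KB sampling window and the constructed sample directory tree are assumptions made for this example.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".imsorry"                  # extension named in the article
RANSOM_NOTE = "Read me for help thanks.txt"  # note file name named in the article
ENTROPY_THRESHOLD = 7.0   # assumption: bits per byte; AES ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024  # assumption: read at most 64 KB per file for the estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> Dict[str, List[str]]:
    """Inventory ransomware artefacts under root; all paths are returned relative to root."""
    root = Path(root)
    encrypted: List[str] = []
    renamed_only: List[str] = []
    notes: List[str] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            notes.append(rel)
        elif path.suffix.lower() == ENCRYPTED_EXT:
            with path.open("rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            # High entropy: contents look encrypted. Low entropy: the extension was
            # appended but the original bytes are still there (heuristic, not proof).
            (encrypted if entropy >= ENTROPY_THRESHOLD else renamed_only).append(rel)
    affected_dirs = sorted({Path(p).parent.as_posix() for p in encrypted + notes})
    return {
        "encrypted": sorted(encrypted),
        "renamed_only": sorted(renamed_only),
        "notes": sorted(notes),
        "affected_dirs": affected_dirs,
    }


def build_sample_tree(root) -> None:
    """Constructed sample tree standing in for a victim's home directory (not real data)."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "pictures").mkdir()
    rng = random.Random(42)  # deterministic pseudo-random bytes stand in for AES ciphertext
    (root / "docs" / "report.docx.imsorry").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "docs" / "notes.txt.imsorry").write_bytes(b"The quick brown fox jumps over the lazy dog. " * 100)
    (root / "docs" / RANSOM_NOTE).write_text("Im Sorry\nHello. I hate to inform you but your files have been encrypted.\n")
    (root / "pictures" / RANSOM_NOTE).write_text("Im Sorry\n")
    (root / "pictures" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 512)  # untouched file


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```

Run it against a real mount point by calling triage() on that path instead of the temporary tree; the "renamed_only" list is worth checking first, because those files can often be restored by simply removing the appended extension, while the "encrypted" list is what a decryption key or a backup would have to cover.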

Remove ImSorry Ransomware and Restore .imsorry Encrypted Files

Before beginning the removal process of the .imsorry ransomware virus, it is strongly advisable to focus on backing up your files.

For the removal process of ImSorry ransomware, recommendations are to follow the steps from the removal instructions below. They are specifically designed to help you remove the malicious files of the ransomware virus either manually or automatically. Security experts strongly advise users to focus on downloading an advanced anti-malware software which will automatically scan for and remove all malicious files and objects related to ImSorry ransomware.

For the restoration of your files, we would advise you to follow the alternative file recovery instructions below in step “2. Restore files encrypted by ImSorry” below. These instructions may not be 100% effective, but they may help you in recovering a big part of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
