Remove OpenToYou Virus and Decrypt Files

This article will help you remove the OpenToYou virus and decrypt your data. Follow the ransomware removal guide at the end of the article.

OpenToYou is the name of a ransomware virus written in the Delphi programming language. It encrypts your files with the RC4 (Rivest Cipher 4) stream cipher and appends the [email protected] extension once encryption is complete. Afterward, the OpenToYou cryptovirus displays a ransom note. Read on to see how you can decrypt your files.

Threat Summary

Short Description: The ransomware encrypts files on your computer with the RC4 algorithm and displays a ransom message after the process is finished.
Symptoms: The ransomware encrypts your files and appends the [email protected] extension to all of them.
Distribution Method: Spam emails, email attachments

OpenToYou Virus – Distribution Ways

The OpenToYou virus can be distributed in several ways. The payload file, which runs the ransomware's malicious code and in turn infects the computer, has been seen in the wild. The VirusTotal analysis of that same executable is shown in the snapshot below (image not reproduced in this text):

The OpenToYou payload could also be spread through social media networks and file-sharing services for wider reach. Many freeware programs are promoted on the Internet as useful but may hide the malicious code of this virus. Do not open files immediately after downloading them, especially ones from suspicious sources such as email attachments and links. Scan them with a security program first, and check their size and digital signature for anything out of the ordinary. See also the ransomware prevention tips in the corresponding forum topic.

OpenToYou Virus – Technical Information

OpenToYou is a ransomware cryptovirus. It encrypts files on the computer and appends the same extension to each of them when the process is complete. The RC4 encryption algorithm is used. The virus is written in the Delphi programming language, like other ransomware such as Telecrypt.

OpenToYou ransomware may create entries in the Windows Registry to achieve persistence. Such entries are typically designed to launch the virus automatically at each boot of the Windows operating system.

The ransom note is stored in a file called !!!.txt, and the same message is shown on a lock screen once encryption is done. Some files connected to the ransomware are placed in the directory C:\Logs\. The note and the lock screen share the same short text (screenshot not reproduced in this text):

That ransom note reads the following:

Your files are encrypted!
To decrypt write on email – [email protected]
Identification key – 5E1C0884

The cyber crooks have kept the ransom note short, but a short note can still be effective. Whatever you do, you should NOT contact the criminals under any circumstances. They will only try to negotiate a price for unlocking your data, and nothing guarantees that you will get your files back after paying. Keep in mind that paying them funds more ransomware and other criminal activity. Also, this ransomware is decryptable and a solution already exists, so keep reading to find out how to decrypt your files for free.

Directories which will be skipped and not get encrypted are the following:

  • C:\$Recycle.Bin
  • C:\Logs
  • C:\Users\All Users
  • C:\Windows
  • C:\ProgramData
  • C:\Program Files
  • C:\Program Files (x86)
  • C:\nVidia
  • C:\Intel
  • C:\Boot
  • C:\bootmgr
  • C:\PerfLogs
  • C:\Drivers
  • C:\MSOCache
  • C:\Program instal

The algorithm used to encrypt the files is RC4, a.k.a. Rivest Cipher 4, named after its designer Ron Rivest. RC4 is a stream cipher, so decryption is the same operation as encryption with the same key; whether victims can recover their data depends on how the key is generated and stored, not on the algorithm itself. The OpenToYou ransomware searches for and encrypts files with the following extensions:

→.3ds, .3fr, .4db, .7z, .7zip, .accdb, .accdt, .aes, .ai, .apk, .arch00, .arj, .arw, .asset, .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .bkf, .bkp, .blob, .bpw, .bsa, .cas, .cdr, .cer, .cfr, .cr2, .crp, .crt, .crw, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dba, .dbf, .dbx, .dcr, .der, .desc, .dmp, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dwfx, .dwg, .dwk, .dxf, .dxg, .eml, .epk, .eps, .erf, .esm, .ff, .flv, .forge, .fos, .fpk, .fsh, .gdb, .gho, .gpg, .gxk, .hkdb, .hkx, .hplg, .hvpl, .ibank, .icxs, .idx, .ifx, .indd, .iso, .itdb, .itl, .itm, .iwd, .iwi, .jpe, .jpeg, .jpg, .js, .kdb, .kdbx, .kdc, .key, .kf, .ksd, .layout, .lbf, .litemod, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .max, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mlx, .mov, .mp3, .mp4, .mpd, .mpp, .mpqge, .mrwref, .myo, .nba, .nbf, .ncf, .nrw, .nsf, .ntl, .nv2, .odb, .odc, .odm, .odp, .ods, .odt, .ofx, .orf, .p12, .p7b, .p7c, .pak, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .pgp, .pkpass, .png, .ppj, .pps, .ppsx, .ppt, .pptm, .pptx, .prproj, .psd, .psk, .pst, .psw, .ptx, .py, .qba, .qbb, .qbo, .qbw, .qdf, .qfx, .qic, .qif, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .saj, .sav, .sb, .sdf, .sid, .sidd, .sidn, .sie, .sis, .sko, .slm, .snx, .sql, .sr2, .srf, .srw, .sum, .svg, .sxc, .syncdb, .t12, .t13, .tar, .tax, .tbl, .tib, .tor, .txt, .upk, .vcf, .vdf, .vfs0, .vpk, .vpp_pc, .vtf, .w3x, .wallet, .wb2, .wdb, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xml, .xxx, .zip, .ztmp

All of the files that become encrypted will receive the same extension appended to them, which is [email protected].
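To make the skip list and the extension list above concrete, here is an added Python example (not code from the article or from the malware) that walks a directory tree standing in for the system drive and reports which files would have been encrypted: directories in the skip list are pruned so the walk never descends into them, matching is case-insensitive as on Windows, and only the targeted extensions count. The sample tree is constructed inline, and the extension set is a subset of the list above; the full list drops in unchanged.

```python
import os
import tempfile
from pathlib import Path

# Directories OpenToYou skips, as listed in the article (relative to the drive root).
SKIPPED_DIRS = [
    "$Recycle.Bin", "Logs", "Users/All Users", "Windows", "ProgramData",
    "Program Files", "Program Files (x86)", "nVidia", "Intel", "Boot",
    "bootmgr", "PerfLogs", "Drivers", "MSOCache", "Program instal",
]

# Subset of the targeted extensions from the article's list.
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".zip", ".kdbx", ".pst", ".sql", ".py"}


def is_skipped(rel_path) -> bool:
    """True if rel_path (relative to the drive root) lies under a skipped directory.
    Windows paths are case-insensitive, so path components are compared casefolded."""
    parts = [p.casefold() for p in Path(rel_path).parts]
    for skip in SKIPPED_DIRS:
        skip_parts = [p.casefold() for p in Path(skip).parts]
        if parts[:len(skip_parts)] == skip_parts:
            return True
    return False


def would_be_encrypted(rel_path) -> bool:
    """A file is a target only if it is outside every skipped directory AND its
    extension is in the target set (extension match is case-insensitive too)."""
    if is_skipped(rel_path):
        return False
    return Path(rel_path).suffix.casefold() in TARGET_EXTS


def scope(root) -> list:
    """Walk a tree standing in for C:\ and return, sorted, the relative paths
    OpenToYou would have encrypted. Skipped directories are pruned from the walk."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # prune in place: os.walk will not descend into the dropped names
        dirnames[:] = [d for d in dirnames if not is_skipped(rel_dir / d)]
        for name in filenames:
            rel = rel_dir / name
            if would_be_encrypted(rel):
                hits.append(rel.as_posix())
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample tree (not real victim data) mimicking a Windows system drive."""
    root = Path(tempfile.mkdtemp())
    files = [
        "Users/alice/Documents/report.docx",   # hit
        "Users/alice/Pictures/IMG_0001.JPG",   # hit: .JPG matches .jpg
        "Users/alice/passwords.kdbx",          # hit
        "Users/All Users/settings.txt",        # skipped directory
        "windows/system32/drivers/etc/hosts",  # skipped (case-insensitive)
        "Program Files/App/readme.txt",        # skipped directory
        "Program Files (x86)/App/data.sql",    # skipped directory
        "Logs/log.txt",                        # the ransomware's own directory is skipped
        "Users/alice/tool.exe",                # extension not targeted
    ]
    for f in files:
        p = root / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root


if __name__ == "__main__":
    for hit in scope(build_sample_tree()):
        print(hit)
```

Note that the skip list only protects paths directly under the drive root: a user profile such as Users\alice is not covered even though Users\All Users is, which is exactly why user documents are the files that get hit.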

The OpenToYou cryptovirus very likely deletes the Shadow Volume Copies on Windows with the following command, so that the built-in Previous Versions feature cannot be used to restore files (the command only succeeds from an elevated, administrator-level process):

→vssadmin.exe delete shadows /all /Quiet
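As an added example (not from the article), the following Python detection logic runs over a few constructed process-creation records shaped like the Sysmon Event ID 1 / Security Event 4688 fields and flags shadow-copy deletion regardless of letter case, argument order, or whether vssadmin was launched through cmd.exe. The parent-path heuristic is an assumption for illustration, not something the article states about OpenToYou.

```python
import re

# Constructed sample process-creation records (not real telemetry). The fields stand in
# for the ParentImage / Image / CommandLine columns of Sysmon Event ID 1 or the
# Creator Process / New Process Name / Process Command Line fields of Security Event 4688.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c VSSADMIN Delete Shadows /For=C: /Oldest'},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe delete_shadows_notes.txt"},
]

# vssadmin may appear with or without .exe, in any case, and anywhere in the line
# (e.g. behind cmd.exe /c). "delete shadows" is the verb/noun pair that matters;
# /all, /for=, /oldest and /quiet only select which copies go.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b", re.IGNORECASE)

# Hypothetical allow-list of parent locations; anything else spawning vssadmin is the lead.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_shadow_delete(cmdline: str) -> bool:
    """True when the command line deletes shadow copies via vssadmin."""
    return SHADOW_DELETE.search(cmdline) is not None


def triage(events) -> list:
    """One finding per shadow-copy deletion, with the parent process as the pivot:
    a vssadmin launched from a user-writable path is where to look for the ransomware."""
    findings = []
    for ev in events:
        if not is_shadow_delete(ev["cmdline"]):
            continue
        parent = ev["parent"].lower()
        findings.append({
            "cmdline": ev["cmdline"],
            "parent": ev["parent"],
            "suspicious_parent": not parent.startswith(TRUSTED_PARENT_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious_parent"] else "review"
        print(f"{flag}: {f['cmdline']}  (parent: {f['parent']})")
```

Because `vssadmin delete shadows` needs an elevated token, the matching 4688 event will also show an elevated Token Elevation Type; an unelevated attempt fails, which is itself worth alerting on. This rule covers only the vssadmin route the article documents; other ways of deleting shadow copies (wmic shadowcopy delete, the Win32_ShadowCopy WMI class from PowerShell) need their own rules.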

Read on to see how you can decrypt your files for free.
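The article states that the files are decryptable without saying why. The following Python example is added here and is not the article's code or the decryptor's; it implements RC4 from its published definition and shows two properties a practitioner relies on: decryption is the same operation as encryption, and because RC4 is a stream cipher, one recovered original (say, a file you still have in backup) yields the keystream and decrypts any other file encrypted with the same key, up to the length of the known file. The key, the sample files, and the assumption that OpenToYou reuses one key across files are all hypothetical; the article does not describe its key handling.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as published: the key-scheduling algorithm (KSA) builds the permutation S,
    then the PRGA keystream is XORed over the data. The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step for any stream cipher: ct XOR pt = keystream prefix."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypts as far as the recovered keystream reaches; the tail stays encrypted."""
    n = min(len(ciphertext), len(keystream))
    return bytes(c ^ k for c, k in zip(ciphertext[:n], keystream[:n]))


# Hypothetical key and constructed sample "files"; nothing here is taken from the malware.
KEY = b"hypothetical-key"
FILE_A = b"%PDF-1.4\n% sample document A, original still available from backup\n" + b"A" * 40
FILE_B = b"PK\x03\x04 sample archive B, no backup available " + b"B" * 200


def decrypt_with_key(ciphertext: bytes, key: bytes) -> bytes:
    """Path 1: the key is known (e.g. extracted from the sample); RC4 decrypts directly."""
    return rc4(key, ciphertext)


def decrypt_via_known_file(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Path 2: no key, but one file's original is known and (assumed for this demo) the
    same key was reused for every file; returns the target decrypted up to len(pt_known)."""
    return decrypt_with_keystream(ct_target, recover_keystream(ct_known, pt_known))


if __name__ == "__main__":
    ct_a, ct_b = rc4(KEY, FILE_A), rc4(KEY, FILE_B)
    print(decrypt_with_key(ct_a, KEY) == FILE_A)
    partial = decrypt_via_known_file(ct_a, FILE_A, ct_b)
    print(len(partial), "of", len(FILE_B), "bytes of B recovered without the key")
```

The second path is the reason single-key stream-cipher ransomware tends to get a free decryptor quickly; it fails the moment the author derives a fresh key or keystream position per file, which is why the free solution the article points to, not a do-it-yourself attack, is the practical route for victims.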

Remove OpenToYou Virus and Decrypt [email protected] Files

If your computer is infected with the OpenToYou ransomware, removing it requires some experience with malware removal. Get rid of the ransomware as quickly as possible, before it has a chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
