Remove Virus and Restore Your Files - How to, Technology and PC Security Forum |

Remove [email protected] Virus and Restore Your Files


[email protected] is the name given to a cryptovirus that mimics the Cryptolocker ransomware. As it is not the first copycat and there are no other distinguishable characteristics for this virus except the email given as a contact detail, researchers named it after that. Encrypted files will remain with unchanged names and no added prefixes or extensions. After encryption the file “Your files are locked !!!!.txt” will be left in locations containing the decrypted files. To see how to remove this virus and how you can try to restore your encrypted files, read the article carefully.

Threat Summary

Name[email protected]
TypeRansomware, Cryptovirus
Short DescriptionThe virus pretends to be Cryptolocker. It will encrypt files and demand a ransom to be paid with a ransom message that looks almost exactly like that of the latest version of Cryptolocker.
SymptomsThe ransomware does not change the names of encrypted files and does not add a prefix or another extension to them. It leaves the file “Your files are locked !!!!.txt” in directories with locked files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by [email protected]


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss [email protected]
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[email protected] Virus – Spread

[email protected] ransomware can infect computers using various ways to spread. Spam emails could be spreading the payload file. Such spam mails will try to make you believe that they are of huge importance. Additionally, the body of the email will be presented in a way to urge you to open an attachment. According to these electronic letters, the attached file is either a continuation of the email message or a document related to it. Opening the file, however, releases the malicious code and infects your computer machine.

The [email protected] ransomware could be spreading the payload file on sharing networks or social media sites. Refrain from opening files coming from suspicious links or emails. Scan all files with a security program first and check their signatures and size before you launch them. You should see more tips to prevent ransomware attacks in the topic inside the forum.

[email protected] Virus – Description

A new copycat of the CryptoLocker ransomware has emerged on the radar of malware researchers, recently. They have dubbed it [email protected] as that email is the only viably distinguishable characteristic of the virus. There have been numerous copycats and versions of the CryptoLocker ransomware in 2016, and this continues to happen.

Whenever the [email protected] ransomware executes its payload, it will set automatic launch functionality by configuring values in the Windows Registry. Those values will be set inside new registry entries and function to start the virus automatically when the Windows OS is booted. After encryption, a pop-up window will appear on your desktop screen, containing the ransom message. You can view how it looks like and what its demands are from the below screenshot:


The text of the ransom note will also be included in a file named “Your files are locked !!!!.txt“. The file will be created for every directory that has encrypted files and the instructions provided inside are the following:

Support e-mails: [email protected] [email protected]
Your personal files encryption produced on this computer: photos, videos, documents, etc. Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files.

To obtain the private key for this computer, which will automatically decrypt files, you need pay 1.2 Bitcoin (~761 USD)
You can easily delete this software, but you must know that without it, you will never be able to get your original files back.
Disable your antivirus to prevent the removal of this software.
For more information on how to buy and send bitcoins, click ‘Pay with Bitcoin’. To open a list of encoded files, click ‘Show Files’.
Do not delete this list, it will be used for decryption. And do not move your files.

The main email address that the ransomware virus uses for contacting with the cybercriminals is [email protected]. Being a copycat ransomware and not the first of its kind has led to its name to be the same as the primary email address left for contact. You are given a 120-hour deadline to pay up, and the hefty sum of 1.2 Bitcoins which is the equivalent of 761 US dollars. The ransom message in the pop-up window looks almost identical to that of the Sanction ransomware virus.

Other emails that could be used for payment are:

The thought of paying the cybercriminals shouldn’t even come to your mind, as ransomware makers have proved that many times they will not decrypt your files, let alone contact you back. By not giving this ransomware a brand and mimicking the CryptoLocker one, the crooks have no name to build fame for and no incentive to return your files to their original state. In fact, the extortionists will most likely use the money to create more ransomware or do other criminal acts.

[email protected] can encrypt file types similar to ransomware viruses of its caliber – namely, with the following file extensions:

→.bak, .bmp, .dbf, .djvu, .doc, .docx, .exe, .flv, .gif, .jpeg, .jpg, .mdb, .mdf, .mkv, .mov, .mpeg, .mpg, .odt, .pdf, .png, .pps, .pptm, .pptx, .psd, .rar, .raw, .tar, .tif, .tiff, .txt, .vob, .wav, .wma, .wmv, .xls, .xlsb, .xlsx, .zip, .rar, .tar

The file extension list might be incomplete, but those file types are probably the ones to become encrypted. The encrypted files will have no name change and no new prefixes or extensions appended to them. In other words, the file names will remain completely untouched. To recognize which files are locked is easy as they will have a bigger size and you won’t be able to access them. The ransomware states to utilize a 2048-bit AES encryption algorithm which is not thought to be possible. That is since a 512-bit key will have multiple errors and be unstable, let alone any bigger key size.

The [email protected] ransomware might erase the Shadow Volume Copies from the Windows operating system with the following command-line parameter:

→vssadmin.exe delete shadows /all /Quiet

Read on and see what methods you can try for data and file restoration of your encrypted files.

Remove [email protected] Virus and Restore Your Files

If your computer got infected with the [email protected] ransomware, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by [email protected].

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share