Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove TaroCrypt Ransomware and Restore Encrypted Files

New ransomware infection has been discovered by security researchers. The crypto-malware possibly originates from Russia and demands money from infected users. The ransomware is believed to spread via other malware such as a Trojan or a malicious JavaScript. Everyone who has had their files encrypted by the TaroCrypt crypto-virus should not pay any ransom money and try to remove it and decrypt their files manually, instructions for which are illustrated below.

NameTaroCrypt
TypeRansomware
Short DescriptionThe malware may encode the user’s data with a strong AES-256 encryption algorithm and ask users for funds in return for the decryption password.
Symptoms
Distribution MethodTaroCrypt may be distributed via other malware.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by TaroCrypt
User ExperienceJoin our forum to follow the discussion about TaroCrypt.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

anonywallpaper-sensorstechforum-TaroCryptSource: Microsoft

TaroCrypt Ransomware – How Is It Spread

This particular malware is believed to spread via a Trojan activated on the user PC. Such Trojans may come as e-mail attachments or malicious URLs featured in spam messages posted online. Users are strongly advised to beware of any suspicious web links that may cause unwanted software to download onto the system.

TaroCrypt Ransomware In Detail

Once activated, the ransomware uses the following modules which are dropped in the %AppData% folder:

  • ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt
  • api.dll
  • encryptor.exe
  • encrypter.ico
  • ticket.exe
  • tickethelper.dll

TaroCrypt also creates registry entries for the module “encrypter.exe”:

In the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run the value “EncrypterEpta” “%APPDATA%\\encrypter.exe”

According to Microsoft researchers this ransomware has several variants and they may search for the following file extensions to encrypt:

.-1 .1cd .3gp .7z .7zip .7-zip .aac .accdb .ace .ape .arj .avi .b5t .b6t .bin .bmp .bwt .bz .bz2 .ccd .cdi .cdr .cdx .cf .cpp .cs .css .csv .cue .dbf .dbk .djv .djvu .dmg .dng .doc .docm .docx .dot .dotx .dt .dwg .dxb .epf .eps .erf .flac .flv .geo .gho .ghs .gif .grs .gzip .h .hdd .htm .html .img .ini .iso .isz .jar .jnt .jpe .jpg .js .lhz .md .mdb .mdf .mds .mdx .mkv .mov .mp3 .mp4 .mpeg .mpg .mrh .nrg .odb .odt .ogg .pdf .php .pl .png .pot .potm .potx .pps .ppsm .ppsx .ppt .pptx .pqi .psb .psd .pst .pub .qcow .qcow2 .qt .rar .raw .rtf .shtm .shtml .smk .sql .tar .td .tga .tif .tiff .tst .txt .uue .vdf .vdi .vhd .vmdk .vob .vrp .wav .wma .wmv .wps .xls .xlsb .xlsm .xlsx .xlt .xlw .yml .zip

Also, TaroCrypt may be pre-programmed to scan external drives as well as files in the following folders:

  • Documents and Settings
  • Users/{all folders}

What is more, it may connect to a third-party host that may be to command and control center (C&C). This may provide the several permissions to the cyber-crooks:

  • Check whether or not you are connected.
  • Download other files such as obfuscators, for example.
  • Report whether or not there are new infections.
  • Receive system information.
  • Follow commands from a hacker.
  • Location information.
  • Read and Write permissions as well as file transfer to foreign hosts.

The crypto-malware also changes the user’s wallpaper to a ransom note, the picture of which copies the famous “Anonymous” ideology.
When the ransom note is translated from Russian, it demands the following:

“Welcome, all of your files are encrypted, contact us for their recovery.
To do this, open the shortcut ‘Online consultant’, which is on the desktop or double-click the left mouse button on any encrypted file.
If for some reason you can not reach us via the ‘Live Chat’ contact us through offline contacts:
1)Load the “Tor Browser for Windows, you can download it here:
{web link for Tor’s download page}
2)Install and run the ‘Tor browser.”

The ransomware also features a unique identification number for the computer it infects that also includes a Hash identifier. It also has in-depth instructions on how to open a file and type a password you should receive after making the payment:

Souce-microsoft-instructions-tarocryptSource: Microsoft Malware Protection

Remove TaroCrypt Ransomware and Restore the Encrypted Files

We strongly advise affected users NOT to pay the ransom money since there may be alternatives to decrypt the data by discovering holes in the malware itself or using a special software to remove the ransomware and restore your files. Also, the ransomware is not reported to delete Windows’s shadow volume copies, which means that if you have a backup, you might restore your files via it. For further information, it is advisable to refer to the removal manual below.

N.B. In case you wish to remove this malware, you should disconnect from the internet and backup the encrypted files to an external drive before attempting any removal. This is because removing the crypto-malware from your computer may affect them.

1. Boot Your PC In Safe Mode to isolate and remove TaroCrypt
2. Remove TaroCrypt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TaroCrypt in the future
4. Restore files encrypted by TaroCrypt
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the TaroCrypt threat: Manual removal of TaroCrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.