Remove Voldemort Virus and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove Voldemort Virus and Restore Encrypted Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


A new cryptovirus is on the loose. Discovered by the malware researcher Michael Gillespie, it is observed that it is themed around the Harry Potter novels. The ransomware uses a file named “voldemort.horcrux”, thus it is dubbed Voldemort ransomware.

The design pattern of the virus code is built upon inversion of control (IoC), which in short means that some functionality is changed due to additional code written by the malware maker. No ransom note and no extension is added, but just a hint of Voldemort’s snake “Nagini” inside the code and an image of the Voldemort character himself.

Threat Summary

TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware will encrypt your files, while only changing their size.
SymptomsThe ransomware does not display a ransom note, and does not place an extension to files, but the data is still encrypted.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by Voldemort


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Voldemort.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Voldemort Virus – Spread

The Voldemort virus uses multiple ways to spread itself. The most popular one is with spam email campaigns which distribute the payload file of the ransomware in question. This type of email will try to make you believe that some urgent message or program is contained in the attached file which comes with the e-mail. In actuality, the attached file might look harmless, but the malicious payload of the virus will be inside. If you open the file, which is in most cases an executable, your computer machine will be infected and your data will get encrypted.

Other infection methods for the Voldemort virus could be in motion, that use social media networks and file sharing services. The malware maker could have put the malicious files on every such platform, as an extra way to infect unsustepcting users. Be careful when surfing the Web and avoid suspicious e-mails, files or links. Perform checks of all files that you have downloaded for their signatures, size, and do a scan with security software. You should read more tips to prevent ransomware in that forum topic.

Voldemort Virus – More Information

The Voldemort cryptovirus is a very strange ransomware as it does not create a ransom note with payment instructions, neither does it add any extension or prefix to the files it encrypts. The malware researcher Michael Gillespie has found the ransomware in the wild, so its still soon to say what damage might be done to users’ compromised computers. The name comes from the “voldemort.horcrux” created in the C:\temp\ directory and the following image found afterward:


As you can see, the ransomware is themed around the Harry Potter fantasy novels written by J. K. Rowling. Specifically around the Voldemort character and his snake “Nagini”, which is included as a name for one of the payload dropping files. These files are mostly found as executables, but users have submitted more than one dropper file:

  • a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102.exe
  • 1.exe
  • Nagini.exe
  • cd4e331d11f8eb70c4f2fd9d665ee654.virus
  • a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102.bin

You can see its detections on VirusTotal here:


The ransomware creates the following entry in the Windows Registry:


Still new, let’s hope the ransomware is decryptable and does not become a bigger threat than it is. The inversion of control (IoC) mechanism shows that the ransomware creator put some thought behind the code, so it might be made by a professional, ratheer than a script-kiddie that is copy-pasting code. The lack of a ransom note seems intentional, so the crypting virus might be made just to encrypt files with no decryption option.

The files which the ransomware encrypts have the following extensions:

→.doc, .docx, .ppt, .pptx, .xls, .xlsx, .bmp, .png, .jpg, .jpeg, .exe, .pdf

UPDATE! However, there is a window that can come up on a newer version of the ransomware that displays an empty field for you to fill giving credit card access to the cybercriminals. The text in that window states the following:

Done encrypting!
Enter your credit card: ________
Get Key!
Enter your key to decrypt the files:
Decrypt Now!

Stay tuned for updates, if new activity arises around this malware.

Remove Voldemort Virus and Restore Your Files

If your computer got infected with the Voldemort ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Voldemort.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share