Remove Voldemort Virus and Restore Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com
Remove Voldemort Virus and Restore Encrypted Files

A new cryptovirus is on the loose. Discovered by the malware researcher Michael Gillespie, it is themed around the Harry Potter novels. The ransomware uses a file named “voldemort.horcrux”, which is why it has been dubbed Voldemort ransomware.

The virus code is built on the inversion of control (IoC) design pattern, which in short means that some functionality is changed by additional code written by the malware maker (IoC here is the software-design term, not “indicators of compromise”). No ransom note is dropped and no extension is added; the only hints are the name of Voldemort’s snake “Nagini” inside the code and an image of the Voldemort character himself.

Threat Summary

Name: Voldemort
Type: Ransomware, Crypto-Virus
Short Description: The ransomware encrypts your files, changing only their size.
Symptoms: The ransomware displays no ransom note and adds no extension to files, but the data is still encrypted.
Distribution Method: Spam Emails, Email Attachments, Executable Files

Voldemort Virus – Spread

The Voldemort virus uses multiple ways to spread. The most popular one is spam email campaigns that distribute the ransomware’s payload file. Such an email tries to make you believe that some urgent message or program is contained in the attached file. The attachment may look harmless, but the malicious payload of the virus is inside. If you open the file, which in most cases is an executable, your computer will be infected and your data will be encrypted.

Other infection methods for the Voldemort virus could also be in use, such as social media networks and file sharing services. The malware maker could have placed the malicious files on any such platform as an extra way to infect unsuspecting users. Be careful when surfing the Web and avoid suspicious e-mails, files or links. Check every file you download (its signature and its size) and scan it with security software. More tips on preventing ransomware are in the forum topic on that subject.

Voldemort Virus – More Information

The Voldemort cryptovirus is a very strange ransomware: it creates no ransom note with payment instructions, nor does it add any extension or prefix to the files it encrypts. The malware researcher Michael Gillespie found the ransomware in the wild only recently, so it is still too early to say what damage it might do to compromised computers. The name comes from the file “voldemort.horcrux” created in the C:\temp\ directory and from the following image found afterward:

[Image: the Voldemort character picture dropped by the ransomware]

As you can see, the ransomware is themed around the Harry Potter fantasy novels written by J. K. Rowling, specifically around the Voldemort character and his snake “Nagini”, whose name is used for one of the payload-dropping files. These files are mostly executables, and users have submitted more than one dropper file (the 64- and 32-character hexadecimal names have the lengths of SHA-256 and MD5 digests, the usual way analysts and sandboxes name submitted samples):

  • a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102.exe
  • 1.exe
  • Nagini.exe
  • cd4e331d11f8eb70c4f2fd9d665ee654.virus
  • a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102.bin

You can see its detections on VirusTotal here:

[Image: VirusTotal detections of the Voldemort dropper]

The ransomware creates the following entry in the Windows Registry:

→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Voldemort=%CurrentFolder%
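The dropper names listed above and this Run key entry are the indicators a responder can sweep a machine for. The script below is an added example written for this article (it is not SensorsTechForum’s code and is not derived from the sample): it hashes every file under a directory against the digests taken from the dropper names, assuming that the 64- and 32-character names are the sample’s SHA-256 and MD5, and it reads a “reg export” dump for Run-key values that are named Voldemort or launch from a temp folder. The .reg text and the “C:\temp\Nagini.exe” path in it are constructed for the demonstration; the article only says the value is %CurrentFolder%.

```python
# Added example for this article (not the site's code and not from the malware
# sample): hash files under a directory against the IoCs listed above, and read a
# "reg export" dump of the HKLM Run key for the persistence entry quoted above.
# Assumptions: the 64- and 32-hex-character dropper names are the SHA-256 and MD5
# digests of the sample (the usual sandbox naming); the .reg text is constructed.
import hashlib
import os
import re
import tempfile

KNOWN_SHA256 = {"a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102"}
KNOWN_MD5 = {"cd4e331d11f8eb70c4f2fd9d665ee654"}
KNOWN_RUN_NAMES = {"voldemort"}   # value name from the Run key entry above
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed "reg export" output; the Nagini.exe path is illustrative only.
# In a .reg file each backslash inside a string value is written as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Voldemort"="C:\\temp\\Nagini.exe"
'''


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, reading it in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def find_known_samples(root, sha256_iocs=KNOWN_SHA256, md5_iocs=KNOWN_MD5):
    """Walk root and return the paths whose digest matches a known sample."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha256 = file_hashes(path)
            if sha256 in sha256_iocs or md5 in md5_iocs:
                hits.append(path)
    return sorted(hits)


def suspicious_run_entries(reg_text):
    """Return (name, value) pairs under the HKLM Run key whose value name is the
    known one or whose command runs out of a temp folder, as the sample does."""
    in_run, flagged = False, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        match = VALUE_RE.match(line) if in_run else None
        if not match:
            continue
        name, value = match.group(1), match.group(2).replace("\\\\", "\\")
        if name.lower() in KNOWN_RUN_NAMES or "\\temp\\" in value.lower():
            flagged.append((name, value))
    return flagged


def demo():
    """Constructed run: one benign file in a scratch directory plus SAMPLE_REG."""
    workdir = tempfile.mkdtemp(prefix="voldemort-ioc-")
    path = os.path.join(workdir, "harmless.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed benign content, not the malware")
    _, own_sha256 = file_hashes(path)
    return {
        "hits_against_article_iocs": find_known_samples(workdir),
        # the same sweep with the file's own digest as the IoC, to show a match
        "hits_against_own_hash": [os.path.basename(p) for p in
                                  find_known_samples(workdir, sha256_iocs={own_sha256})],
        "run_entries": suspicious_run_entries(SAMPLE_REG),
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine you would point find_known_samples at the user profile and C:\temp\, and feed suspicious_run_entries the output of “reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg”. Hash matching only catches the exact samples already submitted, so the Run-key check is the more durable of the two.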

While the ransomware is still new, let’s hope it is decryptable and does not become a bigger threat than it is. The inversion of control (IoC) mechanism shows that the ransomware creator put some thought into the code, so it might be the work of a professional rather than a script-kiddie copy-pasting code. The lack of a ransom note seems intentional, so the crypting virus might have been made just to encrypt files with no decryption option.

The files which the ransomware encrypts have the following extensions:

→.doc, .docx, .ppt, .pptx, .xls, .xlsx, .bmp, .png, .jpg, .jpeg, .exe, .pdf
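Because Voldemort keeps file names and extensions intact, an encrypted .docx still looks like a .docx in Explorer. One check that does not rely on names is the file header: each format in the list above starts with fixed bytes, and ciphertext does not. The following is an added example, not code from the article, that walks a directory, compares the leading bytes of every listed-extension file with the expected signature and reports the mismatches together with their entropy. The sample files are constructed, with os.urandom standing in for encrypted content.

```python
# Added example for this article (not the site's code): flag files carrying one
# of the extensions listed above whose leading bytes no longer match the format
# the extension promises. A file encrypted in place keeps its name and
# extension, so the header check and the entropy of its contents are what give
# it away. Sample files below are constructed; os.urandom stands in for
# ciphertext.
import math
import os
import tempfile

OLE = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy Office (.doc/.ppt/.xls)
ZIP = b"PK\x03\x04"                       # Office 2007+ files are ZIP archives
MAGIC = {
    ".doc": OLE, ".ppt": OLE, ".xls": OLE,
    ".docx": ZIP, ".pptx": ZIP, ".xlsx": ZIP,
    ".bmp": b"BM",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".exe": b"MZ",
    ".pdf": b"%PDF",
}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path):
    """None when the extension is not in the list above; otherwise
    (header_mismatch, entropy of the first 64 KiB)."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(1 << 16)
    return (not head.startswith(magic), round(shannon_entropy(head), 2))


def find_damaged_files(root):
    """Return {filename: entropy} for listed-extension files with a bad header."""
    damaged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            verdict = inspect_file(os.path.join(dirpath, name))
            if verdict and verdict[0]:
                damaged[name] = verdict[1]
    return damaged


def demo():
    """Constructed scratch directory: two intact files, two 'encrypted' ones,
    and one file whose extension the article does not list."""
    workdir = tempfile.mkdtemp(prefix="voldemort-scan-")
    samples = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(64),
        "notes.docx": os.urandom(4096),   # stands in for a file encrypted in place
        "cat.jpg": os.urandom(4096),
        "readme.txt": b"plain text; .txt is not in the extension list above",
    }
    for name, content in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(content)
    return find_damaged_files(workdir)


if __name__ == "__main__":
    for name, entropy in sorted(demo().items()):
        print(f"{name}: header mismatch, entropy {entropy:.2f} bits/byte")
```

A mismatch alone is not proof (a mislabelled file fails the same check), which is why the entropy is reported alongside: Office documents and PDFs normally sit well below the roughly 8 bits per byte of ciphertext, while JPEG and PNG bodies are already compressed and sit near it, so for images the header check carries the weight. This is a triage aid for working out which files were hit, not a recovery tool.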

UPDATE! A newer version of the ransomware can, however, display a window with an empty field for you to fill in, which would hand your credit card details to the cybercriminals. The text in that window states the following:

Done encrypting!
Enter your credit card: ________
Get Key!
Enter your key to decrypt the files:
Decrypt Now!

Stay tuned for updates, if new activity arises around this malware.

Remove Voldemort Virus and Restore Your Files

If your computer got infected with the Voldemort ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Voldemort.


To remove Voldemort follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Voldemort files and objects
2. Find files created by Voldemort on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Voldemort

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
