.Serp File Virus (Restore Files )

.Serp File Virus (Restore Files)

Article, designed to help you remove the Serpent ransomware virus and help restore files encrypted with .serp extension added to them.

Researchers have detected a version of Serpent ransomware still active out in the wild, using the .serp file extension which it adds to the encrypted files. The ransomware infection encrypts the files on the computers compromised by it after which demands a hefty ransom fee to be paid to the users. The demands are written in a ransom note file which is called “README_TO_RESTORE_FILES{random}.txt”. In case you have become a victim of this variant of Serpent ransomware, recommendations are to focus on reading this article carefully to learn how to remove this ransomware infection and try to get your data back.

Threat Summary



Short DescriptionThe virus encrypts files on the compromised computer and then demands a hefty ransom fee to be paid in a .txt file.
SymptomsThe victim may not be able to open the files. The .serp file extension is appended to them. Ransom notes are dropped in .html and .txt file formats.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Serpent


Malware Removal Tool

User ExperienceJoin our forum to Discuss Serpent.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Is Serpent Ransomware Distributed

The distribution stage of Serpent ransomware causing infections are usually achieved by sending out spammed e-mail messages that aim for only one – to convince the victim of these infections into opening the malicious attachments of those e-mails or click on web links which lead to infected URLs or files. Such e-mails often contain false statements such as:

  • Invoice.
  • Suspicious bank account activity.
  • A purchase that is made in the name of the account holder.
  • Other false claims.

Once the user opens the attachment, infection is inevitable and the virus may download it’s malious payload files on the infected system.

Other infection methods by the Serpent ransomware infection may also include the usage of fake program installers, fake game licensing patches or software key generators. These may be combined with malicious code which when executed causes the infection.

Serpent Ransomware –Infection Activity

Similar to the older version, after infection by the Serpent ransomware virus has become inevitable, the malware begins to perform multiple different activities, the first of which is to situate the following malicious files on the user’s computer, which may be the following:

{random A-Z 0-9}.exe
%Roaming%\{random folder name}\{random file name}.exe
%Startup%\{random vbs executable}.vbs

After having dropped the malicious files, this ransomware infection may attack multiple different Windows processes and either inject malicious code In them or completely shut them down:

→ bootsect.bak

After stopping any processes that may interfere with encryption, the Serpent ransomware virus may begin to interfere with the Windows Registry entries, making it possible for it’s previously dropped malicious files to run on system start-up. The usually targeted Windows registry keys are the following:


Serpent Ransomware – Encryption Process

Serpent ransomware is pre-configured to encrypt multiple file types by in the same time carefully avoiding files in Windows’ system folders so that it leaves the operating system intact.

The .serp file virus is believed to attack files with the following file extensions to encrypt them:

→ .2011, .2012, .2013, .2014, .2015, .2016, .2017, . 3dm, .7zip, .accd, .accdb, .accde, .accdr, .accdt, .aepx, .agdl, .aiff, .aspx, .back, .backup, .backupdb, .bank, .blend, .btif, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cfdi, .clas, .class, .cntk, .config, .craw, .db-journal, .db_journal, .ddoc, .ddrw, .defx, .design, .djvu, .docb, .docm, .docx, .dotm, .dotx, .dtau, .efsl, .erbsql, .fcpa, .fcpr, .flac, .flvv, .gray, .grey, .groups, .html, .iban, .ibank, .idml, .incpas, .indb, .indd, .indl, .indt, .int?, .intu, .java, .jpeg, .jsda, .kdbx, .kpdx, .laccdb, .lay6, .m2ts, .m3u8, .mbsb, .meta, .mhtm, .mone, .moneywell, .mpeg, .ms11, .myox, .nvram, .pages, .pcif, .php5, .phtml, .plus_muhd, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .prel, .prpr, .psafe3, .pspimage, .ptdb, .qb20, .qbmb, .qbmd, .qcow, .qcow2, .qdfx, .qmtf, .quic, .qwmo, .resx, .s3db, .safe, .sas7bdat, .save, .seam, .sldm, .sldx, .sqli, .sqlite, .sqlitedb, .tax0, .tax1, .tax2, .text, .tiff, .tt10, .tt11, .tt12, .tt13, .tt14, .tt15, .tt20, .vbox, .vbpf, .vhdx, .vmdk, .vmsd, .vmxf, .wallet, .xhtm, .xlam, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .ycbcra, .zipx

The encryption process of Serpent can consist of the usage of the AES-256 encryption algorithm and the RSA cipher to generate unique public and private keys which are used for the decryption of the files. These keys may be sent to the cyber-criminals command and control servers so that they can demand a ransom.

After the encryption has finished, the files may be left in the following way:

After the whole process has finished, the last activity of the virus is to make sure the user knows of it’s presence, by dropping it’s ransom note:

  • README_TO_RESTORE_FILES{random}.html

Remove Serpent Ransowmare and Restore .serp Encrypted Files

For the removal of Serpent ransomware, a good practice is to follow the instructions below. They will help you isolate the virus after which choose whether to look for each setting and file manually or if you do not have experience to perform the removal automatically (recommended).

After removing Serpent ransomware from your computer, it is time to think about the encrypted files. To restore files encoded by Serpent on your computer, we advise checking out the alternative file recovery methods in step “2. Restore files encrypted by Serpent” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share