.sorry Files Virus (Ransomware) – How to Remove It and Restore Data


This article explains what the .sorry files virus is, how to remove this ransomware effectively, and how to restore data encrypted by it.

The .sorry files virus is a type of malware that aims to encrypt the files on your PC. The virus then drops a How Recovery Files.txt file, which contains instructions on how to pay a hefty fee to cyber-criminals in order for your files to be decrypted. If you have seen .sorry files on your computer together with the ransom note of this malware, we advise you to read the following article to learn how to remove the .Sorry ransomware completely from your computer system and try to restore your encrypted files without having to pay the ransom.

Threat Summary

Name: .sorry Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and hold them hostage until you pay ransom in order to restore them.
Symptoms: The .sorry ransomware encrypts your files, making them unable to be opened. Drops a ransom note file, called How Recovery Files.txt.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.sorry Files Virus – How Does It Infect

To infect computers, the .sorry files virus may use different types of techniques and tools, some of which may be:

  • Malware obfuscators that aim to conceal the virus from different types of antivirus software.
  • Trojan.downloaders.
  • Extractors.
  • Modified installers.
  • Malicious macros.
  • Droppers.

The primary malicious file of .Sorry ransomware has been reported by malware researchers to have the following parameters:

→ SHA256: 2805ede8a9dfff58ec05ecbb7751fe98c37ccc16e5c48c6e4dc549d36bd17264
Name: ConsoleApp1.exe

The virus may come to you via an e-mail sent by the cyber-crooks that resembles a legitimate message. These e-mails usually aim to resemble receipts, invoices or other notifications from big companies, like PayPal, banks, DHL, eBay, Amazon and other big names in the industry. They often contain malicious attachments in the form of infected Microsoft Office documents or PDF files, and when you open them and enable their content for editing or reading, the malicious macros may trigger the infection process.

In addition to e-mail, the cyber-crooks may upload the malicious files, disguising them as seemingly legitimate setups of programs, software patches, cracks, license activators, key generators and other types of files that appear to be legitimate. Most inexperienced users who are looking to download a program or a driver for their computer fall victim to ransomware viruses, like the .sorry file infection.

.sorry Files Virus – More Information

As soon as the .sorry ransomware infects the victim’s computer, the malware may begin its malicious activity, starting with dropping its malicious files in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

When the malicious files of the .sorry ransomware are dropped on the victim’s computer, the malware may create mutexes, make copies of itself in case its main malicious files are deleted, and take other defensive actions. In addition to this, the .sorry files ransomware may also create scheduled tasks on the infected computer, so that the encryption module runs automatically. The .sorry files virus may also target the following Windows Registry sub-keys and add custom registry entries to them, with values containing data that runs the malicious file and opens the ransom note of .Sorry ransomware automatically when you log in to Windows. The targeted sub-keys are reported to be the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

As soon as this is done, the .sorry files virus may also run scripts that execute the following commands as an administrator in Windows command prompt:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
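Detection logic for the command line quoted above, run over process-creation records. This is an added example, not code from the original article; the event fields (`host`, `command_line`), the host names and the sample events are constructed for illustration.

```python
import re

# One rule per recovery-inhibiting action in the command line quoted above.
RULES = {
    "shadow_copies_deleted": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\s.*\brecoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(r"\bbcdedit(?:\.exe)?\s.*\bbootstatuspolicy\s+ignoreallfailures\b"),
}

# Constructed process-creation events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "WS-01", "command_line": "process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”"},
    {"host": "WS-02", "command_line": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS-03", "command_line": "cmd /c vss^admin DELETE sha^dows /all /quiet"},
    {"host": "WS-04", "command_line": "bcdedit /set {default} recoveryenabled yes"},
]

def segments(command_line):
    """Normalise a command line and split it at cmd.exe command separators."""
    text = command_line.lower().translate(str.maketrans("“”", '""'))
    text = text.replace("^", "")       # cmd.exe caret escapes used to dodge string matching
    text = re.sub(r"\s+", " ", text)   # collapse padding whitespace
    return [part.strip(' "') for part in re.split(r"&&?|\|\|?", text)]

def classify(command_line):
    """Return the sorted names of the rules that fire on any segment."""
    hits = set()
    for seg in segments(command_line):
        for name, rule in RULES.items():
            if rule.search(seg):
                hits.add(name)
    return sorted(hits)

def alerts(events):
    """Keep only recovery-inhibiting events; all three actions together match the quoted command."""
    out = []
    for event in events:
        hits = classify(event["command_line"])
        if hits:
            severity = "high" if len(hits) == len(RULES) else "medium"
            out.append({"host": event["host"], "hits": hits, "severity": severity})
    return out
```

Read-only uses such as `vssadmin list shadows` and re-enabling recovery with `recoveryenabled yes` do not fire, which keeps backup tooling and administrators out of the alert queue.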

As soon as this is complete, the .sorry ransomware has deleted all of the backups and shadow volume copies on your computer and may drop its ransom note files, named How Recovery Files.txt and hrf.txt. The note has the following contents:

Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files
Write to our email – system@hitler.rocks or systems@tutanota.com and tell us your unique ID
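A read-only triage scan for the indicators this article lists: the two ransom note file names, files carrying the .sorry extension, and executables matching the reported SHA256. This is an added example, not code from the original article; the function names and result layout are illustrative, and it assumes the extension is appended to the end of the file name.

```python
import hashlib
import os

# Indicators taken from the article; everything else here is illustrative.
KNOWN_SHA256 = {"2805ede8a9dfff58ec05ecbb7751fe98c37ccc16e5c48c6e4dc549d36bd17264"}
RANSOM_NOTES = {"how recovery files.txt", "hrf.txt"}
ENCRYPTED_SUFFIX = ".sorry"

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large executables do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan(root, known_hashes=KNOWN_SHA256):
    """Walk root and group findings by indicator type; nothing is modified or deleted."""
    found = {"ransom_notes": [], "encrypted_files": [], "known_sample": [], "unreadable": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower in RANSOM_NOTES:
                found["ransom_notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                found["encrypted_files"].append(path)
            elif lower.endswith(".exe"):
                # The sample may be renamed, so match on content, not on ConsoleApp1.exe.
                try:
                    if sha256_of(path) in known_hashes:
                        found["known_sample"].append(path)
                except OSError:
                    found["unreadable"].append(path)  # locked or access denied
    return {kind: sorted(paths) for kind, paths in found.items()}

if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(scan(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Running it against a user profile gives a quick count of affected files and shows which folders hold a ransom note, which helps scope the incident before any removal or recovery step.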

.Sorry Ransomware – Encryption

To encrypt files on your computer system, the .Sorry ransomware infection may use an encryption mode which replaces key data from the original file in a newly created copy of it. The replacement data comes from the encryption algorithm used by this virus. After the encryption process has completed, the .Sorry ransomware may delete the original file. The virus is selective in what types of files it encrypts and may target only important files on your computer, while carefully avoiding important Windows files, so that you can still use your computer to pay the ransom. The files which are often encrypted by ransomware viruses like the .sorry files virus are reported to be the following:

  • Documents.
  • Videos.
  • Pictures.
  • Images.
  • Text files.
  • Archives.

In addition to this, the ransomware also adds its distinctive file extension and the files begin to appear like the following:

Remove .Sorry Files Virus and Restore .sorry Encrypted Files

To make sure that this ransomware is gone from your computer, we advise you to follow the removal instructions underneath this article. They are designed to help you delete the objects created by the .sorry ransomware either manually or automatically. Be advised that for maximum effectiveness, security researchers strongly recommend using advanced anti-malware software. Downloading such a ransomware-specific removal tool and scanning your PC with it will make sure all of the files and objects created by the .Sorry files virus on your computer are permanently gone and your system remains protected against future malware infections as well.

If you want to decrypt .sorry encrypted files, be advised that direct decryption may not be available at the moment. This is why we have created alternative tools which can help you recover files that are encrypted by this ransomware on your PC. They are located in step “2. Restore files, encrypted by .sorry Files Virus” underneath; they are no guarantee that you will recover all your files, but may work for some of them.


Ventsislav Krastev
