.Twist Files Virus – How to Remove and Restore Your Data

This article shows you how to remove the .twist files virus and how to restore files encrypted by this ransomware without paying a ransom to the cyber-criminals behind it.

A new ransomware virus has been detected in the wild. It adds the .[[email protected]].twist file extension to the files it encrypts on the compromised computer. The virus aims to encrypt the files on computers so that they can no longer be opened, which leaves the malware in control of your files. It also drops a “How_Decrypt_Files.txt” ransom note, which explains carefully how to pay a hefty extortion fee to the cyber-criminals in order to get the files back. Paying is not advisable as a course of action. If your computer has been infected by the .twist files virus, we advise you to read this article to learn how to remove it from your computer and try to restore your files without having to pay the ransom.

Threat Summary

Name: .twist Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer system and demand a ransom payoff in order to restore them to a working state.
Symptoms: Aims to encrypt the files on the victim’s computer, adding the .[[email protected]].twist extension and a “How_Decrypt_Files.txt” ransom note.
Distribution Method: Spam Emails, Email Attachments, Executable files

.Twist Ransomware – Update December 2018

Update! A decryption tool is now available for this ransomware. The tool was created by the malware researcher Michael Gillespie and can be downloaded, wrapped inside a .zip archive, from the following link: Decryption Tool. You need an encrypted file along with its original, and the files can be decrypted even if their size is under 10 MB. The decryptor works for the following variants: Insane, desuCrypt, DEUScrypt, .volcano, .Everbe, .pain, .embrace, .Tornado and .twist.

.Twist Ransomware – How Does It Infect

The main infection method used by this ransomware involves spam e-mail messages, which are sent out to a pre-set list of e-mail addresses. Malicious attachments are contained within these e-mails, and they often aim to resemble:

  • Invoices.
  • Receipts.
  • Documents coming from banks.
  • Various different types of fake files.

Most e-mails also contain convincing statements, whose primary purpose is to persuade the victim that the e-mail is legitimate and that the attachment should be opened immediately, similar to what the example e-mail below displays.

In addition to this, some of those e-mails may also contain malicious macros which are triggered when the victim clicks on “Enable content” after the documents are opened:

Besides e-mail, the .twist files virus may also infect computers through more passive tactics, such as the malicious files being uploaded to suspicious websites or torrent sites with weak security. There, the files often pretend to be:

  • Installers of drivers or other free software.
  • Installers of patches for software or games.
  • Key generators.
  • Software license activators.
  • Cracks or fixes.

.twist Files Virus – Malicious Activity

The .twist files ransomware is a file-encrypting virus, meaning that it interferes heavily with the files on your computer and breaks them temporarily, until its decryptor decodes them and they become operational again.

The first action of the .twist file ransomware after it infects your computer system is to drop its malicious files, which may reside in the following Windows directories:

  • %AppData%
  • %Local%
  • %Roaming%
  • %Temp%
  • %LocalLow%
  • %Windows%

As soon as the files are dropped, without the victim noticing, the malware may begin its malicious activities, which range from creating mutexes all the way to displaying the ransom note with the scary message after the files have been encrypted. After having created mutexes, the .twist files ransomware begins to modify the Windows Registry; more importantly, it may attack the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In those sub-keys, the .twist ransomware adds registry values whose data holds the location of the file that the ransomware may run automatically when your system starts up.
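One way to review the Run key for this kind of persistence (an added example, not part of the original article): the Python below parses the text printed by `reg query` for the key above and reports values whose program sits in the user-writable directories from the drop-location list. The sample output, value names and paths are constructed for illustration.

```python
import re

# Fragments of the user-writable drop locations listed above (lowercase).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
                "\\temp\\", "%appdata%\\", "%localappdata%\\", "%temp%\\")

# One value line of `reg query`: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Parse `reg query <key>` output into (key, value name, data) tuples."""
    key, rows = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            rows.append((key, m["name"], m["data"]))
    return rows

def image_path(data):
    """Extract the program path from a Run value, quoted or unquoted."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs|js|scr))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def suspicious_autoruns(text):
    """Return (value name, path) for autoruns that start from a suspect directory."""
    hits = []
    for _, name, data in parse_reg_query(text):
        path = image_path(data)
        if any(d in path.lower() for d in SUSPECT_DIRS):
            hits.append((name, path))
    return hits

# Constructed `reg query` output; the user name and file names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\svchost.exe" -s
    TmpJob    REG_SZ    C:\Users\alice\AppData\Local\Temp\a1.exe
"""

if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE):
        print(name, "->", path)
```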

After interfering with the Windows Registry, the .twist files virus may also perform other unwanted activity on your computer, which may result in the deletion of the shadow volume copies and other backups made via Windows. This is achieved by running the following commands via a script, as an administrator, on the victim’s computer:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
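An added example, not code from the original article: a Python filter that flags process-creation command lines carrying the three recovery-inhibiting actions in the command above, including chained and caret-escaped forms. The event fields (host, pid, cmdline) and the sample events are constructed for illustration.

```python
import re

# Recovery-inhibiting actions from the command quoted above, by label.
PATTERNS = {
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\S+\s+)?recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\S+\s+)?bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalize(cmdline):
    """Lowercase, drop cmd.exe caret escapes and quotes, collapse whitespace."""
    text = cmdline.lower().replace("^", "")
    text = re.sub("[\"'\u201c\u201d]", " ", text)
    return re.sub(r"\s+", " ", text).strip()

def classify(cmdline):
    """Return the sorted labels of recovery-inhibiting actions in one command line."""
    hits = set()
    # cmd.exe chains commands with &, && and ||; test each segment on its own.
    for segment in re.split(r"\s*(?:&&|\|\||&)\s*", normalize(cmdline)):
        for label, pattern in PATTERNS.items():
            if pattern.search(segment):
                hits.add(label)
    return sorted(hits)

def triage(events):
    """Return (host, pid, labels) for matching events; several labels in one
    process is the chained form shown above and deserves the highest priority."""
    return [(e["host"], e["pid"], labels)
            for e in events if (labels := classify(e["cmdline"]))]

# Constructed process-creation events (hosts and PIDs are made up).
SAMPLE_EVENTS = [
    {"host": "WS-014", "pid": 4312, "cmdline":
        "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} "
        "recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS-014", "pid": 988, "cmdline": "vssadmin list shadows"},
    {"host": "SRV-02", "pid": 7120, "cmdline": 'cmd /c "v^ssadmin  Delete Shadows /All /Quiet"'},
    {"host": "SRV-02", "pid": 7301, "cmdline": "bcdedit /enum"},
]

if __name__ == "__main__":
    for host, pid, labels in triage(SAMPLE_EVENTS):
        print(host, pid, ", ".join(labels))
```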

.twist Files Virus – Encryption

The encryption is done with an advanced encryption mode, which results in portions of each file being replaced with data from the cipher being used. This makes a legitimate file no longer able to be opened. On top of that, the virus adds an ASCII hex at the end of each file, and the first 8B are the victim’s identifier, a rather clever method of identification. After the encryption, the virus also adds the e-mail of the cyber-criminals along with its file extension, and the files look like the image below displays:

After encrypting the files on the victim’s computer, the .twist files virus may also open its ransom note automatically, so that the victim sees its ransom instructions. The note, named How_Decrypt_Files.txt, has the following message to victims:

Hello !
All your files have been encrypted !
If you want restore your files write on email – [email protected]
In the subject write – id-{Unique ID, also seen in the file’s hex}

The ransom note asks victims to negotiate for their files via the anonymous e-mail address of the crooks, where a decryptor is likely created specifically for each victim’s files.

Remove Twist Ransomware and Restore .twist Encrypted Files

To remove this ransomware infection, follow the manual or automatic removal instructions below. If you lack experience in eliminating malware manually, security researchers advise performing the removal automatically by downloading an advanced anti-malware program, which scans your PC, fully gets rid of all malware currently residing on it and protects it against future viruses like Twist ransomware.

To try to restore as many files as possible, we recommend that you follow the file recovery instructions below, in step “2. Restore files encrypted by .twist Files Virus”. They are not a 100% guarantee that you will be able to restore all of your files, but with their aid you may be able to recover as many files as possible.
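The decryptor mentioned in the December 2018 update needs an encrypted file together with its original. The added Python example below (not part of the original article or of the decryptor) maps files named with the .[e-mail].twist scheme back to their original names and looks for clean copies in a backup tree; the directory layout, the sample files and the size check are assumptions.

```python
import os, re, tempfile

# <original name>.[<contact e-mail>].twist; any address matches (the page redacts it).
TWIST_NAME = re.compile(r"^(?P<orig>.+)\.\[[^\]]+\]\.twist$", re.I)
NOTE_NAME = "how_decrypt_files.txt"

def inventory(root):
    """Return ({encrypted rel path: pre-infection rel path}, [ransom note rel paths])."""
    encrypted, notes = {}, []
    for folder, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            if name.lower() == NOTE_NAME:
                notes.append(rel)
            elif (m := TWIST_NAME.match(name)):
                encrypted[rel] = os.path.join(os.path.dirname(rel), m["orig"])
    return encrypted, sorted(notes)

def decryptor_pairs(infected_root, backup_root):
    """Return (encrypted, clean original) pairs found in a backup tree.
    Assumption: the encrypted copy is never smaller than its original,
    since the page describes data being appended to each file."""
    pairs = []
    for enc_rel, orig_rel in sorted(inventory(infected_root)[0].items()):
        enc = os.path.join(infected_root, enc_rel)
        orig = os.path.join(backup_root, orig_rel)
        if os.path.isfile(orig) and os.path.getsize(orig) <= os.path.getsize(enc):
            pairs.append((enc, orig))
    return pairs

def demo():
    """Build constructed infected/backup trees; return (paired names, note count)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = os.path.join(tmp, "infected"), os.path.join(tmp, "backup")
        files = {  # constructed sample; the contact address is a placeholder
            (bad, "a.pdf.[contact@example.invalid].twist"): b"x" * 40,
            (bad, "b.docx.[contact@example.invalid].twist"): b"x" * 40,
            (bad, "How_Decrypt_Files.txt"): b"note",
            (good, "a.pdf"): b"y" * 32,
            (good, "b.docx"): b"y" * 64,  # larger than the encrypted copy: rejected
        }
        for (root, name), data in files.items():
            os.makedirs(os.path.join(root, "docs"), exist_ok=True)
            with open(os.path.join(root, "docs", name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(o) for _, o in decryptor_pairs(bad, good)], len(inventory(bad)[1])

if __name__ == "__main__":
    print(demo())
```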

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
