.Velso Files Virus – How to Remove and Restore Your Data

This article explains what the .velso file extension virus is, how to detect and remove it from your computer, and how to restore encrypted files.

A new ransomware infection that uses the .velso file extension and the “get_my_files.txt” ransom note has been detected in the wild. The virus aims to encrypt the files and generate a base64 public key, which the victim is supposed to send to the anonymous e-mail address MerlinVelso@protonmail.com to receive payment instructions and get the cyber-criminals to decrypt them. Such ransomware attacks are increasing in both variety and infection rate. If your computer has been infected by the .velso ransomware virus, we recommend that you read the following article to learn how to remove it and how to try to restore your encrypted files.

Threat Summary

Name: .velso Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt your files, making them no longer openable, unless you pay ransom to the hacker to send you a decryption software key.
Symptoms: The files are encrypted with an added .velso file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files

.Velso Ransomware – Propagation

There may be several different methods by which your computer may have been infected with the .velso files virus. The main one is e-mail: the malware is spread via messages, and its malicious files end up being opened manually by you. Spammed e-mails sent by cyber-criminals often contain deceitful messages that aim to convince you that the attachments are legitimate documents, such as fake invoices or receipts for an order you may never have heard of. Furthermore, legitimate retailers like PayPal, FedEx, DHL and others are often imitated in the e-mails, so it is advisable to take caution.

Besides e-mail messages, the cyber-criminals also aim to infect victims with less effort, which may be why you find the infection file of the .velso ransomware masked as a fake:

  • Key generator.
  • License activation software.
  • Patch for program or game.
  • Crackfix.
  • Setup of software or games.

The cyber-criminals usually upload these malicious files to suspicious websites, and they often archive the files to mask them from conventional antivirus protection. Maximum caution and on-demand scanning with advanced anti-malware software are therefore advisable if you use a download site for the first time.

.Velso Files Virus – More Information and Activity

The .Velso files virus is a type of threat with a clear purpose: to encrypt the files on your computer. Its initial infection is usually conducted by an intermediary malware file, such as a downloader or dropper. Such files may use obfuscation to hide the fact that they drop the malicious files of the .velso ransomware on your computer. The dropped files include the main executable of the virus plus other support files, and they often have random names or imitate legitimate Windows processes or programs. They may be dropped in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The files that may be dropped may be of the following types:

.exe, .bat, .vbs, .reg, .js, .dll, .tmp, .hta

Among the files dropped by the .velso ransomware is the get_my_files.txt ransom note, which has the following message to victims:

“Hello. If you want to return files, write me to e-mail MerlinVelso@protonmail.com
Your userkey: {KEY}”

In addition to this, the .velso files virus may also add Windows Registry Entries in the following Windows Registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In those sub-keys, the entries that are created by the virus may have random names and their data may lead to the actual location of the malicious file set to run and encrypt your files, adding the .velso extension.
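One way to review that Run key for entries matching the drop locations and file types listed above, as an added example that is not part of the original article. It parses the text printed by `reg query`; the sample output and the value names in it are constructed, and treating any path component named AppData or Temp as one of the article's drop directories is an assumption.

```python
import re
from pathlib import PureWindowsPath

# File types the article lists for dropped files.
DROPPED_TYPES = {".exe", ".bat", ".vbs", ".reg", ".js", ".dll", ".tmp", ".hta"}
# Assumption: the article's %AppData%, %Local%, %LocalLow%, %Roaming% and
# %Temp% all resolve to paths containing one of these components.
USER_WRITABLE = {"appdata", "temp"}

VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Program path: a quoted string, or (unquoted) text up to the first ".ext".
TARGET = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.\w+)(?=\s|$))')


def suspicious_run_values(reg_query_output):
    """Return (value name, target path) pairs that deserve a manual look."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        t = TARGET.match(m.group("data"))
        if not t:
            continue  # no recognisable file path in the value data
        target = t.group("q") or t.group("u")
        path = PureWindowsPath(target)
        parts = {p.lower() for p in path.parts}
        if path.suffix.lower() in DROPPED_TYPES and parts & USER_WRITABLE:
            hits.append((m.group("name"), target))
    return hits


# Constructed sample in the layout printed by
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorUpdater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    xkqzvd    REG_SZ    "C:\Users\alice\AppData\Roaming\xkqzvd.exe"
    svch0st    REG_SZ    C:\Users\alice\AppData\Local\Temp\svch0st.bat
'''

if __name__ == "__main__":
    for name, target in suspicious_run_values(SAMPLE):
        print(f"review Run value {name!r} -> {target}")
```

A hit is only a lead for manual review: legitimate software also starts from AppData, so check the file itself before deleting the value.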

In addition to encrypting data, the .velso files virus may also perform other activities on the victim’s computer, such as running a script as an administrator that triggers the Windows Command Prompt. The script may delete the shadow volume copies of the infected machine, most likely by executing the vssadmin and bcdedit commands with the following parameters:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
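Detection logic for the three behaviours in that command line, run over process-creation records, as an added example that is not part of the original article. The host names, process IDs and the event tuple layout are constructed; the command strings are modelled on the one quoted above.

```python
import re

# One rule per behaviour in the command line quoted in the article.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
}


def normalise(cmdline):
    """Lower-case, drop straight and curly quotes, collapse whitespace."""
    cleaned = re.sub(r'["“”]', "", cmdline.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    text = normalise(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def triage(events):
    """events: iterable of (host, pid, command line); yield only the hits."""
    for host, pid, cmdline in events:
        found = classify(cmdline)
        if found:
            yield host, pid, found


# Constructed process-creation records: two matches, two benign look-alikes.
EVENTS = [
    ("WS-014", 4312, "cmd.exe /c vssadmin.exe delete shadows /all /quiet & "
                     "bcdedit.exe /set {default} recoveryenabled no & "
                     "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-014", 4400, r"C:\Windows\System32\VSSADMIN.EXE  Delete Shadows /All /Quiet"),
    ("SRV-02", 812, "vssadmin list shadows"),
    ("SRV-02", 960, "bcdedit /enum {default}"),
]

if __name__ == "__main__":
    for host, pid, found in triage(EVENTS):
        print(f"{host} pid={pid}: {', '.join(found)}")
```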

.Velso Ransomware – How Does It Encrypt

The encryption of the .velso ransomware virus has been done using a sophisticated encryption algorithm, which replaces data from the original targeted files with data from the algorithm. The malware also aims to target specific files for encryption, like documents, images, videos, archives and other often used files which may have the following file extensions:


After the encryption process has completed, the ransomware virus adds the .velso file extension to the encrypted files, making them appear like the image below shows:

The files cannot be recovered directly, since their core code is changed and tampering with them may risk damaging them. For more methods by which you may be able to recover them, check the removal and restoration section of the article underneath.
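To scope the damage before attempting any restoration, a read-only inventory of the two file indicators named in this article, as an added example that is not part of the original article. It lists the original names of files carrying the .velso extension per folder and collects the userkey line from any get_my_files.txt note; the report layout and the sample tree are constructed.

```python
import os
import re

NOTE_NAME = "get_my_files.txt"   # ransom note name given in the article
ENC_SUFFIX = ".velso"            # extension appended to encrypted files
USERKEY = re.compile(r"Your userkey:\s*(\S+)")


def inventory(root):
    """Walk root and summarise what was hit, without modifying anything."""
    report = {"encrypted": {}, "notes": [], "userkeys": set()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if name.lower().endswith(ENC_SUFFIX):
                # Original name = encrypted name minus the appended suffix.
                original = name[: -len(ENC_SUFFIX)]
                report["encrypted"].setdefault(folder, []).append(original)
            elif name.lower() == NOTE_NAME:
                report["notes"].append(full)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        report["userkeys"].update(USERKEY.findall(fh.read()))
                except OSError:
                    pass  # unreadable note is still listed in report["notes"]
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree; the file names and key value are made up.
    with tempfile.TemporaryDirectory() as root:
        for name in ("report.docx.velso", "photo.jpg.velso", "untouched.txt"):
            open(os.path.join(root, name), "wb").close()
        with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write("Hello.\nYour userkey: Q09OU1RSVUNURUQ=\n")
        result = inventory(root)
        for folder, names in result["encrypted"].items():
            print(folder, sorted(names))
        print("notes:", result["notes"], "userkeys:", result["userkeys"])
```

The per-folder list of original names is what you would compare against a backup catalogue or a data recovery scan.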

How to Remove .Velso Ransomware and Restore Encrypted Files

To fully remove this ransomware infection, we recommend that you follow the instructions below for either the manual or the automatic removal approach. If you lack experience in manual removal, experts often advise that the best way to remove viruses like .velso is to scan your computer for all the objects related to them and remove them automatically by using advanced anti-malware software. Such software will also make sure that your computer remains protected against future infections.

If you want to try and recover as many files as possible by using methods besides paying the ransom, we advise you to check some of the file recovery methods down below in step “2. Restore files encrypted by .velso Files Virus”. These are not 100% guaranteed to work, but they may help you to get back at least some of your important data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
