New version of CryptoShield ransomware virus was released, using the same .CRYPTOSHIELD file extension and AES encryption. The malware performs modification on the files of the computers it infects to make them non-openable. It then drops a .txt and .html files, both named # RESTORING FILES #. These documents are so-called ransom notes and their only goal is to notify the victim of this ransomware virus to pay a hefty fee after contacting the e-mails of the cyber-criminals who are behind the CryptoShield 2.0 infection. We recommend reading this article If you are interested in removing this ransomware virus and trying to get your data back without giving away to these extorionists.
CryptoShield 2.0 Ransomware – Further Information
As soon as this iteration of the ransomware on your computer, has caused the infection, just like the 1.1 iteration, it creates multiple files on your computer. Amongst the files that are created by CryptoShield 2.0 are reported to be a .tmp.exe file, a .js.tmp file, another two executables, an executable, named “conhost.exe”, located in %system32% directory and some other files.
In addition to the payload of this virus being dropped, it is also reported to abuse the Windows Command Prompt and hence perform multiple different activities, such as delete the shadow volume copies on the infected computer. In addition to this, the virus also performs other activities such as setting malicious files to run on Windows boot up, like it’s encryption module.
The encryption process of CryptoShield 2.0 ransomware is performed with the support of the AES encryption algorithm. It replaces bytes of important files for the user, such as documents, photos, music, video files, Adobe PDF and Microsoft Office files and even archives, like .zip and .rar.
The virus then leaves the files with random identification numbers and the .CRYPTOSHIELD file extension after it. The files also contain no icon and cannot be opened by any type of program.
After the encryption process by CryptoShield 2.0 ransomware is complete, the virus scares the user by dropping the two ransom note files, named # RESTORING FILES #.txt and # RESTORING FILES #.html. They have similar content to the one below:
“What happens to you files?
All of your files were encrypted by a strong encryption with RSA-2048 using CryptoShield 2.0. DANGEROUS.
More information about the encryption keys using RSA-2048 can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
Specially for your PC was generated personal RSA – 2048 KEY, both public and private. ALL your FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make payment.
To receive your private software:
Contact us by email , send us an email your (personal identification) ID number and wait for further instructions. Our specialist will contact you within 24 hours.
ALL YOUR FILES ARE ENCRYPTED AND LOCKED, YOU CAN NOT DELETE THEM, MOVE OR DO SOMETHING WITH THEM. HURRY TO GET BACK ACCESS FILES. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!
So right now You have a chance to buy your individual private SoftWare with a low price!
email@example.com – SUPPORT;
firstname.lastname@example.org – SUPPORT RESERVE FIRST;
email@example.com – SUPPORT RESERVE SECOND;” Source: id-ransomware.blogspot.bg
Malware experts strongly advise against paying any form of ransom to the cyber-criminals behind the res_sup e-mails, because it is no guarantee you will get your files and more to it, you aid the operation of the cyber-crooks.
How Did I Get Infected With CryptoShield 2.0
This type of ransomware uses the latest version of the famous RIG exploit kit – 4.0. It includes malicious code written to cause an undetected infection after a malicious file is opened. Such malicious files, usually pretend to be invoices or other type of fake documents that seem important. To convince the user to click on them, the ransomware infection uses multiple different deceptive messages. These messages are usually aiming at something that may have been done on an account of the user, like a purchase without his or her consent. Some e-mails are very easy to detect, but some are very direct and may even include the name of the user’ whose e-mail account is targeted.
CryptoShield 2.0 – Remove and Try to Restore The Files
CryptoShield 2.0 ransomware is a threat that can be removed only via one way – by isolating the threat initially after which performing the removal process by following the guidelines below. The ransomware virus can also be removed with an advanced anti-malware tool which is the option, malware analysts often recommend.
Booting in Safe Mode
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out CryptoShield 2.0 in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of CryptoShield 2.0, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate CryptoShield 2.0‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type CryptoShield 2.0 or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type CryptoShield 2.0 Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type CryptoShield 2.0 in the search field.
Automatic Removal of CryptoShield 2.0
Recover files encrypted by the CryptoShield 2.0 Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File history on your Windows Machine one thing you can do is to use Shadow Explorer to get your files back. Unfortunately some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: If you try to decrypt your files using third-party decryption tools. There are many antivirus providers who have decrypted multiple ransomware viruses the last couple of years and posted decryptors for them. Chances are if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. However, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: