How To Remove .Serp Ransomware And Recover Encrypted Files

.Serp is a new extension of Serpent ransomware which appeared on 9th of April 2017. Previous version used to change file extensions to .serpent while the new one uses a shorter one: .serp. The ransom note has also received a new name and is now called “README_TO_RESTORE_FILES“.

The updated Serpent version is even more dangerous even though it has been already aggressive since the beginning. The creators have invested a lot of time in its development and created a complex virus as a result. The group behind this project is suspected to have worked on at least three other ransomware families.

The virus targets and encrypts many file types and makes them impossible to open. It then demands a BitCoin payment in order to decrypt the files. A time limit of 7 days is given after which the ransom amount increases. All payment information and tracking is included on a dedicated “Serpent Ransomware” website which can be accessed through various regular and .onion (TOR) addresses.

Even though the criminals promise to provide you with a decryption key and software, there is no guarantee that they will do so after you make the payment. Therefore, we strongly recommend removing this malware yourself and trying alternative file recovery methods included in this article. We recommend using the automatic removal tool listed below as it is the easiest and most reliable option to remove this complex ransomware.


Recommended Method: Download Serpent Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is .Serp (Serpent) ransomware?

Serpent is one of the most complex and dangerous ransomware viruses currently targeting user computers. It has evolved from several other ransomware families called Zyklon Locker, Wildfire Locker, and Hades Locker.

Serpent is currently known to use two extensions for encrypted files: .serpent and .serp, the latter being associated with the updated version. The new version also renamed .html and .txt ransom notes (from “HOW_TO_DECRYPT_YOUR_FILES” to “README_TO_RESTORE_FILES“) but the payment website is still titled “Serpent Ransomware” and has the same looks.

There are many distribution methods for ransomware to spread. However, email spam still remains the most common way of infecting computers. The virus is usually included as an important Microsoft Word, PDF or any other file or image and activates as soon as you download and launch the suspicious attachment. Word documents often ask you to enable Macros which is another indicator that you are being targeted by malicious software. You should never open suspicious emails and attachments with strange extensions or unknown contents.

Other ways for this malware to spread are exploit kits, bundling with illegal software on Torrent and other P2P websites and distribution through infected websites.

Once the virus enters your system it immediately starts encrypting all important files in the background. When the encryption process finishes a ransom note pops up and all files become impossible to open. You are required to visit a .onion (TOR) website with payment instructions and pay the ransom in BitCoin. A personal ID is generated for you to log in to the payment website and be identified by the ransomware creators.

Here are typical ransom note contents in English:

==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====
================ PLEASE READ THIS MESSAGE CAREFULLY ================

Your documents, photos, videos, databases and other important files have been encrypted!
The files have been encrypted using AES256 and RSA2048 encryption (unbreakable)
To decrypt your files you need to buy the special software ‘Serpent Decrypter’.
You can buy this software on one of the websites below.
http://vdpbkmwbnp.pw/
http://hnxrvobhgm.pw/
If the websites above do not work you can use a special website on the TOR network. Follow the steps below
1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads
2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion
3. Follow the instructions to buy ‘Serpent Decrypter’

================ PLEASE READ THIS MESSAGE CAREFULLY ================

Other languages are often used as well depending on the targeted country. For example, Serpent is known for actively targeting Danish users.

Here are some addresses associated with the ransomware:

185.163.46.150
tomrerarbejdeolsen.com/
3o4kqe6khkfgx25g.onion
vdpbkmwbnp.pw
hnxrvobhgm.pw
n7457xrhg5kibr2c.onion
pfmydcsjib.ru
jdybchotfn.ru

We strongly discourage you from paying the ransom as there is no guarantee that the criminals will provide you with the required decryption key and software after you make the payment. This way you can lose both your money and files. The ransomware creators demand a lot of money (often close to $1000) so there is a high risk involved. They can also leave additional backdoors and target you in the future since you will be marked as a paying victim.

We recommend removing the ransomware yourself instead of following the ransomware instructions and financing the criminals. The automatic tool provided above is the easiest and most reliable way to remove this threat. It will scan your system for this and any other virus and remove them immediately. It will also protect your computer in the future so you will not run into similar problems again. We also have a manual removal guide for more experienced users. However, this method requires Windows system knowledge and is not as reliable as the automatic tool.

Unfortunately, .serp files currently do not have official decryption software developed by security researchers. This means that there is no straightforward way to recover your files. However, we have several alternative methods which should help you get back the ransomed files.

Screenshots of .serp ransomware:

    


 Manual Removal Instructions:

NB: Even if you follow this guide completely there might be some virus files remaining deep in the system. Therefore, we recommend using the automatic removal tool listed above. This way you will be sure that Serpent is removed completely as well as that your computer will be protected from any further threats.

Make sure you bookmark this page as a computer restart will be required. The best way to work is to open this website on a separate device while removing the threat.

Step 1:

You will need to restart the computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

serpent

Click Find Next.

If you find any registry entries that could be associated with Serpent ransomware, delete them by right-clicking on it and choosing Delete.

Repeat the search with the following search queries:

ransomware
vdpbkmwbnp
hnxrvobhgm
3o4kqe6khkfgx25g

Repeat this search until no results are found anymore.

Step 3:

Clean up Windows temporary files.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 4:

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

A folder will open. Go to the following directory:

Roaming

Search for any randomly named directories with exe files in them there and delete them permanently by pressing SHIFT + DELETE.

Look for any other recently created and randomly named .exe files and delete them as well.

From the same folder navigate further to this path:

Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Look for a randomly named VBS file, for example:

raesdfgiuytr.vbs

Delete it. Look for any other recently created and randomly named .vbs files and delete them as well.

Step 5:

Block virus IPs in your hosts file.

Press and hold Windows () key and click R key.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “127.0.0.1 localhost” entry. Here is an example:

Then, at the bottom of the file, paste the following text and save it:

127.0.0.1 185.163.46.150
127.0.0.1 146.71.84.110
127.0.0.1 185.175.208.12
127.0.0.1 94.140.120.88

Step 6:

Find and delete the following file by utilizing Windows Search (Windows () key to open):

software.exe

Make sure it has been modified recently (at the time of the infection) and is related to the virus.

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate media in case you are not able to recover the files using our methods.

Check for Serpent decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Try restoring earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus usually deletes shadow copies so this step this might be unsuccessful. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Serpent decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Serpent ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *