Remove VenusLocker Ransomware And Decrypt Files

VenusLocker is a ransomware virus which encrypts user files, renames them and changes their extensions to .Venusf or .Venusp. The creators demand $100, $500 or a similar amount in Bitcoin to recover the files. File contents are encrypted with AES-256 and the AES key is protected with RSA-2048 (the .Venusf extension marks fully encrypted files, .Venusp partially encrypted ones), so decrypting the files yourself without the criminals' private key is practically impossible.

The virus displays a “You are hacked” warning window with instructions on how to make a payment as well as a 72-hour timer. It also places a “ReadMe.txt” ransom note on your desktop and tries to change the desktop background image. This ransomware is derived from the open-source EDA2 ransomware project and has several variants of its own, including the recent TrumpLocker, which looks and operates almost identically.

We strongly discourage you from paying any money to the criminals. Instead, you should remove the threat from your machine and then restore your files using the methods described in our file recovery guide. We have an automatic virus removal tool which will also protect your computer from future infections. We also have a manual removal guide for more experienced users.


Recommended Method: Download VenusLocker Ransomware Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here

What is VenusLocker ransomware virus?

VenusLocker behaves slightly differently from most other ransomware. It uses the common AES-256 and RSA-2048 algorithms, but does not treat every file the same way: some files are encrypted in full, while others only have their first 512 bytes overwritten, and the extension records which method was used. Partially encrypted files might still be partly recoverable, since most of their content is untouched, but no tool on this page restores them.

The ransomware is usually distributed through spam emails. The malicious attachment is disguised as an important invoice, a Word document, a notice from a shipping company or anything else that would encourage the user to open it immediately. As soon as the attachment is opened the malware runs on the Windows system and starts encrypting user files in the background.

After encryption finishes the files carry .Venusp or .Venusf extensions and their names are replaced with the Base64 encoding of the original name. A file named “DSC_0001.JPG” therefore becomes “RFNDXzAwMDEuSlBH.Venusp”. The files cannot be opened with regular Windows programs and the user is instructed to make a Bitcoin payment to recover them. The payment instructions window is very detailed and opens automatically as soon as VenusLocker finishes the encryption process.
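As an added example (not code from the original page), the following Python snippet reverses that renaming: it strips the VenusLocker extension, Base64-decodes the remaining name and rejects anything that does not decode to a safe file name. It restores names only; the contents stay encrypted until a decryptor, backup or shadow copy supplies the real data. The extension list is the one given further down this page, and the full/partial meaning of the f/p suffixes follows the page's description.

```python
import base64
import binascii

# Extensions the page associates with VenusLocker and its TrumpLocker variant.
VENUSLOCKER_EXTENSIONS = {".Venusf", ".Venusp", ".TheTrumpLockerf", ".TheTrumpLockerp"}


def original_name(encrypted_name):
    """Recover the original file name from a VenusLocker-renamed file.

    The ransomware Base64-encodes the original name and appends its own
    extension, e.g. "DSC_0001.JPG" -> "RFNDXzAwMDEuSlBH.Venusp".
    Returns None when the name does not follow that pattern.
    """
    stem, dot, ext = encrypted_name.rpartition(".")
    if not dot or "." + ext not in VENUSLOCKER_EXTENSIONS:
        return None
    try:
        # validate=True rejects anything outside the Base64 alphabet instead of
        # silently discarding it. UnicodeDecodeError is a ValueError subclass.
        decoded = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # The decoded name is attacker-controlled input: refuse anything that could
    # escape the directory when it is used to rename the file back.
    if not decoded or "/" in decoded or "\\" in decoded or decoded in (".", ".."):
        return None
    return decoded


def encryption_mode(encrypted_name):
    """'full' for the ...f extensions, 'partial' for the ...p extensions, as the page describes."""
    ext = encrypted_name.rpartition(".")[2]
    if "." + ext not in VENUSLOCKER_EXTENSIONS:
        return None
    return "full" if ext.endswith("f") else "partial"


def plan_renames(encrypted_names):
    """Map each decodable encrypted name to its original name, skipping collisions.

    A collision (two encrypted files decoding to the same name) is left alone
    rather than overwritten, so nothing recoverable is destroyed.
    """
    plan, taken = {}, set()
    for name in encrypted_names:
        original = original_name(name)
        if original is None or original in taken:
            continue
        plan[name] = original
        taken.add(original)
    return plan


if __name__ == "__main__":
    # Constructed sample listing, not real victim data.
    listing = ["RFNDXzAwMDEuSlBH.Venusp", "dmFjYXRpb24ubXA0.Venusf", "ReadMe.txt"]
    for enc, orig in plan_renames(listing).items():
        print(f"{enc} -> {orig} ({encryption_mode(enc)} encryption)")
```

To apply the plan on a real directory, iterate over os.listdir of the folder holding the encrypted files and rename each key to its value only after the contents have been recovered; renaming while the data is still encrypted only hides which files are damaged.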

IMPORTANT: If you think that you have just been infected by this or any other ransomware, check your CPU, RAM and hard disk usage. If it is above normal or the computer feels sluggish, the malware is probably still encrypting your files. In that case turn off your computer immediately to stop further damage, and unplug the network cable or disable Wi-Fi before turning it back on, so that mapped network drives and shared folders are not encrypted as well. Then use our automatic removal tool or follow the manual removal instructions. Resume using your PC normally only after you have removed the threat completely!

The following ransom note is presented by the ransomware:

--- Venus Locker ---
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer,
have been encrypted with RSA-4096, a strong encryption algorithm. RSA algorithm generates a public key and a private key for your computer.
The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files.
Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)

2. How to decrypt my files?
To decrypt and recover your files, you have to pay 100 US Dollars for the private key and decryption service.
Please note that you have ONLY 72 HOURS to complete your payment. If your payment is not completed within the time limit,
your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them.
Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.

3. How to pay for my private key?
There are three steps to make a payment and recover your files:
1). For the security of transactions, all the payments must be completed via Bitcoin network.
Thus, you need to exchange 100 US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about 0.15 BTC)
to the following address. 1Dj9YnMiciNgaKuyzKynygu7nB21tvV6QD
2). Send your personal ID to our official email: VenusLocker@mail2tor.com
Your personal ID is cc673bcfcf644d2c1a88893cb0ff8fa7
3). You will receive a decryptor and your private key to recover all your files within one working day.

4. What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money.
It is based on an open-source cryptographic protocol that is independent of any central authority.
Bitcoins can be transferred through a computer or a smartphone without an intermediate financial institution.
5. How to make a payment with Bitcoin?
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money.
You can choose the way that is more convenient for you.
About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu -- the best for Europe.
CEX.IO -- Visa / MasterCard
CoinMama.com -- Visa / MasterCard
HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about 0.15 BTC (equivalent to 100 USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit PMBitcoin.com. (https://pmbitcoin.com/btc)
Input our Bitcoin receiving address in the "Bitcoin Wallet" textbox.
Input 100 in the "Amount" textbox, the amount of Bitcoin will be calculated automatically.
Click "PAY" button, then you can complete your payment with your Perfect Money account and local debit card.
6. If you have any problem, please feel free to contact us via official email.
Best Regards
VenusLocker Team

The following emails are associated with the virus:
VenusLocker@mail2tor.com
crazyman@keemail.me
The virus has several variants; the following file extensions are associated with VenusLocker:
.Venusf
.Venusp
.TheTrumpLockerf
.TheTrumpLockerp

We strongly discourage you from paying the ransom to the criminals. This does not guarantee that you will receive a working decryption key. Also, this way you will fund the cyber crime and encourage the creators to continue developing ransomware. You might be targeted again in the future due to being seen as a paying victim.

You should follow our instructions and remove this virus as soon as possible. The best option is to use the automatic removal tool listed at the top of this page. The tool will not only remove VenusLocker but will also protect your computer from other viruses in the future. The manual removal guide is for experienced users only and does not guarantee that the threat will not come back if you do not secure your computer with proper antivirus software afterwards.

Screenshots of the VenusLocker ransomware in action (the ransom window and the changed desktop) were included here.


Manual Removal Instructions:

Remember to bookmark this page in order to access it after you restart your computer while working on the removal process!

Step 1:

Restart your computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only loads the most basic features, do not be alarmed that Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the Advanced Boot Options menu appears.
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Once the recovery screen appears, continue with the Shift+Restart method below from step 3 (Troubleshoot) onward.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can boot from a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB memory stick (works with Windows 8 and 8.1). You will then be able to choose the Troubleshoot option; from there the steps are identical to the Shift+Restart method starting from #3.

Step 2:

Find any processes that might be associated with the VenusLocker virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking the Windows taskbar and choosing Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now you will have to check each process manually.

We recommend not skipping any of the processes, as malware often uses names that look like essential Windows components. A genuine Windows component runs from C:\Windows\System32 (or C:\Windows); the same name running from %AppData%, %Temp% or another user profile folder is a red flag.

Right-click on each of the processes in the list and choose Open File Location.

Before uploading anything, look the file up on virustotal.com by its SHA-256 hash (you can get the hash from an elevated command prompt with: certutil -hashfile <path to file> SHA256). Uploading a file shares its contents with VirusTotal and its partners, which you may not want for personal documents; a hash search shows whether the file is already known without uploading it. Upload the file only if the hash is unknown.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened (or, better, move it to an isolated quarantine folder first so it can be identified later).

Repeat this until you have checked all processes.

Step 3:

Check your hosts file for any suspicious entries.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%\System32\drivers\etc\hosts

Click OK.

Notepad will open your “hosts” file (it has no extension). In a clean Windows installation every line of this file starts with “#”, i.e. everything in it is a comment, including the sample 127.0.0.1 localhost entries. Any line without a “#” in front of it is an active mapping: malware adds such lines to point security vendor or update sites at 127.0.0.1 (blocking them) or to redirect sites to an address it controls. Unless you or your administrator added an entry deliberately, delete it. To save the changes, Notepad must be run as administrator (search for Notepad in the Start menu, right-click it, choose Run as administrator, then open the file via File > Open).
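Rather than eyeballing the file, you can parse it. The Python below is an added example, not part of the original page: it reports every active mapping in a hosts file, separating names sinkholed to the local machine (blocked sites) from names sent somewhere else. SAMPLE_HOSTS is constructed for the demo, and 198.51.100.7 is a placeholder address from the documentation range, not a real indicator.

```python
import ipaddress
import os

# Constructed sample hosts file: the comment-only header Windows ships with,
# plus two active lines of the kind malware adds. 198.51.100.7 is a
# documentation-range address used here only as a placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 www.virustotal.com   # blocks the scanning site
198.51.100.7 update.example.com
"""


def audit_hosts(text):
    """Return every active (uncommented) mapping in a hosts file with a reason to review it.

    A stock Windows hosts file contains comments only, so any active line was
    added either by an administrator on purpose or by something unwanted.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append({"line": lineno, "entry": raw.strip(), "reason": "malformed entry"})
            continue
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "entry": raw.strip(), "reason": "malformed entry"})
            continue
        for name in names:
            if addr.is_loopback and name.lower() == "localhost":
                continue  # the one mapping that belongs there
            if addr.is_loopback or addr.is_unspecified:
                reason = "name sinkholed to the local machine (blocks access to the site)"
            else:
                reason = "name redirected to another address (site served from elsewhere)"
            findings.append({"line": lineno, "ip": ip, "name": name, "reason": reason})
    return findings


if __name__ == "__main__":
    # On Windows read the real file; elsewhere fall back to the constructed sample.
    real_path = os.path.expandvars(r"%windir%\System32\drivers\etc\hosts")
    if os.path.isfile(real_path):
        with open(real_path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(finding)
```

Reading the file needs no elevation; only writing it does, so the audit can run from a normal prompt and the edit is then done in the elevated Notepad described above.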

Step 4:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries. (On Windows 8 and 10 this tab only points you to the Startup tab of Task Manager; disable the suspicious entries there instead.)

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 5:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

Venus

Click Find Next.

If you find any registry entries that could be associated with VenusLocker, delete them by right-clicking on it and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

U2FsdGVkX1DKeR
VenusLocker
code2

Step 6:

Clean up Windows temporary files.

VenusLocker can operate from the temporary files directory.

Deleting temporary files does not harm Windows; files that are currently in use will refuse to be deleted and can simply be skipped. If you may want to identify the sample later (for example to check whether a decryptor applies to it), copy any suspicious executables to an isolated folder or a USB stick before deleting them.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 7:

Check for any recent changes in all the other important system files.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here blindly! First sort by “Date Modified” and look for files that changed around the time of the infection. Scan only recently changed files with virustotal.com (look up the SHA-256 hash first and upload only if the hash is unknown) and remove only files reported as dangerous. Otherwise you might remove files that Windows or your programs depend on and Windows might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 8:

Use Windows File Search (you can access it from the Windows Start Menu by simply pressing the Windows key) in order to find the following files and delete them:

U2FsdGVkX1DKeR.vluni
VenusLocker.exe
code2.exe
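The sweep in Steps 7 and 8 can be scripted so that every recently changed file under the profile directories is listed with its SHA-256 (for a VirusTotal hash lookup, which uploads nothing) and flagged when it carries one of the file names above or an executable extension. This Python script is an added example and not from the original page; the EXEC_EXTENSIONS list is my assumption of what deserves a closer look, the VirusTotal URL form is assumed from its public web interface, and build_demo_dir creates a constructed sample directory so the script can be tried without an infected machine.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# File names the page lists for VenusLocker (Step 8), matched case-insensitively.
KNOWN_NAMES = {"u2fsdgvkx1dker.vluni", "venuslocker.exe", "code2.exe"}
# Assumed list of extensions worth a second look when freshly written into a profile directory.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup_url(sha256_hex):
    """VirusTotal report page for a hash (assumed URL form); visiting it uploads nothing."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def recent_files(root, hours=24, now=None):
    """Files under root modified within the last `hours`, newest first.

    Each entry carries size, SHA-256 and flags so the hash can be checked on
    VirusTotal before deciding whether the file is worth uploading or deleting.
    """
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if st.st_mtime < cutoff:
                continue
            flags = []
            if name.lower() in KNOWN_NAMES:
                flags.append("name listed for VenusLocker")
            if p.suffix.lower() in EXEC_EXTENSIONS:
                flags.append("executable content")
            try:
                digest = sha256_of(p)
            except OSError:
                digest = None  # locked by a running process; still worth listing
            results.append({
                "path": str(p),
                "mtime": st.st_mtime,
                "size": st.st_size,
                "sha256": digest,
                "flags": flags,
            })
    results.sort(key=lambda r: r["mtime"], reverse=True)
    return results


def build_demo_dir():
    """Constructed sample tree (no real malware): one stale document and one
    freshly written file carrying a name from the page's list."""
    d = tempfile.mkdtemp(prefix="venus-triage-")
    now = time.time()
    stale = Path(d) / "old_notes.txt"
    stale.write_bytes(b"written long ago")
    os.utime(stale, (now - 3 * 86400, now - 3 * 86400))
    fresh = Path(d) / "code2.exe"
    fresh.write_bytes(b"placeholder bytes, not a real executable")
    return d, now


if __name__ == "__main__":
    # On Windows point this at the directories from Step 7; elsewhere the demo
    # directory shows the output format.
    roots = [os.path.expandvars(v) for v in ("%AppData%", "%LocalAppData%", "%ProgramData%")]
    roots = [r for r in roots if os.path.isdir(r)] or [build_demo_dir()[0]]
    for root in roots:
        for entry in recent_files(root, hours=24):
            print(entry["path"], entry["size"], vt_lookup_url(entry["sha256"] or ""), entry["flags"])
```

The hours window should cover the time between the infection and the moment you run the sweep; a flagged hit is still only a lead, and the decision to delete belongs after the hash lookup, not before.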

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

Check for EDA2, VenusLocker or TrumpLocker decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies that still exist. You can check beforehand whether any survived by opening an elevated command prompt and running: vssadmin list shadows. If it reports that no items satisfy the query, skip ahead to Step 3.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 3.

Step 3:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a VenusLocker decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

