Remove HowDecrypt (Cryptorbit) virus and restore encrypted files

Update, Dec. 30: 9:20 a.m. PST: it seems there's a new variant of this file encrypting ransomware that drops slightly modified HOWDECRYPT.gif and HOWDECRYPT.txt files on infected computers with different instructions on how to recover your files. File decryption now costs ~$50, ten times less then a few weeks ago. The new howdecrypt image is now titled Cryptorbit, so I assume people will use this name to find more information about the infection. The previous variants didn't have any names associated with them, there were only .jpg and .txt files called HOWDECRYPT. One more thing, cyber crooks urge victims to access their TOR page using tor to web services rather than TOR browser. It's faster, besides, not everyone knows what TOR is. Everything else is pretty much the same. You can't restore encrypted files without your private key. Your best bet would be to use Shadow Explorer as explained below. We'll post new information about this virus here as soon as we can.

Cryptorbit "Your personal files are encrypted"

A slightly modified guide on how to pay the ransom and restore your files.

12/17/13 - Initial guide creation. One of the most unpleasant forms of malware around at the moment is the HowDecrypt encryption virus that encrypts your files and requires a $500 USD, 500 EUR or 0.5 Bitcoin ransom in order to get a decrypter. It attacks your computer and seriously limits or totally disables its functions by encrypting your files. It will them attempt to extort money from you so that your files will be usable again.

Usually, ransomware messages and warnings are incredibly realistic looking and are designed to cause as much alarm and distress as possible – hence the term scareware. Probably the best example of such malware would be the FBI ransomware. However, this variant is similar to CryptoLocker ransomware. It will actually encrypt your files instead of just trying to scare you. Usually, files in almost all the folders are encrypted and two files (a howdecrypt.jpeg and howdecrypt.txt) are added to the encrypted folders, explaining how to pay the ransom.

The contents of the HowDecrypt.txt file:

All files including videos, photos and documents on your computer are encrypted.

File Decryption costs ~ $ 500.

In order to decrypt the files, you need to perform the following steps:
1. You should download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Guaranteed recovery is provided within 10 days.

IMPORTANT INFORMATION:
Your Personal CODE: 00000001-XXXXXXXX

The decryption page is accessible through the Tor anonymity network using Tor web browser. There's a form where you can to enter your code, email and choose how to pay the ransom, either using 0.5 BTC or by submitting a $500 USD / 500 EUR MoneyPak, PaySafeCard, or Ukash voucher. You just need to make a payment and wait for an email with an attached decrypter that you can use to decrypt your files.Cyber crooks state that guaranteed recovery is provided within 10 days. Multiple users have reported that paying cyber crooks to decrypt the files actually does work. However, this is a self-help guide. Use at your own risk. I can't guarantee you anything.

So what should you do if this happens to you? Easy to say, but try not to panic and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can remove try to restore your files (at least some of them) using Shadow Explorer and specialized tools listed below.

To remove HowDecrypt and restore encrypted files, please follow the removal guide below. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur, http://deletemalware.blogspot.com

---

Step 1: Removing HowDecrypt (Cryptorbit) and related malware:

Before restoring your files from shadow copies, make sure HowDecrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.

Also, please feel free to call us (toll free) and we'll be happy to help you on the phone.


2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

---

Step 2: Restoring files encrypted by HowDecrypt (Cryptorbit) using Shadow Volume Copies:

Before using Shadow Explorer, you can try to decrypt some of your files using RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky. These tools might help you, but please note that they were not designed decrypt the data encrypted by HowDecrypt virus. However, you can still try them.

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.