The purpose of VTUA ransomware is to block the victim's access to their own files. It overwrites the start of each file with strong encryption and protects the key with a public key held by the attackers, so the private key needed for decryption is only in the criminals' possession. The same primitives are used legitimately every day to protect data in transit (passwords, email and other sensitive details); here they are turned against the computer user to hold data hostage. This variant of STOP/DJVU works identically to its predecessors (TISC, NQSQ and others). The malware encrypts only the first 150 KB of each file. That rule lets it work through the whole file store quickly, before the victim notices the attack, while still rendering every file unusable. A victim without a backup made before the attack has few options, but there are some ways to decrypt or repair affected files: victims hit with an offline key have a chance to restore their files (explained later), and the Media_Repair tool by DiskTuna can repair some audio and video files whose usable content lies beyond the encrypted region, as explained in this guide.

Once the files are locked, the ransomware leaves an explanation behind: a _readme.txt note in every folder. The note says that VTUA has encrypted all images, videos, documents, archives and other important files with the "strongest" encryption, and that the data can still be decrypted if the victim meets the criminals' demands. It tells the victim to write to the provided email addresses with their Personal ID and one test file.
The criminals then reply with the decrypted test file and instructions on buying cryptocurrency and sending it to their wallet address. The note warns the victim not to send a test file that contains valuable information, or the attackers may refuse to decrypt it; the worry is that a victim who has already recovered the one file that mattered sees no reason to pay. The _readme.txt note also states the pricing for the VTUA decryption tool and key: a 50% discount if the victim makes contact and agrees within 72 hours of the initial attack timestamp, and $980 otherwise. The criminals accept only cryptocurrency such as Bitcoin, because conventional payments could reveal the operators' identities. Our experts, like the FBI, do not recommend paying ransoms to extortionists. Here are some reasons why paying crypto-malware operators is a bad idea:

- Whatever amount you transfer, the criminals can disappear the moment the transaction reaches their wallet. Paying does not guarantee decryption or recovery in any way; everything is in the cybercriminals' hands.
- Paying keeps the ransomware cycle going. The attackers would not keep producing so many ransomware variants if there were not so many victims paying to decrypt their files.
- Ransomware operators earn millions of US dollars annually, and that income attracts others to join the business.
- STOP/DJVU variants, VTUA included, tend to load additional malware onto the already-compromised computer, for instance the AZORULT information-stealing Trojan. It collects sensitive information from the host, which can then be used for further extortion and blackmail.


What this ransomware does to your computer

If you have fallen victim to the VTUA ransomware, it helps to clear up the uncertainties and explain what the virus has done to your system. You may already have an idea how you got infected; for the record, the majority of these infections arrive as a malicious torrent download, and most victims report having downloaded a compromised software crack or keygen.

Once on the system, the ransomware collects information about the operating system, user name, hardware and installed software, then fetches the victim's geolocation (IP address, country code, city, longitude, latitude, zip code and time zone) from "https[:]//api.2ip.ua/geo.json". If the country code matches one on its hardcoded exclusion list, the malware terminates without encrypting anything. Otherwise it continues and tries to reach its Command & Control server to obtain a unique encryption key for the victim. When it receives one, it writes the key material to the bowsakkdestx.txt file together with the victim's personal ID string; the ID is also saved separately to PersonalID.txt. If the ransomware cannot reach the server, it falls back to a hardcoded offline key. You can tell which case applies from the end of your personal ID: if the last two characters are t1, you were most likely hit with the offline key. That is partly good news, because a hardcoded key is the same for every victim of the variant, and once it is recovered your files can be expected to become decryptable.

With the key settled, the virus scans the system and encrypts the files it finds, skipping system folders so that Windows keeps running. It makes each file inaccessible, appends an extra extension to its name and drops a ransom note in every folder.
At the same time it shows a fake Windows Update prompt with a progress bar, so that the victim attributes the slow system to essential updates being downloaded and installed (the prompt comes from a fake winupdate.exe process). Next, the ransomware runs a command-line task that deletes Volume Shadow Copies, removing the chance of recovering data from System Restore points (if any existed):

vssadmin.exe Delete Shadows /All /Quiet

That is not its last modification. On top of everything that already blocks access to the files, the virus adds a list of domain names to the Windows HOSTS file, mapping them to the localhost address. Any attempt to open one of those sites then connects to the victim's own machine and fails, and the browser reports the site as unreachable. The list covers websites that publish malware removal guides, advice on responding to a ransomware attack and file recovery guides, plus forums where users discuss computer problems: the operators do not want the victim to find help online, which adds to the pressure. Finally, the ransomware can deliver more malware to the computer, although _readme.txt says nothing about it. It can drop the AZORULT Trojan, which is used to collect sensitive information from your computer remotely and has the following capabilities:

- download and run more malware on your computer;
- view files in your folders and delete them;
- steal private information or login credentials, including cryptocurrency wallets, banking details and credentials saved for various websites;
- steal login details for Telegram and Steam accounts.
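As an added example (not code from the page or from any vendor named here), the Python helpers below perform the three checks a responder would want to run on artefacts copied off the infected machine: classify the personal ID as offline or online by its t1 suffix, flag the shadow-copy deletion command in process-creation logs, and list and strip the HOSTS entries the ransomware pinned to the loopback address. The sample HOSTS content and command lines are constructed for the example; the .test domain names are placeholders, not the real list the malware writes.

```python
"""Offline triage helpers for the STOP/DJVU behaviour described above.

Added example: not code from the original page or from any vendor it names.
Everything operates on text copied off the infected machine, so it runs
anywhere. All sample inputs below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample HOSTS file: the .test names stand in for the real
# security/help sites the malware pins to loopback.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       helpdesk-forum.test
127.0.0.1       malware-removal-guides.test ransomware-recovery.test
0.0.0.0         security-news.test   # appended by the malware
"""

# Constructed process command lines, as they might appear in Sysmon event 1
# or Windows Security event 4688 with command-line auditing enabled.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
    r'vssadmin.exe list shadows',
]

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def personal_id_kind(personal_id: str) -> str:
    """Return 'offline' for IDs ending in 't1', otherwise 'online'.

    Offline IDs come from the hardcoded key the malware uses when it cannot
    reach its C2; that key is shared across victims and is the only case the
    public decryptor can ever handle.
    """
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith("t1") else "online"


_VSS_DELETE = re.compile(r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True for any 'vssadmin delete shadows' invocation, whatever the flags.

    Matching verb and noun rather than the literal '/All /Quiet' string also
    catches the same action with flags reordered or omitted.
    """
    return bool(_VSS_DELETE.search(cmdline))


def _parse_hosts_line(line: str) -> Tuple[str, List[str]]:
    """Split a HOSTS line into (address, [hostnames]); comments are dropped."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return "", []
    return fields[0], fields[1:]


def hosts_blocklist(hosts_text: str) -> List[str]:
    """Hostnames the HOSTS file sends to loopback, excluding the legitimate
    localhost entries. On a clean Windows box this list is empty."""
    found: List[str] = []
    for line in hosts_text.splitlines():
        addr, names = _parse_hosts_line(line)
        if addr in LOOPBACK:
            found.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return found


def clean_hosts(hosts_text: str) -> Tuple[str, List[str]]:
    """Return (cleaned HOSTS text, removed hostnames).

    Lines that sinkhole only non-local names are dropped; a line that mixes
    localhost with sinkholed names keeps just the localhost part.
    """
    kept: List[str] = []
    removed: List[str] = []
    for line in hosts_text.splitlines():
        addr, names = _parse_hosts_line(line)
        if addr in LOOPBACK:
            bad = [n for n in names if n.lower() not in LOCAL_NAMES]
            if bad:
                removed.extend(bad)
                good = [n for n in names if n.lower() in LOCAL_NAMES]
                if good:
                    kept.append(f"{addr} {' '.join(good)}")
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def triage(personal_id: str, cmdlines: List[str], hosts_text: str) -> Dict[str, object]:
    """Bundle the three checks into one report."""
    return {
        "key_kind": personal_id_kind(personal_id),
        "shadow_copies_deleted": any(is_shadow_copy_deletion(c) for c in cmdlines),
        "sinkholed_sites": hosts_blocklist(hosts_text),
    }


if __name__ == "__main__":
    # Constructed ID: only the 't1' suffix matters for the classification.
    print(triage("0000exampleIDt1", SAMPLE_CMDLINES, SAMPLE_HOSTS))
```

Run it against the real PersonalID.txt contents, an exported process-creation log and a copy of C:\Windows\System32\drivers\etc\hosts taken from the machine; write the cleaned HOSTS text back only after the malware itself has been removed, or it will simply re-add the entries.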

Given the damage this malware does, we strongly recommend taking steps to secure your information and your whole system immediately. Use robust security software with real-time protection, such as INTEGO Antivirus, which has an excellent malware detection rate, to remove existing threats from Windows. Computer experts also advise downloading RESTORO and scanning your PC with it to repair the damage the virus caused to Windows OS files.


Ransomware distribution tricks: avoid getting infected

Knowing how cybercriminals distribute ransomware helps you avoid similar attacks in the future. Common attack vectors include exploits, malicious email attachments and illegal torrent downloads. For STOP/DJVU variants such as VTUA, the main method is pirated software offered through untrustworthy torrent libraries. The criminals prey on users who are willing to use peer-to-peer file sharing clients to download pirated software or games and activate their premium versions for free. Worse, many users dismiss the security alerts such downloads trigger, believing that antivirus software flags anything with "crack" in the name. Antivirus does sometimes flag such downloads falsely, but in the majority of cases it is best to stay on the safe side and not open the file. Remember too that not noticing signs of malware immediately does not mean it is absent: cryptocurrency miners, Trojans and other malware can reside on a system unnoticed for a long time, and malware such as ransomware can be configured to launch only after a set delay to avoid immediate detection. We have aggregated a list of software names that victims of STOP/DJVU variants tried to download from unofficial sources before ending up infected. In other words, the file-encrypting threat described here tends to hide in cracks for these programs:

- Adobe Photoshop;
- Corel Draw;
- Tenorshare 4ukey;
- Cubase;
- Adobe Illustrator;
- League of Legends;
- Windows activation tools such as KMSPico.

If you want to avoid infection, download the programs and games you need only from official, confirmed sources. Supporting legitimate software developers who create useful or entertaining programs also beats funding criminals: the amount the attackers demand for your own data is always far higher than the cost of a legitimate license, and they can additionally steal private information from your computer and blackmail you for a very long time. Trying to save money with pirated copies is simply not worth the risk. The other common vector is email. Attackers give malicious attachments ordinary, legitimate-looking names such as invoice, payment details, order summary or waybill, and may spoof the sender's address so that the message appears to come from a trusted contact. Our general recommendation is to avoid emails that seem even slightly suspicious or that you did not expect to receive. Finally, victims of this strain should beware of fake decryption tools that criminals place online, which cause double encryption of data. One ransomware strain known for distributing non-functional STOP/DJVU decryptors is ZORAB: running it corrupts the already-encrypted files a second time. If an official decryption tool appears, every reputable cybersecurity news site will cover it; do not expect to find a magic tool on shady websites that the reputable ones do not mention at all.

Remove VTUA Ransomware Virus and Decrypt Your Files

Now that your files are encrypted and your computer has been hit by one of the most active ransomware families in the wild, the first priority is to secure the computer itself. We have therefore prepared an in-depth guide on removing the VTUA ransomware safely, and we strongly suggest using robust security software to eliminate existing threats. Our team recommends INTEGO Antivirus, which is VB100 certified (that is, independently confirmed to have excellent malware detection rates). After removing the malware, we also recommend downloading RESTORO here and scanning the computer to identify and repair the damage done to Windows operating system files. Once VTUA removal is complete, take the following steps:

- Let your local law enforcement agency know about the incident; references on whom to contact are listed below the article.
- If you have backups, restore your files from them. Remember: connect removable storage to the computer only after the malware is deleted, otherwise the virus will encrypt that too.
- Learn how files affected by STOP/DJVU versions can be decrypted or repaired.
- Change all passwords saved in your browsers, and those for Telegram, Steam and other programs (because of the Azorult Trojan's activity).

OUR GEEKS RECOMMEND. GeeksAdvice.com editors recommend a two-step rescue plan, selected on the basis of effectiveness, to remove the ransomware and any remaining malware and then repair the damage to the system. INTEGO Antivirus for Windows removes ransomware, Trojans, adware, spyware and other malware and protects the PC and network drives around the clock; this VB100-certified software guards against ransomware, zero-day attacks and advanced threats, and its Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. RESTORO then provides a free scan that identifies hardware, security and stability issues and produces a report you can use to fix them manually; the full version fixes the detected issues and repairs virus damage to Windows OS files automatically, and it uses the AVIRA scanning engine to detect and eliminate any remaining spyware and malware.

Method 1. Enter Safe Mode with Networking

Before you try to remove the VTUA ransomware, start the computer in Safe Mode with Networking. The ways to boot into that mode are covered in the in-depth tutorial on our website, How to Start Windows in Safe Mode; a video version is available in our guide How to Start Windows in Safe Mode on YouTube. Once in Safe Mode, you can search for and remove the VTUA ransomware's files. Identifying the files and registry keys that belong to the ransomware by hand is very hard, and malware authors rename and change them repeatedly, so the easiest way to uninstall this type of threat is a reliable security program such as INTEGO Antivirus. For repairing virus damage, consider RESTORO.

Method 2. Use System Restore

To use System Restore you need a restore point created earlier, either manually or automatically. After restoring the system, scan it with antivirus or anti-malware software. In most cases no malware remains, but it never hurts to double-check. We also highly recommend reading our experts' ransomware prevention guidelines to protect your PC against similar threats in the future.

Alternative software recommendations

Malwarebytes Anti-Malware. Removing spyware and malware is one step toward security. To protect yourself against evolving threats, we recommend the Premium version of Malwarebytes Anti-Malware, which uses detection based on artificial intelligence and machine learning and includes ransomware protection.

System Mechanic Ultimate Defense. An all-in-one system maintenance suite with seven core components: real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping. Because of that range of capabilities, System Mechanic Ultimate Defense earns Geek's Advice approval; its full review is also available.

Disclaimer. This site includes affiliate links. We may earn a small commission from products we recommend, at no additional cost to you. We only recommend software and services we consider to be of good quality.

Decrypt VTUA files

Fix and open large VTUA files easily:

STOP/DJVU versions are reported to encrypt only the first 150 KB of each file, which is what lets the virus get through every file on the system in time; in some cases it skips files entirely. Everything beyond the encrypted region is left intact, so for large files the bulk of the content survives and may still be usable or repairable, whereas a file smaller than the encrypted region is lost in full. We therefore recommend testing this method on several big (>1 GB) files first.
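As an added example (not the page's code and not DiskTuna's Media_Repair), the Python below makes the partial-encryption property testable. Given one encrypted file and an intact copy of the same file (from a backup or a cloud sync), measure_layout finds where the encrypted prefix ends and how long the appended trailer is; rebuild_with_donor then grafts the head of a healthy file of the same type onto the surviving body, which is what header-transplant media repair does. The demo data, the XOR stand-in for the cipher and the 150 * 1024 prefix used in the demo are constructed assumptions; measure your own values from a real pair before trusting them, and note that files smaller than the prefix are fully encrypted and cannot be helped this way.

```python
"""Measure and work around STOP/DJVU's partial file encryption.

Added example: not the page's code and not DiskTuna's Media_Repair. It
assumes only what the text states: the start of each file is overwritten,
the remainder is left as it was, and a ransomware-specific trailer is
appended. Prefix and trailer lengths are measured from one encrypted file
and its pre-attack copy instead of being hardcoded. The 'attack' below is
a constructed XOR stand-in for the real cipher, used only to build demo data.
"""
import random
from typing import Dict, Tuple

MATCH_RUN = 32            # consecutive equal bytes taken as "plaintext resumes here"
DEMO_PREFIX = 150 * 1024  # assumption: the page's "150 KB", used for the demo only


def measure_layout(encrypted: bytes, original: bytes) -> Tuple[int, int]:
    """Return (prefix_len, trailer_len) from one encrypted file and its original.

    prefix_len is the first offset at which MATCH_RUN bytes of the encrypted
    file equal the original (a shorter run can match by chance); trailer_len
    is whatever was appended beyond the original size.
    """
    if len(encrypted) < len(original):
        raise ValueError("encrypted file is shorter than the original; not the same file?")
    trailer_len = len(encrypted) - len(original)
    for i in range(0, max(len(original) - MATCH_RUN, 0) + 1):
        if encrypted[i:i + MATCH_RUN] == original[i:i + MATCH_RUN]:
            return i, trailer_len
    raise ValueError("no untouched region found: file fully encrypted, or files unrelated")


def recoverable_bytes(encrypted_len: int, prefix_len: int, trailer_len: int) -> int:
    """Bytes of original content that survive untouched in an encrypted file."""
    return max(encrypted_len - trailer_len - prefix_len, 0)


def rebuild_with_donor(encrypted: bytes, donor: bytes,
                       prefix_len: int, trailer_len: int) -> bytes:
    """Graft the first prefix_len bytes of a healthy donor file onto the
    surviving body of the encrypted file and drop the appended trailer.

    This is the idea behind header-based media repair: for container formats
    the head is mostly format metadata, so a file recorded with the same
    device and settings often supplies a usable one. It is not decryption;
    the original's first prefix_len bytes are gone.
    """
    if recoverable_bytes(len(encrypted), prefix_len, trailer_len) == 0:
        raise ValueError("nothing survives past the encrypted prefix; donor repair cannot help")
    if len(donor) < prefix_len:
        raise ValueError("donor is smaller than the encrypted prefix")
    body = encrypted[prefix_len:len(encrypted) - trailer_len]
    return donor[:prefix_len] + body


def simulate_attack(original: bytes, prefix_len: int, trailer: bytes, seed: int = 7) -> bytes:
    """Constructed stand-in for the ransomware: XOR the prefix with a non-zero
    pseudo-random stream (so every prefix byte changes), keep the rest,
    append the trailer."""
    rng = random.Random(seed)
    stream = bytes(rng.randrange(1, 256) for _ in range(min(prefix_len, len(original))))
    head = bytes(a ^ b for a, b in zip(original, stream))
    return head + original[len(head):] + trailer


def demo() -> Dict[str, object]:
    """Build a fake original and donor, attack the original, measure, rebuild."""
    rng = random.Random(1)
    header = b"DEMOFMT\x00" * 512                                  # 4 KB of shared metadata
    original = header + bytes(rng.getrandbits(8) for _ in range(400_000))
    donor = header + bytes(rng.getrandbits(8) for _ in range(400_000))
    trailer = b"\x00" * 256 + b"CONSTRUCTED-TRAILER-" + b"x" * 24  # 300 bytes, constructed
    encrypted = simulate_attack(original, DEMO_PREFIX, trailer)

    prefix_len, trailer_len = measure_layout(encrypted, original)
    rebuilt = rebuild_with_donor(encrypted, donor, prefix_len, trailer_len)
    return {
        "prefix_len": prefix_len,
        "trailer_len": trailer_len,
        "recoverable": recoverable_bytes(len(encrypted), prefix_len, trailer_len),
        "length_matches": len(rebuilt) == len(original),
        "body_recovered": rebuilt[prefix_len:] == original[prefix_len:],
        "head_from_donor": rebuilt[:prefix_len] == donor[:prefix_len],
    }


if __name__ == "__main__":
    print(demo())
```

Always work on copies of the encrypted files, never the only remaining instance: the rebuilt output is only as good as the donor's head, and keeping the untouched encrypted originals preserves the option of proper decryption if the offline key for the variant is published later.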

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. VTUA is a new variant, like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF and ZNSM (full list here), which means full decryption is possible only if your files were encrypted with an offline key. To decrypt them, download the Emsisoft Decryptor for STOP Djvu, a tool created and maintained by security researcher Michael Gillespie. Note: please do not message the researcher asking whether files encrypted with an online key can be recovered; they cannot. To test whether the tool can decrypt VTUA files, follow the tutorial given.

Meanings of decryptor’s messages

The VTUA decryption tool can display several messages after a failed attempt to restore your files:

Error: Unable to decrypt file with ID: [example ID]
There is no matching decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
Your files were encrypted with an online key: no other victim shares your key pair, so recovery without the criminals' private key is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
An offline key was used but it is not yet available to the decryptor. This is the best outcome short of decryption: it may become possible to restore your VTUA extension files once the key is found and added, which can take a few months. Follow the updates on decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of VTUA Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to the Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d'information.

If you cannot find an authority for your location on this list, search for "[your country name] report cyber crime"; that should lead you to the right official website. Stay away from third-party crime report services, which are often paid: reporting Internet crime to official authorities costs nothing. You can also contact your country's or region's federal police or communications authority.