Jarkvgtiiq ransomware is file-encrypting malware that belongs to the Snatch ransomware family. It adds the .jarkvgtiiq file extension to encrypted files and drops the HOW TO RESTORE YOUR FILES.TXT ransom note. The note demands that victims pay a ransom to recover files.
Jarkvgtiiq ransomware belongs to the Snatch ransomware family, which we have already reported on in articles for Cndqmi and Jdokao. It’s a dangerous malware infection that could lead to permanent file loss. Once files are encrypted, a special decryptor needs to be used to decrypt them, but to get it, victims are asked to pay money. And paying cyber criminals is always risky.
Users will be able to identify which ransomware has infected their computers by the extension added to encrypted files. This ransomware adds the .jarkvgtiiq extension. Unfortunately, files with that extension will not be openable until decryption software that is meant specifically for this ransomware is used. Cyber crooks behind this ransomware will try to sell the decryptor, though the price is not specified in the HOW TO RESTORE YOUR FILES.TXT ransom note.
Whatever the sum may be, victims are discouraged from paying. The thing about paying the ransom is that it does not guarantee that files would be decrypted. Plenty of times in the past, ransomware operators have simply not sent the decryptors to victims who paid, or sent ones that don’t work. There’s always a risk that victims will end up getting nothing. And as long as users pay the ransom, ransomware will continue to be a huge issue. Unfortunately, the ransomware is currently undecryptable without paying the ransom.
Malware researchers are sometimes able to release free decryptors in order to help victims but it is not always possible. In this particular case, Jarkvgtiiq ransomware is currently undecryptable, meaning a free decryptor has not been released as of yet. The only way to recover files for free is restoring them from backup. Users who have backed up files before they got encrypted should have no issue with file recovery. But they need to first remove Jarkvgtiiq ransomware from their computers. Otherwise, backed up files may become encrypted as well.
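Before restoring from backup, it helps to know which folders were hit and roughly when encryption started. The script below is an added example, not part of the original article or any vendor tool: it uses the .jarkvgtiiq extension and the ransom note name given on this page, treats the oldest modification time among encrypted files as the start of encryption (an assumption that holds only if timestamps were not altered), and runs against a constructed sample tree.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".jarkvgtiiq"             # extension named on this page
NOTE_NAME = "HOW TO RESTORE YOUR FILES.TXT"  # ransom note named on this page


def triage(root):
    """Summarise encrypted files and ransom notes found under root."""
    per_dir, notes, originals, earliest = Counter(), [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                per_dir[dirpath] += 1
                # Name the file had before the extension was appended.
                originals.append(path[: -len(ENCRYPTED_SUFFIX)])
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:      # unreadable entry: count it, skip the time
                    continue
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {"encrypted": sum(per_dir.values()), "per_dir": dict(per_dir),
            "notes": notes, "originals": originals, "earliest_mtime": earliest}


def build_sample(root):
    """Constructed sample tree (not real victim data) for a dry run."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    layout = {"report.docx.jarkvgtiiq": 1_700_000_300,
              "photo.JPG.JARKVGTIIQ": 1_700_000_100,
              "untouched.txt": 1_600_000_000,
              NOTE_NAME: 1_700_000_400}
    for name, mtime in layout.items():
        path = os.path.join(docs, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        when = datetime.fromtimestamp(result["earliest_mtime"], timezone.utc)
        print(result["encrypted"], "encrypted files,", len(result["notes"]), "note(s)")
        print("restore from a backup taken before", when.isoformat())
```

Run it read-only against a copy or a mounted image of the affected disk, and pick a backup that predates the reported time.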
How to avoid infecting a computer with ransomware?
It’s usually users’ bad browsing habits that land them in trouble with ransomware. Something as seemingly harmless as opening an email attachment, downloading a torrent, clicking on an ad, etc., could lead to an infection. Once users develop good browsing habits, they should be able to avoid the majority of malware out there.
Spam email is commonly the culprit behind an infection. Because it’s rather effortless, spam email campaigns are often used for malware distribution. Cyber criminals purchase email addresses from hacker forums, attach a malicious file to a poorly written email, and send it off to thousands of users. Those emails are usually full of grammar and spelling mistakes, are sent from random-looking email addresses, and senders claim to be from famous/well-known companies/organizations. If users actually pay attention instead of opening email attachments without double checking, they should be able to spot malicious emails with no issue. But as a precaution, users should scan all unsolicited email attachments with anti-malware software or VirusTotal before opening them.
Another way users infect their computers is by downloading torrents. Torrent sites are often full of all kinds of malware disguised as popular content, such as movies, games, episodes of TV series, etc., because they are not regulated properly. The same goes for forums. Users who download pirated content are putting their computers in danger of becoming infected with some kind of malware.
High-risk websites often have unsafe ads, which, if clicked, could lead to dangerous sites or trigger a download. Those sites are usually pornography and pirated content pages. When browsing sites that are known to have potentially dangerous ads, users should have an adblocker and anti-virus software running.
Is it possible to recover Jarkvgtiiq ransomware encrypted files?
When ransomware enters a computer, it will immediately begin encrypting files. Targeted files include photos, videos, documents, etc., essentially files that users hold most important and thus would be willing to pay for. All encrypted files will have the .jarkvgtiiq file extension added to them. The extension allows users to know which files have been encrypted and which ransomware is affecting the computer. Once encryption is done, the ransomware will drop the HOW TO RESTORE YOUR FILES.TXT ransom note. The note explains that in order to recover files, users need to contact cyber crooks via firstname.lastname@example.org, email@example.com or firstname.lastname@example.org.
Here is the full Jarkvgtiiq ransomware ransom note:
Hello! All your files are encrypted and only we can decrypt them.
email@example.com or firstname.lastname@example.org or email@example.com
Write us if you want to return your files – we can do it very quickly!
The header of letter must contain extension of encrypted files.
We always reply within 24 hours. If not – check spam folder, resend your letter or try send letter from another email service (like protonmail.com).
Do not rename or edit encrypted files: you may have permanent data loss.
To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups).
If you do not email us in the next 48 hours then your data may be lost permanently.
The ransom sum is not specified in the note but whatever it is, it’s not recommended to pay. What would likely happen is the cyber criminals behind the ransomware would take the money and not actually send a decryptor, or send a broken one. This has, unfortunately, happened many times in the past and will likely happen many times in the future. Whether to pay is up to the victims, but they should be aware of the risks.
There currently is no way to decrypt files for free, and users should be very careful with decryptors promoted on the Internet that promise to help. Users should only trust services like NoMoreRansom, Emsisoft, other anti-virus vendors as well as malware researchers to provide legitimate decryptors.
Jarkvgtiiq ransomware removal
It’s necessary to use anti-malware software to delete Jarkvgtiiq ransomware from the computer. Attempts to manually remove Jarkvgtiiq ransomware could lead to even more damage. Unfortunately, Jarkvgtiiq ransomware removal does not mean files would be decrypted. The decryption tool is necessary for that.
Jarkvgtiiq ransomware is detected as:
- A Variant Of Win64/Filecoder.BL by ESET
- Win64:Trojan-gen by AVG/Avast
- HEUR:Trojan-Ransom.Win32.Gen.vho by Kaspersky
- Ransom:Win64/Snatch.A!MTB by Microsoft
- Ransom.Snatch by Malwarebytes
- Ransom.Win64.KRYGO.SMTH by TrendMicro