Vari ransomware is file-encrypting malware that belongs to the Djvu ransomware family, which already has hundreds of versions.
Vari ransomware encrypts files, adds the .vari file extension to affected files and demands that victims pay $980 to get the decryption tool. This is one of hundreds of Djvu/STOP ransomware versions, and it’s essentially identical to most others. Once the ransomware is initiated, it will target and encrypt files like photos, videos, documents, etc. Users will not be able to open the files that have the .vari extension added to them until those files are decrypted. The cyber criminals behind this ransomware will explain in the ransom note _readme.txt that the only way to recover files is to buy their decryption tool. The price depends on how quickly victims contact them. If contact is made within 72 hours, the price will be $490. However, after those 3 days, the price will double to $980.
Whatever the price is, paying the ransom is not recommended for a couple of reasons. First of all, it does not guarantee that victims will be sent a decryptor, or that the decryption tool will work as it’s supposed to. Many users have paid the ransom but received nothing in return, so giving in to the demands is discouraged. Paying also encourages these cyber criminals to continue their activity, as ransomware is a profitable business for them.
Malware researchers have released a free decryption tool for many Djvu ransomware versions, but it will not necessarily decrypt Vari ransomware files.
If users have backed up files prior to their encryption, they can access the backup and start file recovery once they remove Vari ransomware from their computers.
Ransomware distribution methods
The majority of ransomware uses the same distribution methods, which include spam emails, software cracks, torrents, and system vulnerabilities.
Malware can use system vulnerabilities to enter a computer, which is why it’s so important that users install updates on a regular basis. Updates patch known vulnerabilities, which could potentially prevent all kinds of malware from getting in. Back in 2017, WannaCry ransomware was so widespread because users did not install an essential update that was available months before the attack began. Whenever possible, users should enable automatic updates.
Downloading copyrighted content via torrents as well as using software cracks could also lead to an infection. Torrent sites are often not regulated and anyone can upload malware and disguise it as a popular movie, TV series, game, software, etc. If users insist on pirating, they should at least make sure they are downloading safe torrents.
The most common way users pick up ransomware is via email attachments. Malware distributors purchase thousands of email addresses from various hacker forums, and launch spam email campaigns that spread the malware. If users open the attached files, they end up allowing the ransomware to launch. This is why it’s so important that users do not rush to open unsolicited email attachments. Users should always check the contents of the email, see if the sender’s email address is legitimate, etc. And most importantly, before opening, all unsolicited email attachments should be scanned with anti-malware software or VirusTotal.
Vari ransomware encrypts files
The ransomware will start encrypting files as soon as it is initiated. It will target the files users find most important, usually photos and documents. All encrypted files will have the .vari file extension added (e.g. image.jpg.vari), which is why this version is known as Vari ransomware. Once the encryption process is complete, a ransom note _readme.txt will be dropped. The note is identical to the ones dropped by other versions of Djvu ransomware. It asks that victims contact the cyber crooks behind this ransomware via email to firstname.lastname@example.org or email@example.com. The price for the decryptor is either $490 or $980, depending on how quickly the victims contact them.
Here is the full ransom note:
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
Whether users pay the ransom is their decision, but paying is not recommended. Many victims have wasted their money this way as they did not receive a decryptor. The only certain way to recover files is via backup.
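Before restoring from backup, it helps to know exactly which files were affected. The following read-only Python script is an added example, not part of the original article or any vendor tool: it walks a folder, lists files carrying the .vari extension with their original names, and counts _readme.txt files only when they contain phrases from the note quoted above. The function names `triage` and `build_sample_tree` are hypothetical, and the sample folder is constructed from harmless placeholder files.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".vari"      # extension the article says is appended
NOTE_NAME = "_readme.txt"    # ransom note file name given in the article
# Phrases from the note quoted above, so an unrelated _readme.txt is not counted.
NOTE_MARKERS = ("decrypt tool", "Your personal ID")


def triage(root):
    """Return (encrypted pairs, verified ransom notes, Counter of original types)."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]  # image.jpg.vari -> image.jpg
                encrypted.append((path, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
            elif name.lower() == NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable file: skip it rather than abort the scan
                if all(marker in text for marker in NOTE_MARKERS):
                    notes.append(path)
    return encrypted, notes, by_type


def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files only."""
    docs, proj = Path(root) / "Documents", Path(root) / "Project"
    docs.mkdir()
    proj.mkdir()
    (docs / "image.jpg.vari").write_bytes(b"\x00" * 16)
    (docs / "report.docx.VARI").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (docs / NOTE_NAME).write_text("purchase decrypt tool ...\nYour personal ID:\n")
    (proj / NOTE_NAME).write_text("Build instructions for an unrelated project")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, notes, by_type = triage(tmp)
        print(len(enc), "encrypted;", len(notes), "ransom note(s);", dict(by_type))
```

The per-type counts show which kinds of files need to come back from backup, and the original names can be compared against the backup's file list.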
Vari ransomware removal
If users want to safely delete Vari ransomware, they need to use anti-malware software. They should not attempt manual Vari ransomware removal because that may end up doing even more damage. Once the infection is no longer present, users can start recovering files from backup.
Vari ransomware is detected as:
- Win32:BankerX-gen [Trj] by Avast
- Trojan-Ransom.Win32.Stop.pk by Kaspersky
- Trojan:Win32/Zenpak.DEH!MTB by Microsoft
- A Variant Of Win32/Kryptik.HFNI by ESET
- Ransom_Stop.R011C0WHG20 by TrendMicro