Cyber Security Center

How to remove Vpsh ransomware


Vpsh ransomware is part of the Djvu/STOP malware family, a group that has released more than 200 ransomware versions. It’s a dangerous malware infection that adds the .vpsh file extension, and demands $980 for file decryption.

 

Vpsh ransom note

 

Vpsh ransomware is file-encrypting malware that belongs to the notorious Djvu/STOP ransomware family. It encrypts files, which means users will not be able to open them until they are decrypted. All affected files will have .vpsh added to them, which is how users can identify which ransomware has infected their computers. Once the ransomware is done encrypting files, it will drop a _readme.txt ransom note, which will explain that in order to get the decryptor, paying $980 ($490 if contact is made within 72 hours) is necessary. Despite the fact there currently is no free decryptor available, paying the ransom is not recommended.

Users should not forget that they are dealing with cyber criminals, and how helpful they are likely depends on their mood. They are unlikely to feel any kind of obligation to help users recover files, so paying is considered to be risky. Even if users are sent a decryptor, it won’t necessarily work.

We should mention that a free Djvu/STOP decryptor by Emsisoft is available, but it only works for older versions that use offline keys to encrypt files. The most recent versions all use online keys for file encryption, which means that keys are unique to each victim. Without those keys, specialists cannot release a free decryptor. However, not all hope is lost, as there are cases when ransomware gangs themselves release the keys, or they may be caught by law enforcement. In any case, backing up encrypted files is recommended for users who do not have any other option.

For users who do have backup, all they need to do is remove Vpsh ransomware first. If the ransomware is still present when users access backup, backed up files may become encrypted as well.

What does the ransomware do?

When the ransomware is initiated and starts encrypting files, users will see a fake Windows Update window that will say important updates are being installed. The window is shown to distract users from the fact that their files are being encrypted. It will target files that users find most important, including documents, photos and videos. All encrypted files will have .vpsh added to them. For example, image.jpg would become image.jpg.vpsh. Until these files are decrypted, users will be unable to open them.

A _readme.txt ransom note will be dropped in all folders that contain encrypted files. The note is identical to the one dropped by other versions of this ransomware family. It explains that files can only be recovered if users agree to pay the ransom of $980, or $490 if victims contact the cyber crooks within 72 hours. Use can also send them 1 file, and it will supposedly be decrypted for free, though it must not contain valuable information.

When it comes to ransomware, paying the ransom is not recommended. Cyber crooks don’t always send the decryptors, so users are risking losing both their files and money. Furthermore, victims who pay are essentially supporting future criminal activity. The more victims pay the ransom, the more cyber crooks will use ransomware to make money in the future.

Here is the text from the ransom note dropped by this ransomware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-Uz1NIFxEUC
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

At this moment in time, backup is the only free way users can recover files. Users may encounter supposed free decryptors that can help users recover Vpsh ransomware encrypted files, but users should be very skeptical. As we said, a free decryptor cannot be currently made, as keys are unique to each user. And if a free decryptor was released, it would come from legitimate sources like NoMoreRansom, Emsisoft, anti-virus vendors or malware researchers.

How does ransomware spread?

This ransomware uses the usual distribution methods, which include spam email campaigns, torrents, and malicious ads.

Users who tend to open email attachments without first checking that they’re safe have a much higher chance of picking up ransomware than those who don’t. Malicious actors purchase email addresses from hacker forums, and proceed to send malicious emails to them. All users need to do is open those attachments for the malware to initiate. Fortunately, users should be able to spot a potentially malicious email if they know what to look for. The first thing users should check when they receive an unsolicited email with an attachment is the sender’s email address. If it’s a nonsense one, or if it looks random, users should be very skeptical of the email itself. Another sign is grammar and spelling mistakes, which spam emails are usually full of. Finally, it’s highly recommended to scan all unsolicited email attachments with VirusTotal or anti-virus software.

Users who pirate copyrighted content via torrents are also risking picking up ransomware or some other malware. Torrent sites are full of all kinds of malicious infections, mainly because most of them are so poorly regulated. Users should avoid pirating, not only because it’s essentially stealing content but also also because it’s risky.

Vpsh ransomware removal

Using anti-virus software to delete Vpsh ransomware is necessary, as ransomware is a complex computer infection. As soon as users fully remove Vpsh ransomware, they can access their backup. Unfortunately for those with no backup, removing the ransomware does not decrypt files.

Vpsh ransomware is detected by:

  • Gen:Heur.Dreidel.Tu0@xu4klpk by BitDefender
  • Trojan:Win32/Glupteba by Microsoft
  • Artemis!64EE3BB96CBC by McAfee
  • HEUR:Exploit.Win32.Shellcode.gen by Kaspersky
  • Trojan.GenericKDZ.71184 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HHEX by ESET
  • Trojan.MalPack.GS by Malwarebytes