Cyber Security Center

Remove VuLi ransomware


Part of the Xorist ransomware family, VuLi ransomware is file-encrypting malware that will encrypt files and demand that users pay for their decryption. It adds the .VuLi file extension to encrypted files and drops the HOW TO DECRYPT FILES.txt ransom note.

 

Screenshot (71)

VuLi ransomware is malware that encrypts files. It’s part of the Xorist ransomware family and is essentially identical to those versions. It infects a computer using the usual distribution methods, encrypts files and then proposes victims buy a decryptor to recover those files. Because file decryption is not always possible and not all users have backup, ransomware is considered to be one of the more dangerous malware infections, often resulting in permanent file loss.

This particular ransomware adds the .VuLi file extension, which will allow users to easily identify which ransomware they are dealing with. When users identify the ransomware, they can research possible free decryptors. Xorist ransomware is decryptable by decryptors offered by Emsisoft, Kaspersky and TrendMicro but it may not necessarily work for VuLi ransomware. However, paying the ransom is nonetheless not recommended. Based on past victims’ experiences, the cyber criminals behind ransomware sometimes do not send users decryptors after payment, or send faulty ones. In many cases, users were left with encrypted files and lost money. If users do not have backup and have decided to not pay the ransom, they should back up the encrypted files and wait for malware researchers to release a free decryptor.

Users who have backed up files prior to their encryption, recovering them should not be an issue. Users should first remove VuLi ransomware from their computers and only then access backup. Otherwise, if the ransomware is still present, files in backup would become encrypted as well.

How does VuLi ransomware enter a computer?

Most ransomware use more or less the same methods to spread. That includes spam emails, torrents, software cracks, and malicious ads. It’s not uncommon for users who have bad browsing habits to end up infecting their computers with ransomware. By simply being more careful, users should be able to avoid the majority of malware.

In many cases, it’s opening a spam email attachment that causes the infection. Spam email campaigns are often launched using leaked/breached email addresses that are sold on various hacking forums. Scammers attach infected files to emails and send them to those addresses. All users need to do to initiate the malware is open the file and enable macros. But if users pay attention to what email attachments they open, they should be able to easily spot malicious emails. First of all, they are often sent from nonsense email addresses, despite senders claiming to be from known companies/organizations. They are also full of grammar/spelling mistakes and just generally seem off somehow. Scanning all unsolicited email attachments with anti-malware software or VirusTotal is a good idea as some spam emails may be more sophisticated.

Pirating movies, games, TV series, software, etc., via torrents and forums can often lead to a malware infections. Torrent sites are not regulated properly which allows cyber crooks to upload all kinds of malware onto them. Users who pirate are not only stealing content but are also potentially jeopardizing their computers.

Engaging with ads when on high-risk websites can often lead to malware. Loads of sites, particularly ones hosting adult or pirated content can have dangerous ads on them, and clicking on them is not safe. When browsing sites that are known to be potentially dangerous, it’s a good idea to have adblocker and anti-virus software enabled.

Is it possible to recover VuLi ransomware files?

Like all ransomware, when users initiate VuLi ransomware, it will begin file encryption. It primarily targets files like photos, videos and documents, for obvious reasons. Encrypted files will have the .VuLi file extension added to them. For example, image.jpg would become image.jpg.VuLi. Users will be unable to open these files unless they decrypt them first. The decryption tool will be offered to users via the HOW TO DECRYPT FILES.txt ransom note. The note explains that in order to decrypt files, users need to send 0.11 Bitcoin ($1,130 at the time of writing) to the provided wallet address. When the Bitcoin is sent, users are asked to send an email to vulicapson@cock.lu or vulicapson@tuta.io.

Here is the VuLi ransomware ransom note:

In your attention!!!

Hello, your server is very vulnerable, that’s why you became a victim of ransomware
All your files are currently encrypted
However, there is also good news, the files can be decrypted if you pay 0.11 bitcoin.
All you have to do is follow the steps below.

Buy 0.11 bitcoin, you can easily buy bitcoin from this sites:
www.localbitcoins.com
www.paxful.com

Send the amount to this wallet: 1998JZzgMRtmDDiCnyjnHWtqn5xGX1BNEZ
After sending, contact me at these email addresses: vulicapson@cock.lu, vulicapson@tuta.io
With this subject: –

Immediately after this you will receive an email with the keys and a small tutorial for decrypting the files.

Here’s another list of where to buy bitcoin:

hxxps://bitcoin.org/en/exchanges

Giving into the demands and paying the ransom is usually discouraged because it won’t necessarily get users the desired outcome. It’s not uncommon for cyber criminals to simply take the money and not send a decryptor. It has happened in the past, and it will happen again in the future, since these are cyber criminals who are not likely to feel obligation to help users.

Currently, the only free way to recover files is backup. But it’s likely that a free decryptor will be made available by malware researchers or security vendors. Users should back up the encrypted files and wait for a decryptor. However, we should mention that there are many fake decryptors on the Internet, so it’s very important that users are careful about where they download decryptors from.

How to delete VuLi ransomware

Users should only attempt to delete VuLi ransomware with anti-malware software. Manual VuLi ransomware removal could result in even more damage as it’s a complicated process. It should also be mentioned that unfortunately, removing the ransomware does not decrypt files. The only sure way to recover VuLi ransomware files is via backup. Users who do have backup should only access it after the ransomware is no longer present.

VuLi ransomware is detected as:

  • Trojan-Ransom.Win32.Xorist.ln by Kaspersky
  • Ransom.Xorist by Malwarebytes
  • Artemis!4BE1BD12E13F by McAfee
  • Ransom:Win32/Sorikrypt by Microsoft
  • Ransom_XORIST.SMA by TrendMicro
  • Trojan.Ransom.AIG by BitDefender
  • A Variant Of Win32/Filecoder.Q by ESET