EncrypTile ransomware removal instructions
What is EncrypTile?
EncrypTile is ransomware-type malware that encrypts files using AES and RSA cryptography. This virus appends the "EncrypTile" string to the name of each encrypted file. For example, "sample.jpg" becomes "sample.jpgEncrypTile". Following successful encryption, EncrypTile creates four files ("Decrypt_[victim's_id].txt", "Decrypt_[victim's_id].html", "Decrypt_[victim's_id].bmp", and "How to buy bitcoin_[victim's_id].txt"), places them on the desktop, and changes the desktop wallpaper. EncrypTile then opens a pop-up window that locks the computer screen.
The three "Decrypt_[victim's_id]" files contain an identical ransom-demand message, which is also shown in the pop-up window. The message states that the files are encrypted and can only be restored with unique decryption keys. To receive the keys, victims must pay a ransom of 0.0540602 Bitcoin (currently equivalent to ~$38) within the given time frame (the pop-up window contains a timer); otherwise, the keys are permanently deleted and decryption becomes impossible. The pop-up window also contains a list of encrypted files, a Bitcoin address, a video showing how the files can be decrypted, and a decryption button. Victims can send one selected file to the email address provided (email@example.com); the file is decrypted and returned, supposedly as proof that restoration is possible. Despite this, we strongly advise you to ignore all requests to pay or to contact the ransomware developers. These people often ignore victims even after payment, so paying will most probably achieve nothing and you could be scammed. Properly implemented AES and RSA cannot be brute-forced, so a free decrypter can only exist if the malware's key generation or key handling is flawed; when this article was first written no such tool was available, and the only solution was to restore your files and system from a backup. See the update below: Avast has since released a free decrypter for EncrypTile, which relies on weaknesses in the malware's implementation rather than on breaking the ciphers themselves.
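A first step on an infected machine is to scope the damage: which files were encrypted, what their original names were, and which victim ID the dropped notes carry. The following triage helper is an added example (not code from this page or from the malware's authors). It assumes only what the description above states: the literal string "EncrypTile" is appended to the full filename with no dot (so a glob for "*.EncrypTile" would miss everything; "*EncrypTile" is needed), and the notes are named "Decrypt_[id].txt", "Decrypt_[id].html", "Decrypt_[id].bmp" and "How to buy bitcoin_[id].txt". The victim-ID format is not documented, so any non-empty string is accepted. The sample path list is constructed for illustration.

```python
"""Triage helper for an EncrypTile infection (added example, not the page's or
the malware author's code)."""
import ntpath
import os
import re
from collections import defaultdict

# Appended to the whole filename, without a dot ("sample.jpg" -> "sample.jpgEncrypTile").
ENCRYPTED_SUFFIX = "EncrypTile"

# Ransom-note filenames described on the page; "vid" captures the victim ID
# (format unknown, so any non-empty string is accepted).
NOTE_RE = re.compile(
    r"^(?:Decrypt|How to buy bitcoin)_(?P<vid>.+)\.(?:txt|html|bmp)$",
    re.IGNORECASE,
)


def original_name(name):
    """Return the pre-encryption filename, or None if this is not an EncrypTile file."""
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(paths):
    """Classify file paths (Windows or POSIX style) into encrypted files,
    ransom notes keyed by victim ID, and untouched files."""
    result = {"encrypted": [], "notes": defaultdict(list), "untouched": []}
    for p in paths:
        name = ntpath.basename(p)  # understands backslash paths on any host OS
        orig = original_name(name)
        if orig is not None:
            result["encrypted"].append((p, orig))
            continue
        m = NOTE_RE.match(name)
        if m:
            result["notes"][m.group("vid")].append(p)
            continue
        result["untouched"].append(p)
    result["notes"] = dict(result["notes"])
    return result


def scan_tree(root):
    """Walk a directory tree on the infected host and triage every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return triage(found)


# Constructed sample listing (hypothetical user "alice", victim ID "A1B2C3");
# not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\report.docxEncrypTile",
    r"C:\Users\alice\Pictures\sample.jpgEncrypTile",
    r"C:\Users\alice\Desktop\Decrypt_A1B2C3.txt",
    r"C:\Users\alice\Desktop\Decrypt_A1B2C3.html",
    r"C:\Users\alice\Desktop\Decrypt_A1B2C3.bmp",
    r"C:\Users\alice\Desktop\How to buy bitcoin_A1B2C3.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    r = triage(SAMPLE_PATHS)
    print("victim IDs :", sorted(r["notes"]))
    print("encrypted  :", len(r["encrypted"]))
    for path, orig in r["encrypted"]:
        print("   ", path, "->", orig)
    print("untouched  :", len(r["untouched"]))
```

On a live machine, run scan_tree() against each user profile and data drive from a clean boot (Safe Mode is fine) before any cleanup, and keep the output: the list of (encrypted path, original name) pairs is what you need to verify a backup restore or a decrypter run against, and the victim ID ties the notes to this particular infection.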
Screenshot of pop-up window encouraging users to pay a ransom to decrypt their compromised data:
Ransomware families differ mostly in detail. Like EncrypTile, malware such as Princess, Cerber3, CTB-Locker, and many others encrypts files and demands a ransom payment. Most combine a symmetric cipher for the file contents with an asymmetric (public-key) scheme for the file keys, so the private key needed for decryption never exists on the victim's machine. The noticeable differences between them are the cipher and key-handling scheme, the appended extension, and the size of the ransom. Ransomware is often distributed using trojans, fake software updaters, spam emails (malicious attachments), and various third-party software download sources (peer-to-peer [P2P] networks, freeware download websites, free file hosting sites, etc.). Therefore, use a legitimate anti-virus/anti-spyware suite and keep your installed software up-to-date. Furthermore, never open files received from unrecognized/suspicious emails and never download software from unofficial sources.
Update 14 June, 2017 - Security researchers from Avast have released a free decrypter for this ransomware. You can download it HERE:
Screenshot of EncrypTile ransomware text file ("How to buy bitcoin_[victim's_id].txt"):
Screenshot of EncrypTile ransomware HTML file ("Decrypt_[victim's_id].html"):
Screenshot of EncrypTile ransomware desktop wallpaper ("Decrypt_[victim's_id].bmp"):
Ransom-demand message (presented in the "Decrypt_[victim's_id]" files and the pop-up window):
If anti-virus stopped software, e-mail ID after you pay.
Your files are safely encrypted with strongest AES encryption and a private RSA key. Your important files are encrypted with AES and RSA key, only for this computer. To unlock all of your files as if nothing ever happened, please send 0,0540602 bitcoin to the bitcoin address by 3 days or both keys will be terminated and your files will be sold. There are tutorials and links to popular bitcoin markets to help you buy bitcoin easier. There is video proof the password downloads after payment, and that the decryption is flawless and you can't recover/restore any files without the keys. Send the exact amount of bitcoin. Wait a few minutes and hit "Check payment". After payment, the keys will download and the AES key will appear. Then go to "Decrypt" and enter the AES key. Web browsers and basic programs are only allowed until you pay. We will decrypt 1 files. E-mail us with your ID and file. Warning! If anti-virus deletes software then look at the screenshot and text documents. You can still get your files if you pay by the time. Any cracking attempts will result in a termination of both keys.
Email: firstname.lastname@example.org; email@example.com
Screenshot of decrypt window (victims must enter the password [decryption key] received after paying the ransom):
Screenshot of files encrypted by this ransomware (the "EncrypTile" string appended to each filename):
EncrypTile ransomware removal:
- What is EncrypTile?
- STEP 1. EncrypTile virus removal using safe mode with networking.
- STEP 2. EncrypTile ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options" menu. Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with the EncrypTile virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER. (On Windows XP this enters the System32 subfolder that holds rstrui.exe; on Windows 7 rstrui.exe is in System32 itself, so if "cd restore" reports that the path cannot be found, skip it and continue with the next step.)
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the EncrypTile ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining EncrypTile ransomware files.
To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method only works if System Protection (System Restore) was enabled on the affected volume before the infection, so that shadow copies of the files exist. Note that some variants of EncrypTile are known to remove Shadow Volume Copies, so this method may not work on all computers; you can check whether any shadow copies survive by running vssadmin list shadows from an elevated Command Prompt before trying file by file.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
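Rather than right-clicking files one at a time, it is quicker to decide up front whether Previous Versions can help at all. The following is an added example (not code from this page or from Microsoft): it parses the text that `vssadmin list shadows` prints, run from an elevated prompt and saved to a file, and keeps only the shadow copies of the data volume that were created before the ransom note appeared, because a copy taken after encryption already contains the encrypted files. The sample output below is constructed for illustration in the en-US layout vssadmin uses ("M/D/YYYY h:MM:SS AM"); the date format is an assumption and must be adjusted for other locales. The vssadmin message "No items found that satisfy the query." is what it prints when no shadow copies exist.

```python
"""Check whether usable Volume Shadow Copies survived an EncrypTile infection
(added example, not the page's or Microsoft's code)."""
import os
import re
from datetime import datetime

# Layout of the timestamp in en-US vssadmin output (assumption; adjust per locale).
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"

SET_RE = re.compile(r"Contained \d+ shadow copies at creation time: (?P<ts>.+)$")
VOL_RE = re.compile(r"Original Volume: \((?P<drive>[A-Z]:)\)")
COPY_RE = re.compile(r"Shadow Copy Volume: (?P<dev>\S+)")
NONE_RE = re.compile(r"No items found that satisfy the query")


def parse_shadow_copies(text):
    """Return [{created, drive, device}, ...] from `vssadmin list shadows` output."""
    copies = []
    created = drive = None
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.search(line)
        if m:  # one creation time applies to every copy in the set
            created = datetime.strptime(m.group("ts").strip(), DATE_FORMAT)
            continue
        m = VOL_RE.search(line)
        if m:  # "Original Volume: (C:)\\?\Volume{...}\" precedes the device line
            drive = m.group("drive")
            continue
        m = COPY_RE.search(line)
        if m and created is not None:
            copies.append({"created": created, "drive": drive, "device": m.group("dev")})
    return copies


def shadow_copies_wiped(text):
    """True when vssadmin reports that no shadow copies exist at all."""
    return NONE_RE.search(text) is not None


def usable_copies(text, infection_time, drive="C:"):
    """Shadow copies of `drive` created before `infection_time`. An empty list
    means Previous Versions cannot help; fall back to backups or the decrypter."""
    return [c for c in parse_shadow_copies(text)
            if c["drive"] == drive and c["created"] < infection_time]


def note_mtime(note_path):
    """Use the ransom note's modification time as the infection time."""
    return datetime.fromtimestamp(os.path.getmtime(note_path))


# Constructed sample: one copy from before the infection, one from after.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0f3a8c1e-1111-4a2b-9c3d-000000000001}
   Contained 1 shadow copies at creation time: 6/10/2017 8:00:00 AM
      Shadow Copy ID: {a1b2c3d4-2222-4e5f-8a9b-000000000002}
         Original Volume: (C:)\\?\Volume{c0ffee00-3333-4d4e-b5c6-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0f3a8c1e-1111-4a2b-9c3d-000000000004}
   Contained 1 shadow copies at creation time: 6/14/2017 11:05:00 AM
      Shadow Copy ID: {a1b2c3d4-2222-4e5f-8a9b-000000000005}
         Original Volume: (C:)\\?\Volume{c0ffee00-3333-4d4e-b5c6-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed sample of the output after the copies have been deleted.
WIPED_OUTPUT = """
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

# Constructed: ransom note appeared on 14 June 2017 at 10:21.
INFECTION_TIME = datetime(2017, 6, 14, 10, 21)

if __name__ == "__main__":
    for c in usable_copies(SAMPLE_OUTPUT, INFECTION_TIME):
        print("usable:", c["device"], "created", c["created"])
    print("wiped sample:", shadow_copies_wiped(WIPED_OUTPUT))
```

In practice, save the real output with `vssadmin list shadows > shadows.txt` from an elevated prompt, take the infection time from note_mtime() of the Decrypt_[victim's_id].txt on the desktop, and feed both to usable_copies(). A usable device path such as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 can be mounted read-only with `mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\` (the trailing backslash is required) so that whole folders can be copied out instead of restoring files one by one.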
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra layer, you can use programs such as HitmanPro.Alert and Malwarebytes Anti-Ransomware, which monitor file-system activity for the bulk-encryption behaviour typical of ransomware and stop the offending process, rather than relying on signatures, so they can block a rogue program such as EncrypTile before a vendor has a detection for it.
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove EncrypTile ransomware: