a800 Ransomware

Also Known As: a800 virus
Distribution: Low
Damage level: Severe


What is a800?

a800 is a ransomware-type program: it encrypts the victim's data and demands a ransom for its return. It is a new variant of RotorCrypt ransomware. a800 renames every encrypted file by appending "!__help2decode@mail.com__.a800" to the original name; a file called "1.jpg", for example, becomes "1.jpg!__help2decode@mail.com__.a800". The original extension is kept, so the file type remains visible in the name and the contact e-mail is embedded in every encrypted file. Like most ransomware, a800 drops a ransom note, in this case a text file named "recovery.instruction.txt". This variant was discovered by Michael Gillespie.
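The renaming scheme above is the most useful indicator for triage: the contact address and the new extension are both embedded in every file name, and the original name can be recovered from it. The following script is an added example, not code from the page or from any a800 analysis; it walks a directory tree (for instance a mounted disk image), parses names that follow the "<original>!__<e-mail>__.<ext>" layout, and reports the contact addresses, extensions, recovered original paths and ransom-note locations it finds. The sample tree it builds is constructed here for the dry run and is not data from a real infection.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Renaming scheme described above: "<original name>!__<contact e-mail>__.<ext>".
# The e-mail and extension are captured rather than hard-coded so the parser
# also recovers the original name if a sibling variant changes either part.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)!__(?P<email>[^@\s]+@[^@\s]+?)__\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTE = "recovery.instruction.txt"


def parse_encrypted_name(name):
    """Return (original_name, email, ext) for a file renamed by a800, else None."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("email"), m.group("ext")


def triage_tree(root):
    """Walk a directory tree (e.g. a mounted image) and summarise a800 artefacts:
    how many files were renamed, which contact e-mails and extensions appear,
    the recovered original paths, and where ransom notes were dropped."""
    root = Path(root)
    summary = {
        "encrypted_files": 0,
        "emails": set(),
        "extensions": Counter(),
        "originals": [],
        "note_dirs": [],
    }
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            if name.lower() == RANSOM_NOTE:
                summary["note_dirs"].append(rel_dir.as_posix())
                continue
            parsed = parse_encrypted_name(name)
            if parsed is None:
                continue
            original, email, ext = parsed
            summary["encrypted_files"] += 1
            summary["emails"].add(email)
            summary["extensions"][ext] += 1
            summary["originals"].append((rel_dir / original).as_posix())
    summary["originals"].sort()
    return summary


def build_sample_tree(base):
    """Create a constructed sample tree (not data from a real infection)."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "1.jpg!__help2decode@mail.com__.a800").write_bytes(b"\x00" * 16)
    (docs / "report.docx!__help2decode@mail.com__.a800").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("CONTACT US BY EMAIL: help2decode@mail.com\n")
    (Path(base) / "untouched.txt").write_text("not encrypted\n")
    return base


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a copy or a read-only mount, never the live infected volume, and keep the recovered original names: they tell you exactly which backup files to restore once the machine has been cleaned.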

In the "recovery.instruction.txt" ransom note the attackers (a800's developers) claim that all files were encrypted with the RSA-2048 algorithm and that the files can no longer be used (read, opened or even viewed). That claim is the attackers' own and is not verified here; RSA is far too slow to encrypt large files directly, so ransomware families normally encrypt file contents with a fast symmetric cipher and use RSA only to protect the symmetric key. Whichever scheme a800 actually uses, the practical result is the same: without the private key, which only the attackers hold, the files cannot be recovered by brute force unless the implementation is flawed. The note states that the only way to restore the files is to e-mail help2decode@mail.com; the price and payment instructions are presumably given after contact, as is usual for this kind of note. Paying is not a reliable way out: victims are frequently ignored after the ransom is received, so the attackers should not be trusted. At the time of writing there is no free tool capable of decrypting files encrypted by a800. The best option in this case (as in most ransomware cases) is to restore from a backup that was created before the encryption, if one exists.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:


A great number of cyber criminals distribute ransomware-type programs; NWA, Yatron and Plomb are a few other examples. These infections are very similar: they encrypt data and display a ransom-demanding message or drop a ransom note. The usual differences are the price of the decryption tool/key and the cryptographic algorithm used. Unfortunately, the majority of ransomware is designed to be "uncrackable": the encrypted files cannot be decrypted without the key that only the criminals can provide. Free decryption is possible only when the ransomware is unfinished or has implementation flaws (weak key generation, for example). For these reasons we advise creating data backups regularly and keeping them on remote servers or on storage devices that are disconnected when not in use, so that the ransomware cannot reach them.

How did ransomware infect my computer?

It is unknown exactly how a800 ransomware is distributed. However, most cyber criminals use similar methods: spam campaigns, Trojans, fake software updaters, untrustworthy software download sources and software "cracking" tools. Spam campaigns are e-mails that carry malicious attachments, usually Microsoft Office documents, PDF files, executables (.exe files), archives (ZIP, RAR and so on), JavaScript files or similar. The aim of such e-mails is to trick people into opening the attachment, which then downloads and installs the ransomware (or other malware). Trojans are malicious programs whose job is to download and install further malware, causing chain infections. Fake software updaters infect computers by installing malware instead of the promised updates or fixes, or by exploiting vulnerabilities in outdated software. Untrustworthy download sources such as freeware download websites, free file hosting sites, Peer-to-Peer networks (torrent clients, eMule and so on) and third-party downloaders are used to present malicious files as legitimate software, so that people download and install the infection themselves. Software "cracking" tools, which are used to bypass paid activation, are also a common carrier for ransomware and other malicious programs.
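Because spam attachments are the most common delivery method listed above, a mail gateway or incident responder usually wants a quick, explainable classification of an attachment before anyone opens it. The code below is an added example written for this page, not a component of any product or of a800 itself. It flags the attachment classes the paragraph names (executables, scripts, macro-capable Office documents, archives), detects the "invoice.pdf.exe" double-extension trick, and looks inside ZIP archives for scripts, executables and password-protected members. The extension lists and the sample attachment names are this example's own constructed data, not a vendor signature set.

```python
import io
import re
import zipfile

# Attachment classes from the paragraph above. These lists are this example's
# own choice, not an exhaustive or vendor-maintained set.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "msi"}
SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
MACRO_DOC_EXT = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlsb", "ppt", "pptm"}
ARCHIVE_EXT = {"zip"}  # only ZIP is inspected here; RAR/7z need extra libraries

# "invoice.pdf.exe", "photo.jpg.js": a harmless-looking extension before the real one.
DOUBLE_EXT = re.compile(r"\.(pdf|jpe?g|png|docx?|xlsx?|txt)\.[a-z0-9]{2,4}$", re.I)


def extension(name):
    """Lower-cased final extension of a file name, '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data):
    """Flag executables/scripts inside a ZIP and password-protected members,
    a common trick for getting past mail-gateway scanning."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                    reasons.append(f"password-protected member {info.filename}")
                inner = extension(info.filename)
                if inner in EXECUTABLE_EXT or inner in SCRIPT_EXT:
                    reasons.append(f"{info.filename} inside archive")
    except zipfile.BadZipFile:
        reasons.append("claims to be ZIP but is not a valid archive")
    return reasons


def classify_attachment(name, data=None):
    """Return a list of human-readable reasons an attachment deserves scrutiny.
    An empty list means none of the checks fired. `data` (raw bytes) is only
    needed for archives."""
    reasons = []
    ext = extension(name)
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment (.{ext})")
    elif ext in SCRIPT_EXT:
        reasons.append(f"script attachment (.{ext})")
    elif ext in MACRO_DOC_EXT:
        reasons.append(f"macro-capable document (.{ext})")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hides real type")
    if ext in ARCHIVE_EXT and data is not None:
        reasons.extend(inspect_zip(data))
    return reasons


def build_sample_zip():
    """Constructed in-memory ZIP holding a .js dropper-style name (harmless text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed sample for this example, not real malware\n")
    return buf.getvalue()


def demo():
    """Classify a handful of constructed attachment names (not from a real campaign)."""
    samples = {
        "quarterly_report.pdf": b"",
        "invoice.pdf.exe": b"",
        "order_12345.docm": b"",
        "scan.zip": build_sample_zip(),
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {reasons or 'no findings'}")
```

The classifier is deliberately rule-based and explains each finding, which is what you want in a mail-flow quarantine or a phishing-triage playbook: a PDF that is really an .exe is a different conversation with the user than a password-protected ZIP.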

How to protect yourself from ransomware infections?

We advise against opening attachments or web links in e-mails received from unknown or suspicious addresses. If an e-mail looks irrelevant (even when it is presented as legitimate and official), it should not be trusted without careful analysis first. Download software only from official, trustworthy sources and via direct links; third-party downloaders, Peer-to-Peer networks such as torrents and eMule, and questionable or unofficial websites should not be used. Update software only with the tools or built-in functions provided by the official developers, not with third-party updaters. Note that software "cracking" tools not only cause infections but are illegal as well. Finally, keep a reputable anti-virus or anti-spyware suite installed and enabled at all times; most of these programs can detect and remove malware before it damages the system. If your computer is already infected with a800, run a scan with Spyhunter for Windows to remove the ransomware. Keep in mind that removing the ransomware stops further encryption but does not decrypt files that are already encrypted; those must be restored from backup.

Text presented in a800 ransomware's text file ("recovery.instruction.txt"):

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them, it is the same thing as
losing them forever, but with our help, you can restore them.

CONTACT US BY EMAIL: help2decode@mail.com

Screenshot of files encrypted by a800 ("!__help2decode@mail.com__.a800" extension):


a800 ransomware removal:

Instant automatic removal of a800 virus: Manual threat removal can be a lengthy and complicated process that requires advanced computer skills. Spyhunter is an automatic malware removal tool recommended here to get rid of a800 virus.


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, then click OK. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the "General PC Settings" window that opens, select Advanced startup and click the "Restart now" button. The computer restarts into the "Advanced Startup options" menu. Click "Troubleshoot", then "Advanced options", then "Startup settings", and click "Restart". The PC restarts into the Startup Settings screen; press F5 to boot into Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the menu that opens, click "Restart" while holding the "Shift" key. In the "Choose an option" window click "Troubleshoot", then select "Advanced options". In the advanced options menu select "Startup Settings" and click "Restart". On the following screen press F5 on your keyboard; this restarts the operating system in Safe Mode with Networking.


Step 2

Log in to the account infected with the a800 virus. Start your Internet browser and download a legitimate anti-spyware program. Update it and run a full system scan, then remove all detected entries.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. While the computer is starting, press the F8 key repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the a800 ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining a800 ransomware files.

To restore individual files encrypted by this ransomware, try the Windows Previous Versions feature. This method only works if System Protection (System Restore) was enabled on the infected system and the shadow copies survived the attack. Note that many ransomware families delete Shadow Volume Copies (typically with vssadmin or WMI) as part of the infection, so this method may not work on every computer.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
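Whether Previous Versions can help depends on whether the shadow copies were destroyed, and the commands ransomware uses to do that (vssadmin, wmic, bcdedit, wbadmin) are loud in process-creation telemetry. The detection below is an added example for this page, not code from any product or from an a800 sample analysis: it runs a small rule set over process-creation events, then correlates several hits from the same parent process inside a short window, which separates a ransomware dropper from an administrator running one command. The event records and their timestamps are constructed for the example in the spirit of Sysmon Event ID 1 / Security 4688, not captured from a real host, and the regexes should be tuned to your own telemetry.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command lines commonly used by ransomware to destroy recovery data. The rule
# names and regexes are this example's own; tune them before deployment.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi_shadowcopy_delete_ps", re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (subset of Sysmon EID 1 / Security 4688 fields)."""
    timestamp: str      # ISO 8601, UTC
    host: str
    user: str
    parent: str         # parent image path
    command_line: str


def match_rules(command_line):
    """Names of all rules whose regex matches the command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def detect(events):
    """One alert dict per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev.command_line)
        if hits:
            alerts.append({"timestamp": ev.timestamp, "host": ev.host, "user": ev.user,
                           "parent": ev.parent, "rules": hits, "command_line": ev.command_line})
    return alerts


def correlate(alerts, window=timedelta(seconds=60)):
    """Group alerts by (host, parent). Two or more distinct rules from the same
    parent inside `window` is a strong ransomware indicator: a backup admin
    rarely chains these commands within seconds."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault((a["host"], a["parent"]), []).append(a)
    incidents = []
    for (host, parent), group in by_parent.items():
        group.sort(key=lambda a: a["timestamp"])
        first = datetime.fromisoformat(group[0]["timestamp"].replace("Z", "+00:00"))
        last = datetime.fromisoformat(group[-1]["timestamp"].replace("Z", "+00:00"))
        rules = sorted({r for a in group for r in a["rules"]})
        if len(rules) >= 2 and last - first <= window:
            incidents.append({"host": host, "parent": parent, "rules": rules, "count": len(group)})
    return incidents


# Constructed sample telemetry (written for this example, not captured from a real host).
SAMPLE_EVENTS = [
    ProcessEvent("2019-01-01T10:00:01Z", "WS01", "CORP\\alice", "explorer.exe",
                 r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'),
    ProcessEvent("2019-01-01T10:00:07Z", "WS01", "CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                 "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("2019-01-01T10:00:08Z", "WS01", "CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                 "wmic.exe shadowcopy delete"),
    ProcessEvent("2019-01-01T10:00:09Z", "WS01", "CORP\\alice", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                 "bcdedit.exe /set {default} recoveryenabled No"),
    ProcessEvent("2019-01-01T11:30:00Z", "SRV02", "CORP\\backupsvc", "services.exe",
                 "vssadmin.exe list shadows"),  # benign: listing, not deleting
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["timestamp"], a["host"], a["rules"], a["command_line"])
    print("incidents:", correlate(found))
```

Only the three commands issued by the dropper in the user's Temp folder alert; the benign "vssadmin list shadows" from the backup service does not, and the correlation step ties the three alerts into a single incident because they share a parent and arrive within two seconds.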


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by a800, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an additional layer, you can use programs such as HitmanPro.Alert and EasySync CryptoMonitor, which add policy-based restrictions (via group policy objects written to the registry) to block rogue programs such as a800 ransomware.

Note that Windows 10 Fall Creators Update includes "Controlled Folder Access" feature that blocks ransomware attempts to encrypt your files. By default this feature automatically protects files stored in Documents, Pictures, Videos, Music, Favorites as well as Desktop folders.


Windows 10 users should install this update to protect their data from ransomware attacks. Here's more information on how to get this update and add an additional protection layer against ransomware infections.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove a800 ransomware: