Windows 10: Ransomware infection restore encrypted files

Decryption did not work for me and I used a lot of different tools... My files still have .erif extension. When I ran EMSISOFT Decryptor the results were:


Starting... File: "THE NAME OF THE FILE"Error: No key for New Variant online ID: "ONLINE ID" Notice: this ID appears to be an online ID, decryption is impossibleFinished!

What should I do now? Can anyone help me please?

:)

 

Filed encrypted by Tor ransomware

More information is needed to determine specifically what infection you are dealing with since there are many variants of crypto malware (file encrypting ransomware).
RSA-4096 / RSA-2048 / RSA-1024 / AES-256 / AES-128 are
encryption algorithms and not an explicit way of identifying a particular ransomware infection.

Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, is the extension the same for each encrypted file or is it different?

What is the actual name of your ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the
C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named
.html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.

The best way to identify the different ransomwares is the ransom note (including it's name), the malware file itself, any obvious extensions appended to the encrypted files, samples of those encrypted files and information related to the email address used
by the cyber-criminals.

You can submit samples of encrypted files and ransom notes to ID Ransomware for
assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further
assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

After gathering that information, please read and follow the instructions below.

• How to Post a Topic Asking for Help With Ransomware

 

Ransomware infection?

Any files that are encrypted with MRCR1 Ransomware will have the the
.MRCR1.PEGS1, .RARE1,
.RMCM1 or .MERRY extension appended to the end of the encrypted data filename and leave files (ransome notes) named YOUR_FILES_ARE_DEAD.HTA as explained

here. The ransom note instructs victims to contact the cyber-criminals at "L: *** Email address is removed for privacy ***" or "TELEGRAM @comodosecurity" to get payment instructions.

You can submit samples of encrypted files and ransom notes to ID Ransomware for
assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further
assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Fabian Wosar released a decryptor tool for victims of this type of infection.

• Emsisoft Decrypter for MRCR (Merry X-Mas) -
  
  How to use Emsisoft Decrypter for MRCR

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

• Merry X-Mas (.MRCR1) Ransomware Support & Help topic - YOUR_FILES_ARE_DEAD.HTA

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners
do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already
been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if
other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.
Disinfection will not help with decryption of any files affected by the ransomware.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like

Malwarebytes 3.0,
HitmanPro and
Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an

Online Virus Scan...ESET is one of the more effective online scanners.

 

CryptoLocker Ransomware - File-encrypting malware

How To Avoid CryptoLocker Ransomware — Krebs on Security


Basically guys, the ransomware isn't that hard to remove, however, all your files are left encrypted.


There's also other links for more information and even a tool to help prevent infection in the link above.