Darus Ransomware - How to remove

Darus is a variant of the STOP ransomware family and the name given to a virus that restricts many people’s access to their files and data. It is a form of extortion: the criminals behind the virus try to sell their victims the tools that can restore the files. This is illegal and the harm caused by the infection is very real, but, in many cases, the victims of this virus receive no justice or restoration.

Luckily, there are a few ways that can restore some lost data, though it’s unlikely that all of it is ever decrypted (unless the extortionists’ computers are seized and law enforcement releases their data). Most importantly, there are ways to protect yourself against the harm caused by ransomware like Darus by setting up secure backups.

Characteristics of a Darus infection

Darus causes a short list of symptoms:

  • Changed file names: picture.jpg becomes picture.jpg.darus
  • A ransom note called _readme.txt is created
  • Some websites can’t be loaded on the infected computer (you can fix that manually by following this guide)

The renamed files cannot be fixed by simply removing the extension. In fact, you might want to copy the encrypted files to a backup so that you have originals that you haven’t tampered with. Decryption with the wrong key could corrupt the Darus-locked files further, so it’s always good to have untouched backups.
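As an added example (not code from the original guide), the script below does the two things this section recommends before any decryption attempt: it inventories the artifacts the guide describes (files that gained the .darus extension and the _readme.txt ransom note) and copies every encrypted file into a backup directory, verifying each copy by SHA-256 so an untouched original survives a failed decryption. The folder layout built by build_sample_tree() is constructed for demonstration; point scan_tree() and preserve_encrypted() at a real drive root instead.

```python
"""Inventory and preserve Darus-encrypted files before any decryption attempt.

Added example, not code from the original guide. It assumes only what the guide
states: encrypted files gain a ".darus" extension and a ransom note named
"_readme.txt" is dropped. The sample tree is constructed for demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".darus"        # from the guide: picture.jpg -> picture.jpg.darus
RANSOM_NOTE_NAME = "_readme.txt"   # from the guide: note dropped by the ransomware


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large encrypted files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path) -> dict:
    """Walk root and return encrypted files, ransom notes and the original names.

    The original name is shown only for reporting: as the guide says, stripping
    the extension does NOT recover the file contents.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(p)
            elif name == RANSOM_NOTE_NAME:
                notes.append(p)
    originals = [p.with_name(p.name[: -len(ENCRYPTED_SUFFIX)]) for p in encrypted]
    return {"encrypted": encrypted, "notes": notes, "original_names": originals}


def preserve_encrypted(root: Path, backup_dir: Path) -> list:
    """Copy every encrypted file under root into backup_dir, keeping the relative
    path, and verify the copy by hash. Returns [(relative_path, sha256), ...]."""
    preserved = []
    for src in scan_tree(root)["encrypted"]:
        rel = src.relative_to(root)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)          # copy2 keeps timestamps, useful for triage
        digest = sha256_of(src)
        if sha256_of(dst) != digest:
            raise IOError(f"backup copy of {rel} does not match the original")
        preserved.append((rel.as_posix(), digest))
    return preserved


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: a tiny 'infected' folder layout for demonstration."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.darus").write_bytes(b"\x00ciphertext-placeholder\x00")
    (docs / "picture.jpg.darus").write_bytes(b"\xff\xd8not-really-a-jpeg")
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note text\n")
    (docs / "untouched.txt").write_text("this file was not encrypted\n")
    return base


def demo() -> dict:
    """Run the whole procedure on a temporary sample tree and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "infected")
        backup = Path(tmp) / "backup"
        inventory = scan_tree(root)
        preserved = preserve_encrypted(root, backup)
        return {
            "encrypted_count": len(inventory["encrypted"]),
            "note_count": len(inventory["notes"]),
            "original_names": sorted(p.name for p in inventory["original_names"]),
            "preserved": sorted(rel for rel, _ in preserved),
        }


if __name__ == "__main__":
    print(demo())
```

Keep the backup on a different physical disk or removable medium than the infected one: the point is that a later decryption tool only ever operates on a copy, and the hash list lets you confirm the preserved originals were never modified.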

The harm caused by Darus

Darus is a file-encrypting virus, which means it can corrupt data and destroy files. This is devastating, but it is not the only negative effect that Darus has on its victims. Here is a short list of the problems that come with a Darus infection:

  • Lost files
  • Time spent on fixing the damage
  • Money paid to the extortionists, money lost from hacked online accounts
  • Hacked accounts

Lost files include documents and spreadsheets, pictures, audio and video files, archives, even system restore files. A wide variety of file types are encrypted by Darus in an attempt to cause the most damage possible. The files needed by the operating system are left alone because the virus needs the operating system to remain functional.

Time is lost to the infection whether or not you have backups. With backups, restoring them takes some time, and some files are probably going to be outdated, not to mention files that were not backed up or backups that were themselves encrypted. Hours of work might be lost and need to be recreated. This costs time and money, especially for businesses.

Money is lost to Darus — not by every victim, but it’s a danger that you should be aware of. The criminals often fail to help the victims restore their files after the money has been sent. Don’t pay what you aren’t willing to lose, because there is no way to get your money back once you have paid in Bitcoin or another cryptocurrency. Money in your online accounts is also endangered by Darus.

Hacked accounts are a scary but plausible consequence of a Darus infection. A trojan called AZORult is distributed together with STOP crypto viruses and, if an account to which you have linked a credit card has its password leaked and is hacked, you risk losing real money to unauthorized purchases. On top of that, a hacked account can be used to distribute malware to your contacts. This also puts your private data, such as personal conversations, at risk.

On a lighter note, you don’t need to fear that the criminals have your data. They might have a few of your files, and the trojan might steal your credentials, but they don’t have the bulk of your data. Still, take precautions and secure your remote desktop and other remote connection channels. Change your passwords to something complex and monitor your bank account for suspicious activity.


How to get rid of Darus and restore the files

Remove the virus using Spyhunter or another antivirus tool. If the antivirus doesn’t work, use Safe Mode or scan your computer from another device. Don’t be surprised if a few more threats than expected are found: considering that Darus is distributed inside other arguably unsafe programs, such as cracked software, keygens and activators, a competent antivirus program will probably want to clear your computer of those, too.

Run STOPDecrypter on your encrypted files. A volunteer called Demonslay335 developed a program to help the victims of STOP ransomware. This tool, called STOPDecrypter, can only decrypt files that were locked with an offline key, and only if that key has been found for the particular strain of STOP/Djvu. Darus is still very new, but other variants have received such an update, like Tocue and Madek.

Other ways to restore lost data include data recovery software (meant to recover data, such as deleted files, from a disk) and System Restore (Darus should remove the files it needs, but viruses don’t always work correctly).


How to recover Darus Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

For Windows 7 / Vista / XP
  • Start > Shutdown > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before Darus Ransomware infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Darus Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Darus Ransomware. You can check other tools here.

Step 3. Restore Darus Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Darus Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
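The step above hinges on whether the ransomware managed to delete the Shadow Volume Copies. As an added example (not code from the original guide), the detector below runs over process-creation telemetry and flags the shadow-copy deletion attempt itself, which is the signal a defender wants in order to know this recovery path has been lost and to act before the next machine is hit. The log lines are constructed for the example, and their key=value layout is an assumption about the log source (Sysmon-style process-creation events), so adapt parse_event() to whatever your endpoint agent actually emits.

```python
"""Flag shadow-copy deletion attempts in process-creation logs.

Added example, not code from the original guide. The sample log lines are
constructed and their key=value layout is an assumption about the log source.
"""
import re

# Constructed sample telemetry: one event per line, key=value pairs, values
# with spaces quoted. Paths and the parent process name are placeholders.
SAMPLE_LOG = """\
UtcTime=2019-07-10T09:41:12Z Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c vssadmin list shadows" ParentImage=C:\\Windows\\explorer.exe
UtcTime=2019-07-10T09:41:30Z Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\unknown.exe
UtcTime=2019-07-10T09:41:31Z Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\unknown.exe
UtcTime=2019-07-10T09:42:05Z Image=C:\\Backup\\agent.exe CommandLine="agent.exe --snapshot C:" ParentImage=C:\\Windows\\System32\\services.exe
"""

# key=value tokens; a value is either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Command-line shapes that destroy shadow copies (a deletion, not a listing).
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# A parent living in a user-writable scratch directory raises the severity:
# backup software is installed somewhere; freshly dropped malware usually is not.
SUSPICIOUS_PARENT = re.compile(r"\\(appdata|temp|downloads)\\", re.I)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_shadow_deletion(command_line: str):
    """Return the matching rule name, or None if the command is not a deletion."""
    for name, pattern in SHADOW_DELETE_RULES:
        if pattern.search(command_line):
            return name
    return None


def detect(log_text: str) -> list:
    """Run the rules over every event and return one alert dict per hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        command = event.get("CommandLine", "")
        rule = is_shadow_deletion(command)
        if rule is None:
            continue
        parent = event.get("ParentImage", "")
        alerts.append({
            "time": event.get("UtcTime", ""),
            "rule": rule,
            "command": command,
            "parent": parent,
            "severity": "high" if SUSPICIOUS_PARENT.search(parent) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["time"]} [{alert["severity"]}] {alert["rule"]}: '
              f'{alert["command"]} (parent: {alert["parent"]})')
```

The listing command in the first sample line is deliberately left unflagged: the rules require the deletion verb, so an administrator checking which snapshots exist does not trigger an alert, while the two deletion events spawned from a Temp directory come out as high severity.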

Step 4. Use Data Recovery programs to recover Darus Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
