District ransomware refers to a cryptovirus that has been active since October 2018 and first reported to the public by the malware expert https://twitter.com/demonslay335/status/1052236230702891011. This ransom demanding threat aims to compromise victims’ computers by locking all the personal files and requesting money in exchange for the decrypting key. This scary ransomware is spreading all around the world, without selecting any specific region or type of users, therefore anyone can become a victim. Even if you still have not been touched by the notorious District virus it is useful to know how to prevent it from sneaking into your PC.
District Ransomware quicklinks
- What is the District ransomware
- How does District virus infect computers
- How to get rid of the District ransomware and recover files
- Automatic Malware removal tools
- How to clean the system from District virus
- How to recover District ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 4. Use Data Recovery programs to recover District ransomware encrypted files
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
Just like EbolaRnsmwr, Minotaur, Qweuirtksd or Dharma-Btc, District ransomware yet does not have an official decryptor yet, but cybersecurity experts are aware of this threat and actively are trying to design one. In this article, we’ll give you some basic information about the District virus, it’s working principles, how to recognize it and prevent it. Moreover, at the end, you’ll find very detailed instructions on how to remove this crypto infection and access your locked data without that special unlocking program.
What is the District ransomware
District ransomware is a type of malware that is designed to bring profit for its developers by blackmailing the victims into paying a certain amount of Cryptocurrency in exchange for the inaccessible data, which was encrypted during the infection. Although this hacker monetization method is getting less and less popular by crypto mining pushing it from the market, yet some crooks are still succeeding in receiving the ransom since there still are users who fail to secure their computers, use the internet wisely or make backups. The added extension and ransom note urging to make a payment quickly does add the fuel to the fire and cause a lot of stress for the victim, which ends up paying the hackers, which is never a good idea.
Once the District cryptovirus slithers into your computer, mind you, it only infects Windows OS, it will run tons of Background processes at the same time to avoid antivirus detection and complete its setup before it gets interrupted. District ransomware alters Windows registry keys, making itself persistent, at the same time searches for targeted personal files with extensions like .jpg, .mp4, .docx, .png and etc. which could be locked. When such files are identified, the virus uses the fast AES-256 algorithm to encrypt them and appends ‘[email protected]’ or ‘[email protected]’ string at the end of their names to mark affected data. Later District virus drops the text file called ‘READ_IT.district’ which shows what happened to your system and how to fix it.
District virus can be easily spotted right after the infection by the above-mentioned signs – the Notepad file ‘READ_IT.district’ and extension ‘[email protected]’ (‘[email protected]’) at the end of all data. Actually, one of the main ransomware’s features is to get noticed, because this will ensure that the compromised user sees the threat and knows that the only way to solve it is by paying. Here is what ‘READ_IT.district’ says:
You only have 96 hours to submit the payment
Danger: our contacts change every 3 days
Do not hesitate, contact us immediately
Then we will not be available
Attention: if you do not have money then you do not need to write to us!
The file is encrypted with the AES-256 algorithm
Only we can decrypt the file!
Don’t delete “NO_DELETE_SEND_IT” at Desktop
If you want decrypt data, send this file to us
Our email: [email protected]
No matter what the crooks are saying and how convincing their lies sound, do not send anything to their [email protected] email, because they might just take your money and leave you still with locked files. We have a few tips that we want to share below, which have worked in some cases when dealing with ransomware like District cryptovirus, both for the removal and file recovery. Finally, to see more technical details you can visit VirusTotal.com analysis results.
How does District virus infect computers
If your system was compromised you can already tell what caused the District ransomware infection. We are guessing the main spreading methods at the moment can be MS Word Macros, which are still the number one vector for malware distribution, or software bundled with viruses. The latter technique seems to be easier to avoid and comprehend – simply avoid installing shady programs from untrusted sites or torrents because the ransomware can be camouflaged as something legitimate. However, macros still fool lots of people.
Macros are tiny programs that can be added to MS Office files. They are legitimate and undetectable by the security products, therefore, can easily sneak in with a Word file. In order to do so, District virus creators make tons of Socially engineered emails that look like bills, requests, resumes, offers, medical records or whatever that seems like a routine email, which needs further attention and download of the attached .docx file. When the file is opened, the victim must enable macros themselves to see the falsified content but does not see anything, because there never was a message and District ransomware starts running its malicious deeds.
How to get rid of the District ransomware and recover files
Prevention is better than cure and knowing the measures against ransomware can really save you from lots of trouble and lost files in the future. On the other hand, if District virus is already in the system there are a few ways how to fix it.
Our best suggestion if you want to keep your files would be using either Spyhunter or Malwarebytes anti-spyware tools to remove District ransomware in the first place, then trying various restoring methods like Shadow Copies, file recovery programs and etc. that are mentioned below in the guide. While there is no official decrypter, which you should keep looking for on the NoMoreRansom project page, that is the only option you have, unless you are good with your backups and have made one before the infection.
Automatic Malware removal tools
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
How to clean the system from District virus
Manual cleansing of the system is only advised for these victims that have recent Backups, which could be used for the restore your system back to the previous state before District virus. All the steps how to do that correctly are mentioned in the guidelines below. If you don’t care about encrypted data, the best option would be a complete System Restore.
How to recover District ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before District ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of District ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to District ransomware. You can check other tools here.Step 3. Restore District ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually District ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover District ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.