Minotaur ransomware - How to remove

Minotaur ransomware is one of a few new cryptovirus variants that came out in October 2018. The first to report this ransom-demanding parasite was a malware specialist on Twitter (https://twitter.com/malware_traffic/status/1050907381964689408). The Minotaur virus uses the AES algorithm, appends the .lock extension and asks for a considerable ransom of 0.125 BTC ($827,60 at the moment). Even though the Minotaur crypto infection is a unique ransomware, or at least not a copy of the Hidden Tear project, it acts and looks very similar to other kinds of crypto viruses, such as Qweuirtksd[email protected], Magician RSWware or Donut.

This ransomware targets only English-speaking users, yet it is only in the first stages of dissemination and could spread more widely around the globe. If you have become a victim of the Minotaur virus, this article will help you find out what happened to your PC, what you are dealing with and how to get rid of it once and for all, possibly unlocking the files that are now unavailable, so keep on reading.

How does Minotaur ransomware work

To users who are new to the cyber-threat world, the Minotaur virus may appear as a very dangerous and sophisticated ransomware that requires a degree in computer science to understand, but to those already familiar with various kinds of malware, the Minotaur variant can come across as rather plain and boring. While the technical details of how ransomware works take time to understand, the concept is really simple. Minotaur ransomware is developed by crooks who want easy money. Their technique is to sneak into computers, find personal files that are precious to the user, encrypt them and ask for a ransom to unlock them.

(Image: Minotaur ransomware ransom note)

Victims usually need to be pushed to pay, so Minotaur works as scareware too. It displays a scary ransom note that includes the contact email, the ransom amount and your case ID, and it marks all affected files with the .lock extension. Only personal files such as videos, documents, pictures and music are encrypted: if system files were damaged, the victim could not read the demand and send the payment, and besides, they are not as valuable to the user as digital memories.

The Minotaur virus uses the symmetric AES algorithm (which indeed is fast but not as strong as RSA) to lock the selected files and then drops the above-mentioned ransom note in a text file called How To Decrypt Files.txt, where it asks for an anonymous payment in Bitcoin. Right now the average ransom demand, across ransomware in general, is around $1000.

How To Decrypt Files.txt

—————————————————————————————-
(KEY): J3oLtCrE14EL…….
(EMAIL) : minotaur0428blaze.it
—————————————————————————————-
ALL YOUR FILES ARE ENCRYPTED BY (MINOTAUR) RANSOMWARE!
—————————————————————————————-
FOR DECRYPT YOUR FILES NEED TO PAY US A (0.125 BTC)!
—————————————————————————————-
FILES ARE ENCRYPTED BY (MINOTAUR) RANSOMWARE!
—————————————————————————————-
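The two file-system indicators the article names (the .lock extension on encrypted files and the How To Decrypt Files.txt note) are enough for a quick triage scan of a suspect machine or a restored backup. The script below is an added example written for this page, not code from the article or from the malware's authors: it walks a directory tree, lists the notes and .lock files it finds, and additionally flags files that lack the extension but whose leading bytes have the near-uniform byte distribution of AES output. The sample tree it builds is constructed, the 7.5 bits-per-byte threshold is an assumption, and the entropy check only corroborates the name-based indicators, because compressed media (JPEG, ZIP, MP4) score just as high as ciphertext.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: encrypted files receive a ".lock" extension
# and the ransom note is dropped as "How To Decrypt Files.txt".
LOCKED_EXT = ".lock"
NOTE_NAME = "How To Decrypt Files.txt"
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed cut-off); AES output sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk a directory tree and collect three kinds of indicator.

    notes:        ransom notes found by exact file name
    locked:       files carrying the ".lock" extension
    high_entropy: files without the extension whose first bytes look encrypted
                  (only judged when at least 256 bytes are available)
    """
    report = {"notes": [], "locked": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                report["notes"].append(str(path))
                continue
            if name.lower().endswith(LOCKED_EXT):
                report["locked"].append(str(path))
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(str(path))
    return report


def build_sample_tree() -> str:
    """Constructed sample directory (not output of the real malware) so the
    script runs stand-alone; random bytes stand in for AES ciphertext."""
    root = tempfile.mkdtemp(prefix="minotaur_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / NOTE_NAME).write_text("ALL YOUR FILES ARE ENCRYPTED BY (MINOTAUR) RANSOMWARE!\n")
    (docs / "thesis.docx.lock").write_bytes(os.urandom(2048))
    (docs / "budget.csv").write_bytes(os.urandom(2048))   # encrypted in place, no extension
    (docs / "notes.txt").write_text("meeting at 10, bring the quarterly report\n" * 20)
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Point `triage_tree()` at a user profile (or at a mounted image of the disk) to get an inventory of what was touched; the list of .lock files is also the list of files to test later against any decryptor that appears.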

Minotaur, despite not touching system files, does modify registry keys, so it will still be there even if you restart your PC. If you are interested in the technical details, take a look at the Virustotal.com and HybridAnalysis.com pages. To see how Minotaur acts in practice, take a look at malware expert @GrujaRS's video.
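The article says Minotaur survives a reboot through registry changes but does not name the keys. The most common place for that kind of persistence is the per-user Run key, so the following added example (written for this page, not taken from the article or from any analysis of the sample) parses a `reg export` of that key and flags autorun entries that launch from user-writable directories or that borrow a Windows system process name while living outside the Windows directory. The export text is constructed, the assumption that Minotaur uses a Run key is mine, and `minotaur_placeholder.exe` is a placeholder name, not a real indicator.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export (not from a real infection) in the format that
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# produces. minotaur_placeholder.exe is a placeholder, not a real file name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Cleaner"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\minotaur_placeholder.exe\""
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')

# Heuristics (assumed, tune for your environment): autoruns launched from
# user-writable locations, or a binary that reuses a Windows system process
# name while living outside \Windows\.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\users\\public\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


def reg_unescape(text: str) -> str:
    # Undo .reg escaping: a doubled backslash becomes one, an escaped quote becomes a quote.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> dict:
    """Map value name -> command line for string values under Run/RunOnce keys."""
    entries, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None or not current_key.lower().endswith(("\\run", "\\runonce")):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:   # hex:/dword: values do not match the pattern and are skipped
            entries[reg_unescape(value_match.group("name"))] = reg_unescape(value_match.group("value"))
    return entries


def executable_path(command_line: str) -> str:
    """Pull the program path out of an autorun command line (quoted, or the first token)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def hunt_run_keys(text: str) -> list:
    """Return the autorun entries that match one of the heuristics above."""
    findings = []
    for name, cmd in parse_reg_export(text).items():
        exe = executable_path(cmd)
        low = exe.lower()
        reasons = []
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a user-writable directory")
        if PureWindowsPath(exe).name.lower() in SYSTEM_BINARY_NAMES and "\\windows\\" not in low:
            reasons.append("uses a Windows system binary name outside the Windows directory")
        if reasons:
            findings.append({"name": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_run_keys(SAMPLE_REG_EXPORT):
        print(f"{finding['name']}: {finding['path']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

A real export written by `reg export` is UTF-16 with a byte-order mark, so read it with `Path("run.reg").read_text(encoding="utf-16")` before passing it to `hunt_run_keys()`. Review the flagged entries rather than deleting them blindly: the same heuristics fire on some legitimate updaters, which is exactly why the article warns that editing the registry by hand can damage the system.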

Clearly, paying so much to get your files back is risky and there is no guarantee that it will work, so never pay the ransom. Instead, keep reading this article to find out what other options you can try to deal with Minotaur ransomware.

How does Minotaur virus spread

Minotaur ransomware spreads via email, more specifically through bogus email messages with the virus attached. It is no surprise that macros are the number one malware-spreading vector in the cyber world right now. Macros are legitimate programs embedded in MS Office documents that only run if the user allows them. Knowing this, crooks have an easy way into the PC: infected macros are not detected by the antivirus, so a believable message that tricks the user into enabling this function is enough. This spreading technique also gets past corporate security, meaning that the Minotaur virus hackers can ask for more money.

While more and more companies are starting to invest in cybersecurity and trusted tools like FireEye, regular users must rely on common sense to avoid Minotaur ransomware. These fake, socially engineered emails are short and seem to carry an important message whose content can only be seen in the attached .docx file: invoices, rent payment problems, complaints, tax reports, resumes, hospital reports, requests to update or confirm personal/account details and so on. Some viruses can even spread from a compromised friend's email, so it looks as if the message was sent by them. Therefore, always check the sender and use common sense to recognize such threats. More about ransomware spreading methods
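Because the infection chain above depends on a macro inside an Office attachment, the check a mail gateway or a cautious user can apply is whether the attachment carries a VBA project at all, independent of what extension the sender gave it. The example below is added for this page and is not part of the article: OOXML files (.docx, .docm, .xlsm and so on) are ZIP containers, and a document with macros contains a `vbaProject.bin` part that is also declared in `[Content_Types].xml`, so the function inspects the container rather than trusting the file name. The two documents it builds are constructed skeletons, not real Word files; legacy binary .doc files (OLE2) are outside its scope.

```python
import io
import zipfile

# A VBA project inside an OOXML (zip-based) Office file lives in a part named
# vbaProject.bin and is declared with this content type in [Content_Types].xml.
# The check looks at the container, not at the extension, so a macro document
# renamed to .docx is caught just the same.
VBA_PART = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(blob: bytes) -> bool:
    """True if a zip-based Office document carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith(VBA_PART) for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass   # not OOXML; legacy .doc (OLE2) files need a different parser
    return False


def build_document(with_macros: bool) -> bytes:
    """Constructed minimal OOXML skeleton (not a real Word file) for the demo."""
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macros:
        content_types.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(content_types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # OLE2 magic bytes plus filler stand in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


def classify_attachment(filename: str, blob: bytes) -> str:
    """Mail-gateway style verdict for one attachment."""
    if has_vba_macros(blob):
        return f"quarantine: {filename} contains VBA macros"
    return f"allow: {filename}"


if __name__ == "__main__":
    print(classify_attachment("invoice.docx", build_document(with_macros=True)))
    print(classify_attachment("invoice.docx", build_document(with_macros=False)))
```

Quarantining every macro-bearing attachment from outside the organisation removes the "enable content" decision from the user entirely, which is the point the article makes about relying on common sense: the safest policy is one where that judgement is never required.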

How to remove Minotaur ransomware fast

Minotaur ransomware is undeniably one of the hardest virus infections to deal with. Not because it is very hard to remove, but because it is hard to recover the encrypted files. However, bear in mind that Minotaur is persistent and needs to be removed from various directories in order to disappear completely from your Windows. Doing this yourself requires advanced technical knowledge, because it includes fixing modified registry keys (which can mess up the whole system if you delete or adjust them the wrong way), identifying hundreds of virus-related files, finding where the main cause lies and so on.

You cannot skip virus removal, as it is the initial step towards a clean system, so we suggest using professional malware removal software developed to hunt down and delete all kinds of spyware, including the Minotaur virus. Two of the best are SpyHunter and Malwarebytes. We trust these security programs and their ability to do the job properly, terminating Minotaur ransomware once and for all. Just run a full system scan with either of them and minutes later you will have a clean, Minotaur-free computer.

Automatic Malware removal tools

Download Spyhunter for Malware detection (Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. Limited trial available; see Terms of use, Privacy Policy and Uninstall Instructions.

Download Combo Cleaner for Malware detection (Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. Limited trial available; see Terms of use, Privacy Policy, Uninstall Instructions and Refund Policy.

How to uninstall Minotaur virus manually and restore files

Manual removal of the Minotaur virus is suitable only for victims who make backups regularly or do not care about losing their files. The latter, who just want to use their computer properly and need nothing back from the locked files, can simply perform a System Restore and start fresh. Those who do need their files and have proper backups should restore their system to a point in time right before the infection. Scroll down for the step-by-step guidelines.

Without a doubt, the most unwanted consequence of a Minotaur ransomware infection is the locked files, which unfortunately remain inaccessible even after the virus is completely removed. Although the Minotaur developers claim that you need to pay them this huge ransom to decrypt your precious data, that is not advisable, because there are a few other techniques to recover encrypted files. Start by checking whether your Shadow Volume Copies were deleted and, if not, try restoring from them as shown in our instructions below. Another option is to try the file-recovery programs mentioned at the end of the restore guide.

Sadly, the Minotaur cryptovirus does not have an official decryptor yet; however, knowing how fast malware specialists work towards helping victims of cybercriminals, we expect a proper decryption tool soon. We will update this post when the unlocking software becomes available, but you can also keep an eye on the No More Ransom decryptors list yourself.


How to recover Minotaur ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. (Image: Windows 7 enter safe mode)

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart. (Image: Windows 8-10 restart to safe mode)
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. (Image: Windows 8-10 enter safe mode)

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again. (Image: CMD commands)
  • Click "Next" in the window that appears. (Image: Restore point img1)
  • Select one of the Restore Points dated before Minotaur ransomware infiltrated your system and then click "Next". (Image: Restore point img2)
  • To start System Restore, click "Yes". (Image: Restore point img3)

Step 2. Complete removal of Minotaur ransomware

After restoring your system, we recommend scanning your computer with an anti-malware program such as Spyhunter and removing all malicious files related to Minotaur ransomware. You can check other tools here.

Step 3. Restore Minotaur ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Minotaur ransomware usually tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing encrypted file. If you want to see the content of the file first, just click Open.
(Image: Previous version)

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export". Then choose where you want it to be stored.
(Image: Shadow explorer)

Step 4. Use Data Recovery programs to recover Minotaur ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files. (Image: Data Recovery Pro)
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.