Ithh ransomware virus Remove and decrypt ithh file
Ithh ransomware variant is a type of malware encrypts files (video, photos, documents)
What is ithh Ransomware
ithh is another file-encryptor developed and spread by the STOP/Djvu family. It copies all traits and capabilities of older versions issues by the STOP/Djvu group. The virus encrypts PC-stored data and demands crypto ransom for unique decryption software that will decipher this data. Most often, malware like ithh targets vital data like images, music, videos, and documents containing important information.
After detecting such files, the ransomware program will generate unique ciphers and write them over the files to prevent users from accessing them. Apart from this, ransomware infections also append new extensions to highlight the encrypted data. In the case of ithh Ransomware, users will see their data changed with the .ithh extension. This means a regular file like 1.pdf will change its look to something like this 1.pdf.ithh .
After this, ithh developers create a text note called _readme.txt that explain decryption instruction. Note that all of these changes happen in a blink of an eye, so it is impossible to track which part of encryption occurred first. This is what you can see written inside the text note with ransom demands. The same ransom note template was used in previous versions as well:
According to the file content, victims are able to recover their data only by paying for special decryption software (a tool and key), which will decode unique ciphers assigned to each victim.
Unfortunately, this is the only way to decrypt files unless ransomware contains some serious vulnerabilities that help third-party tools crack open the ciphers.
It can be the case if ransomware failed to generate online keys due to lack of connection and was forced to create offline ones instead.
To avoid the guessing game, it is safer and better to recover your files using backup copies. In all other cases, the decryption of ithh files is almost impossible unless the aforementioned. The cost of decryption offered by cybercriminals is $980, but it can be cut down to $490 if victims contact developers within 72 hours after getting infected.
Communication between victims and ransomware developers is guided to be established via one of the e-mail addresses (support@fishmail.top or datarestorehelp@airmail.cc).
Additionally, ithh developers offer the victims to send 1 file containing no valuable information to test free decryption. By doing so, ransomware developers prove their capability of decrypting your data. Unfortunately, whatever they do to uplift their trust and push victims into performing the requested steps is still not enough to be 100% sure about their trustworthiness.
Just like other fraudulent figures, they are able to fool you and not send any decryption tools even after paying the ransom.
If you do not have money to pay the ransom, or simply do not want to risk your money, we recommend using backup copies as mentioned above. It is also possible some victims do not have very important data encrypted, so they can afford to lose it without regrets.
However, if you are the opposite case and willing to decrypt your data without having any backup copies, you can give it a try nonetheless. Along with removal instructions, we have prepared a list of the most popular and effective tools able to decrypt compromised data in some post-encryption scenarios.
How does .ithh ransomware attack files?
- By spam e-mails.
- Some Fake Ads on free hosting websites.
- Some unsafe torrent software, Opening these types or clicking on the harmful links might harm the system.
- Applications games cracks.
How To protect from the .ithh ransomware Cyber-attack
- Do not open any e-mail attachments, specifically from unknown sender.
- Do not install unsafe freeware.
- Install an antivirus with last update, to check each file before opening it.
How to remove ithh virus?
You can remove ransomware from windows 10 & Remove Ransomware from windows 7 method available in mango school YouTube channel.
You have to change all your passwords used on the infected device because the ithh ransomware may steal the passwords stored in your browser and send them to the gangs.
How to Decrypt .ithh ?
Remove .ithh extension from some BIG files then open them, this depends on virus ability of reading and encrypting the file, so it will not add the file marker. incase each file is larger than 2GB.
1. Make sure to launch Emsisoft decryption tool as an administrator. then agree with the license terms by clicking on "yes" button.
2. It will automatically find the available drives, including any connected drives, and for more locations can be selected with the “Add” button.
3. After adding the needed locations for decryption into the list, click on the “Decrypt” button to start the decryption procedure.
4. The main screen may turn you to a status view, letting you know of the active process and the decryption statistics of your data.
5. The tool will notify you at the end of the decryption process.
Emsisoft will display a message while decrypting files like:
No key for New Variant online ID
The decryption is impossible. Your original files were encrypted with an online key you run the virus while you are connected to the internet. So no one has the same encryption/decryption key pair.
Result: No key for new variant offline ID
Decryption may be possible in the future. Receiving this message is good news for you, because it might be possible to restore your files in the future, follow updates regarding the decrypted DJVU variants.
Remote name could not be resolved
It refers to DNS problem on your PC, so reset your HOSTS file back to default.
How ithh Ransomware infected your computer
Ransomware developers exploit a lot of distribution techniques to spread various infections. E-mail spam letters, trojans, fake software updaters or installers, backdoors, botnets, keyloggers, web-injects, malicious ads, and other dangerous channels are those often successful in spreading malicious software.
The one to stick around the top of this list happens to be e-mail spam. It is abused by cybercriminals to send malicious attachments. MS Office files like Word or Excel, PDF, Executable, and JavaScript files are very often located in malicious letters of such type.
Most often, they are sent from legitimate-looking sources like DHL, DPD, FedEx, or Financial organizations asking to open the files. In case you stumbled upon something similar, be sure this is a trap leading to malicious infections.
Usually, such companies will never send you messages with requests to open or download something without a reason. People that decide to risk and open such files, due to inexperience or curiosity, will more likely be pounced by some piece of malware.
More and more swindlers spread ransomware infections because this is the best virus to monetize and earn on. To prevent getting infected by this and many other channels as well, read our guidelines below. We mentioned some of the most essential tips that will help you maintain high-level protection whilst running online activity.
Virus modifies “hosts” file to block Windows updates, downloading antivirus programs, and visiting sites related to security news or offering security solutions. ithh Ransomware comes along with AZORult trojan, which was initially created to steal logins and passwords. The process of infection also looks like installing Windows updates, the malware shows a fake window, that mimics the update process.
It uses rdpclip.exe to replace a legal Windows file and to launch an attack on a computer network.
ithh Ransomware virus is propagated via spam attack with malicious e-mail attachments and using manual PC hacking.
Can be distributed by hacking through an unprotected RDP configuration, fraudulent downloads, exploits, web injections, fake updates, repackaged, and infected installers. The virus assigns a certain ID to the victims, which is used to name those files and supposedly to send a decryption key.
Great tools to protect against ithh Ransomware are: Emsisoft Anti-Malware and Malwarebytes Anti-Malware.
How to remove ithh Ransomware manually
It is not recommended to remove ithh Ransomware manually, for safer solution use Removal Tools instead.
ithh Ransomware files:
_readme.txt
rdpclip.exe
delself.bat
{randomname}.exe
ithh Ransomware registry keys:
no information
How to decrypt and restore .ithh files
STOP Djvu Decryptor is able to decrypt .ithh files, encrypted by ithh Ransomware. This tool was developed by EmsiSoft. It works in automatic mode, but in most cases works only for files encrypted with offline keys.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .ithh files by uploading samples to Dr. Web Ransomware Decryption Service. Analysis of files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with ithh Ransomware and removed it from your computer, you can try decrypting your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers.
Use Stellar Data Recovery Professional to restore .ithh files
Download Stellar Data Recovery Professional.
Click Recover Data button.
Select type of files you want to restore and click Next button.
Choose location where you would like to restore files from and click Scan button.
Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
Right-click on infected file and choose Properties.
Select Previous Versions tab.
Choose particular version of the file and click Copy.
To restore the selected file and replace the existing one, click on the Restore button.
In case there is no items in the list choose alternative method.
Using Shadow Explorer:
Download Shadow Explorer program.
Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
Select the drive and date that you want to restore from.
Right-click on a folder name and select Export.
In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
Login to the DropBox website and go to the folder that contains encrypted files.
Right-click on the encrypted file and select Previous Versions.
Select the version of the file you wish to restore and click on the Restore button.
Use Media Repair to decrypt media files encrypted with .ithh
Download Media Repair tool.
Right-click on the downloaded archive, and select Extract to Media_Repair\.
Then double-click on the extracted .exe file to launch the utility.
At first, you have to choose which file type you want to decrypt. You can do it from the drop-down menu in the utility.
Next, browser the folder with encrypted or reference files. Choose any of them and click on the Test icon located in the top right corner.
Media Repair will display a pop-up message with information on whether it can repair the selected file or not.
After checking if it is possible or not, select your reference file and click on the icon right under the Test button we used in step #5.
If the file pair is properly matched, you can move on and hit the Play button to start repairing. You can also stop the process anytime by clicking on the Stop button.
How to protect computer from viruses, like ithh Ransomware, in future
1. Get special anti-ransomware software
2. Back up your files
3. Do not open spam e-mails and protect your mailbox
References