Remove SevenDays Ransomware | Updated


I wrote this article to help you remove SevenDays Ransomware. This SevenDays Ransomware removal guide works for all Windows versions.

SevenDays ransomware is an unusual win-locker. It first detected in early August 2017. The sinister program has a somewhat cryptic gaming theme. Security experts have made the assumption that its name refers to a 7-day ban in a popular computer game series named Counter-Strike. Valve imposed the ban on players of the game CS-GO who were using cheats and hacks to gain an unfair advantage. This theory is supported by the distribution range of SevenDays ransomware. The win-locker targets players from Eastern Europe where the Counter-Strike game series is most popular.

SevenDays ransomware is spread through spam emails. The secluded program is hidden behind an attached file, listed as an important document. The person behind the letter can write on behalf of a reputable company or organization, like the national post, the district police department, a bank, an institution, a government branch, a courier firm, or a social network. Accessing the attachment will initiate the download and install of the nefarious program. When installed, SevenDays ransomware creates a string called Alcmeter in the Windows Registry. You need to filter your in-box from spam. Checking the contacts is the way to tell whether a given message is genuine.

The developers of SevenDays ransomware have implemented AES-256 and RSA-2048 encryption algorithms. The RSA cipher generates a public encryption key which locks targeted files. The AES cipher creates a private decryption key for unlocking them. SevenDays ransomware targets a wide range of files types. This encompasses text documents, images, databases, archives, audios, videos, logs, zipped folders, and others. The insidious program marks each infected object with the custom suffix .SEVENDAYS.

Another distinctive characteristic of SevenDays ransomware is the use of in-game screenshots. The clandestine program drops player view graphics complete with captions in reference to the ban. The hackers have made a peculiar decision in regards to how the virus is presented. The communication with victims, or lack there of, is unusual for a win-locker. The furtive program drops a ransom note titled HOW TO DECRYPT FILES.txt on the desktop. The destination ensures that users would take notice of the file.

Commonly, win-lockers leave a ransom note to explain why the attack was launched. In most cases, hackers encrypt files with the intent of demanding a ransom. They ask for a certain sum in exchange for the unique decryption key. In this sense, the people behind SevenDays ransomware have strayed away from the essence of a ransomware program. They do not require people to pay or disclose their motives. The ransom note only lists the string SEVENDAYS, written a few times with no spaces or punctuation marks. Considering the name of the file, there may have been an oversight or a mistake. The coders may have forgot to complete the message or paste it in the document. Another possible explanation is that the virus was released before completion, perhaps deliberately or by accident.

The ultimate result from the lack of disclosure is that victims do not have a way out. Paying for the decryption key is not an option, neither is contacting the hackers to negotiate a deal. This may be a blessing in disguise, considering how win-locker developers operate. In most cases, these people are cyber criminals. They require users to pay a ransom in Bitcoins. This cryptocurrency protects from tracking and tracing, giving fraud artists the opportunity to keep their identity hidden. In some cases, they do not provide the decryption key upon receiving the payment.

Since the situation is entirely in your hands with SevenDays ransomware, you can take the time to educate yourself on how to recover your files in the case of a ransomware attack. You will need the shadow volume copies of the encrypted objects. Every file has a reserve copy which can work as a backup. To extract data from these components, you will need a tool. There is a list of free utilities below. Make sure you remove the win-locker from your system before proceeding with the restore.

SevenDays Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, SevenDays Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since SevenDays Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete
Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and Network security, online safety.If you have any questions feel free to ask him right now.


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.