I wrote this article to help you remove Oldbat Ransomware. This Oldbat Ransomware removal guide works for all Windows versions.
Oldbat ransomware is a Trojan win-locker: a file-encrypting infection that is delivered by a Trojan horse. Win-lockers rarely travel alone; most arrive inside an external program or file that acts as a host. The delivery method says nothing about how the encryption itself works, though. Oldbat ransomware is a typical encryption virus: it encrypts your files with standard strong ciphers and then demands payment before it will let you access your own data on your own computer.
As mentioned above, Oldbat ransomware is spread by Trojan droppers. The win-locker hitches a ride with a Trojan program that drops its payload onto the device once it gets in. The download and installation of the win-locker run as background processes, so you may not notice anything happening. While the rogue program installs and starts encrypting, your machine may slow to a crawl; it can take less than a minute before the computer becomes unusable.
The Trojan carrying Oldbat ransomware can get into your system in a couple of ways. Spam email is the usual culprit. The malicious software hides behind an attachment presented as a document. Spammers often write on behalf of real organizations to trick users into opening fake documents: the sender may pose as the national post or a courier firm and claim there is a letter or package for you, or the attachment may be described as a private notice from a government institution or your local police department. Attackers put effort into these emails and will copy the logo and contact details of the entity they impersonate. What they usually cannot do is send from that organization's real domain: the display name is trivial to fake, but a forged message claiming the real domain fails the SPF, DKIM and DMARC checks if the organization publishes them. So look at the actual sender address and the message headers rather than the display name, and compare them with the contacts page on the organization's own website.
Oldbat ransomware uses a combination of RSA-2048 and AES-128 to lock files. The two are routinely paired, but their roles are not what the original description suggests. The attacker generates an RSA-2048 key pair and keeps the private key; the malware carries only the public key. The file contents are encrypted with AES-128, a fast symmetric cipher using a freshly generated random key, because RSA is far too slow to encrypt whole files. That AES key is then encrypted (wrapped) with the attacker's RSA public key and stored alongside the file or sent to a remote command and control (C&C) server, after which the plaintext AES key is discarded. Nothing left on the victim's machine can unwrap it; only the attacker's RSA private key can. Ransomware C&C servers are often hosted as Tor hidden services (.onion addresses), reachable only through the Tor network, which hides the server's IP address and location in the same way it hides a user's. There is no information on whether the developers of Oldbat ransomware use a C&C server at all.
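The following PowerShell script is an added example, not Oldbat's code and not taken from any analysis of it: it builds the RSA-2048 + AES-128 hybrid scheme described above from the .NET classes PowerShell exposes on Windows, so you can see why the files cannot be unlocked with what is left on the victim's disk. A random key and IV per file, OAEP padding for the key wrap, and the sample file contents are assumptions made for the example.

```powershell
# Added example (not Oldbat's code): hybrid RSA-2048 + AES-128 file locking, Windows PowerShell 5.1 / PowerShell 7 on Windows.

# --- Attacker side, done once before the malware is built ---
# Generate the RSA-2048 key pair. Only the public half ever ships inside the malware.
$attackerRsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicParams = $attackerRsa.ExportParameters($false)     # $false: no private exponent exported

# --- Victim side: what the win-locker carries ---
$victimRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$victimRsa.ImportParameters($publicParams)                  # $victimRsa.PublicOnly is now $true

function Lock-Bytes {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    # Fresh random AES-128 key and IV per file (assumption); AES does the bulk work because RSA is slow.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $iv   = $aes.IV
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Wrap the file key with the attacker's public key (OAEP padding, $true). The plaintext key is
    # then wiped; from here on only the holder of the RSA private key can recover it.
    $wrappedKey = $PublicKey.Encrypt($aes.Key, $true)
    $aes.Dispose()
    [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $iv; Body = $body }
}

function Unlock-Bytes {
    param($Locked, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey)
    $fileKey = $PrivateKey.Decrypt($Locked.WrappedKey, $true)   # throws if the object holds no private key
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $fileKey
    $aes.IV  = $Locked.IV
    $out = $aes.CreateDecryptor().TransformFinalBlock($Locked.Body, 0, $Locked.Body.Length)
    $aes.Dispose()
    Write-Output -NoEnumerate $out                              # keep the byte[] intact
}

# Constructed sample "file"; in the real thing this would be each document on the disk.
$sample = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample file contents: invoice, Q1 2017')
$locked = Lock-Bytes -Plaintext $sample -PublicKey $victimRsa
"Encrypted body: $($locked.Body.Length) bytes; wrapped key: $($locked.WrappedKey.Length) bytes (256 = RSA-2048 output)"

# The victim's machine holds only the public key, so the file key cannot be unwrapped.
try {
    Unlock-Bytes -Locked $locked -PrivateKey $victimRsa | Out-Null
    Write-Warning 'Unexpected: decrypted with the public key alone'
} catch {
    "Victim side, public key only: $($_.Exception.Message)"
}

# The attacker, holding the private key, can unwrap it. This is what the ransom buys.
$plain = Unlock-Bytes -Locked $locked -PrivateKey $attackerRsa
[System.Text.Encoding]::UTF8.GetString($plain)
```

The practical consequence for a victim or responder: when a sample carries only the public key and the AES keys are wrapped correctly, there is no offline decryptor to be found by attacking the ciphers; recovery depends on implementation mistakes (a locally generated key left on disk or in memory) or on copies of the data that the malware did not reach, which is why the shadow copy check in the removal section matters more than the cryptography.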
Since the virus was spotted only a short time ago, we do not have many details about it. More likely than not, Oldbat ransomware will demand payment in bitcoin. Bitcoin transactions are fast and cannot be reversed once confirmed, and a wallet is not tied to a verified identity: anyone can create one without giving personal details, so addresses are only pseudonymous. Those properties are exactly what extortionists exploit to collect payment without exposing themselves. In most cases, ransomware developers demand between 0.5 and 1.0 BTC. At the time of writing one bitcoin converts to about $1,000 USD, which should put the demand into perspective.
Dealing with a win-locker can be a stressful challenge. The developers of Oldbat ransomware try to pressure victims through the ransom note, claiming that the only way to recover your data is with their help. Do not let the scare tactics get to you. There is no guarantee that the criminals will provide the decryption key or tool once they have your money; in many cases attackers collected the ransom and then cut off all communication with the victim. That is why we do not advise meeting their demands. You may not need the authors of the program at all: if Oldbat ransomware fails to delete the volume shadow copies of the encrypted files, you may be able to restore them from those copies. A few recovery methods are listed below.
Oldbat Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually Oldbat Ransomware deletes all shadow copies stored on your computer (ransomware typically does this with a command such as vssadmin delete shadows /all /quiet, which is also why that command line is worth alerting on in process logs). Luckily the deletion does not always succeed, for example when the malware is not running with administrator rights, so your first attempt should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date from before the infection (at least a month back) in the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
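The ShadowExplorer steps above can also be done with tools already on Windows. The following script is an added example, not part of the original guide and not ShadowExplorer's code: it lists the shadow copies that survived for a volume, picks the newest one taken before an assumed infection date, exposes it through a directory symbolic link and copies a folder out of it. The volume, source folder, destination and infection date are placeholders for the example. Run it from an elevated prompt after the malware has been removed, and write the recovered files to a different drive.

```powershell
# Added example: recover pre-infection versions from Volume Shadow Copies without ShadowExplorer.
# Needs an elevated (Administrator) PowerShell on the cleaned machine. Windows PowerShell 5.1 or later.
# The four values below are assumptions for the example; adjust them to your case.
$Volume        = 'C:'
$SourceFolder  = 'Users\Alice\Documents'    # relative to the volume root
$Destination   = 'D:\restored'              # another drive, never the affected volume
$InfectionDate = Get-Date '2017-03-01'      # first moment the files were seen encrypted

# 1. Which shadow copies survived at all? (same information as 'vssadmin list shadows')
$vol     = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate
if (-not $shadows) {
    Write-Warning "No shadow copies left for $Volume. Try Method 2 or Method 3."
    return
}
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 2. Use the newest copy that predates the infection; anything later already holds encrypted files.
$pick = $shadows | Where-Object { $_.InstallDate -lt $InfectionDate } | Select-Object -Last 1
if (-not $pick) {
    Write-Warning 'Every remaining shadow copy was taken after the infection.'
    return
}
Write-Host "Restoring from the shadow copy taken $($pick.InstallDate)"

# 3. Expose the snapshot as a directory. The trailing backslash after DeviceObject is mandatory;
#    without it the link is created but cannot be browsed.
$link = Join-Path $env:SystemDrive 'shadow_restore'
cmd.exe /c mklink /d "$link" "$($pick.DeviceObject)\" | Out-Null

# 4. Copy the old versions out. The snapshot is read-only; the recovered files go to $Destination.
New-Item -ItemType Directory -Force -Path $Destination | Out-Null
Copy-Item -Path (Join-Path $link $SourceFolder) -Destination $Destination -Recurse -Force

# 5. Remove the link only; the shadow copy itself stays untouched.
cmd.exe /c rmdir "$link" | Out-Null
Write-Host "Done. Open a few files in $Destination and compare them with known-good copies before trusting the restore."
```

If step 1 prints nothing even though System Protection was enabled, the malware most likely ran the deletion successfully; in that case the remaining options are the restore points and file carving described in the next two methods, and an external backup if one exists.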
Method 2: Restore your encrypted files by using System Restore
Be aware of what System Restore can and cannot do: it rolls back system files, the registry and installed programs to the restore point, which helps undo the infection itself, but it does not touch personal files such as documents or photos, so on its own it will not bring encrypted data back. Use it to clean the system, and rely on shadow copies (Method 1), backups or file recovery (Method 3) for the files themselves.
- Go to Start –> All programs –> Accessories –> System tools –> System restore (on Windows 8 and 10, search for “Create a restore point” and click System Restore on the System Protection tab)
- Click “Next“
- Choose a restore point from before the infection (at least a month back)
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods work, try a file recovery program. Many win-lockers write the encrypted version as a new file and then delete the original rather than overwriting it in place; if Oldbat Ransomware behaves that way, the original's data is still on the disk until something overwrites it, and a file recovery program can carve it out. Two caveats: do not install the recovery tool or save recovered files onto the affected drive, since every write risks overwriting the very data you are trying to recover (run the tool from a USB stick or a second drive, or image the disk first), and the longer the machine has been in use since the infection, the less will be recoverable. Here are a few free file recovery programs: