I wrote this article to help you remove 1txt Ransomware. This 1txt Ransomware removal guide works for all Windows versions.
1txt ransomware is an alternative name for the new variant of a win-locker called Enigma. The initial version of the nefarious program was released in April 2016. It operated on a much smaller scale than its successor. In the beginning, 1txt ransomware was aimed only at users from Russia, and its ransom note was written in Russian. A few months later, the hackers decided to spread their virus worldwide. They composed a ransom note in English, which more people can understand. The two versions now work in unison. The information in this article is valid for both of them.
The second version of 1txt ransomware has the same technical specifications as the first. The changes in the clandestine program include a new ransom note with a different name. The note of the original win-locker is titled enigma_encr.txt. In the upgrade, the file is called enigma_info.txt. The name 1txt ransomware derives from the extension the malevolent program adds. The second version of Enigma appends the .1txt suffix to the names of the encrypted files. The first uses the suffix .enigma. This sums up the differences between the two variants.
The function which defines 1txt ransomware is encryption. The malicious program has not changed in this respect. Enigma uses AES-128 cryptography to render files inaccessible. This is a strong cipher. A lot of win-lockers work with this technique. 1txt ransomware can encrypt different file types, including documents, archives, databases, audio, video, graphics and system components. The following is a list of common file types which are vulnerable to the win-locker’s attacks: .doc, .docx, .txt, .pdf, .eps, .html, .sql, .xls, .xlsx, .ppt, .pptx, .asp, .aspx, .raw, .zip, .rar, .wsc, .bdf, .xml, .qic, .m4a, .m3u, .wmv, .avi, .mp4, .mpg, .mpeg, .mov, .mkv, .flv, .asf, .dll, .lnk, .sys, .cer, .js, .gif, .jpg, .jpeg, .png, .bmp, .tif, .tiff, .csv, .arw, .pfx, .sln, .crw, .sct, .exif, .mp3, .wav, .wma, .ogg, .flac, .bat, .exe, .cdr, .rtf, .ini, .bkp, .pak, .mdb, .db, .ps1, .wps, .srf, .dng, .bin, .ai, .dat, .vb, .iff and others.
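The suffixes and note names above are enough to measure how much of a disk was hit and by which variant. The following is an added example, not code from the original article: it walks a folder, matches the two suffixes and the two ransom-note names, and counts affected files by their original extension. It assumes the suffix is appended after the original extension (for example report.docx.1txt); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article: appended suffix and ransom-note name per variant.
VARIANTS = {
    "first (.enigma)": {"suffix": ".enigma", "note": "enigma_encr.txt"},
    "second (.1txt)": {"suffix": ".1txt", "note": "enigma_info.txt"},
}

def scan(root):
    """Return (encrypted, notes): encrypted is a list of (path, variant,
    original_name); notes is a list of (path, variant)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            for variant, ioc in VARIANTS.items():
                if lower == ioc["note"]:
                    notes.append((path, variant))
                elif lower.endswith(ioc["suffix"]) and len(name) > len(ioc["suffix"]):
                    # Assumption: stripping the suffix recovers the original name.
                    encrypted.append((path, variant, name[:-len(ioc["suffix"])]))
    return encrypted, notes

def summarize(encrypted):
    """Count encrypted files per (variant, original extension)."""
    counts = Counter()
    for _path, variant, original in encrypted:
        ext = os.path.splitext(original)[1].lower() or "(none)"
        counts[(variant, ext)] += 1
    return counts

def build_sample_tree(root):
    """Constructed sample data: empty files named the way the article describes."""
    for rel in ["docs/report.docx.1txt", "docs/budget.xlsx.1txt", "docs/notes.txt",
                "old/photo.jpg.enigma", "enigma_info.txt", "old/enigma_encr.txt"]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, found_notes = scan(tmp)
        for key, n in sorted(summarize(enc).items()):
            print(key, n)
        print("ransom notes:", sorted(os.path.basename(p) for p, _ in found_notes))
```

The scan only reads file names, so it can be run against a mounted copy of the disk without touching the encrypted data.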
The owners of 1txt ransomware demand a ransom of 0.4273 bitcoins for the RSA decryption key. The sum has to be transferred through the Tor platform. This payment method is common for win-lockers. The bitcoin cryptocurrency and the Tor browser are used as payment methods because they assure the recipient’s security. Payments made in bitcoins cannot be traced. Accessing a website through the Tor browser hides the IP address and geographic location of the device. This allows the proprietors of the win-locker to receive and withdraw the ransom money without the risk of being tracked down.
Paying a ransom to cyber criminals is not advisable. There is no guarantee that they will restore your files once you have made the payment. Even if they do, there is still a risk of a secondary attack. 1txt ransomware may be deactivated at first, but the hackers could leave traces of it on your hard drive. This would enable them to reactivate the malignant program at a later time. The encryption procedure can be repeated with the same consequences involved. With the virus present on your system, making backups may be ineffective. The files of 1txt ransomware could be transferred to the data copies. The only safe way to remove a win-locker from your computer is with a professional anti-virus program.
1txt ransomware is distributed through exploit kits and Trojans. The malicious software which installs the win-locker on the device is spread through spam emails. This is the propagation vector you need to be careful about. Spammers are quite crafty when it comes to devising fake letters. They misrepresent existing companies and entities to make the message seem genuine. The sender can introduce himself as a postal worker, a courier, a government clerk, a police officer or a representative of an institution. To tell legitimate messages from spam, look up the email account the person has used. The address should belong to the corresponding organization. You can go to its official website to check.
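The sender check described above can be done mechanically. The following is an added example, not part of the original article: it extracts the real address from a From header and compares its domain with the domain published on the organization's official website. The function names, the "examplepost.test" organization and the sample headers in the test data are constructed for illustration.

```python
from email.utils import parseaddr

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header, or None."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None

def belongs_to(domain, official_domain):
    """True only for the official domain itself or a subdomain of it."""
    official = official_domain.lower().rstrip(".")
    return domain == official or domain.endswith("." + official)

def check_sender(from_header, official_domain):
    """Classify a From header against the organization's official domain."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if belongs_to(domain, official_domain):
        return "matches"
    # Heuristic: the brand shows up in the display name, or as a label inside
    # an unrelated domain, while the real address lives elsewhere.
    brand = official_domain.lower().split(".")[0]
    if brand in domain or brand in from_header.lower():
        return "impersonation-suspected"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample headers; "examplepost.test" is a made-up organization.
    samples = [
        "ExamplePost <tracking@mail.examplepost.test>",
        "ExamplePost Delivery <notice@mailer.invalid>",
        "Courier <notice@examplepost.test.mailer.invalid>",
        "Bob <bob@other.invalid>",
    ]
    for header in samples:
        print(check_sender(header, "examplepost.test"), "<-", header)
```

A matching From domain is necessary but not sufficient, because the header itself can be forged; the receiving mail server's SPF, DKIM and DMARC results are the stronger signal.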
1txt Ransomware Uninstall
Method 1: Restore your encrypted files using ShadowExplorer
Usually, 1txt Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first attempt should be to restore the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month back from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start -> All programs -> Accessories -> System tools -> System restore
- Click “Next”
- Choose a restore point from at least a month ago
- Click “Next”
- Choose Disk C: (should be selected by default)
- Click “Next”. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods works, you should try to recover the encrypted files by using File Recovery Software. Since 1txt Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using File Recovery Software. Here are a few free File Recovery Software programs: