Danger level:  
  (97/100)

Yyto ransomware. How to delete? (Removal tutorial)

removal by Lucia Danes - -   Also known as Yyto ransomware | Type: Ransomware

Yyto – a file-encrypting virus that has been updated several times

Yyto ransoware virus
Yyto is a ransomware virus that asks to pay the ransom in exchange for data recovery tool.

Yyto is crypto-virus that uses AES-256 encryption cipher to lock files on the targeted computer. The original version of the virus appends .YYTO file extension to the data. However, it has been updated a couple of times, so other variants of the malware can make file useless by adding .b007 and .codyprince92@mail.com.ovgm extensions. When ransomware corrupts all files, it delivers a ransom note where victims are asked to contact crooks ASAP.

Summary of the cyber threat
Name Yyto
Type Ransomware
Danger level High. Makes system changes and locks files
Cryprography AES-256
File extensions .YYTO, .b007, .codyprince92@mail.com.ovgm, .read_to_txt_file.juuj, .m5m5
Ransom note Readme.txt, help.txt, encrypt.txt
Contact email address odyprince92@mail.com;
cutterswish@torbox3uiot6wchz.onion;
isabell@torbox3uiot6wchz.onion;
albertkerr94@mail.com;
colecyrus@mail.com. 
The size of the ransom Unknown
Data recovery Impossible without backups
To uninstall Yyto, install Reimage and run a full system scan

Yyto ransomware operates as an ordinary file-encrypting virus. It usually arrives on the system when a user opens an obfuscated email attachment. Any file attached in the email can contain malware payload. This particular ransomware is dropped and executed from 2.exe or RS01bz.exe files.

On the affected machine Yyto virus immediately makes system changes to run on Windows startup and starts data encryption procedure. All versions of the virus use AES-256 cryptography to compromise files. The original ransomware appends .YYTO suffix. Though, victims can also find .b007 and .codyprince92@mail.com.ovgm extensions added to their files too.

When all files are encrypted, ransomware delivers a ransom note where victims can learn about data encryption and are given instructions what they need to do:

Hello. Your files have been encrypted.

For help, write to this e-mail: codyprince92@mail.com
Attach to the letter 1-2 files (no more than 3 MB) and your personal key.

Each version of the virus includes the same instructions in differently named files. Researchers have discovered the following names of the ransom notes:

  • help_to_decrypt.txt;
  • read_to_txt_file.yyt;
  • help.txt;
  • encrypt.txt;
  • Readme.txt.

Yyto ransom note
Yyto delivers a ransom note as soon as all files are made useless.

Also, crooks use different email addresses for communication with victims. Currently, authors of Yyto asks to send an email to these email addresses:

  • odyprince92@mail.com;
  • cutterswish@torbox3uiot6wchz.onion;
  • isabell@torbox3uiot6wchz.onion;
  • albertkerr94@mail.com;
  • colecyrus@mail.com.

However, we do not recommend emailing cyber criminals. You will be asked to pay a specific sum of money for the decryptor. The problem is that you cannot trust these people. They may not have a working tool or might blackmail you into paying more than it was first asked. Once they drain your bank account, they might disappear leaving you without a needed tool.

For this reason, you should remove Yyto from the machine and try other methods to get back access to your files. Unfortunately, the official decryptor is not available yet. So, any of the ransomware versions cannot be fully recovered without backups.

If you have backups or want to try our suggested alternative methods below, you should not rush. The first and the most important task is YYto removal. Once you scan the machine with Reimage or another anti-malware software and become sure that your PC is virus-free, you can proceed without data recovery without worrying about an affected external hard drive and repeated file encryption.

Versions of Yyto ransomware virus

.read_to_txt_file.juuj file extension virus. It is the first update from the virus developers. However, it continues using AES cryptography but appends a new file extension to the targeted data. Just like the name suggests, it appends .read_to_txt_file.juuj suffix. Also, it uses a different name for the data recovery instructions. The ransom-demanding message from cyber criminals is provided in help.txt where victims learn that they need to contact criminals using isabell@torbox3uiot6wchz.onion address.

.m5m5 file extension virus. Released in September 2017, this version also uses the same encryption algorithm. But this time malware uses .m5m5 suffix to make files useless on the affected machine. Researchers report that ransomware can download one of two ransom notes – help.txt or encrypt.txt. However, both of them provide the same instructions and demand to send an email to albertkerr94@mail.com in order to learn how to get access to the encrypted files back.

Yyto virus
Yyto virus can append different file extensions to audio, video, image, and other popular files.

Colecyrus ransomware virus. The third version of the virus is quite different compared with the previous ones. It uses AES-CBC cryptography and adds .b007 file extension. Despite slightly changed encryption, authors of malware still use the same data recovery pattern. They provide a contact email address (colecyrus@mail.com) and ask victims to contact them immediately.

.codyprince92@mail.com.ovgm file extension virus. The fourth version of ransomware emerged in June 2018. It uses .codyprince92@mail.com.ovgm file extension and places Readme.txt to the folders that contain encrypted files. In the ransom note, criminals provide one more email address to communicate with cyber criminals. This time, they use codyprince92@mail.com address.

Malicious spam email attachments are the main ransomware distribution method

According to the latest research data, this file-encrypting virus mostly spreads via email attachments. Usually, these emails appear in the spam folder and include attachments. However, crooks might find the way how to trick spam filters and you might find a dangerous email in the main inbox. Therefore, before opening any email attachment, you have to make sure that it’s safe to do:

  • Check sender’s email address;
  • Make sure that you were supposed to receive such email;
  • Look up for grammar mistakes or other language errors in the body;
  • Do not open attachment if the body or subject line is empty;
  • Check the attachment with online virus scanners.

However, file-encrypting viruses might find the way to the device using other methods too. So, you need to be careful when browsing the web and create backups. Installing powerful antivirus is also recommended precautions, but even the most powerful tool cannot protect you if you do not watch your clicks and downloads online.

Eliminate Yyto virus and try to restore your files

To remove Yyto from the machine entirely, you need to use professional tools like Reimage, Malwarebytes Anti Malware or Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus. Virus elimination without security software is not recommended due to the specifications and operation of the ransomware. This cyber threat includes lots of files, programs and might affect various system processes. So, it’s hard to detect and get rid of safely.

However, Yyto removal might require taking some additional steps. The virus can block installation of an anti-malware program or system scans, so you need to reboot the device to Safe Mode with Networking. At the end of the article, you can find virus removal instructions and data recovery options.

We might promote some affiliate products. An entire disclosure is provided in our Terms and Conditions. By Downloading any recommended Anti-spyware software to uninstall Yyto ransomware you accept our privacy policy and terms and conditions.
try it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Computer security experts recommend using Reimage to uninstall Yyto ransomware. Reimage scans the entire computer system and checks whether it is infected with spyware/malware or not. If you want to remove computer threats and secure your computer system, you should consider buying the licensed version of Reimage.
You can find more details about this program in Reimage review.
Press mentions on Reimage

To remove Yyto virus, follow these steps:

Eliminate Yyto using Safe Mode with Networking

Booting to Safe Mode with Networking helps to get rid of the virus easily.

  • Step 1: Restart your computer in Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Safe Mode with Networking from the list Choose 'Safe Mode with Networking' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Networking from the list of options in Startup Settings. Choose 'Enable Safe Mode with Networking' option
  • Step 2: Remove Yyto

    Sign in to your account and launch any Internet browser. Download a legitimate anti-malware software, for instance, Reimage. Make sure you update it to the latest version and then run a full system scan with it to detect and eliminate all malicious components of the ransomware to remove Yyto completely.

If your ransomware does not allow you to access Safe Mode with Networking, please follow the instructions provided below.

Eliminate Yyto using System Restore

  • Step 1: Restart your computer in Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Command Prompt from the list Choose 'Safe Mode with Command Prompt' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings. Choose 'Enable Safe Mode with Command Prompt' option
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type in cd restore and press Enter. Type 'cd restore' without quotes and hit 'Enter'
    2. Then type rstrui.exe and hit Enter.. Type 'rstrui.exe' without quotes and hit 'Enter'
    3. In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Yyto and then click on the Next button again. When 'System Restore' wizard comes up, click 'Next'. Choose a preferable restore point and click 'Next'
    4. To start system restore, click Yes. Hit 'Yes' and start system restore
    After restoring the computer system to an antecedent date, install and check your computer with Reimage to uncover any remains of Yyto.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Yyto from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.

There are a couple of methods you can apply to recover data encrypted by Yyto:

Try Data Recovery Pro to restore files

This professional recovery tool might be helpful after the ransomware attack.

  • Download Data Recovery Pro (https://novirus.uk/download/data-recovery-pro-setup.exe);
  • Install Data Recovery on your computer following the steps indicated in the software’s Setup;
  • Run the program to scan your device for the data encrypted by Yyto ransomware;
  • Recover the data.

Windows Previous Versions feature helps to restore individual files

If System Restore was enabled before ransomware attack, you can recover individual files using this method:

  • Right-click on the encrypted document you want to recover;
  • Click “Properties” and navigate to “Previous versions” tab;
  • In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.

ShadowExplorer can recover files from Shadow Volume Copies

If ransomware did not delete Shadow Volume Copies of the targeted files, you can use this tool and restore needed data:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
  • Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
  • When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.

Yyto decryptor hasn't been created yet

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Yyto and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Lucia Danes
Lucia Danes - Virus researcher

If you found this free removal tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.

Contact Lucia Danes
About the company Esolutions

Source: https://www.2-spyware.com/remove-yyto-ransomware-virus.html

Uninstall guides in different languages