Uninstall Yyto virus (Uninstall Guide) - Jun 2018 updated
Yyto virus Removal Guide
Description of Yyto ransomware
Yyto – a file-encrypting virus that has been updated several times
Yyto is crypto-virus that uses AES-256 encryption cipher to lock files on the targeted computer. The original version of the virus appends .YYTO file extension to the data. However, it has been updated a couple of times, so other variants of the malware can make file useless by adding .b007 and .codyprince92@mail.com.ovgm extensions. When ransomware corrupts all files, it delivers a ransom note where victims are asked to contact crooks ASAP.
| Summary of the cyber threat | |
|---|---|
| Name | Yyto |
| Type | Ransomware |
| Danger level | High. Makes system changes and locks files |
| Cryprography | AES-256 |
| File extensions | .YYTO, .b007, .codyprince92@mail.com.ovgm, .read_to_txt_file.juuj, .m5m5 |
| Ransom note | Readme.txt, help.txt, encrypt.txt |
| Contact email address | odyprince92@mail.com; cutterswish@torbox3uiot6wchz.onion; isabell@torbox3uiot6wchz.onion; albertkerr94@mail.com; colecyrus@mail.com. |
| The size of the ransom | Unknown |
| Data recovery | Impossible without backups |
| To uninstall Yyto, install FortectIntego and run a full system scan | |
Yyto ransomware operates as an ordinary file-encrypting virus. It usually arrives on the system when a user opens an obfuscated email attachment. Any file attached in the email can contain malware payload. This particular ransomware is dropped and executed from 2.exe or RS01bz.exe files.
On the affected machine Yyto virus immediately makes system changes to run on Windows startup and starts data encryption procedure. All versions of the virus use AES-256 cryptography to compromise files. The original ransomware appends .YYTO suffix. Though, victims can also find .b007 and .codyprince92@mail.com.ovgm extensions added to their files too.
When all files are encrypted, ransomware delivers a ransom note where victims can learn about data encryption and are given instructions what they need to do:
Hello. Your files have been encrypted.
For help, write to this e-mail: codyprince92@mail.com
Attach to the letter 1-2 files (no more than 3 MB) and your personal key.
Each version of the virus includes the same instructions in differently named files. Researchers have discovered the following names of the ransom notes:
- help_to_decrypt.txt;
- read_to_txt_file.yyt;
- help.txt;
- encrypt.txt;
- Readme.txt.
Also, crooks use different email addresses for communication with victims. Currently, authors of Yyto asks to send an email to these email addresses:
- odyprince92@mail.com;
- cutterswish@torbox3uiot6wchz.onion;
- isabell@torbox3uiot6wchz.onion;
- albertkerr94@mail.com;
- colecyrus@mail.com.
However, we do not recommend emailing cyber criminals. You will be asked to pay a specific sum of money for the decryptor. The problem is that you cannot trust these people. They may not have a working tool or might blackmail you into paying more than it was first asked. Once they drain your bank account, they might disappear leaving you without a needed tool.
For this reason, you should remove Yyto from the machine and try other methods to get back access to your files. Unfortunately, the official decryptor is not available yet. So, any of the ransomware versions cannot be fully recovered without backups.
If you have backups or want to try our suggested alternative methods below, you should not rush. The first and the most important task is YYto removal. Once you scan the machine with FortectIntego or another anti-malware software and become sure that your PC is virus-free, you can proceed without data recovery without worrying about an affected external hard drive and repeated file encryption.
Versions of Yyto ransomware virus
.read_to_txt_file.juuj file extension virus. It is the first update from the virus developers. However, it continues using AES cryptography but appends a new file extension to the targeted data. Just like the name suggests, it appends .read_to_txt_file.juuj suffix. Also, it uses a different name for the data recovery instructions. The ransom-demanding message from cyber criminals is provided in help.txt where victims learn that they need to contact criminals using isabell@torbox3uiot6wchz.onion address.
.m5m5 file extension virus. Released in September 2017, this version also uses the same encryption algorithm. But this time malware uses .m5m5 suffix to make files useless on the affected machine. Researchers report that ransomware can download one of two ransom notes – help.txt or encrypt.txt. However, both of them provide the same instructions and demand to send an email to albertkerr94@mail.com in order to learn how to get access to the encrypted files back.
Colecyrus ransomware virus. The third version of the virus is quite different compared with the previous ones. It uses AES-CBC cryptography and adds .b007 file extension. Despite slightly changed encryption, authors of malware still use the same data recovery pattern. They provide a contact email address (colecyrus@mail.com) and ask victims to contact them immediately.
.codyprince92@mail.com.ovgm file extension virus. The fourth version of ransomware emerged in June 2018. It uses .codyprince92@mail.com.ovgm file extension and places Readme.txt to the folders that contain encrypted files. In the ransom note, criminals provide one more email address to communicate with cyber criminals. This time, they use codyprince92@mail.com address.
Malicious spam email attachments are the main ransomware distribution method
According to the latest research data, this file-encrypting virus mostly spreads via email attachments. Usually, these emails appear in the spam folder and include attachments. However, crooks might find the way how to trick spam filters and you might find a dangerous email in the main inbox. Therefore, before opening any email attachment, you have to make sure that it’s safe to do:
- Check sender’s email address;
- Make sure that you were supposed to receive such email;
- Look up for grammar mistakes or other language errors in the body;
- Do not open attachment if the body or subject line is empty;
- Check the attachment with online virus scanners.
However, file-encrypting viruses might find the way to the device using other methods too. So, you need to be careful when browsing the web and create backups. Installing powerful antivirus is also recommended precautions, but even the most powerful tool cannot protect you if you do not watch your clicks and downloads online.
Eliminate Yyto virus and try to restore your files
To remove Yyto from the machine entirely, you need to use professional tools like FortectIntego, Malwarebytes or SpyHunter 5Combo Cleaner. Virus elimination without security software is not recommended due to the specifications and operation of the ransomware. This cyber threat includes lots of files, programs and might affect various system processes. So, it’s hard to detect and get rid of safely.
However, Yyto removal might require taking some additional steps. The virus can block installation of an anti-malware program or system scans, so you need to reboot the device to Safe Mode with Networking. At the end of the article, you can find virus removal instructions and data recovery options.
Getting rid of Yyto virus. Follow these steps
In-depth guide for the Yyto elimination
Booting to Safe Mode with Networking helps to get rid of the virus easily.
Important! →
The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.
Step 1. Launch Safe Mode with Networking
Safe Mode environment offers better results of manual virus removal
Windows 7 / Vista / XP
- Go to Start.
- Choose Shutdown, then Restart, and OK.
- When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click the Start button and choose Settings.
- Scroll down to find Update & Security.
- On the left, pick Recovery.
- Scroll to find Advanced Startup section.
- Click Restart now.
- Choose Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Choose 5) Enable Safe Mode with Networking.
Step 2. End questionable processes
You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:
- Press Ctrl + Shift + Esc keys to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes.
- Look for anything suspicious.
- Right-click and select Open file location.
- Go back to the Process tab, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check the program in Startup
- Press Ctrl + Shift + Esc on your keyboard again.
- Go to the Startup tab.
- Right-click on the suspicious app and pick Disable.
Step 4. Find and eliminate virus files
Data related to the infection can be hidden in various places. Follow the steps and you can find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
- Scroll through the Files to delete and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Eliminate Yyto using System Restore
-
Step 1: Restart your computer in Safe Mode with Command Prompt
Windows 7 / Vista / XP- Go to Start → Shutdown → Restart → OK.
- As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
-
Choose Command Prompt from the list
Windows 10 / Windows 8- Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
- Then select Troubleshoot → Advanced options → Startup Settings and click Restart.
-
Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.
-
Step 2: Perform a system restore to recover files and settings
-
When the Command Prompt window appears, type in cd restore and press Enter.
-
Then type rstrui.exe and hit Enter..
-
In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Yyto and then click on the Next button again.
-
To start system restore, click Yes.
-
When the Command Prompt window appears, type in cd restore and press Enter.
Bonus: Restore your files
Using the tutorial provided above you should be able to eliminate Yyto from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.There are a couple of methods you can apply to recover data encrypted by Yyto:
Try Data Recovery Pro to restore files
This professional recovery tool might be helpful after the ransomware attack.
- Download Data Recovery Pro;
- Install Data Recovery on your computer following the steps indicated in the software’s Setup;
- Run the program to scan your device for the data encrypted by Yyto ransomware;
- Recover the data.
Windows Previous Versions feature helps to restore individual files
If System Restore was enabled before ransomware attack, you can recover individual files using this method:
- Right-click on the encrypted document you want to recover;
- Click “Properties” and navigate to “Previous versions” tab;
- In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.
ShadowExplorer can recover files from Shadow Volume Copies
If ransomware did not delete Shadow Volume Copies of the targeted files, you can use this tool and restore needed data:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
- Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
- When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.
Yyto decryptor hasn’t been created yet
It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Yyto and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
A proper web browser and VPN tool can guarantee better safety
As online spying becomes an increasing problem, people are becoming more interested in how to protect their privacy. One way to increase your online security is to choose the most secure and private web browser. But if you want complete anonymity and security when surfing the web, you need Private Internet Access VPN service. This tool successfully reroutes traffic across different servers, so your IP address and location remain protected. It is also important that this tool is based on a strict no-log policy, so no data is collected and cannot be leaked or made available to first or third parties. If you want to feel safe on the internet, a combination of a secure web browser and a Private Internet Access VPN will help you.
Recover files damaged by a dangerous malware attack
Despite the fact that there are various circumstances that can cause data to be lost on a system, including accidental deletion, the most common reason people lose photos, documents, videos, and other important data is the infection of malware.
Some malicious programs can delete files and prevent the software from running smoothly. However, there is a greater threat from the dangerous viruses that can encrypt documents, system files, and images. Ransomware-type viruses focus on encrypting data and restricting users’ access to files, so you can permanently lose personal data when you download such a virus to your computer.
The ability to unlock encrypted files is very limited, but some programs have a data recovery feature. In some cases, the Data Recovery Pro program can help recover at least some of the data that has been locked by a virus or other cyber infection.
If you found this free tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.