PROTON Virus 🔐 (.PROTON Files) — How to Remove?

The Proton virus belongs with the ransomware type of infection. Ransomware of such sort encrypts all the data on your PC (photos, documents, excel tables, audio files, videos, etc) and adds its specific extension to every file, leaving the README.txt files in each folder containing encrypted files.

Proton virus: what is known so far?

☝️ A strictly correct denomination for the Proton is “a ransomware-type infection”.

The scheme of renaming is the following: .Proton. In the process of encryption, a file named, for example, “report.docx” will be altered to “report.docx.[[email protected]].Proton”. Alternatively, this malware may apply the pattern “[contact-email][victimID].kigatsu, hiding under a different name. The files will then have names like recipe.txt.[[email protected]][719149DF].kigatsu”

In each folder with the encoded files, a README.txt file will appear. It is a ransom money memo. Therein you can find information about the ways of paying the ransom and some other remarks. The ransom note usually contains instructions on how to purchase the decryption tool from the racketeers. You can obtain this decryptor after contacting [email protected] by email. That is how they do it.

Proton summary:

The README.txt document coming in package with the Proton ransomware provides the following dispiriting information:

~~~ Proton ~~~
>>> What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.

>>> How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.

>>> What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.

>>> How to contact us?
Our Telegram ID: @ransom70
Our email address: [email protected]
In case of no answer within 24 hours, contact to this email: [email protected]
Write your personal ID in the subject of the email.

>>>>> Your personal ID: - <<<<<

>>> Warnings!
- Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
- Do not hesitate for a long time. The faster you pay, the lower the price.
- Do not delete or modify encrypted files, it will lead to problems with decryption of files.

An alternative, “genuine” Proton ransom note is as following:

!!! Proton !!!
We encrypted and stolen all of your files.
Our email address:
[email protected]
In case of no answer within 24 hours, contact to this email: [email protected]
Your personal ID: -

In the screenshot below, you can see what a directory with files encrypted by the Proton looks like. Each filename has the “.Proton” extension appended to it.

How did my machine catch Proton ransomware?

There are plenty of possible ways of ransomware infiltration.

Nowadays, there are three most popular ways for tamperers to have the Proton virus working in your digital environment. These are email spam, Trojan introduction and peer-to-peer file transfer.

If you open your inbox and see emails that look just like notifications from utility services providers, delivery agencies like FedEx, Internet providers, and whatnot, but whose addresser is strange to you, beware of opening those letters. They are most likely to have a malicious item attached to them. So it is even more dangerous to open any attachments that come with emails like these.

Another thing the hackers might try is a Trojan horse model. A Trojan is an object that infiltrates into your PC pretending to be something different. For example, you download an installer for some program you need or an update for some program. But what is unpacked turns out to be a harmful program that compromises your data. Since the installation file can have any title and any icon, you have to make sure that you can trust the source of the stuff you’re downloading. The best way is to trust the software developers’ official websites.

As for the peer-to-peer file transfer protocols like torrent trackers or eMule, the danger is that they are even more trust-based than the rest of the Web. You can never guess what you download until you get it. So you’d better be using trustworthy resources. Also, it is a good idea to scan the folder containing the downloaded files with the anti-malware utility as soon as the downloading is done.

How do I get rid of the Proton virus?

It is important to note that besides encrypting your files, the Proton virus will probably install Vidar Stealer on your machine to seize your credentials to different accounts (including cryptocurrency wallets). That program can derive your logins and passwords from your browser’s auto-filling data.

Sometimes racketeers would unblock few of your files to prove that they really have the decryption program. Since Proton virus is a relatively recent ransomware, security software engineers have not yet found a way to undo its work. However, the anti-ransomware instruments are frequently updated, so the effective countermeasure may soon arrive.

Understandably, if the malefactors succeed in encrypting victim’s essential data, the hopeless person will most likely fulfill their demands. Despite that, paying a ransom gives no guarantee that you’re getting your files back. It is still dangerous. After receiving the money, the racketeers may deliver a wrong decryption code to the victim. There were reports of ransomware developers just vanishing after getting the money without even bothering to reply.

The optimal countermeasure to ransomware is to have aan OS restore point or the copies of your essential files in the cloud disk or at least on an external disk. Surely, that might be insufficient. Your most important thing could be that file you were working on when it all went down. Nevertheless, it is something. It is also reasonable to scan your PC for viruses with the anti-malware utility after the system restoration.

There are other ransomware products, besides Proton, that work similarly. For instance, Nifr, Niwm, Coty, and some others. The two basic differences between them and the Proton are the ransom amount and the method of encryption. The rest is the same: documents become blocked, their extensions changed, ransom notes are found in every folder containing encrypted files.

Some lucky users were able to decode the arrested files with the help of the free tools provided by anti-ransomware specialists. Sometimes the hackers mistakenly send the decoding code to the victims in the ransom note. Such an extraordinary fail allows the injured part to restore the files. But of course, one should never expect such a chance. Remember, ransomware is a tamperers’ tool to lay their hands on the money of their victims.

How сan I avert ransomware infection?

Proton ransomware has no superpower, so as any similar malware.

You can armour yourself from ransomware infiltration taking several easy steps:

• Ignore any letters from unknown mailers with strange addresses, or with content that has likely no connection to something you are expecting (how can you win in a lottery without even taking part in it?). If the email subject is more or less something you are expecting, scrutinize all elements of the suspicious letter carefully. A hoax letter will always contain a mistake.
• Avoid using cracked or unknown programs. Trojan viruses are often spreaded as a part of cracked products, most likely as a “patch” which prevents the license check. Understandably, untrusted programs are very hard to tell from trustworthy ones, as trojans may also have the functionality you seek. You can try to find information on this software product on the anti-malware message boards, but the best way is not to use such software.

Reasons why I would recommend GridinSoft¹

Download Removal Tool.

Run the setup file.

Press “Install” button.

Once installed, Anti-Malware will automatically run.

Wait for the Anti-Malware scan to complete.

Click on “Clean Now”.

FAQ

🤔 Can I somehow access “.Proton” files?

Unfortunately, no. You need to decipher the “.Proton” files first. Then you will be able to open them.

🤔 What should I do to make my files accessible as fast as possible?

Hopefully, you have made a copy of those important files. In case you haven’t, there is still a chance that you do have a Restore Point from some time ago to roll back the whole system to the moment when it had no virus yet, but already had your files. There are other ways to beat ransomware, but they take time.

🤔 What should I do if the Proton malware has blocked my computer and I can’t get the activation code.

🤔 And what should I do now?

Some of the blocked data can be found elsewhere.

• If you exchanged your important files through email, you could still download them from your online mailbox.
• You might have shared images or videos with your friends or relatives. Just ask them to post those images back to you.
• If you have initially got any of your files from the Web, you can try downloading them again.
• Your messengers, social media pages, and cloud disks might have all those files too.
• Maybe you still have the needed files on your old computer, a portable device, phone, external storage, etc.

USEFUL TIP: You can use data recovery programs³ to get your lost data back since ransomware encodes the copies of your files, deleting the authentic ones. In the video below, you can learn how to use PhotoRec for such a recovery, but be advised: you can do it only after you kill the ransomware itself with an anti-malware program.

Also, you can contact the following governmental fraud and scam sites to report this attack:

• In the United States: On Guard Online;
• In Canada: Canadian Anti-Fraud Centre;
• In the United Kingdom: Action Fraud;
• In Australia: SCAMwatch;
• In New Zealand: Consumer Affairs Scams;
• In France: Agence nationale de la sécurité des systèmes d’information;
• In Germany: Bundesamt für Sicherheit in der Informationstechnik;
• In Ireland: An Garda Síochána;

To report the attack, you can contact local executive boards. For instance, if you live in USA, you can have a talk with FBI Local field office, IC3 or Secret Service.

1. Here’s the list of Top 10 Data Recovery Software Of 2023.