How to Uninstall CORE Ransomware from Your System

CORE is a rogue program designed to encrypt the data on your computer. It belongs to the Matrix ransomware family. After encrypting your files, it asks you to pay a ransom in exchange for the decryption tool. Unless you have a backup, it is usually impossible to recover your files without the proper decryption software.


You will also notice that the ransomware renames the compromised files. The new name contains the cybercriminals’ email address, a random string of characters, and the “.CORE” extension. For instance, it would rename a file from “Test.jpg” to something like “[BatHelp@protonmail.com].4bq9EjhK-hPgYPJMc.CORE” after encryption.

Later, the ransomware program creates a ransom note titled “#CORE_README#.rtf” in each compromised folder. The text in the message informs you that the ransomware program has encrypted your files. It also says that you can recover your files since they are not damaged. 

The program uses the AES-128 and RSA-2048 encryption algorithms to encrypt the files. Therefore, you would need the proper decryption key to decrypt the data. The message states that the decryption key is stored on a secured server and that the cybercriminals will delete it after seven days to protect their identity.

The note does not mention any ransom amount. That means you would get further instructions only after contacting the cybercriminals. However, they often take your money but do not provide the promised tool. Therefore, we strongly advise you not to pay the ransom to these cybercriminals under any circumstances.

Besides, it is vital to uninstall the CORE ransomware from the system to avoid further damage. We recommend using a robust antimalware application for the purpose. It can detect and remove any malicious program instantly from your computer. Moreover, it would defend your system from similar attacks in the future as well.

This guide was written to help you remove the infection itself from your computer, and if a 100% proven method to recover the encrypted files is found we will update this guide.

We cannot help you recover your files and we can only recommend that you use ShadowExplorer or free file recovery software to restore your documents.

1. How did the CORE ransomware get on my computer?

The CORE ransomware is distributed via spam email containing infected attachments or by exploiting vulnerabilities in the operating system and installed software.

Cyber-criminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link embedded inside the email). And with that, your computer is infected with the CORE ransomware.

This ransomware was also observed attacking victims by breaking into open Remote Desktop Services (RDP) ports. The attackers scan for systems running RDP (TCP port 3389) and then attempt to brute-force the passwords for those systems.


2. What is CORE ransomware?

  • Ransomware family: Matrix
  • Extensions: .CORE
  • Ransom note: #CORE_README#.rtf
  • Ransom: Undisclosed
  • Contact: BatHelp@protonmail.com, BatHelp@tutanota.com, BatHelp@india.com and via Bitmessages

This CORE ransomware variant restricts access to data by encrypting files and giving them the .CORE extension. It then attempts to extort money from victims by asking for a “ransom”, in the form of Bitcoin cryptocurrency, in exchange for access to the data.

This ransomware targets all versions of Windows including Windows 7, Windows 8.1 and Windows 10. CORE ransomware searches for files with certain file extensions to encrypt. The files it encrypts include important productivity documents and files such as .doc, .docx, .xls, .pdf, among others. When these files are detected, the infection changes their extension to .CORE, so they can no longer be opened.

The CORE ransomware changes the name of each encrypted file to the following format: .CORE.

The files targeted are those commonly found on most PCs today. The list of targeted file extensions includes:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Once your files are encrypted with the .CORE extension, this ransomware creates the #CORE_README#.rtf ransom note in each folder where a file has been encrypted and on the Windows desktop.
When the infection has finished scanning your computer, it also deletes all of the Shadow Volume Copies on the affected computer. It does this so that you cannot use the shadow volume copies to restore your encrypted files.


3. Is my computer infected with CORE Ransomware?

When CORE ransomware infects your computer, it scans all the drive letters for targeted file types, encrypts them, and then appends the .CORE extension to them. Once these files are encrypted, they can no longer be opened by your normal programs. When the ransomware has finished encrypting the victim’s files, it creates a #CORE_README#.rtf text file which includes instructions on how to recover the files.
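A read-only triage check for the indicators described above (the “[email].random.CORE” file names and the #CORE_README#.rtf note), as an added example that is not part of the original guide. The file-name pattern is generalized from the single renamed-file example on this page, so the shape of the random token is an assumption.

```python
import os
import re
import sys
from collections import Counter

NOTE_NAME = "#core_readme#.rtf"  # ransom note name from this page, lower-cased
# Generalized from the page's one example,
# "[BatHelp@protonmail.com].4bq9EjhK-hPgYPJMc.CORE"; token shape is an assumption.
RENAMED = re.compile(
    r"^\[(?P<contact>[^\]\s@]+@[^\]\s@]+)\]\.(?P<token>[A-Za-z0-9]+-[A-Za-z0-9]+)\.CORE$",
    re.IGNORECASE,
)


def classify(name):
    """Return ("note", None), ("encrypted", contact) or None for one file name."""
    if name.lower() == NOTE_NAME:
        return ("note", None)
    match = RENAMED.match(name)
    if match:
        return ("encrypted", match.group("contact").lower())
    return None


def scan(root):
    """Walk root without modifying anything and summarise indicators per folder."""
    report = {"folders": {}, "contacts": Counter(), "errors": []}
    # Unreadable folders are recorded instead of aborting the walk.
    for folder, _dirs, files in os.walk(root, onerror=lambda e: report["errors"].append(str(e))):
        encrypted, note = 0, False
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            if kind[0] == "note":
                note = True
            else:
                encrypted += 1
                report["contacts"][kind[1]] += 1
        if note or encrypted:
            report["folders"][folder] = {"encrypted": encrypted, "note": note}
    return report


if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for folder, hits in sorted(result["folders"].items()):
        print(f"{folder}: {hits['encrypted']} renamed file(s), ransom note: {hits['note']}")
    for contact, count in result["contacts"].most_common():
        print(f"contact address in file names: {contact} ({count} file(s))")
    for err in result["errors"]:
        print(f"could not read: {err}", file=sys.stderr)
```

Because the new name replaces the original file name entirely, the report can tell you which folders were hit but not which documents the renamed files used to be.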

Below is the message that you will see in the #CORE_README#.rtf file:

HOW TO RECOVER YOUR FILES INSTRUCTION

ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don't worry, we can help you to RESTORE your server to original state and decrypt all your files quickly and safely!

INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.

HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
BatHelp@protonmail.com
BatHelp@tutanota.com
BatHelp@india.com
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!

In subject line write your personal ID:
2BCCF1909D24D7CC
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.

OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.

We will definitely reach an agreement ;) !!!

ALTERNATIVE COMMUNICATION

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:
1. Оpеn in yоur brоwsеr thе link hxxps://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.
2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.
3. Rеturn tо sitе аnd сlick "Lоgin" lаbеl оr usе link hxxps://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе "Sign in" buttоn.
4. Сlick thе "Сrеаtе Rаndоm аddrеss" buttоn.
5. Сlick thе "Nеw mаssаgе" buttоn.
6. Sеnding mеssаgе:
Tо: Еntеr аddrеss: BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm
Subjесt: Еntеr уоur ID: -
Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.
Сlick thе "Sеnd mеssаgе" buttоn.
NEX92JhO


4. Is it possible to decrypt files encrypted with the CORE ransomware?

Security companies and government officials often release decryptors for ransomware. You can use such decryptors to decrypt files encrypted by CORE ransomware.

However, decryptors are not necessarily available for the kind and type of ransomware that infected you. Especially if the ransomware is new and widespread, it is most likely that you won't find a decryptor for it. If it is an old and popular ransomware, then you might find one.

The first step towards finding a decryptor is to learn the actual name and type of the ransomware that infected you. To do that, you can use NoMoreRansom.org. Visit the website and paste the ransom note in the box provided. You can also upload an encrypted file to identify the ransomware. Once you have done that, click the GO! FIND OUT button.

The website will then tell you the type of ransomware and provide a link if a decryptor is available.

ID Ransomware is a similar website. You can upload the ransom note, a sample encrypted file, or the contact email address to learn the type of ransomware. Once you know it, you can look for decryptors on the internet. But do not download decryptors from shady websites, as they may further infect your computer.

If you haven't found a decryptor, then it is not possible to get your files back. That doesn't mean you should pay the ransom to the cybercriminals. Do not pay any money to recover your files. Even if you were to pay the ransom, there is no guarantee that you will regain access to your files.

If you’ve already paid the ransom, immediately contact your bank and your local authorities. If you paid with a credit card, your bank may be able to block the transaction and return your money.
You can also contact the following government fraud and scam reporting websites:

If your country or region isn’t listed here, we recommend that you contact your country or region’s federal police or communications authority.


5. How to remove the CORE ransomware (Virus Removal Guide)

It’s important to understand that by starting the removal process you risk losing your files, as we cannot guarantee that you will be able to recover them. MalwareFox and HitmanPro can detect and remove this infection. However, these programs cannot recover your documents, pictures, or files. Your files may be permanently compromised when trying to remove this infection or trying to recover the encrypted documents. We cannot be held responsible for losing your files or documents during this removal process.

STEP 1: Use MalwareFox to remove CORE ransomware

MalwareFox is an antimalware program that uses a heuristic approach to detect and remove malware from your PC. It analyzes malware signatures as well as program behaviour. If a program acts like malware, MalwareFox blocks it right there. It is light on your system resources and finishes the scan quickly.

It's not as if I am recommending that you install costly software to remove the malware. The MalwareFox subscription charges are fairly low, and that is for a fully featured program with real-time protection capabilities. Scanning works even with the free version, though you can try MalwareFox Premium for 14 days. Also, you don't need to remove your current antivirus; MalwareFox will work effectively without any conflicts.

  1. Download MalwareFox.

    You can download MalwareFox by clicking the link below.

    MALWAREFOX DOWNLOAD LINK
    (The above link will open a new page)
  2. Double-click on the MalwareFox setup file.

    Once MalwareFox is downloaded, double-click on the MalwareFox.exe file to install it on your PC. Downloaded files are usually saved to the Downloads folder.

    You will see a User Account Control pop-up asking if you want to allow MalwareFox to make changes to your device. Click on “Yes” to proceed with the installation steps.

  3. Follow the on-screen prompts to install MalwareFox.

    First, the MalwareFox installer asks you to choose the language. Select your preferred language and click on OK.

    Then the MalwareFox installation wizard appears. Click on Next and follow the on-screen instructions to set up MalwareFox on your PC.

    Once the installation is complete, MalwareFox will download the latest version and virus signatures from the server. Let it update.

  4. Click on “Scan” Button.

    To perform a system scan, click on the “Scan” button.

  5. Wait for MalwareFox scan to complete.

    MalwareFox is now scanning your computer for adware, pop-ups, browser hijackers, and other malicious programs. This process can take a few minutes, so you can do some other work while it is scanning your PC. Don't worry, the PC won't slow down during the scan.

  6. Click on “Next”.

    Once the scan has completed, you will see the list of detected threats on your PC. To remove the malware that MalwareFox has found, click on the “Next” button.

    When the malware removal process is complete, you can close MalwareFox and continue with the rest of the instructions.


STEP 2: Use HitmanPro to scan for malware and unwanted programs

HitmanPro uses a unique cloud-based approach to detect threats. You can use it as a second-opinion malware scanner. HitmanPro also observes the behaviour of active programs and checks the locations where malware normally resides. If it finds a suspicious file, it uploads the file to the cloud, where it is scanned by the Bitdefender and Kaspersky antivirus engines.

HitmanPro is available as a 30-day trial that lets you clean the threats. After that you may need to purchase it, which costs around $24.95 for 1 year on a single PC. If you don't upgrade, you can still scan with HitmanPro, but it won't let you remove or quarantine the detected threats.

  1. Download HitmanPro.

    You can download HitmanPro by clicking the link.

    HITMANPRO DOWNLOAD LINK
    (The link will open a new page from where you can download HitmanPro)
  2. Install HitmanPro.

    When HitmanPro has finished downloading, double-click on “hitmanpro.exe” if you have 32-bit Windows or “hitmanpro_x64.exe” if you have 64-bit Windows, to install this program on your PC. In most cases, downloaded files are saved to the Downloads folder.
    Now you will see a User Account Control pop-up asking if you want to allow HitmanPro to make changes to your device. Click “Yes” to install it on your PC.

  3. Follow the screen instructions.

    When HitmanPro starts you will see the start screen as shown below. Click on the “Next” button to perform a system scan.


  4. Wait for the HitmanPro scan to complete.

    HitmanPro will now start scanning your PC for malware. This process may take a few minutes.

  5. Click on “Next”.

    Once HitmanPro has finished the scan, you will see a list of all the malicious programs that it found on your system. Click on the “Next” button to remove the malware.

    When the process is complete, you can close HitmanPro and continue with the rest of the instructions.

STEP 3: Restore the files encrypted by CORE ransomware with recovery software

In some cases, it may be possible to recover previous versions of the encrypted files using CORE Restore or other recovery software used to obtain “shadow copies” of files.

Option 1: Restore your files encrypted by CORE ransomware with ShadowExplorer

CORE will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method.

  1. You can download ShadowExplorer from the below link:
    SHADOW EXPLORER DOWNLOAD LINK (This link will open a new web page from where you can download “ShadowExplorer”)
  2. Once you have downloaded and installed ShadowExplorer, you can follow the below video guide on how to restore your files while using this program.

Option 2: Restore your files encrypted with the CORE extension with File Recovery Software

When files are encrypted by CORE, the ransomware first makes a copy of them, encrypts the copy, and then deletes the original. Because of this, you can use file recovery software such as:

  • Recuva
    You can follow the below guide on how to use Recuva:

How to prevent your computer from becoming infected by CORE ransomware

To protect your computer from the CORE ransomware, you should use a strong antimalware program such as MalwareFox on your system and keep its real-time protection enabled. You also need to back up your personal documents.


Your computer should now be free of the CORE ransomware infection. If you are still experiencing problems while trying to remove CORE ransomware from your computer, please comment below and we will try to help you as much as possible.