This computer virus is highly sophisticated and aims to extort the computer user after taking all data hostage. Since files we keep on our personal or work computers are important (either work, study related or simply personal memories), cybercriminals expect that the user will comply with their demands.

The virus drops ransom-demanding notes

While the cyber-attack is still ongoing, ransom messages known as _readme.txt would also be dropped. It would inform the victim about what has just taken place and why they have to pay the ransom before they would be able to restore their files by using a decryption tool that would be provided by the cybercriminals. To facilitate further discussions, they would equally forward two email addresses (support@bestyourmail.ch and datarestorehelp@airmail.cc). In situations where the victim reaches out to the perpetrators using any of the two emails, they will be notified that $980 has to be paid as a ransom fee. However, a 50% ransom fee slash could be available if payment would be made within 72 hours of getting a go-ahead order, but failure to pay within that time frame nullifies the ransom fee slash offer.To make the matters even more complicated for the victim, the cybercriminals would also state that ransom payment can only be made by purchasing cryptocurrency equivalence of the stated fee and transferring same to their private wallet address. They avoid other conventional payment methods because their real identities would be exposed. Regardless of the pressure, victims of cyber-attack are advised never to comply with the demands of cybercriminals. Likewise, trying to communicate with them is strongly discouraged as well. This recommendation was put forward by the FBI and is supported by other reputable cyber-security organizations across the world. The reasons they gave are reproduced below:

Ransom payment puts the victim at elevated risk of future attacks by cybercriminals because they’re naturally greedy.There is no point in paying ransom fee when there is no guarantee that your encrypted files will be decrypted.When victims pay ransom, they are practically funding their criminal enterprise by making it profitable.

Beware of additional malware dropped

Computer users should note that even though more attention is paid to the primary malware – the ransomware, other secondary malware codenamed RATs are also often attached alongside. RAT stands for Remote Access Trojan and is used by cybercriminals to steal sensitive personal data. They may include banking details, cryptocurrency wallets, passwords, browsing history, software login details, etc. The danger is that victims may not even be aware that such pieces of information have been stolen and would be used to commit further crimes against them. Two of such threats that travel alongside this ransomware are known under VIDAR and AZORULT names. That is why it is very important to remove CCEW ransomware virus as soon as it is found in any computer. There are diverse removal methods but the best is by setting up the computer through Safe Mode with Networking login option before activating an antivirus software. You’re advised to make use of only genuine antivirus software that has a track record of effectiveness. The use of repair tools like RESTORO should also be considered in cases where the Windows Operating Systems have been significantly affected while the cyber-attack was going on.

Ransomware Summary

REPAIR VIRUS DAMAGE The image below demonstrates how encrypted files appear in a folder along a ransom note.

The need to take proactive measures against ransomware

Cybercriminals are always on the lookout for ways through which they could take computer users unawares. That is why it is imperative for one to always shun certain unwholesome activities that put their computer at increased risk of ransomware virus infection. Therefore, trying to use peer-to-peer software sharing channels, the indiscriminate opening of emails and attachments (particularly when the originating source is not known or spooked), browsing online torrent platforms, etc. should all be avoided. Unsolicited emails with attachments that have click-bait titles/tags should be considered a red flag and deleted at source. From our studies over the years, we have been able to notice that cybercriminals often target popular software content. They know that some software users don’t like paying the fee requested by the original content producers, instead, they would be looking for alternative ways they can download them at little or no cost at all. This is what prompts them to pirate such popular software contents, embed them with malware and use them as bait to get their victims. We have compiled a list of such highly demanded software contents as shown below:

Adobe Photoshop;Fifa 20;Adobe Premiere Pro;Adobe Illustrator;Corel Draw;VMware Workstation;AutoCad;Cubase;Tenorshare 4ukey;League of Legends;Internet Download Manager.

From the experiences of other victims, we have realized that trying to make use of cloned software contents could result in severe losses. Some victims that tried to “save cost” in the past by not paying the official fees requested by the copyright owners ended up losing a more in terms ransom fee or lost data, time, or psychological trauma when they became victims of ransomware attack. In addition to the associated risks, those that patronize these illegal channels of distribution are harming the IT industry. On the contrary, we encourage users to always source for their software needs by using the official channels of distribution recognized by the copyright owners. It should also be noted that files such as DOCX, PDF or XLS among similar ones are often used by cybercriminals in their activities. They often exploit their macro functionalities which enable them to embed malware and also trigger them in diverse other computers. Although these files were created with noble intents but cybercriminals are now using them as well to constitute nuisance. For those that are victims of CCEW ransomware virus already, it would be in your best interest to shun websites that make bogus claims of having decryption solutions. So far, we can only vouch for tools by Emsisoft and DiskTuna as the only helpful ones that produce sufficiently good results.

Tips to remove CCEW ransomware virus safely and what to do next

Before we call it a day, there is a need to reiterate that using Safe Mode with Networking option when removing CCEW ransomware virus, produces the best result. In addition to that, the use of antivirus with proven track record is highly recommended. In addition, our team advises downloading RESTORO (see its review here) to identify and repair virus-damaged Windows OS files automatically. After removing CCEW ransomware virus, there are other steps you are supposed to take as well, please check below:

Passwords used in the compromised computer should be changed ASAP.Report the incident to local police or relevant government agency.Replace lost files using any available backup device.In situations where backup is not available, you may consider if there are possible tools that could be used in restoring the damaged files.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove CCEW Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove CCEW Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt CCEW files

Fix and open large CCEW files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. CCEW Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt CCEW files, follow the given tutorial.

Meanings of decryptor’s messages

The CCEW decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your CCEW extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of CCEW Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.