best PC tips

“RestorFile” Ransomware Removal Instructions (Free Guide)

Ian Lexner
Question asked by:

Damon L.


My files were renamed to .[restorfile...]. And hackers are asking for a ransom to decrypt my information. How Can I recover my files?


all of my PC files seem to be infected and renamed to something like " .[restorfile...]". I got a ransom note also requiring me to pay a large sum of money in order to get my files back.
Is there a way to recover them without paying these criminals?

I appreciate your response.

Solved issue
Remove Virus Now iolo System Mechanic will optimize your current system & remove the 'restorfile' virus. Purchase of a full license may be required for 100% fix.

The RestorFile ransomware is a new variant of ransomware from the Matrix Ransomware Family that encrypts the files and data on an infected computer. In the process of the encryption, all the names and extensions of the infected files are changed to random characters and the extensions will be changed to “.[[email protected]]”. The extension is actually the email address of the cybercriminals behind the RestorFile Ransomware.

As an example, if the original file is named as Photo.jpg it will be changed to “Yfu2KcQ6F-LPYqWHmbn.[[email protected]]”. Once the encryption is completed, the ransom note from the cyber criminals will be put in infected folders. The ransom note from the cyber criminals behind the RestorFile Ransomware contains a typical ransom message which asks the victim for payment in order for them to get access to their files once again.

RestorFile Ransomware Removal Guide

Threat Summary

Threat NameRestorFile Ransomware
Type of ThreatCrypto Virus, File Encryptor, Ransomware
File ExtensionRandom characters + .[[email protected]]
Ransom Note File Name#Decrypt_Files_ReadMe#.rtf
Contact Details[email protected], [email protected], [email protected] and through Bitmessage
Known Detection NamesMicrosoft (Ransom:Win32/LockedFile.G!MSR), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), ESET-NOD32 (A Variant Of Win32/Filecoder.LockedFile.D), BitDefender (Generic.Ransom.Matrix.BCB78FDB), Avast (Win32:Malware-gen)
SymptomsFiles and data are encrypted and the RestorFile Ransomware may make the machine vulnerable to other threats
DistributionInstalling applications that were downloaded from malicious software, torrent websites, suspicious email attachments
RemovalUsing a reliable anti-virus tool such as iolo System Mechanic while the computer is in Safe Mode

Here’s the ransom note from the cyber criminals behind RestorFile:


Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:



It mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!


Уоu rеаlу wаnt tо rеstоrе yоur filеs? Plеаsе writе us tо thе е-mаils:

[email protected]

[email protected]

[email protected]

In subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:


Wе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!


If уоu prеfеr livе mеssаging yоu cаn sеnd us Bitmеnssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps:// Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:

1. Оpеn in yоur brоwsеr thе link hxxps:// аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.

2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.

3. Rеturn tо sitе аnd сlick “Lоgin” lаbеl оr usе link hxxps://, еntеr уоur еmаil аnd pаsswоrd аnd click thе “Sign in” buttоn.

4. Сlick thе “Сrеаtе Rаndоm аddrеss” buttоn.

5. Сlick thе “Nеw mаssаgе” buttоn.

Sеnding mеssаgе:

Tо: Еntеr аddrеss: BM-2cVeq4HtLaXPGTamXgv5rvwDjypapmy8ir

Subjесt: Еntеr уоur ID: –

Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.

Сlick thе “Sеnd mеssаgе” buttоn.


Plеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!

If yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins or with оthеr top сrуptосurrеncу.

Thе pricе dереnds оn hоw fаst уоu writе tо us!

Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.

Tо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.

Yоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.

Nоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!

Аnd dоn’t fоrgеt tо chеck SPАМ fоldеr!”

RestorFile Ransomware Ransom Note
RestorFile Ransomware Ransom Note

Here’s a screenshot of the wallpaper that the RestorFile Ransomware puts on the desktop:

RestorFile Ransomware Wallpaper

Here is a screenshot of what an infected file looks like:

RestorFile Ransomware Infection

How to Avoid Getting Infected with the RestorFile Ransomware & Remove It Automatically?

Remove Virus Now iolo System Mechanic will optimize your current system & remove the 'restorfile' virus. Purchase of a full license may be required for 100% fix.

Being vigilant in surfing the web and careful in downloading and installing files, programs and applications is the number one way to avoid getting infected with the RestorFile Ransomware or any viruses in that matter. Make sure to download files from legitimate sources and avoid downloading from torrenting sites.

Installing a reliable all-in-one anti-virus tool such as iolo System Mechanic will also guarantee a safe web browsing experience. It will also remove the ransomware automatically. With iolo System Mechanic, your machine will not only be safe from viruses due to its automatic detection and virus removal, but it will also keep your machine error-free with its automatic error detection and restoration feature.

iolo System Mechanic

What to Do If Your Computer is Infected with RestorFile Ransomware?

Remove Virus Now iolo System Mechanic will optimize your current system & remove the 'restorfile' virus. Purchase of a full license may be required for 100% fix.

If you determine that your computer has been infected by the RestorFile Ransomware, the first thing to do is to isolate it from the rest of the devices in your network. Doing this first step ensures that the infection will be isolated in one machine and not spread to other devices in the network.

Follow these steps on how to isolate your computer from the network:

  • Disconnect your computer from the network/internet – The easiest way to go about this is to disconnect your computer from the WiFi or unplug the network cable from your machine. You may also follow these steps to do it from the control panel.
  • Open the Run Command window by holding down the “Window” key on your keyboard and press the letter “R” and type in “ncpa.cpl” and press enter
Opening Network Connections
  • Click on your “Local Area Network” and click “Disable This Network Device
Disabling Local Area Network
  • Unplug all connected external storage devices – If you have a flash drive or any external storage devices plugged in to your computer, it is best to safely unplug them so that it will not infect the files on the external device.

You can simply click the “Arrow” that is pointing up beside the clock on the bottom left corner on your desktop, and click on the connected media icons and click on the “Eject” on the external storage device.

Unplug External Storage Devices
  1. Logout form all Cloud Storage Accounts – When an infection hits a computer, it will affect all the files in the machine including files in the Cloud Storage. That is why we strongly suggest to disconnect your computer from the internet so that if you do not have the time to logout from the Cloud, at least the infection cannot spread to it through the internet.

Manual RestorFile Ransomware Removal Process

Remove Virus Now iolo System Mechanic will optimize your current system & remove the 'restorfile' virus. Purchase of a full license may be required for 100% fix.

To effectively remove the RestorFile Ransomware infection on a computer, a reliable anti-virus tool should be utilized while the computer is in Safe Mode with Networking. When a computer is in Safe Mode, it only runs essential drivers that are required in order for the computer to work properly. Most of these drivers are from Microsoft itself and the rest of the installed drivers are disabled.

Here are the steps on how to boot a computer in Safe Mode with Networking:

Remove Virus Now iolo System Mechanic will optimize your current system & remove the 'restorfile' virus. Purchase of a full license may be required for 100% fix.

For Windows 10/Windows 8:

  1. Click the “Windows” button that is found on the desktop and hold down the “Shift” button on the keyboard and click “Power” and click “Restart
Rebooting computer to safe mode with networking
  1. Click the “Advanced Options” in the next screen
Selecting Advanced Boot Options
  1. Select option number 5 or “Enable Safe Mode with Networking” in the Startup Settings
Select Enable Safe Mode with Networking

For Windows XP/Windows 7/Windows Vista:

  1. Click the “Start” or Windows” button on the desktop and click the arrow beside “Shut Down” and select “Restart
Rebooting computer to safe mode with networking
  1. While the computer is turning back on, keep on tapping the “F8” key on the keyboard until you see the “Advanced Boot Options” and use the arrow keys to select “Safe Mode with Networking
Select Safe Mode with Networking

Once the computer is already in Safe Mode with Networking, download and install a reliable anti-malware tool such as iolo System Mechanic. Make sure that it is updated to its latest version and perform a full system scan. Once the scan is complete, let iolo System Mechanic finish the rest of the removal process and restart the machine normally and confirm if the threat has already been removed.

Additional Safety Tips & Lost Data Recovery

To avoid a disastrous data loss, we strongly suggest doing a backup of your important files. You may create a backup copy of your files by creating a copy of them in an external storage device or on the cloud. You may also use software to automatically do a backup of your files. We suggest using software such as Wondershare RecoverIT, you may download it by clicking here.

Install a Reputable Anti-Virus Software

If you want to feel at ease when it comes to browsing the internet and downloading stuff online then you should definitely install a reliable and reputable anti-virus tool on your computer. Having anti-virus software such as iolo System Mechanic can help in monitoring suspicious activities that are happening in the background of your computer.

iolo System Mechanic can detect and remove threats from the machine and it can also optimize its performance as it is an all-in-one tool that fixes common Windows errors, corrupted or missing DLL files and get ride of junk files to make your computer running at its optimal performance.

About the author
Ian Lexner photo
Ian Lexner - PC & Mac repair expert
Ian is the editor on He has been involved with PCs since he was a teenager. He has experience in software development, computer hardware, virus removals & other security stuff. Currently, his main job and hobby, at the same time, is to help others to deal with various computer-related issues. Whether it's viruses, spyware, all sorts of errors and "bugs" -- Ian and are here to help.


Get iolo System Mechanic® Now Get Rid of RestorFile Virus Now

iolo System Mechanic® — is a patented PC & MAC repair tool & the only program of its kind. Not only it’s a registry fix, PC optimizer, or an anti-virus/malware remover – The iolo System Mechanic® technology reverses the damage done to Windows or Mac, eliminating the need for time-consuming reinstallations & costly technician bills.
It is available for FREE. Although, for some more advanced features & 100% effective fixes you may need to purchase a full license.

If your Restorfile ransomware is still not removed— don’t hesitate and contact us via email, or a Facebook messenger (the blue ‘bubble’ on the bottom-right of your screen).

Get Rid of RestorFile Virus Now