Infected with Vapor Ransomware? Need to decrypt your files?

What is Vapor Ransomware

Vapor (other names: Vapor Ransomwarev1 or Vapor Ransomwarev1.exe) is a cryptovirus developed by Ghosty/DeaDHackS. The virus became the most active and spread in early November of this year. First of all, Vapor is aimed at English-speaking users, however, data about the infection came from different parts of the world. As well as similar threats, this changes the extension of the files to .Vapor. In turn, various file formats can be subjected to encryption, for example, office documents, archives, audio and other multimedia. Options for notes with the requirements of fraudsters may be different. Most often, this is the lock screen shown below:

Vapor Ransomware

Vapor Ransomware
You Have Been Caught.
What Happened To Me?
All your private data, files, cookies, application and much more as been encrypted into a strong encryption!
The only way to get it back is by sending a support email at this email:
Please make sure your Client ID is included so we can recognise you and send back the key.
When its done, enter the key into the key box and enjoy your day / night.
You have 48 hours to send the email, if the timer runs out your files will be deleted.
If you restart the PC or kill the program, you will never be able to get your files back since they will be re-encrypted if you re-launch the program.
Basically closing the program in anyway will result in loosing the key.
- Good Luck, Good Time.
- DeaDHackS Team!

The attackers specify 48 hours as the period during which the user must contact them and pay the ransom. Otherwise, scammers are threatening to delete user files. The exact amount of the ransom is not specified, but believe me, it will not be cheap, moreover, as a rule, the ransom of such viruses reach several hundred dollars. Also, the dialogue box contains a timer and, depending on the time, various labels may appear.

Here is the inscription that appears after resetting the timer:

Timer ran out! Your files are being deleted! Bye-Bye!

And this inscription appears after the successful payment of the ransom:

Your Files Were Successfully Decrypted With Key: *****
Good Luck and Good Night!

Other options for notes:

Your Files Are Now Deleted! Good job!

Dear DeaDHackS Member
if you received this email it means you did another victim!

Dear DeaDHackS Member
if you received this email it means we are sending the newest logged infos!

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: We really can help to decrypt your files.

How Vapor infected your PC

Penetration of Vapor, like other crypto viruses, is caused by the vulnerability of user network settings due to the lack of adequate anti-virus software. Vapor comes as an attachment in spam mailing or as a false update for a program or utility installed on your PC. Use our guides to get rid of it right now and decrypt your files.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Vapor virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton – fully removes all instances of Vapor – files, folders, registry keys.


Download Norton

You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows

Restore your files using shadow copies


  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.
Download Stellar Data Recovery

Step 2: Remove following files and folders of Vapor:

Related connections or other entries:

No information

Related files:

No information

How to decrypt files infected by Vapor?

You can try to use manual methods to restore and decrypt your files.

Decrypt files manually

Restore the system using System Restore

system restore

Although latest versions of Vapor remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Written by Rami Douafi

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.