What is Ransomware?

It is quite certain that you have been attacked by Ransomware if your files' extensions are modified with this e-mail address and you cannot open or view them anymore. Although these are not the only signs that this dangerous ransomware threat has managed to sneak onto your system and encrypt your most important files; this infection also informs you unmistakably by a ransom note that is displayed after your files have been taken hostage. According to our malware researchers at, there is no free file recovery tool yet on the web that could decrypt your files after this vicious attack. Therefore, it is possible that you may lose them for good unless you have a backup copy on an external drive or you risk paying the ransom fee. It is important for you to be aware that you can never be 100% sure that criminals will actually send you the decryption key or a tool for your money. It is a hard decision to make, we understand that. But we still believe that in order to restore your virtual security, you need to remove Ransomware ASAP. Let us explain in more detail how this threat can appear on your computer and what you can do against it.test

Where does Ransomware come from?

You may not know this but it is actually possible to avoid ransomware attacks such as this one; and it is all up to you since you are the one who let this beast on board, to be quite frank. Let us tell you how this can happen so that you can protect your system from similar threats in the future. This malware program is mainly spread as a malicious file attachment in spam e-mails. So if you find this ransomware infection on your computer, it simply means that you opened a spam mail, downloaded its attachment, and you ran this file to see its content. Unfortunately, instead of seeing a real file, you activated Ransomware. Maybe you trust your spam filter fully and that is why you do not question the reliability of the mails landing in your inbox. But you need to know that some spam e-mails may manage to slip through and end up there. After fooling your spam filter they have a good chance to trick you, too. The main weapon of these spam mails is deception. They can have totally believable sender mail addresses and eye-catching subjects to convince you that they are urgent and important for you to open them as well as the attachment. This file can show up as an image or macro-enabled document (e.g., .docm) but, in reality, it is a malicious executable file. Since you are lead to believe that it is a picture of an unpaid invoice or this documents has the details of your wrongly given credit card details regarding a flight booking, it is quite likely that you want to see this file. But you need to remember that if you remove Ransomware after the ransom note comes up on your screen, your files will have been encrypted and without the decryption key or a file recovery tool you will not be able to restore them.

How does Ransomware work?

After you activate this ransomware, it targets your personal files, such as your documents, photos, videos, archives, databases, and third-party program files, and encrypts them with the usual AES-256 algorithm. The affected files get a new ".{}" extension, so they will look something like "my_photo.jpg.{}." This whole process could take less than half a minute; therefore, this infection does not give you too much time to realize its sinister presence and to react. When its job is done, it drops a file called "how to restore files.hta" to all infected folders, which is a .html file. In any case, this file is displayed on your screen to inform you about this attack and how you can recover you files.

You are supposed to contact the authors of this threat via the given e-mail address ( for further details regarding the payment of the ransom fee. We have no information yet about the amount of this fee, but we can tell you that normally it ranges from 0.1 to 1 Bitcoin, which is around 60 to 600 US dollars. This note also warns you not to use an anti-virus program or any alternative decryption tool because it would mean the loss of your decryption key resulting in the loss of all your encrypted files. Unfortunately, we have not found a free decryption tool yet that could help you, but it does not mean that there will not be one in the near future. Nevertheless, right now you seem to have two choices to recover your files: one, you risk the payment of the fee knowing that you may get nothing in return, and, two, you copy your backed up files back from a portable drive if you have any. No matter how you decide, though, in the end, you should delete Ransomware from your system.

How can I delete

First of all, you need to bin the file attachment you saved from the spam e-mail. Then, you need to check a couple of folders to find a copy of the malicious executable file and delete them all as well as the ransom notes. You may also find Run registry entries to be removed. We have prepared a step-by-step guide for you with the possible locations. If you follow our instructions, you could eliminate this threat in a few minutes. But, if you do not feel confident enough for the manual method, we suggest that you remove Ransomware by using an up-to-date anti-malware application that will also protect your system automatically from all kinds of malicious attacks. If you need further assistance with regard to this dangerous ransomware, please leave us a comment below.

Remove Ransomware from Windows

  1. Tap Win+E to run File Explorer.
  2. Delete the malicious file you saved from the spam mail.
  3. Delete the executable file that is likely to be found in these folders ("*"=it has a random name):
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup\*.exe
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %WINDIR%\Syswow64\*.exe (64-bit)
  4. Remove all instances of the "how to restore files.hta" file.
  5. Empty your Recycle Bin.
  6. Tap Win+Q and type in regedit. Press Enter.
  7. Delete these registry keys ("*"=it has a random name):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: “%WINDIR%\Syswow64\*.exe”) (64-bit)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: “%WINDIR%\System32\*.exe”)
  8. Exit the Editor and reboot your system.
100% FREE spyware scan and
tested removal of Ransomware*

Leave a Comment

Enter the numbers in the box to the right *