Invisible Empire Ransomware

What is Invisible Empire Ransomware?

Invisible Empire Ransomware is a malicious application set to enter your computer using clandestine methods. Nevertheless, you can remove it without hesitation because the encryption method it uses to encrypt the files on your computer has already been cracked. Therefore, you should not waste time because as long as this infection is active, it will delete three files every hour. In short, this infection was designed with the intention of extorting money from you, and you have an opportunity to deny its developers the means to get it.testtesttest

How does Invisible Empire Ransomware work?

As mentioned, this infection is set to enter your computer using clandestine means, but we will get to that a bit later. When this application infects a computer, it creates several folders and injects executable files to them. Our security analysts have tested this infection and found that it creates files such as wrkms.exe that is dropped in %APPDATA%\Wrkms, systmd.exe that is dropped in %LOCALAPPDATA%\Systmd, and Address.txt, dr, and EncryptedFileList.txt in %APPDATA%\System32Work. Also, this infection is set to create a registry string named wrkms.exe that is located in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This registry string launches this ransomware’s executable on each system startup.

While running, this infection scans a computer for files of interest, particularly those that are most likely to carry personal, and thus, valuable information for which the victim would be willing to pay the ransom. Our malware analysts say that this ransomware can encrypt many file formats that include, but are not limited to .mp4, .mpa, .mpeg, .mpg, xml, .xqx, .xqx, .dat, .db, .indl, .indt, .inx, .jar, and .java. While encrypting the files, it adds the .payransom file extension. Invisible Empire Ransomware uses the AES encryption cipher which is a very strong encryption method. Nevertheless, Third-party security experts have cracked its encryption and now you can decrypt your files free of charge. You can get the free decrypter from Take note that this decrypter was made for another ransomware called Jigsaw Ransomware, but Invisible Empire Ransomware was made by the same cyber crooks and it is nearly an identical clone, so the decrypter should work fine.

Initially, the cyber crooks ask you to pay $150 USD for the decryption key that you must pay in Bitcoins. They set a deadline of 24 hours in which you have to pay. However, if you do not, then the ransom will increase to $300 USD. If you do not pay within 24 hours again, then the ransom will increase to $450 USD. If you hesitate to pay the ransom, then the infection will delete three files every hour until you do. This is extremely effective against victims that have valuable files. However, we do not recommend that you pay the ransom because you might not get the decryption key. Therefore, we recommend that you remove it using an anti-malware tool or our guide.

Where does Invisible Empire Ransomware come from?

Our malware analysts believe that this infection is disseminated in the same manner that most ransomware is currently being distributed. Email spam is by far the most popular method for distributing this type of malware. The emails contain attachments that inject the malicious files into the system without the user knowing about it. Researchers think that Invisible Empire Ransomware’s files are packed in an executable file that is disguised as a PDF file, and it is set to drop the files once you open it. Hence, you should be cautious of strange emails.

How do I remove Invisible Empire Ransomware?

Now that you know how this infection works we can tell you a bit more about how it is distributed. Alas, we do not know this ransomware’s origins as they are next to impossible to identify. In any case, that is not the most important issue since we know that this ransomware is distributed around the globe.

Testing has shown that using the decrypter made to decrypt files encrypted by Jigsaw Ransomware also works with Invisible Empire Ransomware. This is very good news since most ransomware’s encryptions are impossible to crack. Therefore, we recommend that you give that decrypter a shot, but not before you remove the infection’s files using our featured anti-malware tool called SpyHunter or the manual instructions located below.

Removal Guide

  1. Simultaneously press Windows+E keys.
  2. Enter %APPDATA%\Wrkms in the address box and press Enter.
  3. Find and delete wrkms.exe.
  4. Then go to %LOCALAPPDATA%\Systmd and delete systmd.exe
  5. Then go to %APPDATA%\System32Work and delete Address.txt, dr, and EncryptedFileList.txt

Delete the registry key

  1. Simultaneously press Windows+R keys.
  2. Type regedit in the dialog box and click OK.
  3. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  4. Find wrkms.exe and delete it.
100% FREE spyware scan and
tested removal of Invisible Empire Ransomware*

Leave a Comment

Enter the numbers in the box to the right *