What is Ransomware?

Cyber security experts at have come across a new ransomware that has come to be known as Ransomware. We advise that you remove it from your computer as soon as possible, because once it infects your PC it springs into action immediately and encrypts your personal files. Once your files have been encrypted, the malware drops a ransom note asking you to contact the crooks at the provided email address for instructions on how to pay the ransom and obtain the decryptor. In other words, this application is part of a money extortion scheme, and there is no telling how much the criminals will ask you to pay.

What does Ransomware do?

If this ransomware infects your computer, it scans the system for files of interest. It is not picky about what it encrypts: most file types are affected, including images, audio and video files, executables and documents. It does, however, skip a few locations, namely %Temp%, %AppData%, %Windows% and %System32%, because the files in those folders are needed for the operating system to keep running (some of them are also where the ransomware drops its own executable, as described below).

Most files in all other locations are encrypted with a 2048-bit RSA key. The key is generated per infection, so no two victims share the same RSA-2048 key; the corresponding decryption key is sent to a server controlled by the developers, and paying the ransom is how you are supposed to obtain your copy of it. Note that encrypted files are also renamed: a unique ID number, the developers’ email address and the .xtbl extension are appended to the original file name, which is the quickest way to tell how far the encryption got.

Once this ransomware has finished encrypting your files, it creates a file named Decryption instructions.txt. The text reads: “All of your files are encrypted, to decrypt them write me to email: In case of no answer in 24 hours, write to” It also drops a second file, how to decrypt your files.jpg, in C:\Users\[User name]; the registry entries listed in the removal instructions below show that this image is set as the desktop wallpaper.

Where does Ransomware come from?

Our malware analysts found that this infection is dropped onto the computer by zipped Windows Script Files (.wsf) that are executed by Windows Script Host. The files arrive as attachments to spam emails; when the attachment is opened, the script drops the main executable in a given directory. After testing Ransomware, the researchers found that the main executable is given a random name made up of uppercase and lowercase letters and is dropped in one of seven locations, including %WINDIR%\SysWOW64, %WINDIR%\System32 and %ALLUSERSPROFILE%\Start Menu\Programs\Startup (the full list appears in the removal instructions below). The ransomware also adds a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the executable runs at each system start-up. It will not, however, encrypt files added after the initial run, as it is set to encrypt files only once.
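One machine-level mitigation for this delivery chain, added here as an example and not part of the original article or the researchers’ analysis, is to turn off Windows Script Host so that a double-clicked .wsf attachment refuses to run at all. The script below reports the current state of the documented Enabled value under the Windows Script Host\Settings keys (HKLM applies machine-wide, HKCU to the current user), shows which engine the script extensions are currently associated with, and, with -Disable, sets Enabled to 0. The registry paths and the assoc/ftype built-ins are standard Windows; the function names and the -Disable switch are ours.

```powershell
# Added example (not code from the original article): block the delivery vector
# described above by disabling Windows Script Host, the component that executes
# the zipped .wsf attachments. Run from an elevated PowerShell.
param([switch]$Disable)

$wshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user
)

# Report whether WSH is enabled at each scope. An absent value means the default, enabled.
function Get-WshState {
    foreach ($k in $wshKeys) {
        $v = (Get-ItemProperty -Path $k -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Key     = $k
            Enabled = $(if ($null -eq $v) { 'absent (enabled)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' })
        }
    }
}

# Enabled = 0 (REG_DWORD) makes wscript.exe and cscript.exe refuse to run any script.
function Disable-Wsh {
    foreach ($k in $wshKeys) {
        if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name Enabled -Value 0 -Type DWord
    }
}

# Show what a double-click on an attachment with each extension would launch.
# assoc and ftype are cmd.exe built-ins, hence the cmd /c wrapper.
function Get-ScriptAssociations {
    foreach ($ext in '.wsf', '.js', '.jse', '.vbs', '.vbe') {
        $progId  = (cmd /c "assoc $ext" 2>$null) -replace '^.*=', ''
        $cmdLine = if ($progId) { (cmd /c "ftype $progId" 2>$null) -replace '^.*?=', '' } else { '' }
        [pscustomobject]@{ Ext = $ext; ProgId = $progId; Command = $cmdLine }
    }
}

Get-WshState | Format-Table -AutoSize
Get-ScriptAssociations | Format-Table -AutoSize
if ($Disable) {
    Disable-Wsh
    Get-WshState | Format-Table -AutoSize
}
```

Two caveats before rolling this out: disabling WSH also breaks legitimate .vbs and .js logon scripts, so test it on a representative machine first; and it only blocks the script stage of this particular chain, not a dropper that arrives as a macro-enabled document or a plain executable.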

Researchers say that this application is similar to Ransomware, Ransomware and Ransomware. Unconfirmed information suggests that all of these programs come from Russia-based developers who build their ransomware on the Crysis engine. All of them are sent in emails written in English, but the emails go out to random addresses all over the globe.

How to remove Ransomware

If your PC has been infected with this ransomware, we suggest removing it rather than complying with the cyber criminals’ demands and paying the ransom: there is no guarantee you will receive the promised decryption tool once you have paid. Bear in mind that removing the infection does not decrypt your files. Keep a copy of the encrypted .xtbl files and the ransom note in case a decryptor becomes available later, and restore from backups where you have them. To delete the ransomware, you can use an antimalware application such as SpyHunter or follow the manual instructions below.

Delete malicious files

  1. Hold down Windows+E keys on your keyboard
  2. Enter the following paths in the File Explorer’s address box.
    • %WINDIR%\SysWOW64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find the executable.
  4. Right-click it and click Delete.
  5. Empty the Recycle Bin.

Delete the registry keys

  1. Hold down Windows+R keys on your keyboard
  2. Enter regedit in the dialog box and click OK.
  3. Go to HKCU\Control Panel\Desktop
  4. Delete the registry string whose Value data is C:\Users\user\how to decrypt your files.jpg
  5. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  6. Find BackgroundHistoryPath0.
  7. Right-click it and click Delete.
  8. Then, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  9. Locate and delete the randomly named registry string whose Value data points to the directory of the executable.
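The two manual procedures above can be scripted. The following is an added example, not code from the original article or from the researchers: run from an elevated PowerShell, it checks the Run key, the seven drop directories and the two wallpaper keys the steps describe, counts the .xtbl files under the user profile so the victim knows what to back up, and reports what it finds. Only with -Remove does it kill the process, delete the executable and remove the registry values. The paths and registry keys are the article’s; the letters-only filename pattern, the 30-day creation window and the use of Authenticode signature status to separate a dropped executable from a legitimate System32 binary are our assumptions.

```powershell
# Added example (not code from the original article): triage, and optionally remove,
# the persistence and artifacts described in the removal steps above. Reports by
# default; pass -Remove to act on the findings. Run from an elevated PowerShell.
param([switch]$Remove)

$noteJpg = 'how to decrypt your files.jpg'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wpKeys  = @('HKCU:\Control Panel\Desktop',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers')

# The seven drop locations listed in the article, expanded for this host.
$dropDirs = @(
    '%WINDIR%\SysWOW64',
    '%WINDIR%\System32',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

function Test-SuspiciousExe([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # Article: the main executable is named with random upper- and lower-case letters
    # (assumed pattern: letters only, .exe extension).
    if ((Split-Path -Leaf $Path) -notmatch '^[A-Za-z]+\.exe$') { return $false }
    # Legitimate System32/SysWOW64 binaries are Microsoft-signed; a letters-only .exe
    # without a valid signature is a lead. Caveat: on older hosts catalog-signed files
    # can report NotSigned, so treat hits as leads, not verdicts.
    return ((Get-AuthenticodeSignature -LiteralPath $Path).Status -ne 'Valid')
}

$suspects = @()

# 1. Run values whose data points into a drop directory (quotes and arguments stripped).
$run = Get-ItemProperty -Path $runKey
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*' -or -not ($p.Value -is [string])) { continue }   # skip provider metadata
    $exe = $p.Value.Trim()
    if ($exe.StartsWith('"')) { $exe = $exe -replace '^"([^"]+)".*$', '$1' }
    else                      { $exe = $exe -replace '^(.*?\.exe).*$', '$1' }
    $inDrop = $dropDirs | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if ($inDrop -and (Test-SuspiciousExe $exe)) {
        $suspects += [pscustomobject]@{ Kind = 'RunValue'; Key = $runKey; Name = $p.Name; Path = $exe }
    }
}

# 2. Executables sitting in the drop directories. Any .exe in a Startup folder is
#    abnormal; in System32/SysWOW64 only consider files created in the last 30 days.
$cutoff = (Get-Date).AddDays(-30)
foreach ($d in $dropDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    $isStartup = $d -like '*\Startup'
    foreach ($f in (Get-ChildItem -LiteralPath $d -Filter *.exe -File -ErrorAction SilentlyContinue)) {
        if ($isStartup -or ($f.CreationTime -gt $cutoff -and (Test-SuspiciousExe $f.FullName))) {
            $suspects += [pscustomobject]@{ Kind = 'DroppedExe'; Key = ''; Name = $f.Name; Path = $f.FullName }
        }
    }
}

# 3. Wallpaper artifacts: any value under the two keys whose data names the dropped JPG.
foreach ($k in $wpKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$noteJpg") {
            $suspects += [pscustomobject]@{ Kind = 'Wallpaper'; Key = $k; Name = $p.Name; Path = $p.Value }
        }
    }
}

# 4. Scope of the damage: encrypted files carry the .xtbl extension. Removal does not
#    decrypt anything, so these should be backed up before cleaning.
$encrypted = (Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter *.xtbl -File -ErrorAction SilentlyContinue |
              Measure-Object).Count
Write-Host "Encrypted (.xtbl) files under $env:USERPROFILE: $encrypted"

$suspects | Format-Table Kind, Name, Path -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        switch ($s.Kind) {
            'RunValue'   { Remove-ItemProperty -Path $s.Key -Name $s.Name }
            'Wallpaper'  { Remove-ItemProperty -Path $s.Key -Name $s.Name }
            'DroppedExe' {
                # Stop the running copy first; otherwise the delete fails or the file is recreated.
                Get-Process | Where-Object { $_.Path -eq $s.Path } | Stop-Process -Force
                Remove-Item -LiteralPath $s.Path -Force
            }
        }
    }
}
```

Review the report before re-running with -Remove: the signature check is a heuristic, and an unsigned letters-only executable in System32 is a lead to examine (hash it, check its creation time against the ransom note), not proof on its own. Empty the Recycle Bin afterwards as the manual steps say.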