What is Ransomware?

Ransomware is yet another application whose purpose is to encrypt your most cherished personal files and then offer to sell you the decryptor to get them back. Removing this application is highly recommended because it might encrypt any newly added files after the first encryption. Furthermore, you cannot expect its creator to keep his/her word and deliver the decryptor, and even if you get it, there is no guarantee that it will work. Many things could go wrong, so risking the hefty ransom for the decryption key is not an appealing option.

What does Ransomware do?

The developer of Ransomware uses a deceptive and malicious distribution method to get it onto your computer, and once it is there, it scans the system for encryptable file formats and then proceeds to encrypt them. In short, this application can encrypt almost all file formats with the exception of some rarer ones. Testing has shown that it can encrypt most text files, images, videos, and audio files. We emphasize that this program targets file formats that are likely to contain personal information, for which you would be more compelled to pay the ransom.

Our security experts have run some tests on this infection and have come to the conclusion that it uses the RSA cryptosystem with a 2048-bit key. While encrypting, it generates a unique encryption key that requires a unique decryption key, so no two keys are the same. The decryption key is sent to the creator of this ransomware, and you will be able to get it only after you have paid the asked sum of money. Researchers say that this ransomware’s developer might ask you to pay from 2 to 4 Bitcoins (1,211 USD to 2,422 USD respectively), which is a substantial sum of money that may not even be worth the encrypted files. In any case, you can determine whether a file has been encrypted by its name, which will carry a long extension. For example, it can look like .id-B4500913.{}.xtbl. The first part of the extension is the unique user ID number, then the email address of the developer, and, lastly, the main extension. You are expected to contact the developer using the said email address to receive further instructions on how to buy the decryptor.
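The naming pattern described above (original name, then .id-<ID>.<contact address>.xtbl) is enough to find encrypted files and count how many distinct victim IDs are present on a machine. The following PowerShell is an added example, not code from the original article or from the ransomware's authors: it parses the pattern and, optionally, walks a folder tree. The sample file names are constructed, the contact address in them is a placeholder (the article elides the real one), and the function and parameter names are this example's own.

```powershell
# Added example (not from the original article): identify files renamed with the
# "<original>.id-<ID>.<contact>.xtbl" pattern and report them for triage.
# Assumption: the contact part is whatever sits between the ID and ".xtbl".

function Get-XtblMarker {
    param([Parameter(Mandatory)][string]$Name)
    # original name (lazy), then ".id-<hex ID>.", then the contact address, then ".xtbl"
    $pattern = '^(?<original>.+?)\.id-(?<id>[0-9A-Fa-f]+)\.(?<contact>[^\\/]+?)\.xtbl$'
    if ($Name -match $pattern) {
        [pscustomobject]@{
            OriginalName = $Matches['original']
            VictimId     = $Matches['id']
            Contact      = $Matches['contact']
        }
    }
    # no output means the name does not carry the marker
}

function Find-XtblFiles {
    param([Parameter(Mandatory)][string]$Path)
    # Read-only walk: nothing is moved, renamed or deleted
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = Get-XtblMarker -Name $_.Name
            if ($m) {
                $m | Add-Member -NotePropertyName FullPath -NotePropertyValue $_.FullName -PassThru
            }
        }
}

# Constructed sample names (placeholder contact address), parsed offline.
# Only the first two match; notes.txt produces no output.
$samples = @(
    'family photo.jpg.id-B4500913.attacker@example.invalid.xtbl',
    'thesis.docx.id-B4500913.attacker@example.invalid.xtbl',
    'notes.txt'
)
$samples | ForEach-Object { Get-XtblMarker -Name $_ } | Format-Table -AutoSize

# Live use on a profile, grouping by victim ID so a second ID (a second
# infection or a re-encryption) stands out:
# Find-XtblFiles -Path $env:USERPROFILE | Group-Object VictimId | Select-Object Name, Count
```

The original file name is recovered from the marker only as a string; the content is still encrypted, so the listing is for scoping the damage and checking backups, not for recovery.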

Once the encryption is finished, Ransomware will create two non-malicious files that function as ransom notes. The first file is named Decryption instructions.txt and is placed on the desktop. The text inside it reads “All of your files are encrypted, to decrypt them write me to email: In the case of no answer in 24 hours, write to”. The other file is named how to decrypt your files.jpg and is dropped in C:\Users\{Your user name}. This file is set as the desktop wallpaper, so this program’s developer wants to make sure that you know what to do to get your files back. However, since you would be dealing with a criminal, you should not expect him/her to keep his/her word and give you the decryption key.

Where does Ransomware come from?

Our security specialists have discovered that this newly released ransomware is almost identical to Ransomware, Malevich Ransomware, and Sitaram108 Ransomware, among others, because all of them are based on the Crysis ransomware engine and seem to come from the same developer, who is probably located somewhere in Russia or one of its neighboring countries. Like previous releases, Ransomware arrives as a zipped Windows Script File that is launched by Windows Script Host, and this file is sent via email to what appear to be random email addresses. The infection occurs silently, and this ransomware begins the encryption process as soon as it is on your PC.

How do I remove Ransomware?

That is all of the information we currently have on this ransomware, but we are positive that it is enough to see that you should not go all in and pay the ransom, because its unknown developer might not give you the promised decryption tool. You can remove this infection either manually or using SpyHunter, our recommended anti-malware tool.

How to delete Ransomware

  1. Hold down Windows+E keys.
  2. In the File Explorer’s address box, enter the following paths.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find the executable and delete it.
  4. Go to C:\Users\{Your user name}
  5. Find and delete how to decrypt your files.jpg
  6. Go to the desktop and delete How to decrypt your files.txt
  7. Empty the Recycle Bin.
  8. Then, hold down Windows+R keys.
  9. Enter regedit in the box and click OK.
  10. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  11. Find the randomly named REG_SZ string whose Value data is the executable’s location.
  12. Delete the string.
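The manual steps above visit the Run key, the startup folders and the two note files one by one. The following PowerShell is an added example, not part of the original article, that collects the same locations into one read-only report so you can review them before deleting anything. It goes slightly beyond the steps in two ways that are this example's assumptions: it reads the HKCU Run key as well as HKLM, and it flags Run entries whose executable lives under a user-writable folder (AppData, Temp, the profile root), which is where a dropped executable usually ends up. Both note names the article gives for the desktop file are checked. Function names are this example's own.

```powershell
# Added example (not from the original article): read-only triage of the
# persistence locations and ransom-note files listed in the removal steps.
# Nothing here deletes or modifies anything.

# Startup folders from the removal steps, expanded from the environment
$startupFolders = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Assumption: a legitimate Run entry rarely points into these user-writable roots
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($root in $userWritableRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    # HKLM is the key named in the steps; HKCU is added because per-user
    # persistence is just as common (assumption of this example).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $provider = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $provider -notcontains $_.Name }
        foreach ($p in $props) {
            # Take the quoted executable if quoted, else the whole value; expand %VARS%
            $exe = [string]$p.Value -replace '^"([^"]+)".*$', '$1'
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim())
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Exists     = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                Suspicious = Test-SuspiciousPath -Path $exe
            }
        }
    }
}

function Get-StartupItems {
    foreach ($folder in $startupFolders) {
        if (Test-Path -LiteralPath $folder) {
            Get-ChildItem -LiteralPath $folder -Force -File |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-RansomNotes {
    $desktop = [Environment]::GetFolderPath('Desktop')
    $candidates = @(
        (Join-Path $env:USERPROFILE 'how to decrypt your files.jpg'),
        (Join-Path $desktop 'Decryption instructions.txt'),
        (Join-Path $desktop 'How to decrypt your files.txt')
    )
    $candidates | Where-Object { Test-Path -LiteralPath $_ }
}

Get-RunKeyEntries | Format-Table -AutoSize
Get-StartupItems  | Format-Table -AutoSize
Get-RansomNotes
```

Run it from an elevated PowerShell so the HKLM key and the all-users startup folders are readable. A Run entry marked Suspicious with Exists set to true is the candidate for step 11; note its Command path before removing the value, since that path is the executable step 3 asks you to delete. If Get-RansomNotes returns nothing, the notes may already have been removed or may use a name this page does not list.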