What is Ransomware? Ransomware is an oddly-named malware whose objective is to encrypt your files and then demand a ransom in return for the decryption software. We suggest that you remove it instead of paying, because the cyber crooks might not keep their word and send you the decryption tool. This ransomware has been discovered only recently, so no free decryptor has been developed yet. To find out more about this malware, please read the whole description.

Where does Ransomware come from? Ransomware is yet another ransomware based on the CrySIS ransomware engine. That is no coincidence: we have recently analyzed many similar infections, including Ransomware, Ransomware, Ransomware, and Ransomware, and all of them are quite alike. Some of them appear to have been tailored to English-speaking users only, while others target both English- and Russian-speaking Internet users. When a malicious application is written in a language other than English, it was most likely developed in a country where that language is spoken, so our malware researchers believe that this ransomware and its clones were developed by Russia-based cyber criminals. Language is a weak attribution signal on its own, since it can be borrowed or faked, so treat this as an assessment rather than a proven fact.

Our security experts have received information suggesting that Ransomware is distributed in at least two ways. The one confirmed so far is the same one its counterparts use: the dropper is attached to malicious emails made to look as if they come from legitimate companies such as Amazon or FedEx. The dropper comes inside a file archive that runs a malicious script once opened; the script writes this ransomware's executable to one or more locations, so there may be several copies of it on the system.

What does Ransomware do?

Our malware researchers say that, in most cases, this ransomware drops its executable in %WINDIR%\Syswow64 and %WINDIR%\System32, but some slightly modified versions might place the file elsewhere (the full list is in the removal guide). Note that the executable is named randomly, using a mix of uppercase and lowercase characters and possibly other symbols. So, when identifying the executable, look for .exe files that are out of the ordinary; a useful check is the file's digital signature, since nearly every legitimate executable in those two directories is signed by Microsoft or by a known software vendor, whereas the dropped file is not. Alternatively, you can get an anti-malware tool to find and delete it for you.

When this ransomware infects a computer, it scans the drive for files to encrypt but skips specific locations so that the operating system keeps running. It does, however, encrypt third-party applications installed in default directories such as C:\Program Files (x86) and C:\Program Files. Researchers say that it can encrypt the most popular file formats for images, videos, audio, and text; in short, it can encrypt the personal files you would most want back. Ransomware encrypts the files using the RSA-2048 algorithm: data encrypted with the RSA public key cannot be decrypted without the matching private key, which is held on this ransomware's command-and-control server. The cyber criminals want you to buy the decryptor and the decryption key, but, again, there is no guarantee that you will get them after paying, and the amount is not even stated up front: you learn it only after contacting the criminals at the email address given in the two files this ransomware drops, How to decrypt your files.jpg, which is set as the desktop wallpaper, and How to decrypt your files.txt, which is placed on the desktop.

How to remove Ransomware

Since there is no way of knowing whether the cyber criminals will give you the promised decryption software and key, we recommend that you delete the infection instead of paying the possibly hefty ransom. There are two ways to get rid of it: you can follow the manual removal guide below, which requires some knowledge of computers, or use an anti-malware tool such as SpyHunter to wipe out this malware automatically.

Removal Instructions

  1. Press Windows+E keys to open File Explorer.
  2. In the address box, enter each of the following paths and delete the executable if found.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Close File Explorer.
  4. Press Windows+R keys to open Run.
  5. Type regedit and click OK.
  6. In the Registry Editor, navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  7. Find and delete BackgroundHistoryPath0
  8. Then, go to HKCU\Control Panel\Desktop
  9. Find and delete Wallpaper.
  10. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  11. Find the two randomly named string values whose Value data is %WINDIR%\Syswow64\executable.exe and %WINDIR%\System32\executable.exe (where executable.exe stands for the randomly named file from step 2).
  12. Delete the strings.
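The manual steps above, as an added PowerShell triage script that is not part of the original guide or of any vendor product: it reports what lives in the drop directories, Startup folders and Run keys the guide names, shows each file's Authenticode status and SHA-256 so that a Microsoft-signed system binary is not mistaken for the randomly named dropper, and deletes nothing unless -Remove is given. The 30-day window, the ransom-note filenames and the "not validly signed" rule for deletion are this example's own assumptions, taken from the description above.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article or any vendor tool: triage the
# locations the manual removal guide lists, then (optionally) delete what it finds.
# Report-only by default; -Remove deletes flagged items and honours -WhatIf/-Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,  # delete flagged Run values / files (default: report only)
    [int]$Days = 30   # assumption: .exe files written within this window are worth a look
)

$runKeys     = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$dropDirs    = @("$env:WINDIR\SysWOW64", "$env:WINDIR\System32")
$startupDirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
                 [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder
$noteFiles   = @('How to decrypt your files.txt', 'How to decrypt your files.jpg')
$findings    = [System.Collections.Generic.List[object]]::new()

# Signature status, signer and SHA-256 of a file. 'Valid' with a Microsoft signer
# (catalog-signed OS binaries included) is the main way to rule a file out.
function Get-FileInfo([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'Missing'; Signer = ''; Sha256 = '' }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{ Status = [string]$sig.Status; Signer = $signer; Sha256 = $hash }
}

function Add-Finding($Kind, $Key, $Name, $Path) {
    $info = if ($Path) { Get-FileInfo $Path } else { $null }
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Key = $Key; Name = $Name; Path = $Path
        Status = $info.Status; Signer = $info.Signer; Sha256 = $info.Sha256
    })
}

# 1. Autorun values (guide steps 10-12) whose command launches something from
#    System32 or SysWOW64. Legitimate entries exist too, so read the Signer column.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in (Get-Item $key).GetValueNames()) {
        if (-not $name) { continue }   # skip the unnamed (Default) value
        $cmd = [Environment]::ExpandEnvironmentVariables([string](Get-ItemPropertyValue $key $name))
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        foreach ($dir in $dropDirs) {
            if ($exe.StartsWith("$dir\", [StringComparison]::OrdinalIgnoreCase)) {
                Add-Finding 'RunValue' $key $name $exe
            }
        }
    }
}

# 2. Recently written .exe files in the drop directories that are not validly signed.
$cutoff = (Get-Date).AddDays(-$Days)
foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { Add-Finding 'RecentUnsignedExe' $null $null $_.FullName }
}

# 3. Anything at all in the Startup folders (guide step 2).
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupItem' $null $null $_.FullName }
}

# 4. Ransom note on the desktop and the wallpaper value pointing at it (guide steps 8-9).
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($f in $noteFiles) {
    $p = Join-Path $desktop $f
    if (Test-Path -LiteralPath $p) { Add-Finding 'RansomNote' $null $null $p }
}
$wp = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and ($noteFiles -contains (Split-Path $wp -Leaf))) {
    Add-Finding 'WallpaperValue' 'HKCU:\Control Panel\Desktop' 'Wallpaper' $null
}

$findings | Format-Table Kind, Key, Name, Path, Status, Signer -AutoSize -Wrap

# Removal: only with -Remove, and never for anything that carries a valid signature.
if ($Remove) {
    foreach ($f in $findings) {
        if ($f.Status -eq 'Valid') { continue }
        if ($f.Key -and $PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
        }
        if ($f.Path -and $PSCmdlet.ShouldProcess($f.Path, 'Delete file')) {
            Remove-Item -LiteralPath $f.Path -Force
        }
    }
}
```

Run it from an elevated PowerShell prompt without arguments first and read the table: a RunValue whose target is signed by Microsoft (for example an entry launching a Windows component from System32) is normal and is skipped by the removal pass, while the dropper described above shows up as NotSigned with a random name. Preview deletions with `-Remove -WhatIf` before running `-Remove` for real. The script leaves the BackgroundHistoryPath0 value from step 7 to the manual instructions, and a file that is still locked because the ransomware process is running must be terminated first (Task Manager or Stop-Process) or deleted from Safe Mode.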