Malevich Ransomware

Posted by Max Lehmann on August 29, 2016

What is Malevich Ransomware?

Malevich Ransomware is named this way because the malicious program changes user’s Desktop wallpaper with an image that contains the word “Malevich.” This picture should appear after the malware finishes encrypting user’s personal and program data. Besides, the new wallpaper, the user should also notice a text document created after the encryption. It is a ransom note left by the cyber criminals who developed the malware. Instead of giving detailed instructions, Malevich Ransomware’s creators want to be contacted via email. Thus, it is hard to tell what the price could be, as it might be different for each user or all the same to everyone. However, what we do know is that paying the ransom could be risky. As you continue reading the article, we will provide you with more information and most importantly we will place step by step deletion instructions below the article.testtest

Where does Malevich Ransomware come from?

If you are uncertain how the malware got in, we can tell you that there are two main possibilities. Firstly, you may have visited a malicious website and either clicked or downloaded some suspicious content. Secondly, Malevich Ransomware might be spread via infected email attachments, so users could allow the treat to enter by launching such files. Either way, it probably happened because you were too careless. If you do not want this ever happen again, it would be advisable to clean the system, get a reliable antimalware tool and stay away from suspicious content.

How does Malevich Ransomware work?

As the malicious application installs itself, it should create a lot of executable files with random names. Such data could be placed in the %ALLUSERSPROFILE%, %APPDATA%, %USERPROFILE% and %WINDIR% directories. Moreover, the infection could also alter and add a couple of keys in the Windows Registry. Other ransomware applications delete themselves after they encrypt user’s data, but Malevich Ransomware leaves it be. If you do not want to take any chances, it would be better to get rid of this malicious data.

When the infection locks your files, it adds a second extension to each of it. This extension is made of an individual user’s ID number and decryptformoney@india.com email address. Additionally, it should also add the Decrypt instruction.txt. The text inside it says to contact the malware’s creators through the same email that appears on every encrypted file. It is most likely that the cyber criminals should suggest you to purchase decryption tools. It may look so, but buying the decryptor might be not the same things as purchasing something online. You might not even get it and if you do not, there is no doubt that you will not get any money back.

How to remove Malevich Ransomware?

You could erase the threat manually on your own, although the process may look rather complicated for users who do not have much experience. Thus, it would be better to follow the removal instructions placed at the end of this text. There might be also an easier option if you are willing to download an antimalware tool. In that case, you would need to install it and leave it to scan the system. During the scan, the antimalware tool should detect all malicious data that belongs to Malevich Ransomware or for other possible threats. Afterward, you can just click the deletion button, and the tool will take care of all detections.

Remove Malevich Ransomware

  1. Press Windows Key+E to open the Explorer.
  2. Copy and paste these directories into the Explorer one by one:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    %WINDIR%\Syswow64
    %WINDIR%\System32
  3. Find an executable file with a random name in each of the directories listed above.
  4. Right-click these executable files separately and press Delete.
  5. Close the Explorer.
  6. Press Windows Key+R, type regedit, and click Enter.
  7. Go to HKCU\Control Panel\Desktop and locate a value name titled as Wallpaper.
  8. Right-click it, press Modify and replace Decryption instructions.jpg with another image.
  9. Navigate to this location HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers and search for a value name called BackgroundHistoryPath0.
  10. Right-click it, select Modify and replace Decryption instructions.jpg with another image.
  11. Find this path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  12. Look for value names with random titles (their value data would point to %WINDIR%\Syswow64\*.exe and %WINDIR%\System32\*.exe).
  13. Right-click these value names separately and select Delete.
  14. Empty the Recycle bin.
100% FREE spyware scan and
tested removal of Malevich Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *