Serpent Ransomware

What is Serpent Ransomware?

If your operating system has been infected with Serpent Ransomware, your personal files must have been encrypted already. This infection does not waste time, and the moment it is executed, the encryption process begins. The distribution of this ransomware is not surprising because it is spread exactly like CryptoKill Ransomware, Pabluk Locker Ransomware, and many other threats alike that we have reported before. It all comes back to spam emails. Your email address could have been extracted a long time ago using one of the many scams, such as fake prize giveaways or surveys. Once the distributor of the ransomware has a list of emails, it initiates a mass spam email attack where different email addresses are sent the same misleading message with the launcher attached to it. By the looks of it, it appears that the main target of this particular threat are users in Denmark, as they are sent the same corrupted spam email with the subject line “Sidste påmindelse for udestående faktura [number].” If you have opened it, as well as the document attached to it, it is most likely that you now need to remove Serpent ransomware.testtesttest

How does Serpent Ransomware work?

According to our research, the vicious Serpent Ransomware is the newly updated version of the Hadeslocker Ransomware. Its creator, of course, is unknown, but its distribution techniques have been discovered. As mentioned already, the launcher of the infection is hidden in a spam email, and the victims are tricked into launching it themselves. When you try to open the Word Document file that hides the threat (could use different files as well), you are introduced to a pop-up asking to enable macros. If you enable it, the infection is executed, and malicious activity is initiated. Right from the start, Serpent Ransomware creates a registry entry that ensures launch on startup. Also, it deletes Shadow Volume Copies, which ensures that you cannot employ the system restore point feature to recover your files. On top of that, it uses the command “cipher.exe /W:[root_directory_of_drive]” to overwrite the data that was deleted to ensure that you cannot recover it at any point. The encryption of your files is initiated silently, and it appears that the ransomware can utilize AES and RSA encryption algorithms. According to the researchers at, these algorithms are used to encrypt the files and the decryption key that could be used for the decryption proces. The infection will not initiate encryption if you live in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Turkmenistan, which is why it checks your geo-location first.

Once the malicious Serpent Ransomware is settled, it creates a file called “HOW_TO_DECRYPT_YOUR_FILES_***”. This file can either be an HTML file or a TXT file, and the three stars can be replaced by any random characters. You are most likely to find this file on the Desktop, but it should also be placed along with the encrypted files. Speaking of the files, the encrypted ones will have the “.serpent” extension attached to them, and, according to our research, around 900 different types of files could be targeted, which means that all of your personal files are likely to be corrupted. The purpose of the ransom note within the HTML/TXT file is to push you into paying the ransom fee, which starts at 0.75 Bitcoins (~780 EUR), but can go up to 2.25 Bitcoins (~2350 EUR) if you do not pay the initial fee within 7 days. The fee allegedly can buy you a program called “Serpent Decrypter,” but we cannot guarantee that it exists. We also cannot guarantee that the creator of the ransomware will provide you with it when you pay the ransom following the steps listed in the ransom note. Unfortunately, it seems that you can save your files only if they are backed up.

How to remove Serpent Ransomware

It is crucial to delete Serpent Ransomware from your operating system as soon as possible, even if you are unable to find a way to decrypt your files. This infection is operated by very smart and vicious cyber criminals, and you do not want to keep them in control for much longer. Even if your files are unlocked after paying the ransom, you have to remove this malicious threat. Considering that there is a huge problem with your virtual security – if there wasn’t, you would not be dealing with the ransomware – we strongly encourage you to install anti-malware software. First of all, it can automatically ease existing infections. Second, it can ensure reliable full-time protection. If you decide to eliminate the ransomware manually (see the guide below), you should still install anti-malware software sooner rather than later.

Removal Instructions

  1. Right-click and Delete the malicious file you downloaded from the corrupted spam email.
  2. Launch Windows Explorer by simultaneously tapping Win+E keys.
  3. Enter %UserProfile%\AppData\Roaming\ into the bar at the top.
  4. Delete the {random name} folder than contains the malicious {random name}.exe file.
  5. Enter %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup into the bar at the top.
  6. Delete the {random name}.vbs file.
  7. Right-click the recycle bin and select Empty Recycle Bin.
  8. Immediately scan your PC with a legitimate malware scanner to check for leftovers. Do not skip this step.
100% FREE spyware scan and
tested removal of Serpent Ransomware*

Leave a Comment

Enter the numbers in the box to the right *