What is Ransomware?

Ransomware is one of many CrySIS-engine-based releases to have hit the Internet this summer. Its sole purpose is to infect your computer, encrypt your files, and then offer to sell you a decryption tool to decrypt them. You can risk buying it, but there is no guarantee that you will get it, and this decryption tool does not come cheap. Therefore, we suggest removing this ransomware and recovering your files from external drives, provided that you have backups. In this short article, we will discuss this malicious program’s distribution methods, features and functions, and ways you can get rid of it, so, if your computer has become infected with this ransomware, we invite you to continue reading.

Where does Ransomware come from?

This new ransomware comes from the same developer that is responsible for releasing Ransomware, Ransomware, Ransomware, and many other ransomware-type programs that are nearly identical in their distribution, features, and code. In fact, all of them are the same program, just re-branded and modified a bit to fit a certain requirement. For example, some of the clones have their ransom notes in both Russian and English, while others have theirs in English only. Hence, it is reasonable to think that the ransomware with the Russian ransom note will most likely be distributed in Russia and other parts of Eastern Europe.

Our security experts believe that Ransomware is being distributed through phishing emails that masquerade as payment notices, tax return forms, receipts and other types of correspondence to trick you into opening an attached WSF file that is executed through Windows Script Host. As a result, the attached file drops this ransomware's executable on your computer. However, you must know that the location in which this executable is placed varies with each case, and we think that it is set to be placed in one of seven possible locations that include, but are not limited to, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup. Once on your computer, the executable will run automatically and is set to run on each system startup, as it creates a registry string at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Without a doubt, this application’s distribution method is as malicious as it gets, and now it is time to talk about this program’s inner workings.

What does Ransomware do?

Once on your computer, this ransomware will scan it for encryptable files. However, it does not cherry-pick which files to encrypt and encrypts most of them. So, all of your applications, documents, images, videos, and audio files can be encrypted. Note that it encrypts files in almost all folders, but skips system folders because encrypting them would stop the operating system from working properly. While encrypting, Ransomware is set to append the custom .XTBL extension to the files. Also, it will add a unique ID number and the in each file name. Once the encryption is complete, it will drop two non-malicious files on your machine that serve as ransom notes.

The first file is called Decryption instructions.txt and it is dropped on the desktop. Inside this file, the text reads “All of your files are encrypted, to decrypt them write me to email: In case of no answer in 24 hours, write to” Take note that this text is in English only. The second file is called how to decrypt your files.jpg, and it is set as the desktop wallpaper. This file tells the victims to contact the developer via email in both Russian and English. Notice that the sum of money you are expected to pay for the decryption key is not stated anywhere in the ransom note. Nevertheless, if you were to contact this ransomware’s creator, then you would find out. Based on our experience with its clones, we can say that the decryption tool can cost you anywhere between 2 and 3 BTC (1,200 to 1,800 USD, respectively), but there is no way of knowing whether you will receive the decryptor once you have paid.

How do I remove Ransomware?

We hope that this short description was interesting and has shed some light on this particular malicious program. If you choose to pay the hefty ransom for the decryption tool, then be warned that you run the risk of not getting it because the cyber crook might not send it to you. If you want to delete Ransomware, then feel free to make use of the removal guide provided at the bottom or an antimalware program such as SpyHunter that will make light work of this infection.

Delete the files manually

  1. Delete Decryption instructions.txt from the desktop.
  2. Hold down Windows+E keys.
  3. In the File Explorer’s address box, enter C:\Users\{Your user name}
  4. Locate how to decrypt your files.jpg and delete it.
  5. Then, in the address box, enter the following addresses.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
  6. Identify the malicious executable and delete it.
  7. Empty the Recycle Bin.

Delete the registry string

  1. Hold down Windows+R keys.
  2. Type regedit in the box and hit Enter.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the REG_SZ string with Value data pointing to the executable’s location and delete it.
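Before deleting anything, it helps to see what is actually there. The following read-only PowerShell triage script is an added example, not part of the original article: it walks the HKLM Run key and the seven drop locations from the removal steps above, reports which Run entries launch an executable from one of those folders and whether that file is Authenticode-signed, lists executables sitting in the Startup folders, and counts files carrying the .XTBL extension described earlier. The folder paths and registry key are taken from this page; everything else is the script's own assumption.

```powershell
# Added triage script, not part of the original article. Read-only: it reports
# persistence entries and encrypted-file counts, it does not delete anything.

$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# The seven drop locations listed in the article, environment variables expanded.
$DropFolders = @(
    '%WINDIR%\Syswow64',
    '%WINDIR%\System32',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') }

# 1. For every Run value: the executable it launches, whether that file sits in a
#    drop folder, and whether it carries a valid Authenticode signature.
$key = Get-Item -Path $RunKey
$report = foreach ($name in $key.GetValueNames()) {
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
    # Quoted path -> take the quoted part; otherwise the first whitespace-delimited token.
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
    $dir = if ($exe) { Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue } else { '' }
    $sig = 'FileMissing'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
    }
    [PSCustomObject]@{
        RunValue     = $name
        Target       = $exe
        InDropFolder = [bool]($dir -and ($DropFolders -contains $dir.TrimEnd('\')))
        Signature    = $sig
    }
}
$report | Format-Table -AutoSize

# 2. Executables sitting directly in any Startup folder. System32 and SysWOW64 are
#    skipped here because legitimate binaries live there and the list would be noise.
$DropFolders | Where-Object { $_ -like '*\Startup' -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -File -Filter '*.exe' } |
    Select-Object FullName, LastWriteTime

# 3. Scope the damage: how many files under the profile carry the .XTBL extension.
$xtbl = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.xtbl' -ErrorAction SilentlyContinue)
"{0} .XTBL file(s) found under {1}" -f $xtbl.Count, $env:USERPROFILE
```

A Run entry whose target is unsigned and sits in a Startup folder is the one to match against step 4 of the registry guide; the .XTBL count tells you how much there is to restore from backup.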