Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is an extremely malicious application that once on your computer will encrypt all of its files. Unfortunately, once it has encrypted your files, it is too late to do anything about it, but paying the ransom to get them back is not an option because you might not get the promised decryption key. Therefore, we are of the opinion that you have to remove this ransomware instead of complying with the cyber criminals’ demands. If you pay the ransom, then you will only encourage this ransomware’s developers to release more similar infections.

Our malware analysts have found that Ransomware is very similar to Ransomware, Redshitline Ransomware, Saraswati Ransomware, and a few other ransomware infections. It seems that all of these infections come from the same developers. Previously released malware contained hints that it was made in India, but this new release makes no mention of this. Regardless, we are positive that it comes from the same

As far as this ransomware’s distribution channels go, researchers think that it is most likely disseminated using email spam sent to random email addresses from a dedicated server. The emails are probably disguised as invoices, but they can also feature text that says that it contains a receipt in an attached document that can appear as if it is a Word or PDF file. However, this file is fake, and it is actually a dropper file that secretly places Ransomware’s executable on your computer.

Testing has shown that this ransomware consists of only one executable file. However, it is named randomly and can be placed in several locations. Researchers say that it can be found in either %ALLUSERSPROFILE%\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, %USERPROFILE%\Microsoft\Windows\Start Menu\Programs, %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs or %APPDATA%. Once on your computer, the ransomware will execute automatically and scan your computer for files of interest. This ransomware is capable of encrypting hundreds of file formats that include .doc, .xls, .ppt, .jpg, .exe, .dll, and so on. So this ransomware is configured to encrypt all of your personal and other valuable files. Research has shown that it encrypts the files using a unique RSA-2048 encryption algorithm. RSA-2048 is a secure encryption algorithm and, currently, there is no free decryption key for the unique key used in this ransomware.

While encrypting, this ransomware appends the file names with the id-78684129.{}.xtbl extension. Once the encryption process is complete, the ransomware will change the desktop wallpaper with an image named How to decrypt your files.jpg that says that you have to contact “technical support” to get your files back. Furthermore, it creates a file named How to decrypt your files.txt that also says that you have to contact one of two provided emails to decrypt your files. However, decryption does not come free because this is a ransomware after all. We do not know how much money the cyber criminals want you to pay, but you should not pay the ransom regardless.

The cyber criminals want you to contact them using either or They might ask you to send them one small file that they will promise to decrypt to assure you that they mean business and can actually decrypt the files. Previously released infections gave the victims only three days to contact the developers to decrypt the files. However, Ransomware does not give you a deadline, but that does not matter because paying the ransom is not a good idea.

Researchers say that the cyber crooks might not send you the decryption key or the decryption software and even if they do, there is no guarantee that it will work. If you do not have valuable files, then paying to get them back is pointless. In any case, you should not allow yourself to be bullied by some secretive malware developers. Our malware analysts have composed a guide that can help you remove this ransomware, so feel free to use it.

How to remove Ransomware

  1. Hold down Windows+E keys on the keyboard.
  2. Enter each of the following file paths in the File Explorer’s address box.
    • %ALLUSERSPROFILE%\Start Menu\Programs\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
    • %APPDATA%\
  3. Identify the malicious executable file and right-click it.
  4. Click Delete.

Delete the registry keys

  1. Hold down Windows+R keys on the keyboard.
  2. Type regedit in the dialog box and hit Enter.
  3. Navigate to HKCU\Control Panel\Desktop
  4. Delete the string named Wallpaper.
  5. Then, go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  6. Delete BackgroundHistoryPath0
  7. Finally, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  8. Identify and delete the string that features the Value data C:\Users\user\AppData\Roaming\randomlynamed.exe
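
A read-only PowerShell pass over the folders and registry values listed in the two procedures above, so the executable and its Run entry can be identified before anything is deleted. This is an added example, not part of the original guide; the pattern used to flag Run values (an .exe directly under AppData\Roaming) is an assumption based on the sample value data in step 8.

```powershell
# Added example: read-only triage of the locations named in this guide.
# Nothing is deleted; review the output, then remove confirmed items by hand.

# Folders the guide lists as possible drop locations (top level only).
$dropDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA"
)

# 1. Executables directly in those folders, with hash and signature status.
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        } | Format-List
}

# 2. Run-key values whose data is an .exe directly under AppData\Roaming
#    (assumed pattern, taken from the sample value data in step 8).
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runKey.GetValueNames()) {
    $data = [string]$runKey.GetValue($name)
    if ($data -match '\\AppData\\Roaming\\[^\\]+\.exe') {
        [pscustomobject]@{ RunValue = $name; Data = $data } | Format-List
    }
}

# 3. Wallpaper values the guide has you delete; print them before removal.
$wallpaperValues = @(
    @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'Wallpaper' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers'; Name = 'BackgroundHistoryPath0' }
)
foreach ($v in $wallpaperValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { '{0}\{1} = {2}' -f $v.Key, $v.Name, $item.($v.Name) }
}
```

Run it in the affected user's session, because the HKCU and %APPDATA% lookups resolve per user.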

In non-techie terms:

Our researchers have tested Ransomware and found that it is a typical infection that is set to encrypt your files and demand that you pay a ransom to decrypt them. It uses a strong encryption algorithm, so, at the moment, decrypting them using a third-party tool is not possible. There is no guarantee that this ransomware’s developers will give you the decryption tool after you have paid, so we recommend that you remove this infection using the guide above or an anti-malware application called SpyHunter if you are unable to identify its executable.