BlackShades Crypter Ransomware Removal Guide

Do you know what BlackShades Crypter Ransomware is?

BlackShades Crypter Ransomware is a dangerous Trojan that has been created and released by cyber criminals seeking to extort money from computer users. It declares that it uses a strong cipher RSA-4096, and if it is true, it means that it is very hard to gain access to files it locks. Yes, this ransomware infection is going to lock all your files and then will demand a ransom in exchange for the key for unlocking files. Of course, nobody knows whether this key will be really sent to you, so it is quite risky to pay money. Unfortunately, an alternative method to unlock files does not exist. You can restore them only if you have copies of your main files. Also, a free decryptor might be released in the future too. If you are not going to wait for this to happen and are not planning on paying a ransom, you need to delete BlackShades Crypter Ransomware from your computer ASAP because this threat might launch itself again and then encrypt all new files. More information regarding the removal of this infection can be found in the following paragraphs of this report.BlackShades Crypter Ransomware Removal GuideBlackShades Crypter Ransomware screenshot
Scroll down for full removal instructions

Researchers say that BlackShades Crypter Ransomware is not a unique threat at all; however, it has been noticed that it encrypts files completely silently, i.e. it does not inform users about that. Of course, they notice that files have been locked very quickly because they cannot open any of them. Besides, people notice that the filename extensions of all their files have been changed to .silent. As ransomware infections seek to extort money, it is not very surprising that you will be asked to pay money to make it possible to remove all these extensions and thus unlock files. Fortunately, the sum of money this threat asks to transfer is not large, only 0.07 BTC, which is approximately $30; however, we believe that it is worth transferring money to cyber criminals only if very important files have been locked. Before you pay a ransom, make sure that you do not have copies of your files. If it turns out that you do, you can restore them in a click of a button free of charge. Remove BlackShades Crypter Ransomware from your PC first!

To make sure that you know what has happened to your files, cyber criminals programmed this Trojan in such a way that it would create files on Desktop right after it finishes encrypting files. You will see three files on your Desktop and their copies in other directories:

  • Hacked_Read_me_to_decrypt_files.html
  • YourID.txt
  • Ваш идентификатор

The first file contains messages in both English and Russian saying that “You have been strucked with BlackShades Crypter.” Also, users will be informed what they have to do in order to decrypt files. YourID.txt and Ваш идентификатор files contain the unique user’s ID. Do not delete these files if you are thinking of paying the ransom.

Our security specialists have tested the infection and found that it puts two copies of itself to the system: one copy will appear in %APPDATA%\Windows, whereas the other one will be put in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. On top of that, BlackShades Crypter Ransomware will create the point of execution in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. As can be seen, this threat applies quite many changes. Fortunately, they can all be restored quickly.

To remove BlackShades Crypter Ransomware from your computer, you will have to remove all of its files and the Value it creates in the Run registry key. If it is your first time, you should use instructions that can be found below this article. You can also delete the ransomware infection in an automatic way, but you will have to transfer a setup to your computer from a USB flash or another device. Keep in mind that our manual removal instructions will only help you to delete BlackShades Crypter Ransomware. In other words, your system might still contain other threats, and you need to take care of them all too.

Delete BlackShades Crypter Ransomware

  1. Open the Windows Explorer (Win + E).
  2. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup in the address bar.
  3. Tap Enter.
  4. Delete win.exe (the name might change) and the .html file (Hacked_Read_me_to_decrypt_files).
  5. Tap the Windows key + R and enter regedit.exe. Click OK.
  6. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  7. Locate the Driver Value.
  8. Right-click on it and select Delete.
  9. Remove files from Desktop: YourID.txt, Ваш идентификатор, and Hacked_Read_me_to_decrypt_files.html.
  10. Empty the Recycle bin and reboot your PC.

In non-techie terms:

You already know how BlackShades Crypter Ransomware acts. Now you should know how it is spread. It is known that ransomware infections are usually distributed through spam emails. To be more specific, they pretend to be useful documents. Therefore, users so often download these files and thus allow malware to enter their systems. The easiest way to make sure that any threat cannot sneak onto the computer is to install security software. Of course, users have to browse the web more carefully either, e.g. immediately close a suspicious-looking website.