Defender Ransomware Removal Guide

Do you know what Defender Ransomware is?

Defender Ransomware is a file-encryptor that does not actually demand a ransom. Due to this, it is not exactly right to classify this threat as a ransomware, but since this is the category we place all file-encryptors into – as they usually demand a ransom – this is what we identify the threat as in this situation too. It is unknown how exactly this threat is distributed, but it is possible that different methods of distribution could be tested. Our research team suggests that this malicious threat might have been created to help cyber criminals test the possibilities of a file-encryptor, and so they could experiment with the distribution too. It is not known if the threat could affect regular Windows users either, but if that happens, recovering files would be impossible. Even if that is the case, removing Defender Ransomware is important, and this report is supplemented with a complete removal guide.

After analyzing the code of the malicious Defender Ransomware, it was found that the threat is set to encrypt files in 4 specific directories: %USERPROFILE%\Desktop, %USERPROFILE%\Documents, %USERPROFILE%\Music, and %USERPROFILE%\Videos. When the infection encrypts files – which it does using the widely-used AES encryption algorithm – the “.defender” extension is attached to their original names. Unfortunately, decrypting these files is not possible, and you cannot recover them. You are informed about that via a ransom note file called “Defender_Ransomware.txt.” This file is downloaded by Defender Ransomware without authorization from, and it is placed in every directory that the infection targets. This file is useless, and so you can delete it right away. The message inside the file reads: “YOUR FILES HAVE BEEN ENCRYPTED BY DEFENDER RANSOMWARE. THE WALL WILL NOT FALL. THIS RANSOMWARE IS NOT DECRYPTABLE. SORRY ABOUT THAT.” This clearly indicates that the threat was created to encrypt files without the possibility of decryption.Defender Ransomware Removal GuideDefender Ransomware screenshot
Scroll down for full removal instructions

The malicious Defender Ransomware is capable of copying itself to ensure that the victim cannot delete it easily. According to our research, the infection copies itself to the %Temp%\Cache\ folder as “MpCmdRun.exe.” We cannot guarantee that the name will be the same in all cases. The folder hosting the copy is hidden to further ensure that you cannot access and remove it. Of course, there is a way to show hidden files, and if you follow the manual removal instructions below, you will learn how to achieve that. If you are choosing to postpone the elimination of this malware because you are still hopeful that your files could be restored, we cannot give you any promises. While there is a chance that a decryptor could become available, it is so small that you should not even think about it. Hopefully, your personal files are stored in a backup, and you can access them after you delete Defender Ransomware from your Windows operating system.

Do not be intimidated by the steps shown in the guide below. Although there are quite a few steps, they are not complicated, and you should be able to get rid of Defender Ransomware successfully. Needless to say, your files will not be decrypted if you erase this threat, but you want to get rid of it as soon as possible because it is in the hands of malicious cyber attackers, and you do not want to give them other opportunities to attack you. Note that manual removal is just one of the options. You can also install an anti-malware tool. As a matter of fact, this is the best option because the right tool can automatically clean your system and protect it thereafter to ensure that other malicious threats cannot slither in again.

Remove Defender Ransomware

  1. Delete the original ransomware launcher file, {random name).exe (name and location are random).
  2. Launch Windows Explorer by tapping Win+E keys on the keyboard.
  3. Enter %TEMP% into the bar at the top.
  4. Click the Organize button on the left top corner of the window.
  5. Select Folder and Search options and then click the View tab.
  6. Under Hidden files and folders mark Show hidden files, folders, or drives.
  7. Click Apply and then exit the Folder Options menu.
  8. Open the folder named Cache and then Delete the ransomware copy file (should be named MpCmdRun.exe).
  9. Enter these paths into the bar at the top and Delete the Defender_Ransomware.txt file:
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Documents
    • %USERPROFILE%\Music
    • %USERPROFILE%\Videos
  10. Launch RUN by tapping Win+R keys on the keyboard.
  11. Enter regedit.exe and click OK to access Registry Editor.
  12. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  13. Delete the ransomware value (should be named MpCmdRun) and then exit Registry Editor.
  14. Empty Recycle Bin and then immediately perform a full system scan to check for leftovers.

In non-techie terms:

Defender Ransomware is an incredibly malicious file-encryptor that appears to have been created for testing purposes only. It is unknown if the current version of this threat is used to corrupt the files of real Windows users, but if you happen to encounter this infection, your files are encrypted, and decrypting them is impossible. The creators of the ransomware do not even demand a ransom, which is how most other file-encryptors work. Hopefully, you still can do something to protect your system and your files against this malware, and we suggest employing anti-malware software. If it is too late to protect yourself against this particular threat, you still want to install anti-malware software to ensure protection in the future. Note that this software can also automatically delete Defender Ransomware and other threats that might be active.