Encryptile Ransomware Removal Guide

Do you know what Encryptile Ransomware is?

Encryptile Ransomware is a file-encrypting infection that was first released at the beginning of August 2016. It is a new threat, so it is not very prevalent compared to other well-known ransomware infections. Of course, that does not mean it cannot slither onto your computer one day. Our experts have found that the majority of people who discover Encryptile Ransomware on their computers remember opening an attachment from a spam email they found in the spam mail folder. Once Encryptile Ransomware is inside the computer, it downloads two malicious files, notepad.exe and encryptile.exe (both are located in the %LOCALAPPDATA% directory and have points of execution in the Run registry key), kills launched .exe files, and then encrypts files using the AES encryption algorithm and an RSA key so that it is impossible to decrypt them without purchasing the special key. As has probably become clear from this paragraph, this ransomware infection does not try to camouflage itself or work in the background, so it will become clear very soon that it is performing activities inside your system.

Even though Encryptile Ransomware is a new ransomware infection, it does not differ much from similar infections released some time ago. Our researchers have found that this threat also changes the Desktop background and creates an .html file (Decrypt_[10-character ID].html), a .jpg file (Decrypt_[10-character ID].jpg), and two .txt files (Decrypt_[10-character ID].txt and How to buy bitcoin_[10-character ID].txt) in every folder containing encrypted files. The program it opens after placing these files on the system and encrypting personal files contains an explanation of the condition of the files: “Your files are safely encrypted with strongest AES encryption and a private RSA key.” It also says that users have to send 0.0545542 Bitcoin within 3 days to the provided Bitcoin address to get the private key and thus unlock their files. The list of encrypted files (the information is taken from the Readlist.txt file created by the ransomware infection) is also available there to show users that a number of files will be of no use if they decide not to pay the required amount of money.

As our researchers have found, Encryptile Ransomware targets every folder inside the %HOMEDRIVE% directory. Luckily, it skips the %WINDIR% directory containing Windows files and a few folders in %PROGRAMFILES%. It is not hard at all to tell which personal files have been encrypted because every file Encryptile Ransomware touches is renamed following the pattern [file]EncrypTile.[original extension], for example, picture.jpg.EncrypTile.jpg. We have to admit that the size of the ransom (~ 40 USD) asked by this infection is very small compared to the amounts of money asked by similar infections; however, that does not mean that we encourage users to make a payment. There is one reason: you might not get anything from cyber criminals even if you transfer the money. It is up to you whether or not to risk paying, but do not forget that it is still a must to delete Encryptile Ransomware fully from the system because it will be impossible to use the computer, this infection will keep connecting to the Internet without permission, and, finally, it might strike once again if you do not get rid of it soon.
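The file names described above (the ransom notes and the EncrypTile marker) can be used to measure how far the encryption reached. The Python script below is an added example, not part of the original guide or of any vendor tool; the function names, the made-up ID AB12CD34EF and the reading of the rename pattern from the single picture.jpg.EncrypTile.jpg example are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Note names as listed in this guide; the ID's character set is not stated,
# so any 10 characters are accepted. Case-insensitive, as on Windows.
NOTE_RE = re.compile(
    r"^(?:Decrypt_(?P<a>.{10})\.(?:html|jpg|txt)"
    r"|How to buy bitcoin_(?P<b>.{10})\.txt)$", re.I)
# Assumption from the one example picture.jpg.EncrypTile.jpg: the marker
# ".EncrypTile.<ext>" is appended to the unchanged original name.
ENC_RE = re.compile(r"^(?P<orig>.+?)\.?EncrypTile\.[^.]+$", re.I)

def classify(name):
    """Return ('note', id), ('encrypted', original_name) or None."""
    m = NOTE_RE.match(name)
    if m:
        return ("note", m.group("a") or m.group("b"))
    m = ENC_RE.match(name)
    return ("encrypted", m.group("orig")) if m else None

def survey(root):
    """Walk root and collect encrypted files, note folders and IDs seen."""
    report = {"encrypted": [], "note_dirs": set(), "ids": Counter()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit and hit[0] == "note":
                report["note_dirs"].add(folder)
                report["ids"][hit[1]] += 1
            elif hit:
                report["encrypted"].append((os.path.join(folder, name), hit[1]))
    return report

def build_sample(root):
    """Create a constructed sample tree (empty files, made-up ID)."""
    names = ["picture.jpg.EncrypTile.jpg", "report.docx.EncrypTile.docx",
             "Decrypt_AB12CD34EF.html", "Decrypt_AB12CD34EF.txt",
             "How to buy bitcoin_AB12CD34EF.txt", "untouched.txt"]
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for n in names:
        open(os.path.join(docs, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(survey(tmp))
```

`survey()` only reads file names and changes nothing, so it can be pointed at the affected drive before or after cleanup to list which files need restoring from backup.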

It has become evident after research carried out by our team of experts that Encryptile Ransomware is disseminated exactly like other ransomware infections, i.e. through spam emails; however, it might enter computers differently as well, for example, with the help of a Trojan infection. Do not expect that it is easy to protect the system from ransomware infections because they are really dangerous threats that can quickly enter computers without permission. Of course, we do not say that you cannot do anything about that. According to specialists, users should install reputable security tools on their computers and activate them to make sure that malicious software cannot enter their systems.

Encryptile Ransomware differs from other ransomware infections in the sense that it starts in Safe Mode and blocks system utilities. This also indicates that it will be extremely hard to remove. Do not worry; there is still a way to do that using the so-called live version of Windows. Find the manual ransomware removal instructions below.

Delete Encryptile Ransomware

  1. Download Hiren’s Boot CD software for Windows.
  2. Burn it to a USB flash drive or CD using another machine that is not infected.
  3. Insert your USB flash drive or CD in the infected computer.
  4. Boot into the USB flash drive or CD.
  5. Click Mini Windows Xp.
  6. Click on the icon of Hiren’s BootCD Program Launcher you will find on Desktop.
  7. Open Registry and then select Registry Editor PE.
  8. Go to HKLM\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\_REMOTE_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
  9. Find Values Unikey Manager, Service Runtime, etc. belonging to the ransomware infection.
  10. Right-click on these Values and then select Delete.
  11. Boot up into your Windows OS normally.
  12. Tap Win+E and then type %LOCALAPPDATA% into the URL bar.
  13. Remove files notepad.exe, encryptile.exe, and Readlist.txt (they might have different names).
  14. Remove .html, .jpg, and two .txt files from Desktop.
  15. Empty the Recycle bin.

In non-techie terms:

Even though you have removed Encryptile Ransomware from your computer, you might have other infections hiding there too. Since they work in the background silently, it is very likely that you do not know anything about them. It is very hard to detect those threats manually, so specialists recommend using automatic scanners. Scan your PC right after the deletion of Encryptile Ransomware to find out whether or not other infections are hiding on your computer. You will also find out whether or not you have fully deleted Encryptile Ransomware.