Ransomware Removal Guide

Do you know what Ransomware is?

If your computer gets hit by Ransomware, you should be prepared to lose most of your precious files. This devious program can encrypt all your personal files, including photos, videos, text files, and program files as well. This could be an awful loss if you do not have a backup copy saved onto an external hard disk or a pendrive. Although your attackers give you a chance to get hold of the private key and the decryption program they store on a secret server, you have to pay for it, of course. But what guarantee do you have that they will actually send you the key and the tool so you can recover your files? While in some cases the crooks may keep their promise, experience shows otherwise. According to our researchers, who tested this dangerous ransomware infection in our internal lab, you should remove Ransomware immediately unless you plan to risk paying the ransom fee to these cyber criminals. But even in that case you need to eliminate this threat after recovering your files, if you get what you pay for, of course.

The first and most important thing to know about a ransomware infection is how it can enter your operating system and how it is activated to wreak such nightmarish destruction on your computer. This way you could probably avoid the next attack and save yourself a lot of the headaches that come with the possibility of losing your precious files. Ransomware has been found mostly spreading as a malicious file attachment in spam e-mails. This method is probably the most often used one apart from Exploit Kits and malicious

Criminals can be quite resourceful when it comes to fooling computer users with fake e-mails. They can make up fake invoices and problems with credit card details or hotel bookings and pretend to attach them to the spam messages as an image or document file. However, when you try to view the attachment, you actually initiate the attack. If you do not want similar threats crawling onto your computer, you need to be more alert when clicking on e-mails in your inbox. Just because you have a spam filter does not mean that you are 100% protected. If you are offered any suspicious file as an attachment and you doubt whether it concerns you personally, you should try to contact the sender before you save and open it, and figure out whether it was really meant for you. Because if you let such a beast onto your computer, removing Ransomware will not save your files; it would be too late to act, even though removal is still what you should do if you want to restore your system security.

Our researchers found that this infection is nothing new on the palette of ransomware threats, as it is also based on the infamous CrySIS Ransomware engine, just like a number of other infections that have hit the net recently, including Ransomware and Ransomware. Once this beast starts up, it targets your most precious files and encrypts them with the RSA-2048 algorithm to make sure you will be more likely to pay the ransom fee. All the files that are taken hostage get a “.id-B4500913.{}.xtbl” extension. Two files are also dropped by this ransomware onto your system. One is the background image (“how to decrypt your files.jpg”) that replaces your desktop wallpaper after the encryption finishes, and the other is a text file ("Decryption instructions.txt") placed in every directory where files have been affected by this malware.

In order to get more information about the payment and how you can get your files back, you are supposed to send an e-mail to The most probable scenario is that you will be asked to transfer the ransom fee in Bitcoins to a given address. This amount can greatly vary from one ransomware to another. We have no information on how much these crooks are asking for, but we can tell you that the usual amount ranges from 0.1 BTC up to 1 BTC, which is around 61 USD to 610 USD. We cannot state categorically that you will not get the private key and the tool from these criminals, but, unfortunately, experience shows that such an attack is mostly a scam to extort money from the victims without decrypting their files. No matter how you decide, though, in the end you should delete Ransomware to secure your computer.

Finally, it is time for us to talk about solutions. If you want to remove Ransomware from your system, you need to clean some files and registry keys. If you feel up to it, please follow our instructions below this article. The protection of your files and your operating system should be your priority if you want to feel safe while your computer is on. Therefore, we advise you to consider employing a professional malware removal tool, such as SpyHunter or any other of your choice. But beware of rogue programs that claim to be security tools. You should do a proper web search before downloading any software.

Ransomware Removal from Windows

  1. Tap Win+E to run File Explorer.
  2. Delete the saved malicious file.
  3. Delete the executable file that can be found in these folders (it may have a random name, or be called “Payload1.exe” or “Payload_c.exe”):
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup\*.exe
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start
    %WINDIR%\Syswow64\*.exe (64-bit)
  4. Remove “C:\Users\user\how to decrypt your files.jpg” as well.
  5. Bin all the "Decryption instructions.txt" files you can find.
  6. Empty your Recycle Bin.
  7. Tap Win+Q and type in regedit. Press Enter.
  8. Change these registry values to change your desktop wallpaper:
    HKCU\Control Panel\Desktop\Wallpaper (value data: “C:\Users\user\how to decrypt your files.jpg”)
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\BackgroundHistoryPath0 (value data: “C:\Users\user\how to decrypt your files.jpg”)
  9. Delete these registry keys (may have random names):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: “%WINDIR%\Syswow64\*.exe”) (64-bit)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: “%WINDIR%\System32\*.exe”)
  10. Close the Editor and reboot your PC.
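The manual steps above are easy to get wrong on a busy machine, so here is an added PowerShell audit script (written for this guide, not taken from it or from any vendor tool) that checks the same places the steps name: the startup folders, the ransom-note files, the two wallpaper registry values and the HKLM Run key. It reports what it finds and, only when run with the assumed -Fix switch, clears a wallpaper value that points at the ransom image. The file names, extension pattern and registry paths are the ones the guide lists; the output labels and the -Fix switch are this script's own design. It never deletes executables or Run entries on its own, because legitimate software also lives under System32 and a person should make that call.

```powershell
# Added audit script for the removal steps in this guide (not the guide's own code).
# Run from an elevated PowerShell prompt. Without -Fix it only reports.
param(
    [switch]$Fix   # assumed switch: when set, clears hijacked wallpaper values
)

$noteImage = 'how to decrypt your files.jpg'      # dropped wallpaper named in the guide
$noteText  = 'Decryption instructions.txt'        # ransom note named in the guide

# 1. Executables in the startup folders the guide lists
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Output "STARTUP EXE: $($_.FullName)" }
    }
}

# 2. Ransom notes and encrypted files under the user profile.
#    Encrypted names follow the guide's ".id-<hex id>.{<address>}.xtbl" pattern.
$userFiles = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue

$userFiles |
    Where-Object { $_.Name -eq $noteText -or $_.Name -eq $noteImage } |
    ForEach-Object { Write-Output "RANSOM NOTE: $($_.FullName)" }

$encrypted = @($userFiles | Where-Object { $_.Name -match '\.id-[0-9A-Fa-f]+\.\{[^}]*\}\.xtbl$' })
Write-Output ("ENCRYPTED FILES (.xtbl): {0}" -f $encrypted.Count)
$encrypted | Select-Object -First 5 | ForEach-Object { Write-Output "  e.g. $($_.FullName)" }

# 3. Wallpaper registry values the infection points at the ransom image
$wallpaperValues = @(
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'Wallpaper' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers'; Name = 'BackgroundHistoryPath0' }
)
foreach ($v in $wallpaperValues) {
    $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($current -and $current -like "*$noteImage") {
        Write-Output "WALLPAPER HIJACKED: $($v.Path)\$($v.Name) = $current"
        if ($Fix) {
            # Clear the value; Windows falls back to a solid colour until you pick a new image
            Set-ItemProperty -Path $v.Path -Name $v.Name -Value ''
            Write-Output "  cleared $($v.Name)"
        }
    }
}

# 4. HKLM Run entries whose command points into Syswow64 or System32, as step 9 describes.
#    Report only: a human decides which of these (if any) is the dropper.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |                     # skip PowerShell's own metadata
        Where-Object { "$($_.Value)" -match '(?i)\\(Syswow64|System32)\\[^\\]+\.exe' } |
        ForEach-Object { Write-Output "RUN ENTRY: $($_.Name) = $($_.Value)" }
}
```

Run it once without -Fix, review the STARTUP EXE and RUN ENTRY lines against step 3 and step 9 of the guide, and only then remove what you have confirmed is malicious. A cleared wallpaper value takes effect after you sign out and back in. Even when the script reports nothing, a file count under ENCRYPTED FILES greater than zero tells you the backups, not the registry, are what will get your data back.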

In non-techie terms: Ransomware is a dangerous threat to your personal files, which you may lose in this attack if you do not have a backup. This infection encrypts all your photos, videos, and other files that are most important to you, and offers you the private key and a decryption tool for a certain price, also known as a “ransom fee.” However, you cannot trust these criminals to really deliver. It is up to you, though, how you decide. The best solution would be for you to have a backup copy that you could transfer back onto your PC. But whether you have one or not, the first move you should make is to remove Ransomware as soon as possible. If you do not want to risk manual removal, we advise you to install a reputable anti-malware program that will also defend your system from all known malware infections.