Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is yet another ransomware infection from the family that is built on the CrySIS ransomware engine. It is dedicated to encrypting all of your files and demanding that you purchase the decryption tool from its developer to restore them, but the problem is that you might never receive this tool. Therefore, our security experts at recommend that you remove this malicious application. We have obtained a sample of it and, in this article, we discuss the findings of the analysis performed by our malware researchers. If your computer has been infected with it, please see the manual removal guide below. Ransomware was created by a developer that our researchers think is based in Russia. This developer has been releasing similar infections for months now, and some of its newer releases, such as Ransomware,, and are still out there being distributed using deceptive means. So Ransomware is by no means meant to replace previously released infections but to add to the already large family of ransomware.

Our researchers think that this particular ransomware is distributed using email spam. Email spam is used by many developers of ransomware to infect the computers of unsuspecting users, so our researchers were not surprised to learn that this particular infection is distributed in the same manner. The malicious emails do not come from obscure email addresses; instead, the sender addresses attempt to impersonate employees of well-known companies such as eBay, FedEx, and so on. The emails carry attachments that may be disguised as PDF files but are actually malicious executables, set to drop Ransomware’s main executable into one of several predetermined locations.

While conducting their research, our security experts concluded that this ransomware drops its main executable file into one of seven possible locations, the most likely of which are %WINDIR%\Syswow64 and %WINDIR%\System32. The ransomware also creates a randomly named registry string at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose Value data is the path of the main executable (e.g. %WINDIR%\Syswow64\executable.exe), so that it is launched at every logon. Once everything is in place, this ransomware connects to the Internet and then to its server, which stores the private decryption keys that the application sends to it.

It will then begin encrypting files. Take note that it does not cherry-pick particular file types that are most likely to contain valuable information for which you would be willing to pay the most money. No, it encrypts almost all files in all locations, with the exception of %AppData%, %System32%, %Windows%, and %Temp%. It uses a 2048-bit RSA key to encrypt the files. Currently, no free decryption tool can decrypt your files, though one may be in development. While encrypting, Ransomware appends a file extension containing a unique ID number and an email address that you must use to contact the developer for further instructions on how to pay the ransom. The sum of money the victim is expected to pay is not specified, but our researchers say that it can be anywhere between 3 and 4 BTC, which is 1715 USD and 2287 USD respectively. These are substantial amounts of money that may not be worth paying.

In any case, once the encryption is complete, this ransomware creates a file named How to decrypt your files.txt. The text in this file reads “DECRYPT FILES EMAIL All third party programs, pictures and documents are encrypted.” This program does not lock the screen, so you will still be able to use your computer, with limited functionality. However, since the ransom you are expected to pay is vast and there is no guarantee that you will receive the promised decryption key, we recommend that you remove Ransomware.

Our security experts have created a manual removal guide that will help you eradicate this infection in its entirety. However, since the name of its main executable is randomized and the location it is dropped into varies to some degree, we suggest using SpyHunter, our featured anti-malware application, in case you cannot locate the executable by yourself.

Manual removal guide

  1. Press Windows+E keys.
  2. In the File Explorer’s address box enter each of the following locations.
    • %WINDIR%\System32
    • %WINDIR%\Syswow64
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find the executable (.exe) file and delete it.
  4. Close the File Explorer.

Delete the registry key

  1. Press Windows+R keys.
  2. Type regedit and hit Enter.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find a randomly named string whose Value data features the path of the executable (e.g. %WINDIR%\Syswow64\executable.exe)
  5. Right-click it and click Delete.
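The two manual steps above (checking the seven drop locations and the HKLM Run key) can be carried out as a read-only triage first, so that you see exactly which Run entry and which file you are about to delete. The following PowerShell script is an added example written for this guide and is not code from the original article or from the ransomware's author: it lists every Run entry whose executable sits directly in one of the drop locations listed above and is not signed by Microsoft, and it locates copies of the How to decrypt your files.txt note so you can see which folders were affected. The drop paths, the Run key and the note name are taken from the article; the function names and the "not Microsoft-signed" heuristic are my own assumptions.

```powershell
# Added example (not from the original article): read-only triage for the persistence
# and ransom-note artefacts described in the guide. Run from an elevated prompt.

# Drop locations listed in the removal guide, expanded at runtime (e.g. %WINDIR% -> C:\Windows).
$DropLocations = @(
    '%WINDIR%\System32',
    '%WINDIR%\Syswow64',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

function Get-RunKeyEntries {
    # Returns every value under the HKLM Run key named in the guide, with the executable
    # path extracted from the value data (handles quoted paths and trailing arguments).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $item = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... properties
        $data = [string]$prop.Value
        $exe  = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split ' ')[0] }
        [PSCustomObject]@{
            Name       = $prop.Name
            Data       = $data
            Executable = [Environment]::ExpandEnvironmentVariables($exe)
        }
    }
}

function Test-SuspiciousRunEntry {
    param([Parameter(Mandatory)] $Entry)
    # Heuristic (my assumption, not from the article): flag an entry whose executable lives
    # directly in one of the drop locations and is not validly signed by Microsoft. Genuine
    # Windows components in System32/SysWOW64 are signed, so an unsigned stray .exe stands out.
    $dir    = Split-Path -Path $Entry.Executable -Parent
    $inDrop = $DropLocations | Where-Object { $dir -and ($dir -ieq $_) }
    if (-not $inDrop) { return $false }
    if (-not (Test-Path -LiteralPath $Entry.Executable)) { return $true }   # dangling reference, still worth removing
    $sig = Get-AuthenticodeSignature -FilePath $Entry.Executable
    return -not ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Find-RansomNotes {
    param([string[]] $Roots = @($env:USERPROFILE, $env:PUBLIC))
    # The note file name is the one quoted in the article; each hit marks an affected folder.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'How to decrypt your files.txt' -Recurse -File -ErrorAction SilentlyContinue
    }
}

# Usage: review the output, then delete the flagged Run value and file by hand as the guide describes.
$suspects = Get-RunKeyEntries | Where-Object { Test-SuspiciousRunEntry -Entry $_ }
$suspects | Format-Table Name, Executable, Data -AutoSize
Find-RansomNotes | Select-Object -ExpandProperty DirectoryName -Unique
```

The script deliberately deletes nothing: because the executable name is random, an automated delete keyed only on "unsigned file in System32" could hit a legitimate third-party component, so the output is meant to be checked against steps 3 and 4 of the two lists above before anything is removed. Extend `$Roots` in `Find-RansomNotes` to cover other drives or shares if the note turns up outside the user profile.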

In non-techie terms: Ransomware is a malicious application dedicated to encrypting nearly all of the files on your computer and then “offering” to sell you the decryption tool to restore them. The criminal behind this infection may demand a large and unreasonable sum of money, and there is no guarantee that you will receive the tool after you have paid. Therefore, we advise that you delete this ransomware using the guide above or our suggested program.