RansomPlus Ransomware Removal Guide

Do you know what RansomPlus Ransomware is?

RansomPlus Ransomware can encipher users’ documents, photographs, and other personal files located on the computer at the time the system gets infected. Luckily, the malicious application is only after specific folders, so at least some of the data might be left unencrypted. For more information about the folders and file types the malware is after, you should read the rest of the text. We will also add a removal guide at the end of this article to help our readers get rid of RansomPlus Ransomware manually. Our researchers recommend deleting it because even if the threat’s creators promise to send the decryption tool for a particular price, there are no guarantees they will keep this pledge. Thus, instead of gambling with your money, we encourage you to learn more about the ransomware and eventually eliminate it.

To begin with, the malware may enter the system after the user launches a malicious file. Such data could reach the victim through suspicious spam emails. Therefore, our specialists always advise users to be more careful with email attachments and scan them with a reliable antimalware tool before opening. The infected file could seem completely harmless, e.g. it might look like an invoice, picture, photo, and so on. As a result, more careless users might infect their system accidentally. Since the malicious application should work on the computer silently, you may not realize what has happened until you notice the encrypted files or a message from the RansomPlus Ransomware’s developers.

After the system gets infected, the malware should search for files it could encipher in the following directories: %ALLUSERSPROFILE%, %ALLUSERSPROFILE%\Application Data, %USERPROFILE%\Documents, %USERPROFILE%\Music, %USERPROFILE%\Pictures, %USERPROFILE%\Videos, %LOCALAPPDATA%, and %USERPROFILE%\Local Settings\Application Data. Additionally, it may check folders with names from 4 to 6 characters long (e.g. Users) in the %HOMEDRIVE% location. All executable files, photographs, pictures, videos, text documents, and other files found in the mentioned directories should be enciphered and marked with the .encrypted extension.

Later, RansomPlus Ransomware could add files called YOUR_FILES_ARE_ENCRYPTED!!!.txt to the locations containing encrypted data. This ransom note might even be opened automatically so the user would see the cyber criminals’ message immediately. In the note, the malicious application’s creators should demand that you pay about 0.25 BTC, or around 260 US dollars at the moment of writing. If you believe what they are saying, the decryption tool should be sent to the victim through email after the payment is confirmed. The problem is that there are no assurances, and you cannot expect a refund if anything goes wrong. No doubt, RansomPlus Ransomware’s creators might try to convince you of their good intentions, but who can say they will actually keep their promise?
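To see how much data was affected before restoring from backups, the two markers described above (the .encrypted extension and the ransom note name) can be counted per folder. The following read-only script is an added example, not part of the original guide or any vendor tool; the names scan and TARGETS are hypothetical, and the directory list is the one given above, written with %USERPROFILE%.

```python
import os
from collections import Counter

NOTE_NAME = "your_files_are_encrypted!!!.txt"  # ransom note name from the article, lower-cased
ENC_SUFFIX = ".encrypted"                      # extension the article says is appended

# Targeted directories as listed in the article (Windows environment-variable form).
TARGETS = [
    r"%ALLUSERSPROFILE%",
    r"%ALLUSERSPROFILE%\Application Data",
    r"%USERPROFILE%\Documents",
    r"%USERPROFILE%\Music",
    r"%USERPROFILE%\Pictures",
    r"%USERPROFILE%\Videos",
    r"%LOCALAPPDATA%",
    r"%USERPROFILE%\Local Settings\Application Data",
]


def scan(roots):
    """Read-only walk. Returns (sorted ransom-note paths, Counter of .encrypted files per folder)."""
    notes, encrypted, seen = [], Counter(), set()
    for root in roots:
        for folder, dirs, files in os.walk(root):
            real = os.path.realpath(folder)
            if real in seen:       # overlapping roots or junctions: count each folder once
                dirs[:] = []       # do not descend again
                continue
            seen.add(real)
            for name in files:
                lowered = name.lower()
                if lowered == NOTE_NAME:
                    notes.append(os.path.join(folder, name))
                elif lowered.endswith(ENC_SUFFIX):
                    encrypted[folder] += 1
    return sorted(notes), encrypted


if __name__ == "__main__":
    # os.path.expandvars resolves %VAR% on Windows; unresolved or missing paths are skipped.
    roots = [p for p in map(os.path.expandvars, TARGETS) if "%" not in p and os.path.isdir(p)]
    notes, encrypted = scan(roots)
    for folder, count in sorted(encrypted.items()):
        print(f"{count:6d}  {folder}")
    print(f"{len(notes)} ransom note(s), {sum(encrypted.values())} file(s) ending in {ENC_SUFFIX}")
```

The script only lists and counts; it deletes nothing and cannot decrypt files.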

If you do not want to pay the ransom and gamble with your money, we advise you to ignore the cyber criminals’ demands and erase the malware. One way to eliminate it is to manually delete suspicious data that could be related to RansomPlus Ransomware. For a more detailed explanation, take a look at the manual removal guide added below this text. The second way to get rid of the malicious application is to use a reputable antimalware tool. First, install it on the infected computer and see that it performs a full system scan. Then review the detected threats and erase them all at the same time by clicking the provided deletion button. Do not forget that if the infection managed to encipher valuable data, you could recover it from copies or try to use recovery tools.

Remove RansomPlus Ransomware

  1. Open the Explorer (Windows Key+E).
  2. Find the following locations one by one:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  3. Locate the malicious file you opened before the malware appeared.
  4. Select the infected file and press Shift+Delete.
  5. Erase files called YOUR_FILES_ARE_ENCRYPTED!!!.txt.
  6. Close the Explorer and reboot the system.

In non-techie terms:

RansomPlus Ransomware is one of the newest computer threats created for money extortion. That is why it encrypts personal files and shows a ransom note demanding payment for a decryption tool. Despite the promises given, there are no guarantees the decryption tool will be delivered, and if the malicious application’s creators trick you, there will be no way to get the transferred money back. Thus, we advise you to look for alternative ways (e.g., backup copies or recovery software) to recover important files and delete the infection as soon as possible. Users can erase it manually by following the removal guide placed above or use a reliable antimalware tool.