Resurrection Ransomware Removal Guide

Do you know what Resurrection Ransomware is?

Resurrection Ransomware is a crypto-threat based on Hidden-Tear, an open-source ransomware. Although it is a newly discovered infection, it does not differ much from older ransomware infections analyzed by our experienced specialists some time ago. First, it finds a security loophole and enters the system illegally. Right after that, it locates .xltm, .zip, .slk, .potm, .jpg, .edb, .efx, .dip, .docx, .dot, .3dm, .bat, .jar, .java, .as3, .QBR, .Des, and other valuable files and encrypts them all. These files are locked with AES (Advanced Encryption Standard), a strong encryption algorithm, so unlocking them is not a piece of cake. Frankly speaking, it might even be impossible to get them back without the decryption key. Cyber criminals are well aware of that: they release a file-locking application on purpose and then demand money from users who get infected and find their personal data encrypted. You should not send money to cyber criminals by any means because you might get nothing from them. In such a case, your money will not be sent back to you either.

The second Resurrection Ransomware slithers onto a user’s PC, it tries to establish communication with its C&C server (http://resurrection.redirectme.net/write.php?info=) to get the key for locking the valuable files it finds on the computer. It affects pictures, documents, videos, etc. without mercy and appends a new extension, .resurrection, to all files. It also drops a ransom note, README.html, in three directories: %USERPROFILE%\Desktop, %USERPROFILE%, and %HOMEDRIVE%. You will find the note in these directories after Resurrection Ransomware has entered the system even if your files do not become locked, i.e. even if you encounter a version that does not work properly. Users are first told that it is not a joke: they have encountered a serious malicious application locking files, i.e. a crypto-threat. Then, the ransom note tells them that they can unlock their files only by purchasing a key from cyber criminals within 36 hours. Its price is 1.77 Bitcoin (~4300 USD) at today’s price. After sending money, users have to write an email to resurrection777@protonmail.com. Unfortunately, we cannot guarantee that they will get an answer with a decryption key. This is the main reason we believe that sending money to cyber criminals is a very bad idea. There is not much you can do to unlock your files without the private decryption key. In fact, there is only one way to get files back for free: recover them all from a backup.

Our experienced specialists have recently carried out research to find out more about Resurrection Ransomware, but, unfortunately, they could not find much about its distribution because it is still quite a new infection. Although not much is known about its dissemination, our researchers are 99% sure that this ransomware infection is spread mainly via spam email campaigns. Stay away from spam emails in the future so that you do not get infected with dangerous malware again. Our experienced security specialists say that users should stay away from software on dubious P2P pages too because ransomware infections might be disguised as decent software on them. If your files have been encrypted, you see a new file README.html in several directories, and you can easily locate a file Recovery.key on the Desktop, you were most probably not successful in ensuring the maximum protection of your computer.

Your level of expertise in malware removal determines whether you can remove Resurrection Ransomware from your computer manually or should leave this job to an automatic scanner. If you are not a very experienced user, you should use an automatic tool to remove it. If you have some experience in malware removal and knowledge about computers, you should be able to delete this ransomware infection from your system manually without difficulties. Use the manual removal guide below if needed.

How to remove Resurrection Ransomware

  1. Press Ctrl+Shift+Esc.
  2. Click on the Processes tab to open it.
  3. Kill a process representing Resurrection Ransomware (right-click on this process and select End Process from the drop-down menu).
  4. Delete the malicious file launched recently.
  5. Remove README.html from %USERPROFILE%\Desktop, %HOMEDRIVE%, and %USERPROFILE%.
  6. Delete Recovery.key from %USERPROFILE%\Desktop.
  7. Empty the Trash bin.
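
A read-only check for the files named in steps 5 and 6 and for files carrying the .resurrection extension, added here as an example (it is not part of the original guide or of any vendor tool). The function name Get-ResurrectionArtifact, its parameters, and the choice to search only the user profile for encrypted files are assumptions of this example.

```powershell
# Added example: read-only inventory of the artifacts this guide names.
# Get-ResurrectionArtifact and its parameters are hypothetical names.
function Get-ResurrectionArtifact {
    [CmdletBinding()]
    param(
        [string]$UserProfile = $env:USERPROFILE,
        [string]$HomeDrive   = $env:HOMEDRIVE,
        # Assumption: encrypted files are searched for under these roots only.
        [string[]]$ScanRoot  = @($UserProfile),
        [string]$Extension   = '.resurrection'
    )

    # Ransom note locations (step 5) and the key file (step 6).
    $dropped = @(
        (Join-Path $UserProfile 'Desktop\README.html'),
        (Join-Path $UserProfile 'README.html'),
        (Join-Path "$HomeDrive\" 'README.html'),
        (Join-Path $UserProfile 'Desktop\Recovery.key')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{ Kind = 'DroppedFile'; Path = $item.FullName
                               Length = $item.Length; LastWrite = $item.LastWriteTime }
        }
    }

    # Files with the appended extension. -Filter narrows the search quickly;
    # the exact Extension comparison drops loose wildcard matches.
    Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force `
            -Filter "*$Extension" -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'EncryptedFile'; Path = $_.FullName
                               Length = $_.Length; LastWrite = $_.LastWriteTime }
        }
}

# Summary by kind, then the full list. Nothing is modified or deleted.
$found = @(Get-ResurrectionArtifact)
$found | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$found | Sort-Object Kind, Path | Format-Table Kind, LastWrite, Length, Path -AutoSize
```

README.html is a common file name, so compare each hit's LastWrite time with the time of infection before deleting it; the EncryptedFile rows are the list of files to restore from a backup.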

In non-techie terms:

Ransomware infections are harmful computer infections that want money from users. Resurrection Ransomware is one of them, so if it ever shows up on your PC, delete it without hesitation even if your files have been encrypted and you need the decryption key. Sending money to malware developers is never a good idea because there is a very high possibility that they will take the ransom but not send the unlock key. After the removal of Resurrection Ransomware, you could recover all your files for free from a backup.