Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is yet another ransomware that has recently been published by its secretive developer. This developer is also responsible for releasing Ransomware, Ransomware, and many other ransomware-type programs. You must remove this application once you notice its presence, but it is too late to save your files because this ransomware encrypts them upon infecting your PC. Decrypting the files for free is currently impossible, but paying the ransom to get the decryptor from the developers is also not an option because its cost is too high.

Like its many predecessors, Ransomware is also based on the CrySIS ransomware engine, which means that its encryption is very strong, but more on that later. If you do not have an antimalware program on your PC, then you should be careful when opening emails received from unknown people or seemingly legitimate businesses and government agencies. The emails contain double attachments that do not look like an executable at first, but when opened will drop this ransomware's executable in one of seven locations on your computer. Our security experts have found that these locations include directories such as %WINDIR%\Syswow64, %WINDIR%\System32, and five other locations.

Once on your computer, the executable will launch automatically, connect to its command and control (C&C) server, and begin encrypting your files. This particular ransomware uses the RSA cryptosystem with a 2048-bit key size, so its encryption is quite strong. To date, security researchers have yet to create a decryption program for the unique encryption method used by this particular application. While encrypting, it will append the .XTBL file extension to the encrypted files. It will also add a unique ID number and the email address to the name of the encrypted

We would like to point out that Ransomware is set to encrypt almost all file formats you can think of. For example, it can encrypt file formats such as .txt, .doc, .docx, .xls, .xlsx, .xml, .ppt, .pptx, .pdf, .php, .odt, .jpg, .png, .csv, .sql, .mdb, .hwp, .asp, .aspx, and .html. We would also like to add that it will encrypt files in almost all of the directories on your PC, but skip some of them, which include %Windows%, %System32%, %Temp%, %AppData%, and a few others. Once the encryption process is complete, this ransomware will drop several non-malicious files on your PC. One of these files is named How to decrypt your files.jpg and it is set as the desktop wallpaper. The text in the image says that your files have been encrypted, and you need to contact the provided email address. The second file is called How to decrypt your files.txt. It is a text file that reads “DECRYPT FILES EMAIL”

None of these files make any mention of paying a ransom. However, our security experts have found that when you contact the developer via the provided email, you will be asked to pay a ransom for the program that decrypts your files. You will be asked to pay the ransom in Bitcoins, and it can range from 2 BTC (1241.41 USD) to 4 BTC (2482.82 USD). Obviously, the sum of money you may be asked to pay is high, and it may not be worth the money.

You can refuse to pay the ransom and delete Ransomware instead. The choice is entirely up to you, but consider the possibility of not getting the decryption software once you have paid. To remove this ransomware, we invite you to use our manual removal guide, but since the main executable is named randomly, you may have a hard time finding it. So, alternatively, you can use SpyHunter, an anti-malware program that will make light work of Ransomware and provide protection for your computer.

Delete this ransomware manually

  1. Simultaneously press Windows+E keys.
  2. In the File Explorer’s address box, enter the following paths.
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
  3. Locate this ransomware’s executable and delete it.
  4. Go to C:\Users\[user name]
  5. Find and delete How to decrypt your files.jpg
  6. Delete How to decrypt your files.txt
  7. Empty the Recycle Bin.

Delete the registry string

  1. Simultaneously press Windows+R keys.
  2. Enter regedit in the box and click OK.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the randomly named string and delete it.
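
Because the executable and its registry string are randomly named, it helps to list every candidate before deleting anything. The following PowerShell inventory is an added example, not part of the original guide: it only reads the Startup folders, the Run key, and the user profile named in the steps above, and the helper name Get-SignatureStatus is made up for this illustration.

```powershell
# Added example: read-only inventory of the locations named in the removal steps.
# Nothing is deleted; review the output, then remove entries by hand as described.

# Startup folders from the guide. System32 and Syswow64 are left out here
# because they hold thousands of legitimate executables.
$startupDirs = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# Hypothetical helper: Authenticode status of a file, or 'FileMissing'.
function Get-SignatureStatus([string]$Path) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-AuthenticodeSignature -LiteralPath $Path).Status
    } else { 'FileMissing' }
}

# 1. Executables placed directly in a Startup folder.
$startupDirs | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -File -Filter *.exe -Force } |
    Select-Object FullName, CreationTime,
        @{ n = 'Signature'; e = { Get-SignatureStatus $_.FullName } }

# 2. Every value under the Run key, with the executable it launches.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runKey.GetValueNames()) {
    $cmd = [string]$runKey.GetValue($name)
    # Take the quoted path if present, otherwise everything up to the first ".exe".
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = $cmd }
    [pscustomobject]@{
        ValueName = $name
        Command   = $cmd
        Signature = Get-SignatureStatus $exe
    }
}

# 3. Ransom notes dropped in the user profile (the .jpg and .txt from the guide).
Get-ChildItem -LiteralPath $env:USERPROFILE -File -Force |
    Where-Object { $_.Name -like 'How to decrypt your files.*' } |
    Select-Object FullName, CreationTime
```

Entries whose signature status is not Valid and whose value name or file name looks random are the ones to check against the steps above.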

In non-techie terms: Ransomware is a malicious application dedicated to encrypting your files with an advanced encryption system and demanding that you pay money to get your files back. This ransomware is part of a money extortion scheme, and there is no telling whether its developer will give you the decryptor once you have paid. Regardless, you should delete this program as soon as possible.