Strawhat Ransomware Removal Guide

Do you know what Strawhat Ransomware is?

Strawhat Ransomware is a new crypto-threat that might infiltrate your computer illegally one day. Although it has been programmed to encrypt users’ personal files upon the successful entrance, you will not necessarily find your files encrypted. Its original version locks files only in C:\test, so if you do not have such a folder with files in this directory, you will not find a single file encrypted. Since it does not encrypt files located in other directories and does not work on Windows 7, our experienced specialists are 99% sure that this infection is still in development. Of course, it might be updated soon, so you should remove the ransomware infection from your computer right away so that it could not get updates and bring problems to you. Luckily, it is not one of those threats that make modifications in the system registry or block system utilities, so you will remove it quite easily. Unfortunately, we cannot promise that it will still be easy to delete it when cyber criminals finish developing it and start actively spreading it to get money from users.

No doubt cyber criminals are developing Strawhat Ransomware so that they could obtain money from users easier because this infection already encrypts files. As mentioned in the first paragraph, it encrypts files located in the test folder only, but this might change soon. Research has shown that this infection encrypts .txt, .pdf, .docx, .xls, .doc, .mpeg, .xlsm, .mp4, .raw, .ppt, .cfg, .gif, .pat, .cat, .xml, .inf, .mdb, .dot, and a bunch of other files, so we are sure you will find all the most valuable files encrypted after the Strawhat Ransomware entrance when cyber criminals finish it and set it to encrypt files in other directories too. What else has been observed is that this threat drops YOUR_FILES_ARE_ENCRYPTED.txt and YOUR_FILES_ARE_ENCRYPTED.html on compromised machines. The .txt file is a ransom note. It tells users why their files have been locked (“The files on your computer have been encrypted with an military grade encryption algorithm”). Also, users find out that their files can be unlocked only with a special decryption program. Of course, cyber criminals do not give decryption tools to users for free (“You have to pay for decryption in Bitcoins”). Most likely, you do not need the decryption tool because your files are fine, i.e., they have not been encrypted; however, we cannot guarantee that this ransomware infection will not be updated. Frankly speaking, we do not recommend paying money to cyber criminals even if you have found your files encrypted because you do not know whether your could unlock them after paying money.Strawhat Ransomware Removal GuideStrawhat Ransomware screenshot
Scroll down for full removal instructions

Strawhat Ransomware is not distributed actively yet because it is still in development, but this might change soon, so we want to tell you more about the distribution of ransomware infections. This knowledge should help you to prevent such serious infections from entering your computer again. Researchers say that crypto-malware is often distributed via spam emails, so users should stay away from them all no matter than some of them contain attachments that look like harmless documents. Also, users might download these threats from corrupted pages, specialists say, so you should download applications only from those pages you know are 100% trustworthy. Of course, it is not always a piece of cake to prevent malware from entering the system, so there must be a reputable security tool installed on all users’ computers too.

You should remove the ransomware infection from your computer even if it has not encrypted any of your files because it might get updates and cause you serious problems. You should be able to erase this infection from your computer manually because it is not one of those threats that lock the screen or create several new registry keys in the system registry. Of course, if it turns out that the manual removal method is not for you, download a reputable antimalware scanner and use it to erase this infection from your computer.

How to delete Strawhat Ransomware

  1. Press Ctrl+Shift+Esc on your computer.
  2. Open the Processes tab.
  3. Locate the svchost process and kill it.
  4. Close Task Manager.
  5. Open Explorer and check the following directories: %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP%.
  6. Delete suspicious files.
  7. Delete ransom notes YOUR_FILES_ARE_ENCRYPTED.txt and YOUR_FILES_ARE_ENCRYPTED.html dropped by the ransomware infection.
  8. Empty Recycle bin.

In non-techie terms:

Strawhat Ransomware belongs to the category of one of the nastiest malicious applications – ransomware. Luckily, it is still in development and does not encrypt files. Of course, it does not mean that it will act the same in the future. The chances are high that it will be updated one day, so you should delete this ransomware infection from your computer fully even if it has not encrypted any of your files yet because it might strike again one day and ruin them all mercilessly.