Blend Ransomware Removal Guide

Do you know what Blend Ransomware is?

Blend Ransomware is the kind of infection that we can understand without looking deep into it at all. Of course, our research team has thoroughly inspected this malware, but our prediction has been confirmed: this ransomware is just a new variant of the infamous Phobos Ransomware. Phobos variants are very similar to Crysis/Dharma Ransomware variants, and that is because they all derive from the same malware code. These infections usually spread with the help of clever spam emails (via attachments) and bundled downloaders that could introduce the malicious launchers as harmless or even attractive files. After execution, they all encrypt personal files, which means that documents, photos, and videos are made unreadable. Unfortunately, removing Blend Ransomware does not solve the problem, but this threat must be deleted as soon as possible, and we can help you with that.

Did you first discover the presence of Blend Ransomware when you found that your files are unreadable and that the “.id-*.[helips@protonmail.com].blend” extension is attached to all of them? Perhaps you discovered the infection only after it launched a window called “encrypted,” which a file named “Info.hta” is responsible for. The window delivers an intimidating message, according to which, personal files were encrypted using the RSA-1024 key, and now you need to email helips@protonmail.com if you want to recover them. It is stated in the message that the attackers have a “secret key” that they are prepared to store for seven days, after which, it should be deleted. This is the key that is supposed to make the decryption of your personal files possible. However, later on, the message suggests that you will be provided with a “decryption program.” In any case, the creator of Blend Ransomware wants you to pay money for the key/program. The demanded ransom is the only reason this malware was created at all.

Blend Ransomware also uses a file named “info.txt” to push you to email helips@protonmail.com. Some victims might think that sending a quick message is a harmless move. It is not. If you expose yourself to cybercriminals via email, they could send you ransom payment instructions, terrorize you, and also include you in other scams in the future. All in all, even if you pay the ransom – and we cannot know how big it could be – you are unlikely to get anything in return for it, and so sending emails to cybercriminals is the last thing you want to do. You should not even consider the option of paying the ransom or contacting the attackers if you have other options. Let’s say, you have backup copies of all personal files. If you do, delete Blend Ransomware and then use the copies to replace the corrupted files. What about free decryptors? At the time of research, we could not confirm the effectiveness of Dharma/Crysis decryptors, but you should definitely look into this option. Just be cautious so as not to download more malware.
This Blend Ransomware removal guide will assist those who can find the launcher of the malicious threat. Since its location is unknown and its name could be random, unfortunately, we cannot help you uncover this file. Obviously, if you cannot find it, or if you are unable to follow the remaining steps in the removal guide below, it is best for you to install legitimate anti-malware software. The right software will automatically delete Blend Ransomware and, if they exist, all other threats. Furthermore, your system’s protection will be taken care of so that you would not need to fear the invasion of other file-encryptors in the future. Of course, you need to create backup copies of all personal files, and you also need to be cautious about spam emails, malicious downloaders, and system vulnerabilities.

Remove Blend Ransomware

  1. Right-click the {random/unique name}.exe file/launcher and choose Delete.
  2. Right-click and Delete the ransom note file, info.txt. If copies exist, erase them too.
  3. Simultaneously tap Win+E keys to access Windows Explorer.
  4. Enter these lines into the quick access field and Delete the files named Info.hta and {random name}.exe:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %HOMEDRIVE%
    • %LOCALAPPDATA%
    • %USERPROFILE%\Desktop\
  5. Simultaneously tap Win+R keys to access the Run dialog box.
  6. Enter regedit into the box and click OK to access Registry Editor.
  7. Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Right-click and Delete the {unknown name} value linked to the malicious {random name}.exe file (step 4).
  9. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  10. Right-click and Delete the {unknown name} value linked to the malicious {random name}.exe file (step 4).
  11. Exit Registry Editor and then quickly Empty Recycle Bin.
  12. Perform a complete system scan using a trusted malware scanner.
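
A read-only way to check the locations from steps 4 to 10 before deleting anything by hand, as an added PowerShell example that is not part of the original guide. It assumes Windows PowerShell 3.0 or later; the variable names are illustrative, and the files and Run values it lists are candidates to review, not verdicts.

```powershell
# Added example: read-only audit of the locations named in steps 4-10.
# Nothing is deleted; the output lists candidates to review, not verdicts.

# Folders from step 4. A backslash is appended to %HOMEDRIVE% so it means the drive root.
$folders = @(
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%HOMEDRIVE%\',
    '%LOCALAPPDATA%',
    '%USERPROFILE%\Desktop\'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Where-Object { Test-Path -LiteralPath $_ }

# Info.hta, info.txt and any .exe sitting directly in those folders (no recursion).
$files = foreach ($dir in $folders) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -in @('Info.hta', 'info.txt')) -or ($_.Extension -eq '.exe') } |
        Select-Object FullName, LastWriteTime, @{ Name = 'Signature'; Expression = {
            if ($_.Extension -eq '.exe') { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status }
        } }
}
$paths = @($files | Where-Object { $_ } | ForEach-Object { $_.FullName })

# Run values from steps 7-10, flagged when their data references a candidate file.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$values = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $hit = $paths | Where-Object { $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        [pscustomobject]@{ Key = $key; Name = $name; Data = $data; LinksToCandidate = [bool]$hit }
    }
}

'--- Candidate files (step 4) ---'
$files | Format-Table -AutoSize -Wrap
'--- Run values (steps 7-10) ---'
$values | Sort-Object LinksToCandidate -Descending | Format-Table -AutoSize -Wrap
```

An unsigned .exe in a Startup folder that is also referenced by a Run value is the combination steps 4, 8 and 10 describe; signed executables from known vendors in the same folders are usually unrelated.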

In non-techie terms:

Blend Ransomware does not have that many components, and removing it manually should not be too difficult (if the location of the launcher is known), but this threat can leave you miserable. That is because it encrypts personal files, which renders them unreadable. The purpose here is to make you pay a ransom in return for a key or a decryptor that, allegedly, would restore all files. Hopefully, you know better than to trust cybercriminals’ promises, and you know very well that you should move on with the removal of the threat. If you want to delete Blend Ransomware yourself, follow the guide below. If you need help and if you care about your system’s protection in the future, install anti-malware software. Hopefully, after you do that, you can replace the corrupted files with backups/copies of your files.