Ransomware Removal Guide

Do you know what Ransomware is?

In this article, we discuss Ransomware, an application dedicated to encrypting your valuable files and demanding that you pay a ransom to get them back. The problem is that you might not get your files back after you have paid, so you should not comply with the cyber criminals' demands; instead, remove the infection as soon as possible. What this application does is illegal, but it is unlikely that its developer will be held accountable for the money he or she has extorted, because the program was not made in the US and is distributed worldwide.

Our security analysts are almost certain that Ransomware was created by someone based in Russia, because it is a clone of Ransomware, Malevich Ransomware, Ransomware, Petya Ransomware, and several others that often reference culture-specific items associated with Russia. Nevertheless, some other releases, such as Saraswati Ransomware, reference India, and some of them carry the ransom note in both Russian and English.

Regardless of where or by whom it was made, the fact of the matter is that this ransomware is distributed globally. Unlike some ransomware, it works in all regions and countries. Our malware analysts have determined that it is disseminated using spam email sent to random addresses. We do not know how the developer obtains them, but we think that they may come from fake surveys presented by adware-type software. In any case, the emails contain attachments that, when opened, drop this ransomware's main executable into one of seven possible locations.

Research has shown that, in most cases, this ransomware's randomly named executable is placed in either %WINDIR%\Syswow64 or %WINDIR%\System32. However, it might also be dropped in %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup and a few other locations. Moreover, this ransomware creates a string value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the main executable is launched on each system startup. Once the executable and its registry value are in place, the executable runs automatically and starts scanning your computer for files to encrypt. This program is not picky about file formats: it encrypts everything from images and audio files to executables, so that you can neither access your personal files nor run most programs.

It appends the .id-B4500913.{}.xtbl extension to encrypted files; the extension consists of a unique ID number and the email address you are expected to write to for further instructions. Ransomware uses RSA-2048, a strong public-key cipher, and there is currently no known way to recover the decryption key of this particular ransomware without the criminal's private key. Once encryption is finished, this malware changes the wallpaper to an image named how to decrypt your files.jpg, placed in C:\Users\{your user name}, and drops a file named Decryption instructions.txt on the desktop that reads: “All of your files are encrypted, to decrypt them write me to email: In case of no answer in 24 hours, write to” There is no telling how much money the cyber criminal will demand, but unless the files are vital, we urge you not to risk paying the ransom, because he or she might not send you the decryption tool.

Given that you might not get the decryptor once you have paid, we recommend that you do not pay and instead remove Ransomware. There are two ways to get rid of it. You can use the guide below, but because its main executable is randomly named, you may not be able to identify it. For this reason, we suggest using an antimalware program such as SpyHunter to delete Ransomware for you. Whichever way you choose, do not delete the encrypted files themselves: keep them (and a backup copy) in case a decryption tool for this family becomes available later.

How to delete Ransomware

  1. Press Windows+E keys.
  2. In the resulting File Explorer’s address bar, enter the following file paths one by one.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find the randomly named executable and delete it. If Windows reports that the file is in use, end its process in Task Manager first, then delete it.
  4. Then, go to C:\Users\{user name}
  5. Find how to decrypt your files.jpg and delete it.
  6. Also delete Decryption instructions.txt from the desktop.
  7. Close the window and empty the Recycle Bin.
  8. Press Windows+R keys, type regedit, and press Enter.
  9. In the Registry Editor, navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. Find the randomly named string value whose data is the path of the executable in one of the locations above (e.g. %WINDIR%\Syswow64) and delete it.
  11. Then, go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  12. Find and delete BackgroundHistoryPath0
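The manual steps above, together with the file-naming and persistence details given earlier (the seven drop locations, the Run-key value, the wallpaper and note files, and the .id-{ID}.{email}.xtbl extension), can be scripted so that the randomly named executable is found rather than guessed. The following PowerShell triage script is an added example written for this guide; it is not the guide's own tool and not code from the ransomware. The parameter names, the use of an Authenticode signature check to separate a dropped binary from legitimate Run entries that also live in System32, and the choice of %USERPROFILE% as the default scan root are this example's assumptions. Run it from an elevated PowerShell; it only reports unless -Remove is given, and -Remove -WhatIf previews what would be deleted. Encrypted files are counted and never touched.

```powershell
# Added example for this guide (not the guide's tool, not the ransomware's code).
# Reports the persistence and artefacts described in the guide and, with -Remove,
# deletes them. Encrypted files are only counted: they are the only input a future
# decryptor could use, so they are never deleted here.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ScanRoots = @($env:USERPROFILE),   # assumption: where to census encrypted files
    [switch]$Remove
)

# The seven drop locations listed in the guide, expanded for this machine.
$DropDirs = @(
    '%WINDIR%\Syswow64',
    '%WINDIR%\System32',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# The guide names the HKLM Run key; HKCU is checked as well because it is the same mechanism.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Extension pattern from the guide: .id-<hex ID>.<attacker email>.xtbl. The email is
# usually wrapped in braces, so the braces are optional here.
$XtblPattern = '\.id-(?<id>[0-9A-Fa-f]+)\.\{?(?<email>[^{}\\/\s]+@[^{}\\/\s]+)\}?\.xtbl$'

function Get-CommandPath([string]$Command) {
    # First token of a Run-key command line: the quoted path, or the text up to the first space.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split '\s', 2)[0]
}

function Get-SuspiciousRunValues {
    # Run values that launch a file from a drop directory and are NOT validly signed.
    # System32 also hosts legitimate Run entries (Microsoft-signed), so the signature
    # check is what separates those from a dropped, randomly named binary (assumption).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
            $exe = Get-CommandPath ([string]$p.Value)
            if (-not $exe) { continue }
            $inDrop = $DropDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inDrop) { continue }
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
            if ("$sig" -ne 'Valid') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $exe; Signature = "$sig" }
            }
        }
    }
}

function Get-StartupExecutables {
    # A Startup folder normally holds shortcuts, not binaries; an .exe there is worth a look.
    foreach ($dir in ($DropDirs | Where-Object { $_ -like '*\Startup' })) {
        if (Test-Path $dir) { Get-ChildItem -Path $dir -File -Filter '*.exe' }
    }
}

function Get-EncryptedFileSummary {
    # Count renamed files per (ID, email) pair; the email is the address from the ransom note.
    Get-ChildItem -Path $ScanRoots -Recurse -File -Filter '*.xtbl' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $XtblPattern) {
                [pscustomobject]@{ Id = $Matches.id; Email = $Matches.email; File = $_.FullName }
            }
        } | Group-Object Id, Email | Select-Object Name, Count
}

# Wallpaper and ransom note, at the locations the guide gives.
$Artifacts = @(
    (Join-Path $env:USERPROFILE 'how to decrypt your files.jpg'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Decryption instructions.txt')
) | Where-Object { Test-Path $_ }

$runHits     = @(Get-SuspiciousRunValues)
$startupHits = @(Get-StartupExecutables)
Write-Output 'Suspicious Run values:';               $runHits | Format-Table -AutoSize
Write-Output 'Executables in Startup folders:';      $startupHits | Select-Object FullName, LastWriteTime
Write-Output 'Ransom artefacts present:';            $Artifacts
Write-Output 'Encrypted files (ID, email : count):'; Get-EncryptedFileSummary

if ($Remove) {
    foreach ($h in $runHits) {
        # The dropped executable is normally still running; a running file cannot be deleted.
        Get-Process | Where-Object { $_.Path -eq $h.Path } | Stop-Process -Force -ErrorAction SilentlyContinue
        if ($PSCmdlet.ShouldProcess("$($h.Key)\$($h.Name)", 'Remove Run value')) {
            Remove-ItemProperty -Path $h.Key -Name $h.Name
        }
        if ((Test-Path $h.Path) -and $PSCmdlet.ShouldProcess($h.Path, 'Delete dropped executable')) {
            Remove-Item -Path $h.Path -Force
        }
    }
    foreach ($f in (@($startupHits | ForEach-Object FullName) + @($Artifacts))) {
        if ($PSCmdlet.ShouldProcess($f, 'Delete file')) { Remove-Item -Path $f -Force }
    }
}
```

Usage: `.\triage.ps1` to report only, `.\triage.ps1 -Remove -WhatIf` to preview deletions, `.\triage.ps1 -Remove` to apply them. The signature heuristic is deliberately conservative: a Run value pointing into System32 is only flagged when the target is unsigned, missing, or carries an invalid signature, which is the case for a freshly dropped, randomly named binary but not for the signed Microsoft entries that normally live there. The BackgroundHistoryPath0 value from step 12 is wallpaper history only and is left for the manual step.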

In non-techie terms: Ransomware is a typical ransomware-type malware whose objective is to encrypt your valuable files and offer to sell you a decryption tool. It encrypts all of the files on your PC, so you may feel compelled to purchase the tool, but the cost of the decryptor may not be worth your files, and you may not receive it at all. In any case, you should not comply with the demands of the cyber criminal; remove this infection instead.