Aleta Ransomware Removal Guide

Do you know what Aleta Ransomware is?

A new ransomware infection named Aleta Ransomware was discovered by our experienced specialists not long ago. It is one of those nasty infections that enter PCs with only one goal: to lock users’ files. These infections do not lock files to make fun of computer users. They all want one thing from them: their money. The cyber criminals behind Aleta Ransomware will also tell you to send them a certain amount of money once this threat finishes encrypting files. They are even ready to unlock 3 files for free to prove to users that they have a decryption key which can easily unlock files. We can only guess how badly you need to unlock certain files, but we are not going to change our opinion: paying the ransom to cyber criminals is not smart at all. Users should not pay them money because this might not help at all to remove the .[darkwaiderr@cock.li].aleta extension from files, i.e. decrypt them. Do not be so sure that they will give you the promised key even if they really have decrypted 3 files whose total size is less than 1 MB for you. What the victims of Aleta Ransomware need to do is delete this infection from their PCs, even though they need their files back. After its removal, they could restore their files from a backup for free. Since Aleta Ransomware deletes Shadow copies of files by issuing the command cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet, there is no other way to get them back at the time of writing.

We are sure you will soon find out about the entrance of Aleta Ransomware because your files in all directories, except for those having “program files”, “nvidia”, “intel”, “appdata”, “windows”, “programdata”, and other words in their names, will be locked. Research has shown that this threat targets .exe, .png, .lnk, .zip, .dll, .bmp, .msi, .bat, and other files with popular extensions, so we are sure that it primarily targets those files which users consider to be the most valuable. Once files are locked, a picture 1.bmp is dropped in %APPDATA% and then set as the Desktop background. Then, a ransom note !#_READ_ME_#!.inf is placed in different directories, including the Startup location. Because of this, the file is automatically opened when, for example, users reboot their PCs. The ransom note provides more information about the decryption of files. Users are told to contact the cyber criminals by email at darkwaiderr@cock.li first. Then, they will have to purchase Bitcoins and send a certain amount of money (“the price depends on how fast you write to us”) to the cyber criminals behind Aleta Ransomware. You should not send them a cent because you have no guarantee that you could decrypt your files after making a payment. You do not even need the special key if you make copies of your files periodically because you could restore them easily. Since Shadow copies of those encrypted files have already been deleted by Aleta Ransomware, there is not much you can do if you have never backed up your files: praying for a free decryptor to be released soon is all that is left for you.

There is no doubt that Aleta Ransomware has entered your PC without permission. Unfortunately, you might be the one who has helped it to show up on your computer. You could have helped it to enter your system by opening a malicious attachment from a spam email or clicking on a fake Download button on a P2P page. Hundreds of ransomware infections are spread using deceptive methods of distribution these days, so you cannot afford to do nothing if you do not want to discover a new crypto-threat on your system once again soon.

The removal guide prepared by our experienced specialists should make it easier to delete Aleta Ransomware fully. Unfortunately, neither our instructions nor an antimalware tool you can use to erase this infection automatically will help you to unlock those files which already have the extension .[darkwaiderr@cock.li].aleta appended to them.

Delete Aleta Ransomware manually

  1. Press Ctrl+Shift+Esc and click Processes.
  2. Check the list of processes and kill those you find suspicious.
  3. Press Win+R and type regedit.exe in the command line.
  4. Click OK or press Enter.
  5. Locate the Value Wallpaper in HKCU\Control Panel\Desktop, double-click it, and clear the Value data field.
  6. Click OK.
  7. Open HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aleta and remove this registry key.
  8. Close Registry Editor and open Explorer (tap Win+E).
  9. Delete !#_READ_ME_#!.inf from the following directories:
  • %ALLUSERSPROFILE%\Start Menu
  • %APPDATA%\Microsoft\Windows\Start Menu
  • %USERPROFILE%\Microsoft\Windows\Start Menu
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu
  10. Delete all suspicious files from %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP% directories.
  11. Empty the Trash bin.
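
The registry and ransom-note checks from steps 5, 7 and 9 above can be run as one PowerShell audit. This is an added example, not part of the original guide; the function name Find-AletaArtifact and its -Remove switch are hypothetical, and it assumes the wallpaper file keeps the name 1.bmp mentioned earlier.

```powershell
# Added example, not the guide's own tooling; Find-AletaArtifact and -Remove are hypothetical names.
function Find-AletaArtifact {
    [CmdletBinding()]
    param([switch]$Remove)   # report only unless -Remove is given

    # Step 5: Wallpaper value pointing at the dropped 1.bmp picture
    $desktopKey = 'HKCU:\Control Panel\Desktop'
    $wallpaper  = (Get-ItemProperty -LiteralPath $desktopKey -ErrorAction SilentlyContinue).Wallpaper
    if ($wallpaper -and [IO.Path]::GetFileName($wallpaper) -ieq '1.bmp') {
        [pscustomobject]@{ Step = 5; Kind = 'RegistryValue'; Path = "$desktopKey\Wallpaper = $wallpaper" }
        if ($Remove) { Set-ItemProperty -LiteralPath $desktopKey -Name Wallpaper -Value '' }
    }

    # Step 7: FileExts entry created for the .aleta extension
    $extKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aleta'
    if (Test-Path -LiteralPath $extKey) {
        [pscustomobject]@{ Step = 7; Kind = 'RegistryKey'; Path = $extKey }
        if ($Remove) { Remove-Item -LiteralPath $extKey -Recurse -Force }
    }

    # Step 9: ransom note under the Start Menu locations listed in the guide
    $noteName = '!#_READ_ME_#!.inf'
    $startMenuDirs = @(
        '%ALLUSERSPROFILE%\Start Menu'
        '%APPDATA%\Microsoft\Windows\Start Menu'
        '%USERPROFILE%\Microsoft\Windows\Start Menu'
        '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu'
        '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu'
    ) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

    foreach ($dir in $startMenuDirs) {
        # -Recurse also covers the Startup folder beneath each Start Menu directory
        Get-ChildItem -LiteralPath $dir -Filter $noteName -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Step = 9; Kind = 'RansomNote'; Path = $_.FullName }
                if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
            }
    }
}

Find-AletaArtifact | Format-Table -AutoSize
```

The audit leaves steps 2 and 10 to the person at the keyboard, since deciding which processes and files are suspicious needs judgement.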

In non-techie terms:

Aleta Ransomware is extremely dangerous malware which might enter your PC illegally and encrypt your files. The majority of users who discover this infection on their PCs do not have a security application enabled on their systems and, on top of that, they act quite carelessly on the web, e.g. download all kinds of applications from suspicious third-party pages they know nothing about. We are sure you would not want to encounter a new crypto-threat in the future, so we recommend always keeping a reputable security application enabled on the system.