Asus Ransomware Removal Guide

Do you know what Asus Ransomware is?

If you think that Asus Ransomware only affects Asus owners, you are very wrong. The name of this malware is in no way representative of the target, and it was chosen for the sole purpose of convenience. Our researchers have analyzed a bunch of infections from the Crysis/Dharma Ransomware family (the same code is used to create them all), and most of them have very short and memorable names. Some of them include Wiki Ransomware, Uta Ransomware, Save Ransomware, or Wal Ransomware. These names are not given to the infections by their creators, but the creators do play a part in the naming because they create the extensions that are added to the corrupted files to mark them. In our case, the extension is “.id-{unique code}.[DataBack@qbmail.biz].asus”. As you can see, the actual extension is longer, but it is easier to name the infection after the last part. The extension is added as a marker, and so it is not necessary to delete it. On the other hand, removing Asus Ransomware is a must.
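To plan a restore from backups, it helps to list which files carry the marker and what they were called before. The PowerShell below is an added example, not part of the original guide; it assumes the "{unique code}" contains no dots (the page does not specify its format), and the function names and sample file names are constructed for illustration.

```powershell
# Added example: parse the marker extension ".id-{unique code}.[contact].asus".
# Assumption: the unique code contains no dots; the guide does not give its format.
$MarkerPattern = '^(?<Original>.+)\.id-(?<Id>[^.]+)\.\[(?<Contact>[^\]]+)\]\.asus$'

function ConvertFrom-MarkedName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $m = [regex]::Match($Name, $MarkerPattern, 'IgnoreCase')
        if ($m.Success) {
            [pscustomobject]@{
                MarkedName   = $Name
                OriginalName = $m.Groups['Original'].Value   # name before the marker was appended
                Id           = $m.Groups['Id'].Value
                Contact      = $m.Groups['Contact'].Value
            }
        }
    }
}

function Get-MarkedFile {
    # Read-only walk of a folder tree; returns one record per marked file.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = ConvertFrom-MarkedName -Name $_.Name
            if ($info) {
                $info | Add-Member -NotePropertyName Directory -NotePropertyValue $_.DirectoryName -PassThru
            }
        }
}

# Constructed sample names (not taken from a real incident).
$sample = @(
    'report.docx.id-EXAMPLE01.[DataBack@qbmail.biz].asus',
    'photo.jpg.id-EXAMPLE01.[DataBack@qbmail.biz].asus',
    'notes.txt'   # unmarked, so it produces no record
)
$sample | ConvertFrom-MarkedName | Format-Table OriginalName, Id, Contact

# Real use: write an inventory to compare against backup contents.
# Get-MarkedFile -Root 'D:\Data' | Export-Csv .\marked-files.csv -NoTypeInformation
```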

We cannot say who created Asus Ransomware or the clone infections. It is possible that several different attackers can be linked to them. It is also possible that every single infection has a unique creator. In any case, the same malware code is employed for development, and it is likely that the same distribution methods are employed as well. Our researchers believe that spam emails or unsecured RDP systems could be used in most cases. So, if you are careless with the emails you open, or you keep your remote access enabled, you are the prime target. In the end, Asus Ransomware is supposed to stay hidden, and so even if you are vigilant, you might be tricked into letting this malware in. If that happens, files are encrypted, and the discussed extension is added to their names. At this point, you might not notice anything wrong, or you might not understand what has happened. However, as soon as all intended personal files are encrypted, the infection launches a window entitled “DataBack@qbmail.biz”.

The window launched by Asus Ransomware carries a message that we identify as the “ransom note.” The message informs you that files were encrypted and that you need to email DataBack@qbmail.biz or BTCdecoding@foxmail.com within 24 hours to get more information about how to pay money in return for a “decryption tool” that, supposedly, would free your personal files. Asus Ransomware also creates a file named “FILES ENCRYPTED.txt” to reinforce this message. We do not recommend following these demands because even sending a simple message could lead to problems. For example, the attackers could send malicious files instead of a decryptor. Of course, if you agreed to pay the ransom, it is unlikely that you would receive a decryptor. Unfortunately, even if your money goes to waste, you will not get it back. Despite this, some victims might choose to take the risk because a free decryptor does not exist at this time, and losing personal files can be too devastating. Even so, we do not recommend paying the ransom.

Whether or not you can delete Asus Ransomware manually depends on whether or not you can find the infection’s executable. If you can find and delete it, the remaining components will be easy to eliminate. If you cannot find the executable, you want to install a tool that will scan your system and erase malware automatically. A reliable anti-malware tool is exactly the tool you need. The best part is that once it is done serving you as an elimination tool, it will continue offering Windows security services. You definitely need such services if you want to evade malware in the future. Unfortunately, in some cases, even full protection is not enough, and that is why you need to have files backed up. If copies exist outside the infected computer, you will always be able to replace the corrupted files.

Remove Asus Ransomware

  1. Remove an [unknown name] file that helped launch the infection.
  2. Go to the Desktop, and remove the file named FILES ENCRYPTED.txt.
  3. Delete a malicious [unknown name].exe file and a file named Info.hta. To find these files, tap Win+E keys at the same time to launch Explorer and enter the following paths into the field at the top:
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Tap Win+R keys to launch RUN and then enter regedit into the dialog box.
  5. In Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  6. Delete keys linked to the files mentioned in step 3.
  7. Exit Registry Editor and Explorer, and then empty the Recycle Bin.
  8. Scan your system using a trusted malware scanner to check for leftovers.
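The manual search in steps 2 to 6 can be done as a read-only audit before anything is deleted. The PowerShell below is an added example, not part of the original guide; the 30-day look-back window and the use of signature status to help spot the unknown-name executable are assumptions chosen for illustration, and the script only lists candidates.

```powershell
# Added example: read-only audit for steps 2-6. It lists candidates and deletes nothing.
$Days = 30   # assumed look-back window; set it to cover the suspected infection date

$locations = @(
    [Environment]::GetFolderPath('Desktop'),   # step 2
    $env:APPDATA,                              # step 3 paths follow
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
)
$existing = $locations | Where-Object { Test-Path -LiteralPath $_ }
$cutoff   = (Get-Date).AddDays(-$Days)

# Top level of each location only, as in the manual steps.
$candidates = foreach ($dir in $existing) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -in @('Info.hta', 'FILES ENCRYPTED.txt')) -or
            ($_.Extension -eq '.exe' -and $_.CreationTime -ge $cutoff)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                # Signature status helps separate Windows binaries from a dropped file.
                Signature = if ($_.Extension -eq '.exe') {
                                (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                            } else { 'n/a' }
            }
        }
}

# Step 5: read the Run key and keep values whose command mentions a candidate file.
$runKey  = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($name in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($name)
    foreach ($c in $candidates) {
        $leaf = Split-Path -Leaf $c.Path
        if ($command.IndexOf($leaf, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ ValueName = $name; Command = $command; MatchedFile = $c.Path }
        }
    }
}

$candidates | Sort-Object Created | Format-Table -AutoSize
$runHits    | Format-Table -AutoSize
```

A recently created executable without a valid signature that also appears in `$runHits` is the strongest candidate for the file described in step 3; review each result by hand before removing anything.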

In non-techie terms:

When the malicious Asus Ransomware attacks, it is silent. However, this malware is not meant to stay silent forever. As soon as files are encrypted, it immediately drops a .txt file and launches an .hta file to inform the victims about what has happened and what is expected to happen next. As you might have figured out already, the attackers want you to pay money for a decryptor that is supposed to decrypt files. Well, you cannot know whether or not your files would be decrypted if you fulfilled the attackers’ demands because they are the ones who promise to give you the tool, and, as you must know, cyber attackers cannot be trusted. Unfortunately, it does not look like you can recover your files by deleting Asus Ransomware or following the cybercriminals’ demands. However, if backups exist, you can replace the corrupted files easily. Of course, you should delete the infection first.