Ransomware Removal Guide

Do you know what Ransomware is?

If your operating system was invaded by Ransomware, you should find personal files encrypted and the “.[].java” extension attached to their original names. Needless to say, this extension cannot be missed, but even if you do not know what it means, you will see that you cannot open your files. That is an indication that someone or something messed with the data of the files. Speaking of data, our researchers have found that the infection adds a “Marvel” token inside the file. At this point, it is unclear what the purpose of this token is. Anyway, once files are encrypted, there is nothing you can do to decrypt them. Hopefully, you have copies of your files backed up online or on external drives. That is the only chance you’ve got. All in all, whether or not you can restore your files, you have to remove Ransomware. This infection is dangerous, and the sooner you delete it, the better.

Do not open spam emails. Do not download software from unreliable websites. Do not click on strange and suspicious links or ads. You must be familiar with these warnings, but are you really careful? Every security backdoor is exploited by cyber criminals, and so you need to make sure that you do not leave any open. If Ransomware slithers in using one of these unguarded backdoors, it attacks immediately. First, it creates a copy of itself in the %APPDATA% directory. The name of the copy should be marvel.exe. Two points of execution are created in the Windows Registry to support this file, in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run::MarvelHost and in HKCU\Software\Microsoft\Windows\CurrentVersion\Run::MarvelHost. So, even if you remove the launcher of the infection, it can still run because of the copy and these points of execution. Then the infection encrypts files and adds the ridiculous extension to them, which at least lets you see which files were hit. After this, the infection deletes shadow volume copies, disables Windows recovery features, stops some services, and terminates certain processes.

Commands used by the infection:
cmd.exe /c bcdedit /set {default} recoveryenabled No
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
cmd.exe /c vssadmin delete shadows /all /quiet
cmd.exe /c wmic shadowcopy delete
cmd.exe /c wbadmin delete catalog -quiet

Services that are stopped by the infection:
sc.exe sc stop wscsvc
sc.exe sc stop WinDefend
sc.exe sc stop wuauserv
sc.exe sc stop BITS
sc.exe sc stop ERSvc
sc.exe sc stop WerSvc

Processes that are terminated by the infection:
taskkill /f /im MSExchange*
taskkill /f /im Microsoft.Exchange.*
taskkill /f /im sqlserver.exe
taskkill /f /im sqlwriter.exe
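Seen from the defender's side, the command lines listed above are the part of this infection that is easiest to catch in process-creation telemetry (Sysmon Event ID 1, EDR process events or similar). The following Python is an added example, not code from the original article: it turns the listed commands into matching rules, runs them over a few constructed sample events (the `timestamp|host|parent_image|command_line` format and the hostnames are made up for the example) and raises a higher-confidence alert only when several distinct behaviours fire on one host within a short window, because a lone `sc stop` or `vssadmin` call is routine administration while the whole sequence is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours the article attributes to the infection, as command-line patterns.
# Each entry: (rule name, regex, what a hit means for the defender).
RULES = [
    ("recovery_disabled",
     re.compile(r"bcdedit\b.*\bset\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
     "Windows recovery environment disabled"),
    ("bootstatus_ignored",
     re.compile(r"bcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
     "boot-failure recovery prompts suppressed"),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
     "volume shadow copies deleted"),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin\s+delete\s+catalog\b", re.I),
     "Windows backup catalog deleted"),
    ("defense_service_stopped",
     re.compile(r"\bsc(?:\.exe)?\s+(?:sc\s+)?stop\s+"
                r"(?:wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc)\b", re.I),
     "security, update or error-reporting service stopped"),
    ("db_mail_process_killed",
     re.compile(r"taskkill\b.*/im\s+(?:MSExchange|Microsoft\.Exchange\.|"
                r"sqlserver\.exe|sqlwriter\.exe)", re.I),
     "Exchange or SQL Server process killed (releases locked files)"),
]

# Constructed sample events, not real telemetry. WS01 shows the full sequence from
# the article; WS02 and WS03 show benign look-alikes that must not alert on their own.
SAMPLE_LOG = r"""
2024-01-01T10:00:01|WS01|C:\Users\user\AppData\Roaming\marvel.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
2024-01-01T10:00:02|WS01|C:\Users\user\AppData\Roaming\marvel.exe|cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-01-01T10:00:03|WS01|C:\Users\user\AppData\Roaming\marvel.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2024-01-01T10:00:04|WS01|C:\Users\user\AppData\Roaming\marvel.exe|cmd.exe /c wbadmin delete catalog -quiet
2024-01-01T10:00:05|WS01|C:\Users\user\AppData\Roaming\marvel.exe|sc.exe sc stop WinDefend
2024-01-01T10:00:06|WS01|C:\Users\user\AppData\Roaming\marvel.exe|taskkill /f /im sqlwriter.exe
2024-01-01T10:05:00|WS02|C:\Windows\explorer.exe|cmd.exe /c vssadmin list shadows
2024-01-01T11:00:00|WS03|C:\Windows\System32\services.exe|sc.exe stop BITS
"""


def parse_events(text):
    """Parse the constructed 'timestamp|host|parent_image|command_line' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "cmdline": cmdline})
    return events


def match_rules(cmdline):
    """Names of every rule whose pattern appears in one command line."""
    return [name for name, rx, _ in RULES if rx.search(cmdline)]


def correlate(events, window=timedelta(minutes=2), threshold=3):
    """One alert per host when at least `threshold` distinct rules fire within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            by_host[ev["host"]].append((ev["ts"], hits, ev["parent"]))
    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            rules, parents = set(), set()
            for ts, names, parent in hits[i:]:
                if ts - start > window:
                    break
                rules.update(names)
                parents.add(parent)
            if len(rules) >= threshold:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "rules": sorted(rules), "parents": sorted(parents)})
                break  # one alert per host is enough; the analyst pulls the rest
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']} {alert['first_seen']}: {', '.join(alert['rules'])}")
        print("  spawned by:", "; ".join(alert["parents"]))
```

The `parents` field is the pivot worth keeping: in the sample the whole sequence is spawned from the `%APPDATA%` copy the article describes, which is exactly the file the removal steps later tell you to delete.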

The malicious Ransomware is a variant of DCRTR Ransomware, and it is known that this infection encrypts everything except for system files in the %WINDIR% directory, as well as certain Microsoft apps (e.g., Internet Explorer). After all of that, ReadMe_Decryptor.txt is created. A copy of this file is created in every folder that is affected by the infection. According to the message in the file, the victim must email to decrypt files. The message reveals that decryption services are not free, but the exact sum of the ransom is unknown. Without a doubt, you should not pay for the decryption of your files because it is very unlikely that the creator of the infection has any intention to help you with decryption. After all, all they want is your money. This is why the only thing we recommend focusing on is the removal of Ransomware.

You need to delete Ransomware as soon as possible, but this threat creates a real mess on your operating system. Luckily, all services and processes will be restored once you remove the infection and restart the computer. First, you need to eliminate the threat, and you need to choose your method. Will you remove Ransomware manually (you can follow the instructions below, but only if you can identify the launcher file)? Will you employ anti-malware software? It can automatically delete the infection, which is very helpful, but it is most important that this software can solve the biggest problem you have – weak security of your Windows operating system. You cannot protect your system yourself, but the right software can.

Remove Ransomware

  1. Delete the malicious launcher (.exe file with random name).
  2. Open Explorer (tap Win+E keys) and enter %APPDATA% into the field at the top.
  3. Delete the copy of the launcher (should be named Marvel.exe).
  4. Open RUN (tap Win+R keys) and enter regedit.exe to open Registry Editor.
  5. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  6. Delete the key named MarvelHost.
  7. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the key named MarvelHost.
  9. Delete all copies of the ReadMe_Decryptor.txt file.
  10. Empty Recycle Bin and then restart the computer.
  11. Immediately install a legitimate malware scanner and perform a full system scan to make sure that you did not leave any leftovers behind.
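Step 9 asks you to delete every copy of ReadMe_Decryptor.txt, and before that you will usually want to know which folders were hit. The following Python is an added example, not a tool from the original article: it walks a directory tree, separates ransom-note copies from renamed (encrypted) files, and removes only the notes, with a dry run first. The file names in `build_sample_tree` are constructed for the example; the guide shows the appended extension as “.[].java”, and the bracketed part is assumed to vary, so it is matched loosely.

```python
import os
import re
import shutil
import tempfile

NOTE_NAME = "ReadMe_Decryptor.txt"
# The article shows the extension as ".[].java"; the bracketed part is assumed to
# vary between samples, so any bracketed text before ".java" is accepted.
ENCRYPTED_RE = re.compile(r"\.\[[^\]]*\]\.java$", re.IGNORECASE)


def is_encrypted_name(name):
    """True when a file name carries the appended ransomware extension."""
    return bool(ENCRYPTED_RE.search(name))


def inventory(root):
    """Walk `root` and classify files into note copies and encrypted files."""
    notes, encrypted, affected_dirs = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
                affected_dirs.add(dirpath)
            elif is_encrypted_name(name):
                encrypted.append(path)
                affected_dirs.add(dirpath)
    return {"notes": sorted(notes), "encrypted": sorted(encrypted),
            "affected_dirs": sorted(affected_dirs)}


def remove_notes(root, dry_run=True):
    """Delete every ransom-note copy (step 9). Encrypted files are never touched:
    they are the victim's data and may still be restorable from backups."""
    removed = []
    for path in inventory(root)["notes"]:
        if not dry_run:
            os.remove(path)
        removed.append(path)
    return removed


def build_sample_tree(root):
    """Constructed layout for the example, not a real infection: two hit folders, one clean."""
    layout = {
        "Documents": ["report.docx.[].java", "budget.xlsx.[].java", NOTE_NAME],
        "Pictures": ["holiday.jpg.[].java", NOTE_NAME],
        "Clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("placeholder\n")


def demo():
    """Run the inventory, a dry run and the real removal on a temporary sample tree."""
    root = tempfile.mkdtemp(prefix="triage_")
    try:
        build_sample_tree(root)
        before = inventory(root)
        planned = remove_notes(root, dry_run=True)
        still_present = all(os.path.exists(p) for p in planned)
        removed = remove_notes(root, dry_run=False)
        after = inventory(root)
        return {"notes_before": len(before["notes"]),
                "encrypted_before": len(before["encrypted"]),
                "affected_dirs_before": len(before["affected_dirs"]),
                "planned": len(planned), "still_present_after_dry_run": still_present,
                "removed": len(removed), "notes_after": len(after["notes"]),
                "encrypted_after": len(after["encrypted"])}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `inventory()` against the real profile first and keep its output: the list of affected folders tells you what to restore from backup, and the encrypted files themselves should be left in place until that restore is done.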

In non-techie terms:

Unguarded operating systems can be attacked by Ransomware. This infection is very malicious because it is capable of encrypting everything in its way, excluding system files and some Windows components. Although your operating system will not stop functioning if the infection invades, it certainly can corrupt your personal documents, photos, and other sensitive files. What can you do to recover them after encryption? Unfortunately, nothing. Once files are encrypted, that is it. If you are prepared, your files are backed up, and you can access them even if the files on your computer were hit. Note that your system’s backup might be affected because of the infection’s ability to delete shadow volume copies. Hopefully, your files are safe, but, whatever the case might be, you must waste no time to delete Ransomware. While you might be able to do it manually, we strongly advise employing anti-malware software because once it automatically erases the ransomware, it will also strengthen your system’s protection to ensure malware cannot invade again.