DeathNote Ransomware Removal Guide

Do you know what DeathNote Ransomware is?

DeathNote Ransomware might come from hacker fans of the Japanese manga series Death Note. However, as scary as the title sounds, the malicious application itself is not as dangerous as other ransomware programs. The sample our researchers tested did not encrypt any files but placed them in a password-protected archive. Luckily, we were able to extract the password from the malware’s code. Therefore, if you encountered it, there is a chance the password we provide will work, and you may not have to risk your savings to get your data back. Of course, paying the ransom does not guarantee the user will get his data back, since the cyber criminals behind DeathNote Ransomware might not keep their promises. This is why, instead of making any rash decisions, we would advise you to read this article and consider your options. Also, users who need a removal guide can find one at the end of the main text.

The malware could come with infected attachments delivered via spam emails. Consequently, without realizing it, the user may open this installer and accidentally allow DeathNote Ransomware to settle in on his computer. This is why our computer security specialists always stress how important it is to be cautious with emails from unknown sources. If the user cannot resist opening the suspicious attachment, he should at least check it with a reputable antimalware tool and only then try to open it. Otherwise, the threat might infect the system right away, especially if there is no removal tool installed that could stop it.

Once the malicious application enters the system, it should create various data; for example, in the %APPDATA% directory it may place folders called “batches” and “hitler.” Inside these locations the user should find lots of malicious executables or other types of files. Afterward, DeathNote Ransomware should locate targeted data and place it into a password-protected archive. For instance, if the user keeps his data on disks called E and D, the infection should create archives named Death_N0te_encryted_files_of_local_disk_D and Death_N0te_encryted_files_of_local_disk_E. Our computer security specialists confirm that the files inside of them are not encrypted, and the user should be able to access them by entering the correct password. The password we found in the malware’s code is “pkantnibas722”; we do not know if it will work for every user, but it might be worth trying if you have no better options.

Furthermore, the other way to get your files back is to use your backup copies, provided you have any. As for paying the ransom, we do not consider it an option, since there are no guarantees DeathNote Ransomware’s creators will give the needed password, and so there is a possibility the user could lose his money in vain. We do not know how much the ransom is, but users should not forget the cyber criminals might keep asking for more. This is why we advise you to ignore the provided ransom note and eliminate the malicious application at once. To erase DeathNote Ransomware manually, you could follow the removal guide available below. Nonetheless, if it appears to be too complicated for you, we would recommend installing a reputable antimalware tool instead.

Erase DeathNote Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find a suspicious process related to the malware.
  4. Select this process and press the End Task button.
  5. Exit Task Manager.
  6. Press Windows Key+E.
  7. Check the listed folders separately:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Search for a malicious file that got the system infected.
  9. Right-click the threat’s installer and press Delete.
  10. Navigate to %APPDATA%.
  11. Find folders called “batches” and “hitler”; inside of them you should find files like deathnote.bat, WIFI-CONNECT.bat, bg.mp3, cmdc.exe, death.lnk, mp3play.exe, note.vbs, and so on.
  12. Right-click the mentioned folders (“batches” and “hitler”) and press Delete.
  13. Then go to these directories:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\ApplicationData\Microsoft\Windows\StartMenu\Programs\Startup
  14. Search for the following files in the directories listed above:
    deathnote.lnk
    WIFI.lnk
    WINDEFEND.lnk
  15. Right-click such files and click Delete.
  16. Leave File Explorer.
  17. Empty Recycle Bin.
  18. Restart the computer.
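
Steps 10 to 15 can also be checked from a PowerShell prompt. The script below is an added example, not part of the original guide or any vendor tool: it looks only for the folder and shortcut names listed above, prints what it finds (including where each startup shortcut points), and deletes nothing unless the -Remove switch is given. The file name Find-DeathNoteArtifacts.ps1 is an assumption.

```powershell
# Added example: audit (and optionally remove) the DeathNote artifacts named in this guide.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Folder names, shortcut names and startup directories are copied from the steps above.
$folderNames   = 'batches', 'hitler'
$shortcutNames = 'deathnote.lnk', 'WIFI.lnk', 'WINDEFEND.lnk'
$startupDirs   = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\ApplicationData\Microsoft\Windows\StartMenu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

$shell    = New-Object -ComObject WScript.Shell   # used to read shortcut targets
$findings = @()

# Steps 10-12: the two folders under %APPDATA%, with the file names they contain.
foreach ($name in $folderNames) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path -PathType Container) {
        $files = (Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue).Name
        $findings += [pscustomobject]@{ Type = 'Folder'; Path = $path; Detail = ($files -join ', ') }
    }
}

# Steps 13-15: the three shortcut names in every startup directory.
foreach ($dir in ($startupDirs | Select-Object -Unique)) {
    foreach ($name in $shortcutNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $target = $shell.CreateShortcut($path).TargetPath
            $findings += [pscustomobject]@{ Type = 'Shortcut'; Path = $path; Detail = "-> $target" }
        }
    }
}

if (-not $findings) { Write-Output 'No DeathNote artifacts from the guide were found.'; return }
$findings | Format-Table -AutoSize -Wrap

# Deletion is opt-in; -WhatIf previews it without touching anything.
if ($Remove) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess($f.Path, 'Delete')) {
            Remove-Item -LiteralPath $f.Path -Recurse -Force
        }
    }
}
```

Run it without arguments first and review the list; adding -Remove -WhatIf shows what would be deleted before anything is removed. A folder named “batches” could in principle belong to other software, so check the listed file names against step 11 before deleting.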

In non-techie terms:

DeathNote Ransomware might claim it encrypted your files and demand you pay for their recovery, but in reality, it only places data in a password-protected archive. Thus, if you encountered this malware, we would recommend trying the password (pkantnibas722) our computer security specialists were able to extract from the threat’s code. What we would not advise is paying the ransom, since there are no guarantees the malicious application's creators will give you the correct password. In the worst-case scenario, seeing that the user is willing to pay could even encourage them to try to extort even more money. If risking your savings is not something you would do, we urge you to find another way to get the archived data back and erase this infection from the computer as fast as possible. To learn how to eliminate it manually, one could take a look at the removal guide available above. In case it looks too complicated, the user could install a reputable antimalware tool and use it to get rid of the threat instead.