Ransomware Removal Guide

Do you know what Ransomware is? Ransomware, according to our malware research team, is the new variant of the infamous GusCrypter Ransomware. Although these threats have quite a few differences, the structure of the infection is the same, and so the new variant works in a predictable manner. Unfortunately, we can only predict how this malware got into your Windows operating system. Most likely, you executed it yourself by accident when you opened a corrupted spam email attachment. If a different security backdoor was used to drop the threat, you might not know how the infection slithered in, and this could make it impossible for you to remove Ransomware manually. If you are not able to delete the threat yourself, you still have other options, and we discuss them in this report.

According to our research team, the list of files that Ransomware is meant to affect has been updated from the previous variant. Now, the infection encrypts at least 116 different types of files, including DOC, PDF, and MP3. Needless to say, the threat encrypts personal files; otherwise, it would not reach its goals. When files are encrypted, you should find the “.bip” extension appended to their names. Although the threat skips %PROGRAMFILES(x86)%, %PROGRAMFILES%, and %WINDOWS% directories, it certainly can corrupt files everywhere else, and the files with the added extension will not be readable. Along with the corrupted files, you should find a ransom note file named “Information.html.” It is safe for you to open this file, but do not forget to delete every single copy when you immerse yourself into the removal process.

Although the ransom note file created by Ransomware has a new name, the text inside still delivers the same message. The message might be the same, but the contact email address is new, and, obviously, it is instead of According to the message, the victim – which you might be – has to send a personal “identificator” along with a country’s name to cyber attackers so that they could send more information about the ransom payment. The only thing we know from the ransom note is that the ransom must be paid in Bitcoins, but how it should be paid or how much should be paid is unclear. Unfortunately, that is not all of the attackers’ agenda. It was found that the infection might also try to steal information stored on browsers (including login credentials), as well as listen in on incoming connections, which is the kind of activity that we relate to backdoors. All the more reason to delete Ransomware ASAP!

As we mentioned already, removing the malicious ransomware manually might not be possible if the launcher file cannot be identified. If you are struggling to find the file, we suggest employing anti-malware software to delete Ransomware automatically. This is, by far, the best option available unless you have a malware expert by your side who can clean your operating system for free. But can you rely on them to protect you every single day? Of course, you cannot. A reliable anti-malware program, on the other hand, can secure your operating system and keep it malware-free for as long as you keep it installed.

Remove Ransomware

  1. Launch RUN by tapping keys Win and R on the keyboard.
  2. Type regedit.exe into the presented box and click OK to launch Registry Editor.
  3. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Delete the [unknown name] value whose value data points to Information.html.
  5. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and repeat step 4.
  6. Exit Registry Editor and then Delete every single copy of the Information.html file.
  7. Launch Explorer by tapping keys Win and E on the keyboard.
  8. Enter the listed paths into the field at the top to find and Delete copies of Information.html:
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  9. Finally, find and Delete the malicious [unknown name].exe file that launched the threat.
  10. Empty Recycle Bin and then quickly inspect the operating system using a reliable malware scanner.
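
The registry and Startup-folder checks from steps 3 to 8 can also be run as a script. The following PowerShell is an added example, not part of the original guide: it reports Run values whose data references Information.html and any copies of that file in the listed Startup folders, and deletes them only when called with the `-Remove` switch. The function names and the `-Remove` switch are assumptions made for this example, and the script does not locate the [unknown name].exe launcher from step 9.

```powershell
# Added example: audit the locations named in the manual steps above.
# Reports by default; run with -Remove to delete what it finds.
param([switch]$Remove)

$noteName = 'Information.html'   # ransom note file name given in the guide

# Steps 3-5: the two Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Step 8: Startup folders exactly as listed in the guide
$startupDirs = '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
               '%APPDATA%\Microsoft\Windows\Start Menu\Startup',
               '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
               '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
               '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'

function Find-NoteRunValue {
    foreach ($key in $runKeys) {
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            if ($name -eq '') { continue }           # skip the (Default) value
            $data = [string]$k.GetValue($name)
            if ($data -like "*$noteName*") {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Find-NoteFile {
    foreach ($dir in $startupDirs) {
        $path = [Environment]::ExpandEnvironmentVariables($dir)
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path -Filter $noteName -File -Force -ErrorAction SilentlyContinue
        }
    }
}

$values = @(Find-NoteRunValue)
$files  = @(Find-NoteFile)
$values | Format-Table -AutoSize
$files  | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($v in $values) { Remove-ItemProperty -Path $v.Key -Name $v.Name }
    foreach ($f in $files)  { Remove-Item -LiteralPath $f.FullName -Force }
}
```

Removing values under HKLM requires an elevated PowerShell session; review the reported entries before running with `-Remove`.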

In non-techie terms:

You do not want to let the malicious Ransomware in because once that happens, your personal files are encrypted, and decrypting them manually might be impossible. The only option in that case is to trust cyber criminals and pay the ransom demanded in return for a decryptor. Of course, trusting cyber criminals is a huge gamble, and we do not recommend that. Instead, you want to delete the infection from your system and then secure it to ensure that similar threats could not attack it again. If you employ an anti-malware program to protect your operating system, you can also rely on it to automatically remove Ransomware. Unfortunately, regardless of how you erase the threat, your files will not be restored. Hopefully, backups exist; otherwise, you are screwed.