Ender Ransomware Removal Guide

Do you know what Ender Ransomware is?

If you have encountered a threat known as Ender Ransomware, you might be happy to hear that the malicious application may not encrypt any data. According to our researchers, it only locks the user’s screen and blocks the Windows Shell. This means that while the malware might not harm the files on the infected device, it could stop the user from working on the computer. Fortunately, our researchers know how to take back control of the computer and get rid of Ender Ransomware manually. The removal guide below the text shows how to do this yourself, but before scrolling down, we recommend reading the rest of the report to get to know this threat better.

Ender Ransomware appears to be written in a .NET Framework language. Another thing we noticed while testing it in our internal lab is that it may behave differently on different Windows versions. For example, the sample we had worked well on Windows 7 but showed errors on Windows 10. Moreover, we managed to obtain other samples of it or, to be more precise, of its newer versions, since those samples displayed different ransom notes. Thus, from what we have discovered, it seems that Ender Ransomware is not yet finished, which makes us wonder whether the malicious application is even being distributed. However, if it is, there are a few possible ways it could reach its victims. First of all, the infection might be spread via spam emails; after all, spam is probably one of the most popular ways to distribute threats like ransomware. Besides suspicious email attachments, the malicious application could travel with infected software installers, harmful pop-up ads, etc.

In any case, after the user unknowingly opens the malware’s launcher, the threat should go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon, where it might find a value named Shell. To block the Windows Shell, Ender Ransomware could change this value’s data from explorer.exe to C:\EnderRansom.exe. Afterward, the infection might lock the user’s screen by displaying a full-screen pop-up window saying “Your PC was locked by Ender!” The earlier version of this malicious application does not ask for any ransom to be paid but threatens the user that the computer will be locked forever unless a valid “encryption key” is obtained in time. The later version may ask for 1 BTC in exchange for an unlock code.

Of course, we do not advise paying the ransom, as there is simply no need for it. As it stands now, Ender Ransomware does not encrypt any data, and the screen can be unlocked even without the mentioned codes. Consequently, we advise users not to waste any time or money and simply erase the infection. Truth be told, our researchers say there are several unlock codes, and it is possible to extract them from the malicious application’s source code.

Nonetheless, we learned that they do not work in some cases, so to help users unlock the screen and eliminate the malware, the removal guide below shows a way that should work better. If you find it a bit too complicated, you can complete only the first nine steps and then employ a reputable antimalware tool. Once it is installed, set it to scan the system, wait for the results to appear, and click the deletion button. The best part is that if you keep it updated, it may help guard the system against future threats as well.

Erase Ender Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Choose Task Manager and open the Processes tab.
  3. Locate a suspicious process belonging to the malware, select it and click End Task.
  4. Press Windows Key+R, type Regedit and click OK.
  5. Navigate to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  6. Find the value named Shell; its value data should point to C:\EnderRansom.exe or any other file related to the infection.
  7. Right-click this value name (Shell) and select Modify.
  8. Instead of C:\EnderRansom.exe type explorer.exe and click OK.
  9. Close Registry Editor.
  10. Press Windows Key+E.
  11. When File Explorer shows up, navigate to each of the listed locations in turn:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  12. Look for a recently downloaded file that could be the threat’s installer.
  13. Right-click this file and press Delete.
  14. Close the Explorer.
  15. Empty Recycle bin.
  16. Reboot the computer.
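
The registry check from steps 5 to 8, written as a PowerShell script. This is an added example, not part of the original guide: it reads the Winlogon Shell value at the path named above and reports when its data is not explorer.exe. Checking the native HKLM view as well, and the -Repair switch, are assumptions added here.

```powershell
# Added example: audit the Winlogon "Shell" value described in steps 5-8.
# Run from an elevated PowerShell prompt.
# The -Repair switch is an assumption of this example; it writes the default back.
param([switch]$Repair)

$expected = 'explorer.exe'   # data the guide says the value should hold

$keys = @(
    # Path named in the guide (32-bit registry view on 64-bit Windows)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    # Native view, checked in addition to the guide (assumption of this example)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "SKIP      $key (key not present)"
        continue
    }

    # Returns nothing when the value does not exist, so $shell stays $null.
    $shell = (Get-ItemProperty -LiteralPath $key -Name Shell `
              -ErrorAction SilentlyContinue).Shell

    if ($null -eq $shell) {
        Write-Output "NOVALUE   $key (no Shell value)"
        continue
    }

    if ($shell.Trim() -ieq $expected) {
        Write-Output "OK        $key Shell=$shell"
        continue
    }

    # Anything else deserves a look: a locker such as C:\EnderRansom.exe,
    # or a legitimate custom shell on a kiosk-style machine.
    Write-Output "MODIFIED  $key Shell=$shell"

    if ($Repair) {
        Set-ItemProperty -LiteralPath $key -Name Shell -Value $expected
        Write-Output "REPAIRED  $key Shell=$expected"
    }
}
```

Run it without -Repair first and note the file path printed on any MODIFIED line; that is the file to look for and delete after the shell has been restored.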

In non-techie terms:

Ender Ransomware is a rather strange ransomware application, since it does not lock users’ data like other malware from the same category. Still, it may cause users trouble, as the threat might lock their screens and make it impossible to work with the computer normally. The infection’s creators could also demand a ransom, but we do not recommend paying it, as you can unlock the screen and get rid of the malicious application without their help. Instead, you could use the removal guide located above this text and erase this infection manually. Once the screen is unlocked and the Windows Shell is restored, you can also download a reputable antimalware tool and let it finish deleting Ender Ransomware for you.