Ransomware Removal Guide

Do you know what Ransomware is?

Our malware analysts have recently tested a sample file of ransomware called Ransomware. They found they this application is similar to several other programs that have been causing trouble a few months back. Therefore, if your computer becomes infected with it, then you must remove it as soon as possible. Research has shown that this program uses the AES algorithm to encrypt files and if it manages to encrypt your files, then there is little chance that you will get them back unless you try to pay the ransom.

Our cyber security specialists have concluded that this ransomware is currently being distributed trough malicious emails. These emails are said to feature an attached file that is a Trojan. This file is configured to download Ransomware’s main executable on your computer. Now, the emails are said to be disguised as invoices, but our researchers say that the developers can use other deceptive means to present this attached file as a legitimate document. Furthermore, our security experts believe that the distribution methods may not be limited to email spam. They say that it is entirely possible that this malicious application is being distributed on infected websites that exploit vulnerabilities in your web browser to get your computer infected.

If Ransomware manages to get on your computer, then be warned that its randomly named executable file can be dropped in several folders. Research has shown that it can be dropped in five location such as %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup, %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup, and several others. Once on your computer, it will scan it for files to encrypt, and our tests have shown that it will encrypt nearly all available file types, so all of your documents, pictures, videos and other files will be encrypted. This ransomware uses the AES-256 encryption algorithm to encrypt your Ransomware Removal Ransomware screenshot
Scroll down for full removal instructions

Our researchers say that, while encrypting your files, Ransomware will append them with the *.{} file extension. Once the encryption process is complete, it will generate an image file named decryption instructions.jpg and set it as your computer’s desktop wallpaper. The image file features text that reads “To decrypt your files write to” The image also depicts a shield that says Guardware on it. Now, you need to contact the cyber criminals to know how much you have to pay and how to do it.

We argue against paying the ransom because there is no guarantee that you will receive the decryption tool/key from the cyber criminals. Changes are that they will get your money and will not send you the key and you will be unable to get your files back. Indeed, you cannot trust cyber criminals to keep their word because all they care about is making as much money as quickly as possible.

Our cyber security experts say that, currently, there is no free third-party tool that could decrypt your files. Moreover, there is no way of telling whether one will be developed at all. The fact that you might not get the decryption tool/key once even though you have paid is another possibility. Therefore, we recommend that you delete Ransomware using the removal guide located at the bottom of this article. However, if you experience any issues while locating or deleting this ransomware, we suggest using an anti-malware program called SpyHunter which will make light work of this ransomware.

How to remove this ransomware

  1. Hold down Win+E keys.
  2. Enter each of the following file paths in the File explorer’s address box and hit Enter.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Locate the malicious executable, right-click it and click Delete.
  4. Empty the Recycle Bin

How to delete the registry strings

  1. Hold down Win+R keys.
  2. Enter regedit in the dialog box and click OK.
  3. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Locate two registry strings that have Value data of %WINDIR%\Syswow64\[malware].exe and %WINDIR%\System32\[malware].exe
  5. Right-click each of them and click Delete.

In non-techie terms: Ransomware is a malicious piece of programming that can compromise your computer’s security and encrypt your personal files. Its ransom note features an email address that can get you into contact with the developers of this program. Of course, they want you to pay money for the decryption tool/key but there is no guarantee that you will get it. Therefore, we recommend that you remove it.