Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is an infection belonging to the Btcware Ransomware family. It has been detected by our specialists recently, so it should not be distributed actively at the time of writing. Of course, it is only a question of time before this changes. If this computer infection ever slithers onto your computer and locks your personal files, you should not send money for their decryption because these files might still not be unlocked for you. Instead, you will just hand your money over to cyber criminals. Frankly speaking, they only develop ransomware infections because they wish to extract money from users. Do not give them a cent because they will not stop creating and releasing malicious applications. What we expect the victims of ransomware infections to do is to get rid of the malicious application they encounter as soon as possible.

Ransomware is a new version of Master Ransomware. We call it new because it changes encrypted files’ extensions to .[].master. If you see that your pictures, documents, text files, and other files have this new extension, it means that they have all already been encrypted by this computer infection. This is not the only symptom showing the presence of this ransomware-type infection on your computer. After it gets in, you will also find a new file created on your Desktop - !#_RESTORE_FILES_#!.inf. It is opened automatically after the ransomware infection finishes encrypting files. This file is a ransom note – it first tells users why they cannot access their files, and then tells them to write an email to and pay a ransom in Bitcoin (a cryptocurrency).
The size of the ransom is not stated in advance; users will only be told how much to pay for the decryption of files if they contact cyber criminals: “The price depends on how fast you write to us.” Although cyber criminals promise to unlock files for you, and they are even willing to unlock 3 files for free to show that they can do that, do not send them money because you might be left with nothing. There are many cases when users pay money to cyber criminals but do not get their files unlocked in return. Unfortunately, only one free alternative file recovery method exists – users can recover files from a backup. Of course, they can recover their files only if they have copies of their data on an external

The encryption of users’ files is only one activity Ransomware performs on users’ computers. Research has shown that it also runs three commands. First, it uses the command cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet to delete the so-called Shadow Copies of files. That is, it makes it impossible to recover files without paying money. Second, it disables the Startup repair by issuing these two commands: cmd.exe /c bcdedit.exe /set {default} recoveryenabled No and cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures. Last but not least, the ransomware infection creates a Value in the system registry. Specifically, it creates the Value DECRYPTINFO in the Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Because of this, it might be slightly harder to uninstall this infection.
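
The three command lines above work well as a detection rule for process-creation logs. The following is an added example, not part of the original guide: it matches them regardless of case, spacing, quoting or a path in front of the binary, and flags hosts where all three were seen. The host names and sample events are constructed.

```python
import re

# Patterns for the three commands this page attributes to the ransomware.
# They run against a normalised command line, so case, extra spaces,
# quoting and a full path before the binary do not defeat the match.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b"),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{[\w-]+\}\s+)?recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{[\w-]+\}\s+)?bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalise(cmdline):
    """Lower-case, drop double quotes and collapse runs of whitespace."""
    return " ".join(cmdline.lower().replace('"', "").split())

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    norm = normalise(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

SAMPLE_EVENTS = [  # constructed process-creation records: (host, command line)
    ("WS-01", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS-01", "cmd.exe /c bcdedit.exe /set {default} recoveryenabled No"),
    ("WS-01", "cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-02", '"C:\\Windows\\System32\\VSSADMIN.EXE"  delete  shadows /for=C: /all'),
    ("WS-03", "vssadmin.exe list shadows"),                        # benign
    ("WS-03", "bcdedit.exe /set {default} recoveryenabled Yes"),   # benign
]

def scan(events):
    """Return {host: set of rule names}; hosts with no hit are left out."""
    hits = {}
    for host, cmdline in events:
        for rule in classify(cmdline):
            hits.setdefault(host, set()).add(rule)
    return hits

def full_sequence(hits):
    """Hosts where all three commands from this page were observed."""
    return sorted(h for h, rules in hits.items() if rules == set(RULES))
```

A single hit on shadow-copy deletion can come from legitimate administration; the three commands together on one host are the stronger signal.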

The sooner you erase Ransomware from your computer, the better; however, we must talk about its distribution before this. According to our experienced specialists, this threat is mainly spread via unsecured RDP connections, but other distribution methods might be adopted by cyber criminals as well. For instance, it might be spread inside spam emails too. Additionally, it is very likely that it is available on some kind of third-party page containing free software. Other ransomware infections might be distributed the same way, so we hope that it will be easier for you to prevent them from entering your PC after finding out more about the main ransomware distribution strategies. If you do not think that you can protect your PC, acquire security software and enable it on your computer.

Our experienced specialists have prepared a manual removal guide to help less experienced users delete Ransomware from their PCs fully. If you still find the manual method extremely challenging, delete the ransomware infection from your computer automatically. Only one scan and all active threats will be deleted permanently from your computer.

Delete Ransomware

  1. Press Ctrl+Shift+Esc and click Processes.
  2. Kill (right-click on the process and select End Process/End task) processes of
  3. Open the Windows Explorer (tap Win+E).
  4. Type %APPDATA% in the address bar and press Enter.
  5. Delete !#_RESTORE_FILES_#!.inf.
  6. Remove all suspicious files from %TEMP%, %USERPROFILE%\Downloads, and %USERPROFILE%\Desktop.
  7. Close the Windows Explorer.
  8. Tap Win+R, enter regedit.exe, and click OK.
  9. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  10. Right-click on the DECRYPTINFO Value and select Delete.
  11. Empty Recycle bin and reboot your PC.
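
To confirm the steps above left nothing behind, the following added example (not part of the original guide) sweeps the folders from steps 4-6 for the ransom note and renamed files and checks the Run value from step 10. The bracket contents of the extension are missing on this page, so the pattern accepts any bracketed text; that is an assumption.

```python
import os
import re

NOTE_NAME = "!#_RESTORE_FILES_#!.inf"      # ransom note name given on this page
# The page shows the appended extension as ".[].master" with the bracket
# contents missing, so any bracketed text is accepted here (assumption).
LOCKED_RX = re.compile(r"\.\[[^\]]*\]\.master$", re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DECRYPTINFO"

def sweep(roots):
    """Walk each root; return (ransom_notes, locked_files) as sorted path lists."""
    notes, locked = [], []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(folder, name)
                if name.lower() == NOTE_NAME.lower():
                    notes.append(path)
                elif LOCKED_RX.search(name):
                    locked.append(path)
    return sorted(notes), sorted(locked)

def run_value_present():
    """True/False for the HKCU Run value; None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            winreg.QueryValueEx(key, RUN_VALUE)
            return True
    except FileNotFoundError:
        return False

def default_roots(env=os.environ):
    """Folders named in steps 4-6, kept only where they exist."""
    roots = [env.get("APPDATA"), env.get("TEMP")]
    home = env.get("USERPROFILE")
    if home:
        roots += [os.path.join(home, "Downloads"), os.path.join(home, "Desktop")]
    return [r for r in roots if r and os.path.isdir(r)]

if __name__ == "__main__":
    found_notes, found_locked = sweep(default_roots())
    print("ransom notes:", found_notes)
    print("renamed files:", len(found_locked))
    print("Run value present:", run_value_present())
```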

In non-techie terms:

Undesirable applications which work in the background on users’ computers exist too, so we cannot guarantee that your PC is clean after you have deleted Ransomware manually. Theoretically, other malicious applications might be working on your PC without your knowledge as well – they could have entered together with the ransomware infection. Since they might be located anywhere, we believe it would be easier to detect and erase them using an automated tool.