Home / Spyware Help / Invisible Empire Ransomware Removal Guide

Invisible Empire Ransomware Removal Guide

by 0 Comments

Do you know what Invisible Empire Ransomware is?

Invisible Empire Ransomware is a newer version of the original Jigsaw Ransomware that was released a few months earlier. Since then, we discovered a clone called Payransom Ransomware and now this particular infection. We highly recommend that you remove it as soon as possible because if you do not, then it will start deleting your files after you fail to meet the deadline set to pay that ransom. Apart from deleting your files it also encrypts them using the AES encryption algorithm. Thankfully, there is a way you can decrypt your files for free which is not always the case with ransomware infections. This short description will provide you with information about Invisible Empire Ransomware’s distribution methods, functionality, removal methods, and file decryption. So, without further ado, let us begin.

The information obtained by our malware researchers suggests that this infection is distributed in the same way its predecessors were distributed. They have found that this ransomware is disseminated using email spam that is sent by a dedicated server. Its developers are neither picky when it comes to targeting a specific user base, nor they operate in a certain geographical location. This infection is distributed worldwide and is sent to random email addresses. The contents of the emails usually consist of business-related text, invoices, and government-related inquiries. In short, the email spam is disguised as legitimate and important. However, you might find it in the spam/junk section of your email box. These emails come with attached files that may be an executable disguised as a PDF file, or this same executable may be packaged in a self-extracting file archive. Such attachments drop the files of Invisible Empire Ransomware when opened and the computer becomes infected as a result.Invisible Empire Ransomware Removal GuideInvisible Empire Ransomware screenshot
Scroll down for full removal instructions

Our malware analysts say that the infection drops the malicious files in various locations. It drops a file called wrkms.exe to %APPDATA%\Wrkms, a file named systmd.exe to %LOCALAPPDATA%\Systmd (%UserProfile%\Local Settings\Application Data\Systmd on Windows XP), and an Address.txt file to %APPDATA%\System32Work. Furthermore, it creates a registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run which serves as the point of execution. The registry subkey is called wrkms.exe. Once all files are in place Invisible Empire Ransomware will spring into action and start encrypting files. Our malware researchers say that it can encrypt close to a hundred file formats that include .accdb, .aep, .aepx, .aet, .ai, .aif, rtf, .sdf, .ses, .sldm, .sldx, .xlm, .xls, .xlsb, .xlsm, and so on. It uses the AES encryption algorithm to encrypt the files. We do not know what key length that this particular ransomware is set to use, but the AES encryption always uses 128-bit, 192-bit or 256-bit keys, The higher the number, the stronger the encryption. Nevertheless, malware researchers have already cracked Jigsaw Ransomware’s encryption, and since Invisible Empire Ransomware is its descendant, the decryption tool works with it as well. You can get the decrypter at https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip. So there is a way you can decrypt your files for free, but we still want to provide you with more detailed information about how this ransomware functions.

Once the encryption process is complete, the infection will create a window that features the ransom note. The ransom note says that “Your files have been encrypted. You must pay $150 USD in Bitcoins to the address specified below.” This infection’s developers have composed a guide on how to help you pay the ransom. However, we want to point your attention to the fact that $150 USD is just the beginning. If you fail to pay the ransom within 24 hours of the infection, then the ransom will increase to $300 USD. If you fail to meet the second 24-hour deadline, then the ransom will increase to $450 USD. Also, this ransomware will delete files each hour in an effort to scare you and force you to pay without thinking. The cyber criminals want to pay the ransom in Bitcoins in order not to get caught.

Even though Invisible Empire Ransomware is a dangerous infection, there is a way you can combat and defeat it and emerge victorious only with minor losses in files. First, you must delete its files using our manual removal guide or our suggested antimalware program — SpyHunter. Then, use the decrypter at https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip to decrypt your files.

How to delete Invisible Empire Ransomware’s files

  1. Press Windows+E key.
  2. Type %APPDATA%\Wrkms in the address box of the window and press Enter.
  3. Find and delete wrkms.exe.
  4. Then go to %LOCALAPPDATA%\Systmd (%UserProfile%\Local Settings\Application Data\Systmd in Windows XP) and delete systmd.exe
  5. Then go to %APPDATA%\System32Work and delete Address.txt, dr, and EncryptedFileList.txt
  6. Close the window and press Windows+R keys.
  7. Type regedit and click OK.
  8. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  9. Locate wrkms.exe and delete it.

In non-techie terms:

Invisible Empire Ransomware is a serious computer infection that is set to encrypt your personal files and demand that you pay a ransom to get them back. It also deletes files if you hesitate to pay it. However, there is a way to get your files back without paying the ransom. Therefore, we invite you to remove it using our guide or the SpyHunter antimalware tool and decrypt the files using the decrypter to which we have provided a link in the article.