Malevich Ransomware Removal guide

Do you know what Malevich Ransomware is?

Evidently, Malevich Ransomware is a highly malicious application dedicated to secretly infecting your computer and encrypting all of your precious files. We suggest that you remove it because it will demand that you pay a ransom for the decryptor needed to decrypt them. Based on our experience with its clones, we doubt that you will get the decryption tool after you have paid, and, indeed, this ransomware is part of a large family of ransomware that includes GruzinRussian@aol.com Ransomware, Makdonalds@india.com Ransomware, and dozens of other programs.

Malevich Ransomware plays its part in one of the largest extortion campaigns to date. This and dozens of other nearly identical ransomware comes from a secretive developer or even a group of developers that we think are based in Russia because some of them make reference to Russian names and some have their ransom notes in Russian and English. One notable similarity between all of the programs that belong to this family is that they are all based on the CrySIS ransomware engine and use the RSA cryptosystem with a 2048 bit long key to encrypt the files.Malevich Ransomware Removal guideMalevich Ransomware screenshot
Scroll down for full removal instructions

Our security experts have found that, currently, Malevich Ransomware’s encryption is not decryptable which is bad news for users whose valuable files have been encrypted by it. However, we want to stress that paying the ransom is not an option because you run the risk of paying a large sum of money and not getting what you have paid for. Even though this ransowmare’s ransom note does not state the amount of money to be paid, our researchers say that its developers may ask up to 4 BTC, an approximate 2,300 USD. It goes without saying, 2,300 USD is a substantial sum of money that may not be worth the files that have been encrypted.

As far as the encryption is concerned, Malevich Ransomware will encrypt all of your files in almost all locations with the exception of %AppData%, %System32%, %Windows%, and %Temp% as these locations contain core Windows files and if they were encrypted, then you would not be able to use your computer. While encrypting the files, it will append them with the .xtbl. However, the full added extension looks similar to .id-B4500911.decryptformoney@india.com.xtbl. The ID at the beginning is randomized, and the email address is included for you to take notice because you have to use it to contact the developers.

Once the encryption is complete, Malevich Ransomware will create a file named Decrypt instruction.txt that reads “All of your files are encrypted, to decrypt them write me to email: decryptformoney@india.com.” Apparently, when you contact the criminals via this email address, they will provide you with further instructions on how to pay the ransom. They may also ask you to send them two encrypted files so that they could decrypt them and send them back to you as proof that their decryption tool works.

Furthermore, it creates an image file in C:\Users\{user name} called Decryption instructions.jpg that is set as the desktop wallpaper. The wallpaper consists of the name “Malevich” in white on a black background. As far as the main executable is concerned, it can be dropped in a total of seven locations. In most cases, the randomly named executable is dropped in %WINDIR%\Syswow64 or %WINDIR%\System32, but it can be placed in other locations as well (refer to the removal guide for the full list.) Lastly, this ransomware is set to make changes at the Windows Registry level and add several registry strings. One of them is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and it is configured to run this ransomware's executable on system boot up. If you want to eradicate this infection, then you have to delete all of these files.

In closing, Malevich Ransomware is one malicious application that you can do without. We urge you not to pay the ransom because you might not get the decryption tool. You should not trust the criminals to keep their word, so the only solution is to remove Malevich Ransomware. You can delete its files using the instructions provided below or make use of our recommended anti-malware tool called SpyHunter which is more that capable of dealing with this particular infection.

How to remove this malware

  1. Press Windows+E keys to open File Explorer.
  2. In the address box, enter the following locations and locate the malicious executable.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find and right-click the executable and click Delete.
  4. Them, enter C:\Users\{user name} in the address box.
  5. Find and delete How to decrypt your files.jpg
  6. Delete How to decrypt your files.txt from the desktop.
  7. Empty the Recycle Bin.

Delete the registry keys

  1. Press Windows+R keys.
  2. Enter regedit in the box and click OK.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the randomly named string with Value data of %WINDIR%\Syswow64\name.exe
  5. Right-click it ad click delete.
  6. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  7. Find the string BackgroundHistoryPath0 and delete it.
  8. Go to HKCU\Control Panel\Desktop
  9. Find the string Wallpaper, right-click it and click Modify.
  10. Erase C:\Users\user\How to decrypt your files.jpg in the Value data line.

In non-techie terms:

Malevich Ransomware is a type of malware whose objective is to encrypt your valuable files and offer to purchase the decryption tool needed to decrypt them. However, the decryptor does not come cheap and given how unreliable its developers are unreliable, you might not receive it. Therefore, we encourage you to remove this ransomware. Even though you will not be able to get your files back, you will still be able to use your computer and upload new files to it.