Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is a Russian malicious application, better known as crypto malware. The entrance of this infection means that all the most valuable files, including documents and pictures, are encrypted, and it is impossible to access any of them. All malicious applications that fall into the category of ransomware seek to extort money from users. Ransomware is no exception even though you will not be asked to transfer money immediately. Do not send money to cyber criminals no matter how badly you need to access your files because you might lose your money too. To be honest, users who decide to make a payment often lose their money because cyber criminals tend not to send the decryption tool to users after receiving money. Therefore, users should delete Ransomware the second they realize that it is inside their computers and only then try to recover files using alternative methods.

Unlike other ransomware infections, e.g. Cockblocker Ransomware and Ransomware (you can find their descriptions on this website), Ransomware collects information about the computer before starting to encrypt users’ files. It has been noticed that it is interested in the technical information, e.g. the type of OS, Service Pack, architecture (32-bit or 64-bit), etc. All the details it records are put into files having the .mth extension (they are usually left on Desktop). When the ransomware infection finds out everything that it needs to know, it then starts encrypting users’ files. It has been found that it locks files located in %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, %HOMEDRIVE%\$Recycle.Bin, and %HOMEDRIVE%\{1-6 characters} (a folder might have from 1 to 6 random characters). All these encrypted files receive a new filename extension .matrix, so it will be very easy for you to find out which of your files have been locked. To inform you about the encryption of files, Ransomware drops a ransom note in every folder containing encrypted files too. This ransom note does not tell users much about the decryption of files. Users are only told to write an email with a unique ID to If you do so, you should “receive all necessary instructions”, as it is stated in the ransom note left by the ransomware infection. In the opinion of our researchers, there is no point in contacting cyber criminals if you are not going to pay money to them because there is no doubt that you will be asked to transfer a certain amount of money in order to get your files decrypted. Do not do that because it might be very true that you do not get anything after sending money to cyber Ransomware Removal Ransomware screenshot
Scroll down for full removal instructions

You need to know that you might not be able to unlock your files if you do not pay money to cyber criminals. It is because it drops scripts in %APPDATA%\Microsoft and then uses one of them to delete Shadow Copies of files so that a user could not use a third-party data recovery tool. Even though a third-party tool will, probably, be unhelpful, you can recover data from a backup (only if you have made it before the entrance of the ransomware infection and do not keep it on the computer). If you do not have your files backed up but do not want to pay a ransom too, you should wait until specialists develop a free decryption tool. This might take some time since Ransomware is a serious computer infection.

It is important to delete Ransomware from the system as soon as possible, but it is even more important to prevent ransomware infections from entering the computer. Specialists have found that they are often spread as attachments in spam emails, so, first of all, you should stay away from the spam mail folder. Secondly, security specialists highly recommend installing a security application. Ransomware does not lock the screen or block system utilities. Also, it does not make modifications in the system registry. Even though it is not a very sophisticated malicious application, it might still be quite hard to erase it because it drops several files on the computer. It should be easier for you to find and eliminate them by following our step-by-step instructions. Find them below.

Remove Ransomware

  1. Open the Windows Explorer (tap the Windows key and E simultaneously).
  2. Type %APPDATA%\Microsoft at the top to open it.
  3. Locate two scripts having .cmd and .vbs extensions. Delete them.
  4. Delete the malicious file you have opened before finding all files encrypted.
  5. Remove ransom notes (e.g. matrix-readme.rtf or 31217-matrix-readme.rtf) from directories containing encrypted files.
  6. Clear the Recycle bin.

In non-techie terms:

Other computer infections might still be hiding on your system even though Ransomware is gone. They might be performing activities behind your back, and it is known that they enter computers secretly in most cases, so it is not surprising that so many users do not know about their presence. Since it is a challenging task to detect those threats, we recommend scanning the computer with an automatic scanner. Of course, you do not need to do that again if Ransomware was deleted with a reputable scanner, e.g. SpyHunter. In this case, it must have erased all other infections too.