Omerta Ransomware Removal Guide

Do you know what Omerta Ransomware is?

Omerta Ransomware joins the ranks of malicious file-encrypting malware. This particular threat, according to our malware researchers and analysts, favors spam emails when it comes to distribution. The infection’s executable is concealed as a harmless file and attached to an email with a misleading message. If the target is fooled into opening the attachment, the ransomware is executed right away. Needless to say, if the threat is unleashed, it starts corrupting files immediately. At this moment, we do not know if any specific files are targeted, but, without a doubt, this malware should corrupt personal files, such as photos. After execution, Omerta Ransomware removes itself; however, that does not mean that you can forget about this threat because you still need to delete malicious leftover components.

The dangerous Omerta Ransomware might not have been created by the malicious parties who stand behind Kwaaklocked Ransomware, Scarab-Leen Ransomware, or Sequre Ransomware (and maybe they were, who knows), but they all share the same goal. These threats encrypt your personal data not because they want to annoy you, but because they need something to make you pay the ransom. The ransom is introduced to users only after all files are encrypted. Once that happens, the names are changed, and the “.[XAVAX@PM.ME].omerta” extension is attached at the end. A corrupted personal file might look something like this: “mrKJbd.g;hlp%SBJ}KGJ-CAjT+[Uu&^sc.Bfiee#.[XAVAX@PM.ME].omerta.” At the time of research, it was NOT possible to decrypt files manually, and legitimate, free file decryptors capable of dealing with this malware did not exist either. Note that you cannot recover files by removing the added extension.

Omerta Ransomware creates its ransom note in every directory that contains corrupted files. The file that carries the note is called “READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT.” To ensure that the message gets to you, the infection creates a point of execution in the Windows Registry (in HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Because of this, the note is automatically opened every time Windows starts. Omerta Ransomware also drops a BMP file to the %USERPROFILE% directory, and this file replaces the wallpaper image to inform the victim that they need to email XAVAX@PM.ME. The TXT and BMP files and the Run entry are the three components that the infection leaves behind after it deletes itself. Needless to say, they must be removed. Of course, before you come to this conclusion, you might take a serious look at the ransom note that is represented via the TXT file.

Omerta Ransomware suggests that files were encrypted “due to a security problem.” That is not a lie, as, of course, you would not be facing the encryptor if your system were protected properly. The message instructs victims to send a “personal identifier” to XAVAX@PM.ME (the same email address that is represented via the BMP file), so that cyber criminals could send details regarding the payment of the ransom. The sum might be unique in every case. The ransom note informs victims that they can have 3 files decrypted for free, and while this should prove that decryption is possible, we warn you to be careful. If cyber criminals decrypt a few files, they do it only so that you would pay a ransom. No one can tell whether or not you would have ALL files decrypted after the payment.

You have to delete Omerta Ransomware regardless of the outcome you face. It seems that decrypting files at the moment is not possible, but maybe you have backups, and you can access copies after you remove the infection? Hopefully, that is the case. When it comes to removal, you already know that the threat eliminates itself, but a few components are left behind. The guide below shows how to get rid of these components. Let’s talk security for a second. Clearly, you lack reliable protection, and so we suggest installing anti-malware software without hesitation. One of the best features of this software is that it can erase malware automatically.

Remove Omerta Ransomware leftovers

  1. Delete all copies of the file named READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT.
  2. Tap Win+R to launch Explorer and then enter %USERPROFILE% into the bar at the top.
  3. Delete the {random name}.bmp file that is represented as your Desktop wallpaper.
  4. Tap Win+R to launch RUN and then enter regedit.exe into the dialog box to launch Registry Editor.
  5. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  6. Delete the {random name} value that is linked to the ransom note file in step 1.
  7. Empty Recycle Bin and then quickly perform a full system scan to check if all leftovers were erased.
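
A read-only check for the three leftovers listed in the steps above, written in PowerShell as an added example that is not part of the original guide. It only lists candidates for review and deletes nothing; the variable names and the choice to search fixed local drives are assumptions of this example.

```powershell
# Added example: list (do not delete) the leftovers named in the guide.
$NoteName = 'READ THIS IF YOU WANT TO GET ALL YOUR FILES BACK.TXT'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Assumption: search every ready, fixed local drive, because the note is
# created in each directory that holds encrypted files.
$Roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

# Step 1: every copy of the ransom note.
$Notes = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Filter $NoteName -File -Recurse -Force `
        -ErrorAction SilentlyContinue
}

# Steps 2-3: BMP files directly under %USERPROFILE%, flagged when one of
# them is the wallpaper currently configured for this user.
$Wallpaper = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' `
    -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
$Bmps = Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.bmp' -File -Force `
        -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime,
        @{ Name = 'IsWallpaper'; Expression = { $_.FullName -eq $Wallpaper } }

# Steps 5-6: Run values whose data references the ransom note file.
$Key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
$RunHits = if ($Key) {
    foreach ($name in $Key.GetValueNames()) {
        $data = [string]$Key.GetValue($name)
        if ($data -like "*$NoteName*") {
            [pscustomobject]@{ ValueName = $name; Data = $data }
        }
    }
}

'--- Ransom note copies ---'
$Notes | Select-Object -ExpandProperty FullName
'--- BMP files in the user profile ---'
$Bmps | Format-Table -AutoSize
'--- Run entries pointing at the note ---'
$RunHits | Format-List
```

Run it from a normal (non-elevated) PowerShell session of the affected user, since both the Run key and the wallpaper setting live under that user's HKCU hive.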

In non-techie terms:

If you are one of those unlucky Windows users who let Omerta Ransomware into their operating systems, you must be racking your brain about how to recover files and how to remove the malicious infection. While it might be too late for you to do anything to recover files, it is never too late to clear your system and establish reliable, full-time protection. The instructions you can see above show how to delete Omerta Ransomware leftovers (it erases itself after successful execution). Of course, it might be best to install anti-malware software because it can produce reliable protection and because it can automatically erase existing malware.