Ransomware Removal Guide

Do you know what Ransomware is? Ransomware is named after the email address that appears in the ransom note accompanying the malware. The ransom note is very laconic, as it simply reads: “help mail PATAGONIA92@TUTANOTA.COM.” The creator of the infection hopes that the victim of this devious file-encryptor gets the message: email the address. What is the purpose of that? If you email them, you establish a line of communication, and they can then send you instructions on how to make a payment. The developer of the ransomware demands a ransom for a decryption tool/key that could, allegedly, free your personal files. Unfortunately, things are more complicated than that. If you pay the ransom, you are unlikely to get anything in return, which is why we emphasize the removal of Ransomware. We do not know whether you can recover your personal data, but we know that you can and must delete the ransomware.

This is not the first time we have encountered Ransomware, because we encountered it earlier in a different form, as RotorCrypt Ransomware. The new version of the infection does not add a unique extension to the files it encrypts. Also, the ransom note it creates is not a regular .txt file, so you need to open it with Notepad yourself. You can also rename the file by adding “.txt” to its original name (“HELP”) to turn it into a TXT file. The ransom note file is created in every folder that contains encrypted files, so that you cannot miss the message. Besides the suspicious “HELP” file, Ransomware also creates a copy of its own launcher (an .exe file whose name consists of 8 random characters) in any folder in the %LOCALAPPDATA% directory. A point of execution for this file is created in the Windows Registry (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) too. Without a doubt, you want to delete all of these components before your personal files are encrypted.

When Ransomware encrypts your personal files using the RSA algorithm, they become unreadable, and no program can solve the issue for you. Doesn’t a legitimate decryptor exist? At the moment, it does not, and we cannot guarantee that malware experts will create or find one. That means that the original files are lost. That is not a huge problem if backups exist. If they do, the corrupted copies can be removed. Then, after you delete Ransomware, you can transfer your personal files back onto the computer if you need to. If you are not sure whether your files are backed up, we strongly recommend checking your backups from a malware-free system. Also, note that if you remove the corrupted files and then transfer healthy copies onto your PC before you eliminate the threat, the newly introduced copies will be corrupted as well.

You should need no convincing that getting rid of Ransomware is important, but we understand that the removal process can be intimidating, and you might hesitate to start it. You should not hesitate, because you want to eliminate all components controlled by cyber criminals as soon as possible. You have the option to delete Ransomware manually using the guide below, or you can install anti-malware software that will erase the infection automatically. This option is perfect not only for less experienced users but for everyone who wants to strengthen their virtual security, because anti-malware software is, of course, designed to protect you first and foremost.

Remove Ransomware

  1. Find and delete the malicious {random}.exe launcher of the ransomware.
  2. Simultaneously tap the Win+E keys to launch Windows Explorer.
  3. Enter %LOCALAPPDATA% into the field at the top to access the directory.
  4. Check all folders for the malicious {random 8 characters}.exe copy file and delete it.
  5. Simultaneously tap Win+R to launch RUN.
  6. Enter regedit.exe and click OK to launch Registry Editor.
  7. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the {random 8 characters} value that points to the malicious copy file (see step 4).
  9. Delete all copies of the HELP file.
  10. Empty the Recycle Bin and then immediately install a malware scanner to check for leftovers. If threats are found, erase them as soon as possible.
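The components described above (the 8-character .exe copy under %LOCALAPPDATA%, the Run-key value pointing at it, and the HELP notes) can be located for confirmation before you carry out steps 1 to 9. The read-only PowerShell triage script below is an added example, not code from the original guide; it assumes that "8 random characters" means 8 letters or digits and that the notes live under the user profile.

```powershell
# Added example, not from the original guide: read-only triage that lists the
# three artifacts the guide describes so they can be confirmed before removal.
# Assumption (mine, not the page's): "8 random characters" means 8 letters/digits.
$LocalAppData = $env:LOCALAPPDATA
$RunKey       = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RandomExe    = '^[A-Za-z0-9]{8}$'
$ProviderMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousRunValues {
    # Run-key values whose command resolves to an 8-character .exe under %LOCALAPPDATA%
    if (-not (Test-Path $RunKey)) { return @() }
    $props = (Get-ItemProperty -Path $RunKey).PSObject.Properties |
        Where-Object { $_.Name -notin $ProviderMeta }    # drop registry-provider metadata
    foreach ($p in $props) {
        $cmd = [string]$p.Value
        # strip surrounding quotes and any arguments that follow the executable
        $exe = if ($cmd -match '^"([^"]+\.exe)"') { $Matches[1] }
               elseif ($cmd -match '^(\S+\.exe)')  { $Matches[1] }
               else { $cmd }
        $leaf = [System.IO.Path]::GetFileNameWithoutExtension($exe)
        if ($exe -like "$LocalAppData\*" -and $leaf -match $RandomExe) {
            [pscustomobject]@{ Type = 'RunKeyValue'; Name = $p.Name; Path = $exe }
        }
    }
}

function Get-SuspiciousLocalAppDataExes {
    # Every .exe under %LOCALAPPDATA% whose base name is exactly 8 letters/digits
    Get-ChildItem -Path $LocalAppData -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $RandomExe } |
        ForEach-Object { [pscustomobject]@{ Type = 'LocalAppDataExe'; Name = $_.Name; Path = $_.FullName } }
}

function Get-RansomNotes {
    # "HELP" notes: extension-less as dropped, or already renamed to HELP.txt
    Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter 'HELP*' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -ceq 'HELP' -and $_.Extension -in @('', '.txt') } |
        ForEach-Object { [pscustomobject]@{ Type = 'RansomNote'; Name = $_.Name; Path = $_.FullName } }
}

$Findings = @(Get-SuspiciousRunValues) + @(Get-SuspiciousLocalAppDataExes) + @(Get-RansomNotes)
$Findings | Format-Table -AutoSize
# Keep a record of what was found before anything is deleted
$Findings | Export-Csv -Path (Join-Path $env:USERPROFILE 'ransomware_triage.csv') -NoTypeInformation
```

The script deletes nothing; review the listed paths (a legitimate program can also have an 8-character name) and then remove only the confirmed items following the steps above.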

In non-techie terms:

You need to stay away from suspicious software installers and spam emails to ensure that the malicious Ransomware cannot slither into your operating system. If this threat attacks, it can successfully encrypt all personal files found on the targeted computer. Once files are encrypted, there is nothing anyone can do to help you recover them. What about paying the ransom for a decryptor? We cannot even guarantee that it exists, and it is highly unlikely that cyber criminals would care to provide it to you once you have paid the ransom. So, if you do not want to risk wasting your money, forget about paying the ransom. When it comes to the removal of Ransomware, it is strongly recommended that victims install anti-malware software, because besides automatically erasing malicious threats, it can ensure full-time protection in the future. Virtual protection is something you must think about even if you successfully erase the threat using the guide above.