PedCont Ransomware Removal Guide

Do you know what PedCont Ransomware is?

PedCont Ransomware is a unique infection; there is no doubt about that. Although it presents itself as ransomware, it is not the regular file-encryptor that we usually get to analyze in our internal lab. What makes this malicious threat unusual is that if it manages to slither into your operating system, it can quickly turn your computer off and then paralyze it completely. Once your system is paralyzed, you will not be able to remove PedCont Ransomware from your system even if you reboot it into Safe Mode. According to our research team, the only solution in this situation is to reinstall Windows, and, of course, your personal files would be lost in the process. Naturally, the creator of the infection offers a solution, and it might sound pretty attractive to most victims. The threat asks for a ransom of 50 USD, which is not a tragically huge sum. The problem is that no one knows whether the cyber crooks would unlock your system and free your files if you paid the ransom. So, how do you recover data, and how do you delete the malicious infection? Continue reading to find out.

Although the malicious PedCont Ransomware does not encrypt files and does not act like a normal file-encrypting ransomware, our researchers suggest that this infection is likely to use the same security backdoors to slither in. These include corrupted spam emails, unsafe RDP channels, and malicious downloaders. The launcher of the malicious threat is likely to be concealed, and you might be tricked into opening it as a normal file. For example, the threat could pose as a harmless .SCR file. Once the infection is executed, it immediately launches a window with an extensive message. According to it, you are a criminal who has been seeking child pornography or other kinds of illegal content, and for that reason all of your personal files have been locked up. The message threatens that information about the illegal activity will be sent to “authorities” if you do not follow the instructions. These instructions include paying $50 within 72 hours using Bitcoin or Litecoin. Three unique wallet addresses (see the list below) are offered for each of the two currencies, and, at the time of research, they were all empty.

Bitcoin wallet addresses:

    • 3J5iYJJYWduztWbVrEzMxdrSq2yHq3J63s
    • GAdfWTBkDaX4DBGw6zwgZbgEucs2G (appears to be incomplete)
    • 3NNFC86T37qQYr2btGRnaCRM7BxhKQrL4P

Litecoin wallet addresses:

    • LMaetVuUjLCed5CFf3faBQPizApDbxaqBa
    • LhXtJ3Tu7dYxWnvRcW6oNuVi2xGZxpzTk4
    • LZ3ExpgenSQwLftRn2LmhcQtsjneNeHzkM

Can you de-paralyze your operating system by paying the ransom requested by PedCont Ransomware? It is possible that that would happen, but we cannot say how big or small the chance is. Well, what if you close the window presented by the malicious infection? Your files are not encrypted, and so you might think that you can solve the issue by closing the window. Unfortunately, that is not exactly the case. If you are fast enough, you might be able to remove the PedCont Ransomware entries under the taskmgr.exe, svchost.exe, regedit.exe, and explorer.exe keys in the Windows Registry. If you are not quick enough, the malicious ransomware will simply shut down your computer. Afterward, when your system reboots, you will face a black screen with a cursor, but you will not be able to use it or do anything else. Unfortunately, this all means that the victims of this devious threat are unlikely to be able to delete the threat in time to regain access to their personal files.

The instructions below can be intimidating to any user. However, if you are determined to unlock your system and ensure that all personal files are safe, you will need to follow them. As you can see, deleting PedCont Ransomware manually involves quite a few steps, and since you do not have all the time in the world, we suggest focusing on the taskmgr.exe, svchost.exe, regedit.exe, and explorer.exe registry keys first. If you remove the “Debugger” value under these keys, you should be able to regain access to your files and to the system. Afterward, you should install anti-malware software to ensure full-time protection against PedCont Ransomware and similar malicious infections. Hopefully, this malicious threat has not invaded your operating system yet, and you still have time to take care of your virtual security. Without a doubt, employing anti-malware software is the most important step. It is also important to back up all personal files, because if files are backed up, you do not need to worry even if malware manages to corrupt or block access to the original copies.

Remove PedCont Ransomware

  1. Simultaneously tap keys Win+R to launch RUN.
  2. Enter regedit.exe and click OK to launch Registry Editor.
  3. In the menu navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
  4. Delete the value called Debugger under all of these keys:
    • explorer.exe
    • regedit.exe
    • svchost.exe
    • taskmgr.exe
    • chrome.exe
    • cmd.exe
    • conhost.exe
    • dwm.exe
    • firefox.exe
    • iexplore.exe
    • mbam.exe
    • Microsoft.Photos.exe
    • MicrosoftEdge.exe
    • mspaint.exe
    • opera.exe
    • plugin-container.exe
    • rstrui.exe
    • rundll32.exe
    • safari.exe
    • SearchIndexer.exe
    • setup.exe
    • skype.exe
    • SystemSettings.exe
    • updater.exe
    • WinRAR.exe
  5. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ and delete the Debugger value under the keys with the same names.
  6. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  7. Delete the value named SCRService.
  8. Exit Registry Editor and then launch Windows Explorer by tapping keys Win+E.
  9. Enter %WINDIR% into the bar at the top.
  10. Delete the file named ScreenSaver.scr.
  11. Empty Recycle Bin and then scan your operating system to check for leftovers.
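The steps above can be audited and carried out from an elevated PowerShell prompt in one pass. The script below is an added example written for this guide, not code from the original article; it assumes only the key, value, and file names the steps list (the `Debugger` values under both IFEO hives, the `SCRService` Run value, and `%WINDIR%\ScreenSaver.scr`) and reports what it finds before anything is removed.

```powershell
# Audit, and with -Remove clean up, the IFEO "Debugger" hijack described in this guide.
# Run as Administrator. Assumes the key/value/file names from the removal steps above.
param([switch]$Remove)

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Process names the guide lists as hijacked by PedCont.
$targets = 'explorer.exe','regedit.exe','svchost.exe','taskmgr.exe','chrome.exe','cmd.exe',
    'conhost.exe','dwm.exe','firefox.exe','iexplore.exe','mbam.exe','Microsoft.Photos.exe',
    'MicrosoftEdge.exe','mspaint.exe','opera.exe','plugin-container.exe','rstrui.exe',
    'rundll32.exe','safari.exe','SearchIndexer.exe','setup.exe','skype.exe',
    'SystemSettings.exe','updater.exe','WinRAR.exe'

# Collect every target key that carries a Debugger value (Wow6432Node is absent on 32-bit Windows).
$findings = @()
foreach ($root in $ifeoRoots) {
    foreach ($exe in $targets) {
        $key = Join-Path $root $exe
        if (-not (Test-Path $key)) { continue }
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += [pscustomobject]@{ Key = $key; Debugger = $dbg } }
    }
}

# The Run-key persistence entry and the dropped screensaver file named in steps 6-10.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name SCRService -ErrorAction SilentlyContinue).SCRService
$scr    = Join-Path $env:WINDIR 'ScreenSaver.scr'

# Report first so the operator can see where each Debugger value points.
$findings | Format-Table -AutoSize
if ($runVal)        { "Run value SCRService = $runVal" }
if (Test-Path $scr) { "Dropped file present: $scr" }

if ($Remove) {
    foreach ($f in $findings) { Remove-ItemProperty -Path $f.Key -Name Debugger -Verbose }
    if ($runVal)        { Remove-ItemProperty -Path $runKey -Name SCRService -Verbose }
    if (Test-Path $scr) { Remove-Item -Path $scr -Force -Verbose }
}
```

Run it once without `-Remove` and review the `Debugger` column: IFEO `Debugger` is also a legitimate Windows feature used by developer debuggers, so confirm the value points at the malicious launcher rather than a tool you installed before deleting it.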

In non-techie terms:

PedCont Ransomware is an incredibly malicious infection that is capable of paralyzing the operating system and presenting the victim with a demand to pay a ransom of 50 USD. First, the demand is made, and if the victim wastes too much time, or if they close the ransom window, the computer is shut down; once it reboots, a black screen is shown, and the user cannot do anything to regain access to the operating system. The only thing that you could do in a situation like this is to reinstall Windows, and, of course, if personal files are not backed up, this would mean a great loss. If you have not faced this malicious infection yet, you need to make sure that you install reliable anti-malware software and back up your personal files immediately. If it has invaded your system already, and you are trying to delete PedCont Ransomware, you need to do it fast because your window of opportunity is very small.