PokemonGo Ransomware Removal Guide

Do you know what PokemonGo Ransomware is?

As the name suggests, PokemonGo Ransomware is not the popular game Pokémon Go, but a malicious ransomware-type infection set to encrypt your files and demand money to decrypt them. Removing this malicious program is highly recommended because we would not trust its developers to deliver you the decryption program once you have paid. In any case, you should not give into paying the ransom because, by doing so, you will only finance the development of new ransomware. Many things need to be said about it, and we invite you to continue reading this description.

Our malware analysts have obtained and tested PokemonGo Ransomware’s sample and found several features that are not characteristic of typical ransomware, but let us start from the beginning. Research has shown that this program’s main executable is named PokemonGo.exe, and it has the iconic Pikachu image as its icon. Now, we think that the choice of name and icon is not accidental. The developers target users who might think that that is a PC-based game and run the executable on their accord. Our researchers have found that this ransomware copies itself to all connected external drives, flash drives and other storage devices with the help of an autorun.inf file that is created upon infection. Furthermore, it is set to make a copy of itself to each internal hard drive, so this ransomware’s developers use deceptive and openly malicious methods to distribute it.

Nevertheless, we think that its primary dissemination method is email spam. Researchers say that the spam is sent from a dedicated server to random email addresses. The emails might either feature download links to PokemonGo.exe, or they might carry the executable inside a file archive. The cyber criminals are bound to use some form of social engineering to get users to open the malicious file or link.

Once running on your computer, PokemonGo Ransomware will scan it for file formats that include .docx, .xls, .xlsx, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png, .ppt, .pptx, .odt, .jpg, .png, .txt, .rtf, .doc, .pdf, and .mht, encrypt them using the Advanced Encryption Standard (AES) algorithm, and demand that you contact the provided email address to get instructions on how to get them back. Of course, this involves paying a ransom of an unspecified amount. While encrypting, this ransomware appends the .locked extension to the files, an indication that they have been encrypted. Once the encryption is complete, the ransomware changes the desktop wallpaper to an image of Pikachu on a black background with writing in Arabic. The sentence in Arabic says that your files have been encrypted and that you have to contact the provided email address to get them back. Given that the ransom note is in Arabic, we think that it is meant to be disseminated in regions with a significant Arabic-speaking population. Nevertheless, no computer is safe, and anyone can get it under the wrong circumstances.

In addition to encrypting the files on your PC and making a copy of itself on each connected removable drive, PokemonGo Ransomware will also create a backdoor Windows administrator account named Hack3r, but you will not be able to see this account, because the ransomware also creates a registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList with the value data "Hack3r" = 0. This registry entry hides the presence of the account. The cyber criminals can then use this account to access your computer and perform whatever actions they want.
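The three host-level indicators described above (a UserList value set to 0 hiding a local administrator, an autorun.inf planted on attached drives, and files renamed with the .locked extension) can be checked in one pass. The following PowerShell audit is an added example written for this guide, not a script from the original page or from any vendor; the output object shapes, the scanned roots and the helper names are our own assumptions, and the Get-Local* cmdlets require Windows 10 / Server 2016 or later in an elevated session.

```powershell
# Added example: audit a Windows host for the indicators described in the text.
# Run from an elevated PowerShell 5.1+ session. Scan roots and field names are assumptions.

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLocalAccounts {
    # Every value under UserList whose data is 0 hides that account from the logon UI.
    if (-not (Test-Path $UserListKey)) { return @() }
    $item   = Get-ItemProperty -Path $UserListKey
    # Members of the local Administrators group, reduced to the bare account name.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { ($_.Name -split '\\')[-1] })
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
        if ($prop.Value -eq 0) {
            [pscustomobject]@{
                Account = $prop.Name
                IsAdmin = ($admins -contains $prop.Name)
                Exists  = [bool](Get-LocalUser -Name $prop.Name -ErrorAction SilentlyContinue)
            }
        }
    }
}

function Get-AutorunFiles {
    # Report every autorun.inf at a drive root and the command it is configured to launch.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path $inf)) { continue }
        $hit = Select-String -Path $inf -Pattern '^\s*(open|shellexecute)\s*=\s*(.+)$' |
               Select-Object -First 1
        $launch = '(no open= line found)'
        if ($hit) { $launch = $hit.Matches[0].Groups[2].Value.Trim() }
        [pscustomobject]@{ Drive = $drive.Root; Launches = $launch }
    }
}

function Get-LockedFileSummary {
    param([string[]]$Roots = @($env:USERPROFILE))
    # Count files carrying the .locked marker the ransomware appends after encryption.
    $files = foreach ($r in $Roots) {
        Get-ChildItem -Path $r -Recurse -Force -Filter '*.locked' -File -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Count  = @($files).Count
        Sample = @($files | Select-Object -First 5 -ExpandProperty FullName)
    }
}

Write-Host '== Hidden local accounts (UserList data = 0) =='
Get-HiddenLocalAccounts | Format-Table -AutoSize
Write-Host '== autorun.inf files on attached drives =='
Get-AutorunFiles | Format-Table -AutoSize
Write-Host '== .locked files under the user profile =='
Get-LockedFileSummary | Format-List
```

A hidden account that is also a member of Administrators (IsAdmin = True, Exists = True) is the combination the text describes; an autorun.inf whose Launches column names PokemonGo.exe is the removable-media spreading mechanism. A non-zero .locked count is the cue to isolate the machine and locate backups before any cleanup.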

Therefore, if your computer has become infected with PokemonGo Ransomware, we suggest that you act quickly and remove it before it causes more damage to your system. Our security experts have prepared a manual removal guide that you can use, but you can also delete it with an antimalware tool such as SpyHunter. In any case, you have to take action now to be able to use your PC as normal.

Delete this ransomware’s files

  1. Delete PokemonGo.exe.
  2. Hold down the Windows+E keys.
  3. Type Control Panel\User Accounts and Family Safety\User Accounts\Manage Accounts in the address box.
  4. Locate the user named Hack3r.
  5. Right-click it and click Delete.
  6. Close File Explorer.

Erase the registry key

  1. Hold down the Windows+R keys.
  2. Type regedit in the dialog box and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.
  4. Locate the "Hack3r" value (data 0) and delete it.
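The two manual procedures above (deleting the executable and the Hack3r account, then erasing the UserList value) can also be carried out from an elevated PowerShell session. The script below is an added example for this guide, not the page's own tool; it assumes the executable may have been copied to any drive, so it searches for it by name, and it relies on the Remove-LocalUser cmdlet shipped with Windows 10 / Server 2016 and later.

```powershell
# Added example: scripted equivalent of the manual removal steps above.
# Run elevated. Assumptions: copies of PokemonGo.exe may sit anywhere on any drive,
# and the account/registry names are exactly those given in the guide.

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$Account     = 'Hack3r'
$Executable  = 'PokemonGo.exe'

# Step A: stop the running process so its files can be deleted.
Get-Process -Name 'PokemonGo' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step B: remove every copy of the executable and every autorun.inf that launches it,
# on internal and removable drives alike (the text says it copies itself to both).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Recurse -Force -Filter $Executable -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Remove-Item -LiteralPath $_.FullName -Force
            "removed $($_.FullName)"
        }
    $inf = Join-Path $drive.Root 'autorun.inf'
    if ((Test-Path $inf) -and (Select-String -Path $inf -Pattern 'PokemonGo\.exe' -Quiet)) {
        Remove-Item -LiteralPath $inf -Force
        "removed $inf"
    }
}

# Step C: delete the backdoor administrator account ("Delete this ransomware's files" steps 2-6).
if (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue) {
    Remove-LocalUser -Name $Account
    "removed local user $Account"
}

# Step D: delete the UserList value that hid the account ("Erase the registry key" steps).
if (Test-Path $UserListKey) {
    $props = Get-ItemProperty -Path $UserListKey
    if ($null -ne $props.$Account) {
        Remove-ItemProperty -Path $UserListKey -Name $Account
        "removed registry value $Account"
    }
}
```

Remove-LocalUser deletes the account but leaves its profile folder under C:\Users, so check there afterwards; and because the steps delete the executable before the registry value, a re-run is safe if the script is interrupted part-way through.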

In non-techie terms:

PokemonGo Ransomware is a highly malicious application that you ought to remove as soon as possible. It is set to encrypt your files and demand that you pay a ransom for the decryption tool, but the chances are that you will not get it after paying. In any case, this ransomware also creates a backdoor for the cybercriminals to enter your computer, and it makes copies of itself on all storage devices to spread to other machines. So be sure to delete it using the guide provided above or an antimalware program.