Poop Ransomware Removal Guide

Do you know what Poop Ransomware is?

When a strong mold is created, it can be used to create many copies of the same thing. Poop Ransomware might seem like a unique treat, but, in fact, it was created using the already-built Hidden Tear source code. That is why it is so similar to Facebook Ransomware, TrumpHead Ransomware, EnybenyCrypt Ransomware, and many other infections that our research team has reviewed in the past. The name of this threat, as you can see, is very charming, and so is the infection itself. Of course, we are being sarcastic here. When the threat slithers in, it encrypts files, and recovering them is not possible. You can read them only if you have a decryptor, but you are unlikely to obtain it even if you do as told by the cyber criminals behind this infection. Hopefully, you can replace the corrupted files with backup copies, but, in any case, you must not forget to remove Poop Ransomware.

Just like the launchers of other threats from the same family, the launcher of Poop Ransomware is likely to be spread using a misleading email message, or it could be dropped using unsafe RDP configurations. Once the threat is in – and you are unlikely to notice it – it creates a copy of itself. In our case, it was named “local.exe,” but it could be named something else for you. This malicious file can be found in the “%APPDATA%\Windows Folderuser” folder. The copy is important because if the victim removes the original launcher before the files can be encrypted, the job can still be done by the copy. Also, the original launcher file is set to delete itself after the files are encrypted. Poop Ransomware only encrypts files in very specific locations, which include %USERPROFILE%\Contacts, %USERPROFILE%\Desktop, %USERPROFILE%\Documents, %USERPROFILE%\Downloads, %USERPROFILE%\Links, and %USERPROFILE%\Pictures. Hopefully, you do not store any of your personal files in these folders, but if you do, they are bound to be encrypted.Poop Ransomware Removal GuidePoop Ransomware screenshot
Scroll down for full removal instructions

The malicious copy file (“local.exe”) launches a window to introduce the victims of Poop Ransomware to the demands of cyber attackers. The message represented via the window informs that the AES-256 encryption algorithm was used for the encryption and that the files can be retrieved by following certain steps. These include signing up on telegram.org, sending a message to @CyberDexter, paying the ransom to an allocated Bitcoin Wallet, sending a screenshot of the payment confirmation, and then applying a special decryption code. The ransom is likely to be different for every victim, and that might depend on the conversion rates at a particular time. In our case, the ransom was 0.122 Bitcoin, which was around 1,100 USD. That is a lot of money for a tool that is unlikely to be provided to you anyway. Naturally, we do not recommend contacting the attackers or paying the ransom. At the time of research, the attackers’ Bitcoin wallet (the address is 1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF) had received 24 transactions that totaled 0.16 Bitcoin.

Ransomware is very dangerous and very destructive, and if Poop Ransomware managed to get in, it is very possible that you will not be able to recover the encrypted files. Hopefully, no important files were corrupted, or you have backup copies that you can use to replace them. It is crucial to backup all files because there are threats that are able to encrypt every single file on the infected machine. Of course, while it is important to be prepared for attacks, you want to prevent them from happening in the first place. We advise installing anti-malware software to have well-rounded protection. You can also use it have Poop Ransomware deleted automatically. If that is not your choice, go ahead and delete the infection’s copy manually.

Remove Poop Ransomware

  1. Launch Windows Explorer (tap Win+E keys).
  2. Enter %APPDATA% into the field at the top.
  3. Right-click and Delete the folder named Windows Folderuser.
  4. Empty Recycle Bin.
  5. Install and run a legitimate malware scanner to check for leftovers. Do not skip this step to make sure that the original launcher did not stay behind.

In non-techie terms:

When Poop Ransomware slithers in using RDP vulnerabilities or spam emails, it creates a copy file, encrypts files, and then removes itself. Unfortunately, once the damage is done, even if you delete Poop Ransomware components, your files will not be restored. Legitimate decryptors do not seem to exist either. That leaves you with the decryptor offered by the attackers, but you should not trust them. All they want is your money, and it would be naive to think that they would rush to help you recover your files once they got it. Instead of figuring out how to recover the files, we recommend focusing on the removal of the infection. Although you might be able to get rid of the threat manually, we strongly advise implementing anti-malware software. It will automatically erase existing malware and will secure your system to protect it against other threats.