RansomCuck Ransomware Removal Guide

Do you know what RansomCuck Ransomware is?

RansomCuck Ransomware is a nasty computer infection that does not ask permission to enter the computer. Our team of specialists has tested this threat and found that it is based on the Detox Ransomware. Therefore, it did not take long to understand what its main goal is and how it acts once it is inside the computer. At the time of research, this ransomware infection did not work properly, i.e. it did not communicate with its command and control (C&C) servers and, as a consequence, did not encrypt any files on the infected computer; however, our specialists are still sure that it has been developed primarily to lock personal files and then demand a ransom. In other words, it seeks to obtain money from users like other computer threats classified as ransomware. It does not matter whether it has encrypted your files or not: you need to get rid of RansomCuck Ransomware immediately if you ever encounter it (you will notice its presence quickly because it does not try to hide itself). This ransomware is a serious computer infection. Also, it blocks system files, including cmd.exe, taskmgr.exe, and regedit.exe, which means that it will be impossible to open the Registry Editor, Task Manager, and Command Prompt. Consequently, the RansomCuck Ransomware removal will be an extremely challenging task.

Even though our researchers got their hands on a version that does not work fully, it does not mean that a working version does not exist or that this ransomware will not be fixed in the future. Therefore, you need to know what to expect from RansomCuck Ransomware. First of all, our research has shown that this infection should encrypt all personal files it manages to find on the computer, e.g. images, presentations, documents, text files, etc., adding the .encrypt extension to all of them. Once it is done with these files, it should create the RansomCuck.txt file on the Desktop and open a window with the ransom note. You will see the following text (it is only an excerpt from the original message):

All files including videos, photos and documents on your computer have been encrypted by this software.

Encryption was produced using a unique key specific to your computer. The only way to obtain your files back is to decrypt them using the unique key specific to your computer.

Your unique key is stored on a TOR server which will automatically destroy itself after 2 weeks. After that, no one will be able to restore your files.

Also, you will be told that you need to pay money for the decryptor ASAP. Of course, you do not need to do that if you have encountered the version that does not do anything. To be frank, our specialists do not think that it is a good idea to send money to cyber criminals even if personal files have really been encrypted by the ransomware because, in most cases, cyber criminals do not even bother sending the decryptor after they receive the money. Instead, people should delete the ransomware infection from their computers and then use free tools to recover their files, or restore files from a backup. Of course, free tools rarely help, but there are also no guarantees that your files will be unlocked after you pay the amount of money cyber criminals require.

Ransomware infections are dangerous threats that enter computers secretly and cause many problems. Therefore, you need to be careful in the future if you do not wish to allow another similar file-encrypting ransomware to enter your computer. There is not much an ordinary computer user can do about that, so we simply suggest installing a security tool on the computer. You should also stay away from the spam mail folder because it has been revealed that various ransomware infections are often distributed through spam emails. The malicious file comes as a spam email attachment, so ransomware manages to enter the computer the second such an attachment is opened by the user.

As you already know, RansomCuck Ransomware blocks system utilities by making changes in the system registry. For example, it changes the Value data of particular Values located in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System and HKCU\Software\Policies\Microsoft\Windows\System from 0x00000000 (0) to 0x00000001 (1), which means that you will have to download an external registry editor from the web first and then undo the changes it has made. You will find the manual removal instructions that will help you with that below this article; however, if you feel that the manual removal of this ransomware is not for you, you should acquire an automatic malware remover, e.g. SpyHunter, and then perform the system scan with it.

Remove RansomCuck Ransomware manually

  1. Download the tool for editing the system registry.
  2. Enable the Task Manager by removing the Value DisableTaskMgr which you will find in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Delete the DisableRegistryTools Value from HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  4. Locate the DisableCMD Value in HKCU\Software\Policies\Microsoft\Windows\System and delete it too.
  5. Go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  6. Find the RW Value and remove it.
  7. Close the registry editor and open the Task Manager (Ctrl+Shift+Esc).
  8. Open the Processes tab.
  9. Locate the process of the ransomware, right-click on it, and click End Process.
  10. Find and delete the executable file of the ransomware from your PC.
  11. Empty the Recycle bin and reboot your PC.
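
Steps 2 to 6 can also be checked from a script. The following PowerShell is an added example, not part of the original guide or of any vendor tool: it reports whether each registry Value named above is present and deletes it only when run with the hypothetical -Fix switch. It assumes PowerShell can still be started on the affected machine, which the guide does not confirm.

```powershell
# Added example: audit, and with -Fix undo, the registry changes from the manual steps.
# Key paths and value names are the ones listed in this guide; the -Fix switch is hypothetical.
param([switch]$Fix)

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$targets = @(
    @{ Path = $policyKey; Name = 'DisableTaskMgr' },        # step 2
    @{ Path = $policyKey; Name = 'DisableRegistryTools' },  # step 3
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },        # step 4
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'RW' }  # steps 5-6
)

foreach ($t in $targets) {
    $label = '{0}\{1}' -f $t.Path, $t.Name
    # Returns nothing (error suppressed) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "absent   $label"
        continue
    }
    # Print the data first: for the Run entry it is the command line of the
    # executable that step 10 tells you to find and delete.
    Write-Output ("present  {0} = {1}" -f $label, $item.($t.Name))
    if ($Fix) {
        try {
            Remove-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction Stop
            Write-Output "removed  $label"
        } catch {
            # The HKLM entry needs an elevated session; report and keep going.
            Write-Output ("failed   {0}: {1}" -f $label, $_.Exception.Message)
        }
    }
}
```

HKCU resolves to the account that runs the session, so run the script as the affected user; an elevated session under a different administrator account would inspect that account's hive instead. Run it once without -Fix and note the data of the RW entry before removing anything.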

In non-techie terms:

If you find the manual removal method too complicated and decide to use SpyHunter instead, you should know that it will automatically fix the Registry Editor and the Task Manager for you and then delete RansomCuck Ransomware fully; however, you will still have to fix the disabled Command Prompt yourself (check the 4th step in our manual removal guide).