Ransomware Removal Guide

Do you know what Ransomware is?

If Ransomware has invaded your operating system, your personal documents have most likely been encrypted, and a ransom note urging you to pay has been displayed. At the time of research, this infection is still in development, and so we do not know yet whether this threat will be spread widely. All in all, it certainly has the potential to invade unguarded operating systems and encrypt the files found on them. If this infection is actively distributed, it could hide behind spam emails or even software bundles, so you have to reinforce your system’s protection to ensure that one careless move does not lead to the infiltration of this malware. If it is successfully executed, it demands a ransom in return for a decryption key. Please continue reading to learn all about the malicious processes associated with this infection. We also discuss the removal of Ransomware.

The name of the suspicious Ransomware comes from an email address shown in the ransom note. This note is most likely displayed by the .exe file that is responsible for the entire infection. According to the message, all kinds of personal files were encrypted by the infection, and you need a special key to decrypt them. It is suggested that you need to transfer a ransom of $100 to the presented Bitcoin address and then send the transaction details to the email address. When researching this infection, our team noticed that the ransomware displayed a random eight-character code right before starting the encryption process. If you have noticed it as well, this is the password that you need to enter to decrypt your files, and it is hidden in the “pass” value in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion key. It is possible that the password will not be provided to the victims of the Ransomware in the future; however, at the time of research, it was possible to obtain this password.

If you are unable to retrieve the decryption password – which might happen if this flaw is fixed by the time Ransomware is fully released – your only option might be paying the ransom. The files encrypted by this infection can be identified by the “.enc” extension appended to their names, and you need to look at these files very carefully. If you find that the files encrypted by the ransomware have backups, you do not need to worry about them. If backups do not exist, you will probably need to consider the ransom. Needless to say, it is extremely risky to interact with cyber criminals under any circumstances, and so you should think very carefully about your next move. Note that if you pay the ransom, it is possible that it will do you no good.

The instructions below show how to retrieve the password and apply it to decrypt your files. Whether or not this works, you need to make sure that you delete Ransomware as well, and the added steps should help you with that. Of course, you do not need to proceed manually. Instead, you can install an anti-malware tool, and this is the option we recommend because anti-malware software can fully clean your operating system and ensure that it is guarded in the future. If the malicious ransomware has invaded your computer, it is only because it was not protected appropriately.

How to Retrieve the Password Step 1:

Windows XP/Windows 7/Windows Vista

  1. Restart the computer.
  2. Wait for BIOS to load and then start tapping F8.
  3. Using arrow keys select Safe Mode and then tap Enter.
  4. When the PC reboots, move to Step 2.

Windows 8/Windows 8.1

  1. Open the Charm bar in Metro UI.
  2. Click the Settings tab and then click Power.
  3. Hold down the Shift key and click Restart.
  4. Go to Troubleshoot and click Advanced options.
  5. Go to Startup Settings and then click Restart.
  6. Select F4 to reboot in Safe Mode.
  7. When the PC reboots, move to Step 2.

Windows 10

  1. Click the Windows logo on the Taskbar and click Power.
  2. Simultaneously press the Shift key and click Restart.
  3. Open the Troubleshoot menu.
  4. Go to Advanced options and then Startup Settings.
  5. Click the Restart button and then select F4 for Safe Mode.
  6. When the PC reboots, move to Step 2.

How to Retrieve the Password Step 2:

N.B. This might not work if the ransomware is updated.

  1. Launch RUN by tapping Win+R keys.
  2. Enter regedit.exe and click OK to launch Registry Editor.
  3. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion.
  4. Double-click the value called pass.
  5. Record or memorize the password (should be 8 characters).
  6. Reboot the PC in normal mode.
  7. When the ransom note pops up, enter the code into the PASSWORD box.

Remove Ransomware

  1. Launch RUN by tapping Win+R keys.
  2. Enter regedit.exe to access Registry Editor.
  3. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click and Delete the {random name} value representing the {random name}.exe file.
  5. Launch Explorer by tapping Win+E keys.
  6. Enter %HOMEDRIVE%\Logs\System\Windows\DefaultApplications into the bar at the top.
  7. Right-click and Delete the {random name}.exe file associated with the value mentioned above.
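The following PowerShell triage script is added here and is not part of the original guide. It checks, read-only, the indicators that the two procedures above rely on: the “pass” value under CurrentVersion, Run entries whose command points into the drop folder, the dropped executable itself, and how many “.enc” files exist under the user profile. It assumes only the registry value and folder names the guide lists; deleting the Run value and the executable still follows steps 4 and 7 above.

```powershell
# Added triage script (not from the original guide). Assumes the registry
# value and folder names given in the guide; the Run value name is random,
# so persistence is matched on the executable's folder instead of its name.
$cvKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$runKey  = "$cvKey\Run"
$dropDir = Join-Path $env:HOMEDRIVE 'Logs\System\Windows\DefaultApplications'
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Decryption password left in the "pass" value (guide, Step 2).
$pass = (Get-ItemProperty -Path $cvKey -Name 'pass' -ErrorAction SilentlyContinue).pass
if ($pass -and $pass.Length -eq 8) {
    Write-Output "Recovered 8-character password from 'pass' value: $pass"
} elseif ($pass) {
    Write-Output "'pass' value present but $($pass.Length) characters long; verify before use: $pass"
} else {
    Write-Output "No 'pass' value found; the flaw may have been fixed in a newer build."
}

# 2. Persistence: Run values whose command points into the drop folder.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$suspects = @()
if ($runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }   # skip provider metadata, not real values
        if ($p.Value -is [string] -and $p.Value -like '*\Logs\System\Windows\DefaultApplications\*') {
            $suspects += [pscustomobject]@{ ValueName = $p.Name; Command = $p.Value }
        }
    }
}
Write-Output ("{0} suspicious Run value(s) under {1}" -f $suspects.Count, $runKey)
$suspects | Format-Table -AutoSize

# 3. Dropped executable(s) in the folder the guide names, hashed for your records.
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Filter '*.exe' -File |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
} else {
    Write-Output "Drop folder not present: $dropDir"
}

# 4. Scope of encryption: count ".enc" files so you can compare against backups.
$enc = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.enc' -File -ErrorAction SilentlyContinue
Write-Output ("{0} '.enc' file(s) found under {1}" -f $enc.Count, $env:USERPROFILE)
$enc | Select-Object -First 20 FullName
```

Run it from a normal user session before rebooting; the hash in section 3 gives you a record of the sample for an anti-malware vendor or incident ticket.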

In non-techie terms:

You have to delete Ransomware from your operating system immediately, but, first, you should try retrieving the password as shown in the guide above. If you find the password, you might be able to decrypt your files and avoid loss. If this does not work for you – and it might not if cyber criminals find this error and fix it – you might have to consider paying the ransom that is requested in return for a decryption key. Keep in mind that the creators of ransomware are unpredictable, and it is very possible that they will give you nothing even if you pay the ransom. Whatever the outcome may be, do not forget to remove the ransomware, implement reliable security software, and back up your personal files to prevent losing them.