Scorpio Ransomware Removal Guide

Do you know what Scorpio Ransomware is?

Scorpio Ransomware is a new piece of malware detected in June 2017 by specialists working in the cybersecurity field. It shares the same goal as ransomware infections developed some time ago: it also seeks to obtain money from the users of compromised machines. To get that money, it first scans the entire system to find out where the user's files are located. Then it encrypts them all without mercy. Research has revealed that this ransomware uses the strong AES (Advanced Encryption Standard) cipher to lock files, so decrypting them is impossible without the private key. Cyber criminals presumably keep that key on a secret server so that users have to purchase the decryption key from them. The price of the decryption tool is unknown, but we are sure it will not be cheap, so you should not even think about sending cyber criminals money. They do offer to decrypt 3 files for free to prove that the decryption key is in their hands. Whether or not you receive those files back decrypted, delete Scorpio Ransomware from your system fully, because it will continue working on your PC even after a system restart. If you do not disable it, it might soon encrypt your new files as well.

Scorpio Ransomware enters computers illegally with the intention of getting money from users, so the first thing it does after finding where pictures, documents, media files, and even the user's favorite applications are located is encrypt them. Each encrypted file receives the new extension .[Help-Mails@Ya.Ru].Scorpio and, additionally, its name is encoded using the Base64 scheme, so files end up looking something like this: D6aypnDh2UFJlOCTmv56TkmOxkElr8JLIUzAYk.[Help-Mails@Ya.Ru].Scorpio. Once all files are locked, you should also find a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt in every folder containing encrypted files. The note first makes it clear why so many personal files can no longer be opened: “your important documents, databases, documents, network folders are encrypted for your PC security problems.” Users who read the entire note find out that they first have to contact the cyber criminals by sending an email containing their unique ID to Help-Mails@Ya.Ru. They are then given further information about the payment. In most cases, cyber criminals tell users to pay in Bitcoin so that they cannot be traced. If you have been reading this article from the beginning, you already know that we are strictly against paying cyber criminals: they might not hand over the key after receiving the money, and you might not get it even if you have had 3 files decrypted for free.

Research done by our advanced specialists has shown that Scorpio Ransomware is another ransomware-type infection that travels in spam emails. It is spread as an email attachment, and it is impossible to tell in advance that the attachment is malicious, which explains why so many users let Scorpio Ransomware onto their PCs without knowing anything about it. When the infection successfully enters the system, it places a copy of itself named database.exe in %APPDATA%. Then it creates a point of execution (PoE) so that it can continue working on the victim's PC even after a reboot. Last but not least, it runs the command vssadmin Delete Shadows /All /Quiet from the command prompt to delete the Shadow Copies of files and make it impossible to recover them without the special decryption key. Because of this, specialists usually refer to it as sophisticated malware. Unfortunately, we cannot promise that you will be able to delete it easily.

Before you go to remove Scorpio Ransomware, get acquainted with our removal guide and keep it near you during the removal procedure. You must remove this infection fully because leaving a single active component on the system might lead to the ransomware revival and the encryption of new files.

How to remove Scorpio Ransomware

  1. Open the Windows Explorer (press Win+E).
  2. Go to %APPDATA%.
  3. Delete database.exe if it has not removed itself.
  4. Close Explorer and press Win+R, type regedit.exe, and click OK.
  5. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  6. Check existing Values and delete (right-click on it and select Delete) the one pointing to database.exe (it could have already removed itself too).
  7. Remove ransom notes IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt from affected folders.
  8. Empty the Recycle Bin.
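As an added example (not part of this guide), the following PowerShell triage script reports the indicators described above, the dropped copy in %APPDATA%, the RunOnce value, files carrying the .[Help-Mails@Ya.Ru].Scorpio extension, the ransom notes, and whether any shadow copies remain, without deleting anything, so you can confirm what is present before following the manual steps. The choice of %USERPROFILE% as the scan root and the "No items found" string matched in the vssadmin output are assumptions.

```powershell
# Added triage script, not part of the original guide. Read-only: it reports
# Scorpio indicators and deletes nothing. Run from an elevated PowerShell.

$dropper    = Join-Path $env:APPDATA 'database.exe'
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$noteName   = 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt'
$encExt     = '.[Help-Mails@Ya.Ru].Scorpio'
$scanRoot   = $env:USERPROFILE   # assumption: widen to other drives if needed

# 1. Dropped copy of the ransomware in %APPDATA%
if (Test-Path -LiteralPath $dropper) {
    $hash = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
    Write-Output "FOUND dropper: $dropper (SHA256 $hash)"
} else {
    Write-Output "dropper not present: $dropper"
}

# 2. RunOnce value pointing at database.exe (the point of execution)
if (Test-Path -Path $runOnceKey) {
    $props = Get-ItemProperty -Path $runOnceKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if ("$($p.Value)" -match 'database\.exe') {
            Write-Output "FOUND RunOnce value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. Encrypted files and ransom notes under the scan root. The guide says only
#    %PROGRAMFILES%, %PROGRAMFILES(x86)% and %WINDIR% are skipped by the malware.
$files = Get-ChildItem -LiteralPath $scanRoot -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = $files | Where-Object {
    $_.Name.EndsWith($encExt, [System.StringComparison]::OrdinalIgnoreCase)
}
$notes = $files | Where-Object { $_.Name -ieq $noteName }

Write-Output ("encrypted files: {0}" -f @($encrypted).Count)
Write-Output ("ransom notes:    {0}" -f @($notes).Count)
@($notes) | Select-Object -First 5 | ForEach-Object { Write-Output "  note: $($_.FullName)" }

# 4. Shadow copies: if 'vssadmin Delete Shadows /All /Quiet' ran, none remain
$shadows = vssadmin list shadows 2>&1
if ($shadows -match 'No items found') {
    Write-Output 'no VSS shadow copies remain (consistent with the vssadmin deletion)'
}
```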

In non-techie terms:

Cyber criminals behind Scorpio Ransomware clearly know what they want from users, so they have set this infection to lock users' files right after it successfully enters the system. It not only encrypts files no matter where they are located (only three directories are left untouched: %PROGRAMFILES%, %PROGRAMFILES(x86)%, and %WINDIR%), but also drops a ransom note in various directories on the system. As expected, users are told that the only way to get a decryptor is to purchase it from the cyber criminals. Needless to say, sending money to malware developers in order to get it is a huge mistake.