Serpico Ransomware Removal Guide

Do you know what Serpico Ransomware is?

Serpico Ransomware might be a new version of a malicious program called DetoxCrypto Ransomware. Currently, the malware is written only in the Serbo-Croatian language, although it does not mean that the infection could not be distributed in unrelated regions. According to our researchers, the software might be spread with fake PDF documents that travel through Spam emails. If you accidentally infected your computer while launching such file, we can help you get rid of the malware. It is not an easy task, so if you are determined to eliminate the threat manually, it would be better to follow the removal guide placed below the article. Otherwise, users can get a reliable antimalware tool and let it deal with Serpico Ransomware. Also, we recommend reading the article for those who want to learn more about the malicious program and its encryption method.

As it was mentioned, the malware could be spread through fake PDF documents attached to emails. Such files are originally executable ones, but cyber criminals disguise them to look harmless. For instance, users might receive attachments that may have the icon of a PDF document. For example, the file could look like this one Document.pdf.exe.

When you launch the infected file, Serpico Ransomware should drop its main data in a new hidden folder titled as Serpico. It should be located in the %USERPROFILE% directory. The folder contains five files: bg.jpg, key.pkm, Serpico.exe, sound.wav, total.pkm. The JPEG image is used to change user’s default Desktop wallpaper. This picture contains a message from the cyber criminals, and it is also played through the user’s speakers when the malware launches sound.wav file. If you translate the message into English language, it says that your data is locked and to restore it you have to contact the infection’s creators via email.Serpico Ransomware Removal GuideSerpico Ransomware screenshot
Scroll down for full removal instructions

Furthermore, the note mentions another malicious application called CryptoLocker, although these two programs are not even related. It could be done intentionally to confuse the user. Since, you may not understand the language, the only parts of the text you could understand would be and CryptoLocker. In that case, you might search the Internet how to remove a different malware. Needless to say, that the removal instructions for CryptoLocker Ransomware would not delete this particular threat. Moreover, Serpico Ransomware’s creators ask the users to pay 50 euros for the decryption tools. The sum is not that huge compared to other similar malware, and yet we advise against making the payment. You can transfer the money, but no one can guarantee that the decryptor will arrive as promised. Thus, even if the sum does not look significant, consider the possibility you might lose it in addition to the encrypted data.

Serpico Ransomware uses AES encryption algorithm to encipher user’s personal data. It should target data that has the following extensions: .mdf, .sql, .cs, .php, .xls, .doc, .xlsx, .docx, .zip, .rar, .7z, .tar.bz2, .tar, .cab, .iso, .dat, .mdb, .db, .sqlite, .csv, .s3db, .sqlitedb, .dbf, .myd, .ibd, .ibz, .xlt, .ppt, .pptx, and so on. The unusual part is that the encrypted files might not have additional extensions, so it should look like nothing happened to them. The note says that if you delete the malware, you might be unable to restore your data. This could be true, but only if you are planning to purchase a decryptor from the cyber criminals. Volunteer IT specialists create decryptors for various threats too, and in such cases, the tool would work after the malicious program’s removal. We do not know if someone will make one for this infection, but it could be worth to look into it.

If you choose to ignore the cyber criminals and erase the malware we can offer a removal guide placed below the text. The process might be complicated so make sure that you follow all steps correctly. For users who cannot manage to delete Serpico Ransomware manually, we can suggest using a trustworthy antimalware tool. With its scanning feature, it should be easy to locate the infection’s malicious data. Once the tool finishes scanning the system, you can click on the deletion button and the threat will be taken care of.

Enable Show hidden files, folders, and drives

Windows 8 & 10

  1. Open the Explorer, select the View tab and click on Options.
  2. Select Change folder and search options, then click on View tab again.
  3. Select Show hidden files, folders and drives and press OK.

Windows 7 & Vista

  1. Go to Start, launch Control Panel, then choose Appearance and Personalization.
  2. Select Folder Options and click the View tab.
  3. Click Show hidden files, folders and drives and select OK.

Windows XP

  1. Navigate to Start, open Control Panel and pick Appearance and Themes.
  2. Choose Folder options, select the View tab and mark Show hidden files and folders.
  3. Click OK.

Remove Serpico Ransomware from system

  1. Open the Task Manager (Ctrl+Alt+Delete).
  2. Search for a process titled either as MotoxUnlocker.exe or Serpico.exe.
  3. Select the process and click the End Task button.
  4. Close the Task Manager and open Explorer (Windows Key+E).
  5. Navigate to %USERPROFILE%\Desktop
  6. Find a file called MotoxUnlock.exe, right-click it and select Delete.
  7. Go to %USERPROFILE% and locate the hidden folder called Serpico.
  8. Right-click the folder and press Delete.
  9. Find and erase the malicious file that you launched before the system got infected.
  10. Empty the Recycle bin.

In non-techie terms:

Serpico Ransomware is a troublesome infection that places its malicious data on the system and encrypts user’s personal data. It can lock various documents, pictures, photographs, videos, and other private files. If you have any copies of such data on remote cloud storages or removable media devices, it can be easily recovered, although it would be safer to erase the infection first. You can eliminate it with the removal guide available above or with a security tool.