Sherminator Ransomware Removal Guide

Do you know what Sherminator Ransomware is?

A red notification on your screen that mentions file encryption and the you.help5@protonmail.com email address might mean that your system is infected with a file-encrypting threat called Sherminator Ransomware. It shows this message after it encrypts the files located on an infected device. If you want to learn how this threat might enter a system and how to protect your computer from such malware in the future, we recommend reading our report. In this text, we also discuss how the malicious application works and how to delete it. To make it easier for victims to get rid of it, we provide a removal guide at the end of the article that shows how to erase Sherminator Ransomware manually. The process could look complicated to less experienced users, in which case we highly recommend employing a reputable antimalware tool.

The first thing you should know about Sherminator Ransomware is how it might enter a system and how to protect your computer from similar threats. According to our computer security specialists, the malware might get in through Spam emails and unsecured RDP (Remote Desktop Protocol) connections. Most similar malicious applications use these channels to infect targeted victims. Naturally, to secure your system, you should take care of unsecured RDP connections and keep away from unreliable email attachments that might come from unknown senders or Spam emails. We always advise scanning questionable data with a reputable antimalware tool first. If it appears to be malicious, your security tool should warn you and help you get rid of it.

If a file carrying Sherminator Ransomware gets launched, the malware should create a copy of itself in the %WINDIR% directory. The copy might be called svhost.exe, which is also the name of a legit file. The malicious application should also place an entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run location so that the system launches the malware each time it restarts. Then, the threat should start encrypting the user’s pictures, photos, various documents, and other personal data. The malicious application might append a unique second extension, generated for the particular device, to all encrypted files to separate them from other files. Afterward, Sherminator Ransomware should start blocking the Task Manager and drop a file called Decoder.hta. Launching it should place a red notification on top of the user’s screen.

The red notification displayed by the malware should contain a message explaining what happened to the files and how to get them back. To be more accurate, the message claims they can only be restored if the user contacts the malicious application's developers via the given email addresses. Nothing is said about having to pay a ransom, but we believe the cybercriminals are likely to demand one, as such threats are often used for money extortion. If you have backup copies, we recommend using them to replace the files that got encrypted. Of course, it is best to do so after deleting Sherminator Ransomware. You can eliminate it by following the removal guide placed below or with a reputable antimalware tool of your choice.

Erase Sherminator Ransomware

  1. Restart your computer in Safe Mode with Networking.
  2. Press Windows Key+E.
  3. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  4. Find a file opened when the device got infected, right-click the malicious file, and select Delete.
  5. Go to: %WINDIR%
  6. Look for a malicious .exe file that might be named svhost.exe, right-click it, and press Delete.
  7. Find this path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  8. Find a file called Decoder.hta, right-click it, and choose Delete.
  9. Exit File Explorer.
  10. Press Windows Key+R, type Regedit, and choose OK.
  11. Navigate to this path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  12. Look for a value name that could be related to the malicious application, for example, Autorun.SQL.
  13. Right-click the malware’s value name and press Delete.
  14. Close the Registry Editor.
  15. Empty the Recycle Bin.
  16. Restart the computer.
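
Before deleting anything by hand, the locations from the steps above can be checked in one pass. The following PowerShell script is an added example, not part of the original guide; it is read-only, and it inspects both the HKLM Run location named in the description and the HKCU Run location named in step 11. Treating Autorun.SQL as a match follows the guide's own "for example" and is an assumption, not a confirmed indicator.

```powershell
# Added example: read-only triage for the artifacts this guide names. Nothing is deleted.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Steps 5-6: a copy named svhost.exe directly under %WINDIR%.
# (The Windows service host is svchost.exe and resides in System32.)
$dropped = Join-Path $env:WINDIR 'svhost.exe'
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $sig  = (Get-AuthenticodeSignature -FilePath $dropped).Status
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    Add-Finding 'File' $dropped "Signature=$sig SHA256=$hash"
}

# Steps 7-8: Decoder.hta in the per-user Startup folder.
$note = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\Decoder.hta'
if (Test-Path -LiteralPath $note -PathType Leaf) {
    Add-Finding 'File' $note ("Created " + (Get-Item -LiteralPath $note).CreationTime)
}

# Steps 3-4: list executables and HTA files in the drop folders for manual review.
# The guide gives no file name for the launcher, so these are candidates only.
$dropDirs = $env:TEMP, (Join-Path $env:USERPROFILE 'Desktop'), (Join-Path $env:USERPROFILE 'Downloads')
foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.hta' } |
        ForEach-Object { Add-Finding 'Candidate' $_.FullName ("Modified " + $_.LastWriteTime) }
}

# Steps 11-13, plus the HKLM Run location mentioned in the description.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Flag values that point at the dropped files, or the example name from step 12.
        if ($name -eq 'Autorun.SQL' -or $data -match '\\svhost\.exe|Decoder\.hta') {
            Add-Finding 'RunValue' "$key\$name" $data
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this guide were found.' }
else { $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

Rows marked Candidate are only files of a type worth reviewing in the folders from step 3; rows marked File or RunValue correspond directly to items the guide tells you to delete.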

In non-techie terms:

Sherminator Ransomware is a malicious threat that encrypts your files to prevent you from accessing them. The note that shows up after the encryption process should claim that the hackers behind the malware can help you restore your data. You should be aware that if you do contact them via the given email address, they will most likely demand that you pay for decryption tools. In other words, you might be asked to pay a ransom. With the right decryption tools, you might be able to get all of your files back, but keep in mind that hackers cannot be trusted, and there is always a risk that you could be scammed and lose your money in vain. The best way to restore your files is to replace them with backup copies (copies of your data kept on removable media devices, cloud storage, etc.). Of course, before transferring your backup copies or creating new files, it would be safer to eliminate Sherminator Ransomware first. To erase it manually, you could complete the steps provided in the removal guide placed above. The other way to deal with the threat is to employ a reputable antimalware tool.