Strictor Ransomware Removal Guide

Do you know what Strictor Ransomware is?

Strictor Ransomware is a new troublesome infection that locks user’s files on a particular directory. The cyber criminals behind the malware place a black wallpaper with the image of a so-called “Guy Fawkes mask” and demands to be paid. Unfortunately, the users who paid the ransom found out that the tool which is supposed to unlock their files cannot be downloaded. Since these cyber criminals leave the password that was used to encrypt your data, we advise you to save it and wait till the decryption software appears on the Internet. In the meantime, you can remove the malicious file that launched Strictor Ransomware. For more detailed instructions check our recommended removal steps available below the article. If you want to learn more about this malware, continue reading as we will introduce you to what our researchers have discovered after testing it in the internal lab.

To begin with, the infection spreads through malicious email attachments. Probably, you could have received a suspicious file that looks like a PDF via spam. For example, the file could be named as “Bank_account_summary.” Although its icon looks exactly like a PDF file, it has an extension of the executable file (.exe). When you launch it, Strictor Ransomware creates a random password of 10 digits and uses it to encrypt your data. However, it does not choose a particular file type that should be encrypted, as most of the ransomware programs do. This malware encrypts your files that are placed in Documents directory, so other files on your computer should not be affected. According to our researchers, the ransomware uses the Advanced Encryption Standard (AES) encryption algorithm that allows the cyber criminals to encipher files with a password of 256 bytes in length and overwrite user’s files with the ciphered data. Also, the affected data will have an additional extension, e.g. mydocument.locked. As we mentioned before, you can obtain the password that is essential for your files to be decrypted. The passwords should appear in a file named as WindowsUpdate.locked that will be in the Documents directory. When you open the file, it should contain similar text to this one: “=U113QJQwz All your files are now under my rule, Pay me some Bitconis and make them yours.” Of course, the random password of 10 digits (e.g. =U113QJQwz) would be different for every user.Strictor Ransomware Removal GuideStrictor Ransomware screenshot
Scroll down for full removal instructions

Moreover, you will notice that the ransomware changed your desktop picture with its own wallpaper that contains the cyber criminal’s text, which says: “All your precious Files on your computer I have successfully encrypted!” Also, it demands you to pay 500 USD until a particular date, which could be different for each user. If you do not pay the ransom on time “the cost of decrypting files will increase two times and will be 1000 USD”. There are no payment instructions in the message, but there is a button titled “Pay,” and it redirects you to a website where actual instructions are given. Instructions are supposed to show you how to pay the ransom and obtain the decryptor, but we have not heard about any successful attempts to get this tool so far. Also, if it cannot connect to the Internet, it shows lots of annoying pop-ups with a demand to restore the Internet connection.

All things considered, you should save the password in some other location on your computer because the working decryptor might appear on the Internet. At this moment, we cannot confirm that your files will be unlocked after you transfer the ransom, but if you are willing to pay you could save the wallpaper or a link that leads to the payment instructions. Nonetheless, you should remove the malicious file that allowed Strictor Ransomware to enter your system. As we said above, this file could have a random name and it should be in the same directory you downloaded it. Also, it should look like a PDF document, but it would be with the .exe extension at the end. It should be easier to find it once you enable the Show hidden files, folders and drives option. Therefore, we will explain you all the removal process step by step in the instructions provided a little below.

Display hidden files and folders

Windows 8\Windows 10

  1. Open the Explorer, select the View tab on the top-left corner.
  2. Click Options on the top-right corner and select change folder and search options.
  3. Press the View tab and click Show hidden files, folders and drives.
  4. Click OK.

Windows 7\Windows Vista

  1. Go to Start and open Control Panel.
  2. Select Appearance and Personalization.
  3. Open Folder Options and choose the View tab.
  4. Select Show hidden files, folders and drives and click OK.

Windows XP

  1. Click on Start and open Control Panel.
  2. Select Appearance and Themes.
  3. Press Folder options and click the View tab.
  4. Mark Show hidden files and folders and click OK.

Remove Strictor Ransomware

  1. Locate malicious PDF document.
  2. Right-click it and select delete.
  3. Empty your Recycle bin.

In non-techie terms:

Strictor Ransomware is a recently created infection that locks user’s files in the Documents directory, but leaves a file containing the password that is essential if you want to decrypt your data in the future. As of now, some of the users tried to pay the ransom, but they could not obtain the tool for decryption. Therefore, we advise you to wait and delete the main malicious file of Strictor Ransomware if you want to avoid more damage from this malware or the annoying pop-ups.