Home / Spyware Help / Wiki Ransomware Removal Guide

Wiki Ransomware Removal Guide

by 0 Comments

Do you know what Wiki Ransomware is?

Our research team warns Windows users about Wiki Ransomware, a malicious file-encrypting threat that targets photos, videos, documents, and other types of personal files that, in most cases, cannot be replaced unless copies exist. Depending on how the user saves these copies, they could be, potentially, affected by the dangerous infection as well. So, for example, if you simply have copies of your files placed in a different folder, it is most likely that they will be corrupted. On the other hand, if backup copies exist online or on external drives, they should be fine as long as you do not expose them to the ransomware. That means that you should not connect external drives until you have Wiki Ransomware deleted. Without a doubt, the removal of this malware is the most important part of our analysis, and if you are interested in learning how to eliminate it, you should continue reading.

It is a must to mention Crysis/Dharma Ransomware when talking about Wiki Ransomware. Why? That is because this threat was created using the Crysis/Dharma malware code. It is not the only infection that has followed suit. Others include Uta Ransomware, Save Ransomware, MGS Ransomware, and Wal Ransomware. Depending on who is controlling this malware, the distribution could be personalized, but it is most likely to propagate via emails or remote access systems. It is easy to open a malicious email message if you are dealing with email every day. To make matters worse, the message delivering the infection’s launcher could be highly misleading. When it comes to remote access systems, if they are not disabled and up-to-date, cybercriminals can find a way to exploit them for malware execution. Once in, Wiki Ransomware encrypts files immediately, and you are unlikely to notice when that happens. Although all encrypted files are given the “.id-{unique ID code}.[bitlocker@foxmail.com].wiki” extension, you are likely to notice “FILES ENCRYPTED.txt” and “Info.hta” files first.Wiki Ransomware Removal GuideWiki Ransomware screenshot
Scroll down for full removal instructions

“FILES ENCRYPTED.txt” is created on the Desktop, and it states that files were locked and that the victim needs to email bitlocker@foxmail.com. “Info.hta” is created in two different locations (%APPDATA% and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ to open on Windows startup), and it delivers a more detailed note. According to it, the victim of Wiki Ransomware has to pay money to have their files decrypted, and that is why this malware is known as ransomware. The size of the ransom is not specified, and the method of payment lacks information as well, which might motivate victims to email the attackers. That is a risky move. If you send a message from your personal email account, it could be exposed to new scams. On top of that, if you follow the demands and pay the ransom, your money is likely to go to waste anyway, and so there is no reason to send the message in the first place.

Have you thought about the protection of your operating system? Clearly, it is lacking because Wiki Ransomware managed to get in. Since there are thousands of ransomware threats and then thousands of other types of infections, discussing protection is very important. We suggest utilizing anti-malware software because it can remove Wiki Ransomware and also reinstate full security at the same time. If that is not an option you are interested in, you will have to perform manual removal. Although we cannot know where the launcher has landed on your system, we can show you how to eliminate the remaining components. After this, hopefully, you can use backups to replace the corrupted files.

Delete Wiki Ransomware

  1. Delete the file named FILES ENCRYPTED.txt from the Desktop.
  2. Delete recently downloaded files, or if you can identify the launcher – Delete it.
  3. Access %APPDATA% (tap Win+E to open Explorer and use the field at the top to access the directory).
  4. Delete the file named Info.hta
  5. Access %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.
  6. Delete the file named Info.hta and an .exe file with a random name.
  7. Empty Recycle Bin to complete removal.
  8. Install and run a trusted malware scanner to check for leftovers.

In non-techie terms:

Wiki Ransomware is a dangerous infection, and you want to delete it from your operating system fast. Unfortunately, your files will not be automatically restored after the removal, and since no trustworthy file recovery solutions worked at the time of research, we hope that you have backups saved. First, remove Wiki Ransomware, and then remove the corrupted files before transferring the backups in their place; if you need that. In the future, do not forget to always create a backup of every single file that you want protected because ransomware is not the only kind of malware that can try to tamper with your personal files. Of course, your chances of facing new threats are slim if you employ reliable security software, but remember that it is always better to be safe than sorry.