Wyvern Ransomware Removal Guide

Do you know what Wyvern Ransomware is?

Specialists have recently come across a new ransomware infection: Wyvern Ransomware. According to them, it must be a new version of Globe Ransomware. Because of this, it was not hard for them to find out how this infection acts. Without a doubt, Wyvern Ransomware does not differ from similar threats classified as ransomware. Its main goal is to obtain money from users, so it encrypts users’ files after the successful entrance and then demands a ransom. The exact amount of money it wants from users is unknown; they are only told that it depends on how fast they contact the cyber criminals. We know that you badly need those pictures, documents, videos, music, and other affected files back, but we cannot allow you to send money to them. Paying still does not guarantee that you will be able to decrypt your files, because they might not give you the decryption tool after receiving your money. Also, nobody knows whether they really have such a tool in their hands, so if we were you, we would hurry to delete the ransomware infection from the system instead. You cannot keep it active because it is only a question of time before it locks more files on your system.

Wyvern Ransomware is a harmful infection for sure because its successful entrance always results in the loss of personal files. It encrypts files immediately after the successful entrance so that it can then demand money from users. You do not need to be an expert to understand which of the files have been affected: they all get a new extension. For example, mydocument.doc becomes mydocument.doc.[decryptorx@cock.li]-id-{user ID}.wyvern. It is the major symptom signaling the entrance of the ransomware infection, but it is definitely not the only one showing that the ransomware infection is active on the system. If Wyvern Ransomware has already affected your PC, you will also find a file HELP.hta containing a ransom note on your computer. This ransom note explains that files can no longer be opened “due to a security problem.” Also, it tells users what they can do to get them back. First, they need to write an email to decryptorx@cock.li. Second, they need to send money in Bitcoins after receiving payment instructions from the cyber criminals by email. You should not send money to cyber criminals because it is unclear whether you could decrypt your files after making a payment to them. Unfortunately, the only free way to get files back is to restore them all from a backup. If you have never backed up your personal files, you cannot do that. In such a case, you cannot do anything else except wait until a free decryptor is released.
Although Wyvern Ransomware is a typical ransomware infection, it slightly differs from similar threats. It has been observed that it also deletes the so-called Shadow Volume Copies right after the successful entrance. It does that so that the encrypted files cannot be easily restored. Also, it disables the Automatic Startup Repair by issuing the command cmd.exe /c bcdedit.exe /set {default} recoveryenabled No. It disables Startup Repair as well. Finally, it forces the computer to restart right after the successful entrance.

No doubt Wyvern Ransomware has entered your system illegally, but the chances are high that you have helped it to show up on your system. For example, you could have opened a malicious attachment from a spam email. Not much is known about the entrance of this threat because it is still not very prevalent, but we are sure of one thing: you must delete it from your computer as soon as possible. Use our step-by-step manual removal instructions if you have never deleted a ransomware infection before. Then, scan your system with an antimalware tool to check that no traces of malware are left.

How to delete Wyvern Ransomware

  1. Press Ctrl+Shift+Esc.
  2. Open the Processes tab.
  3. Check all the processes and kill the suspicious ones.
  4. Close Task Manager.
  5. Press Win+R.
  6. Type regedit.exe and click OK.
  7. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Locate DECRYPTINFO, right-click it, and select Delete.
  9. Close Registry Editor.
  10. Delete all suspicious files from %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP%.
  11. Delete the ransom note HELP.hta.
  12. Empty the Recycle Bin.
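
The artifacts named in the steps above, and the recovery changes described earlier (recoveryenabled set to No, Shadow Volume Copies deleted), can be checked with a read-only script before and after cleanup. This is an added example, not part of the original guide; searching the whole user profile and matching English-language bcdedit output are assumptions.

```powershell
# Added example: read-only triage for the Wyvern artifacts named in this guide.
# Nothing is deleted or changed; run elevated for the boot and shadow-copy checks.
$findings = [System.Collections.Generic.List[string]]::new()

# Step 8: autorun value DECRYPTINFO under the current user's Run key.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'DECRYPTINFO')) {
    $findings.Add("Run value DECRYPTINFO = $($run.DECRYPTINFO)")
}

# Steps 10-11: ransom note HELP.hta and files renamed to *.wyvern.
# Assumption: the whole user profile is searched; the guide names only
# Desktop, Downloads and %TEMP%, which sit under the profile by default.
$files  = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue
$notes  = @($files | Where-Object { $_.Name -eq 'HELP.hta' })
$locked = @($files | Where-Object { $_.Extension -eq '.wyvern' })
foreach ($n in $notes) { $findings.Add("Ransom note: $($n.FullName)") }
if ($locked.Count -gt 0) {
    $findings.Add("$($locked.Count) file(s) ending in .wyvern, e.g. $($locked[0].FullName)")
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    # The guide reports: bcdedit.exe /set {default} recoveryenabled No
    # Assumption: English bcdedit output, where the value prints as "No".
    $bcd = & bcdedit.exe /enum '{default}' 2>$null
    if ($bcd -match '^recoveryenabled\s+No\s*$') {
        $findings.Add('Boot entry {default}: recoveryenabled is No')
    }
    # Zero shadow copies is only a hint: System Protection may never have been on.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) { $findings.Add('No Volume Shadow Copies present') }
} else {
    Write-Warning 'Not elevated: skipping the bcdedit and shadow-copy checks.'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { "[!] $_" }
} else {
    'No Wyvern artifacts from this guide were found.'
}
```

If the script reports recoveryenabled as No, running bcdedit /set {default} recoveryenabled Yes from an elevated prompt reverses that one setting; it does not bring back deleted shadow copies.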

In non-techie terms:

Wyvern Ransomware is a harmful malicious application whose one and only purpose is to obtain money from users, so we are sure it will encrypt your personal files too if it ever shows up on your computer. Never pay money to ransomware developers because the chances are high that they will only take your money and will not give you the promised decryption tool. They will not return the money received from you in such a case either. What we recommend instead is disabling the ransomware infection so that it cannot lock any new files.