TrueCrypter Ransomware

TrueCrypter Ransomware is a very fresh new comer on the web since it launched a few weeks ago, in late April, 2016. This ransomware infection can mean a major blow to your computer if it manages to sneak onto your system as it can encrypt lots of different file extensions so you can say goodbye to your pictures, videos, and document files; unless, of course, you have a backup of your files on a Flash drive or any other removable drives. We have discovered that this Trojan could be a mere test run, and, as such, it is possible to actually decrypt your files if you are lucky enough to find the Command and Control (C&C/C2) servers up and running. Unfortunately, these servers seem to have been down for a while now, which would make it impossible for you to get the private key even if you pay the relatively low ransom fee. We recommend that you remove TrueCrypter Ransomware the moment you realize it is on your computer. This will not recover your files, you should keep that in mind. The best way to protect your files from ransomware attacks or other malicious programs is to save them onto a removable drive. But let us tell you in more detail what we have found while testing this ransomware.

First of all, in order to be able to avoid similar attacks you should know how TrueCrypter Ransomware can show up on your computer. We have noticed that this infection uses a Trojan to be distributed by. This means that first of all, you need to infect your system with a Trojan that will drop this ransomware after you initiate it. How can this happen? Well, it is just enough to open a spam e-mail and click on its attachment. This attached file will drop an executable malicious file onto your system. It is also possible that there is a corrupt link embedded in the body of the mail and that initiates the drop. All in all, you should be extra careful when checking your mails in your inbox. These spam mails can easily mislead you into believing that it is an important message with a “must-see” file attached. These malware infections have to make you believe that they are important to run because otherwise most of the ransomware attacks would fail. However, strangely enough, we have found that this ransomware actually uses a padlock icon for its executable file, which is rather suspicious in fact.

Another way for Trojans to infiltrate your system is through corrupt image and video links that are promoted through social networking websites, such as Facebook. It is possible that you will find a mostly pornography-related image or video link on your wall that seems to be sent by someone you know. This can also happen through the messenger and you may think that a friend dropped you a link to check out. However, clicking on these malicious links would simply activate this Trojan that would drop this ransomware onto your system. Before clicking on any unusual or suspicious content on these popular websites, you should make sure that it was meant for you. But, the truth is, if TrueCrypter Ransomware has found a way to your operating system, it does not even matter anymore how it has got there. What really matters is that you delete TrueCrypter Ransomware as soon as possible.

Once this ransomware starts up, it detects the targeted image, video, document, and program files and encrypts them with a built-in Windows algorithm called AES-256. All the encrypted files get an .enc extension, so your files will look like this: “image.jpg.enc.” When the encryption is finished, which could be within a minute, the private key gets encrypted with RSA-2048 algorithm, which is impossible to decrypt. This is the key that the criminals want to sell you for a certain amount of money. In this case, these crooks demand 0.2 BTC or around $91 at current rate. You can settle this amount via Bitcoin or Amazon Gift Card.

You are informed about the encryption by a scary red background image on your desktop. This ransom note tells you to use the installed TrueCrypter.exe file to pay the fee and get the code. We believe that this version was only a test run before the big storm because by simply clicking on the Pay button you could actually decrypt all your files and TrueCrypter Ransomware even delete itself afterwards. The only problem is, as it is a major issue with any other ransomware really, that if the C&C servers are down, this infection cannot communicate with them. Therefore, you cannot get the private key to decrypt your files even if you actually pay. This is one of the reasons why we do not normally advise you to pay the ransom fee. Another reason is that criminals rarely keep their promises. If you want to restore order on your computer, we think that it is only possible if you remove TrueCrypter Ransomware right now.

There are actually two solutions for you if you are ready to get your hands “dirty” and want to manually delete TrueCrypter Ransomware. First, you can simply run this software and click on the Pay button. If you are lucky and the C&C servers are available, you may be able to decrypt your files and get rid of this infection at the same time as it will delete itself just like that. Another option is to restart your computer in Safe Mode because you cannot use the Task Manager to kill this process as some major system processes are blocked by this ransomware. Then, simply locate the malicious files and folders and remove them all. Please follow our instructions below if you choose to do this yourself. Of course, you always have a choice to use an automated method, such as an anti-malware application that can identify and eliminate all known malware infections.

Restart your PC in Safe Mode

Windows 8, Windows 8.1, and Windows 10

1. Press the Windows key to change to the Metro UI screen.
2. Click the Power button.
3. Press the Shift key and at the same time click Restart.
4. In the Troubleshooting menu, click Advanced options.
5. Move to Startup Settings and click Restart
6. Restart in Safe Mode by tapping the F4 key.

Windows XP, Windows Vista, and Windows 7

1. Restart the computer and start tapping F8 immediately after BIOS loads.
2. In the boot menu select Safe Mode (use arrow keys and tap Enter afterwards).

Remove TrueCrypter Ransomware from Windows

1. Press Win+E.
2. Locate and remove the malicious file that is the infection source.
3. Locate and delete %APPDATA%\Microsoft\TrueCrypter folder.
4. Empty your Recycle Bin.
5. Restart your computer.