Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware is a malicious program that uses the RSA-2048 cryptosystem to lock all documents, photos, and other personal files. What’s more, the malware also targets third-party programs, so the only working software left on the system should be software that belongs to Microsoft or the Windows operating system. As you can see, this malicious application does a lot of damage, and it might not allow you to work with the computer normally. For those whose systems are already infected, we would advise erasing the threat as soon as possible. You could either use the removal instructions below or get a trustworthy antimalware tool. Afterward, users could reinstall affected software and recover encrypted data if there are any copies of it on other computers, removable media devices, etc.

Ransomware’s creators might spread it with malicious email attachments. Such files could be easily confused with invoices or other documents, as they may have the same extensions and logos. Although the attachments may look harmless, they could initiate the malware’s installation once they are launched. Sadly, the user might realize what actually happened only after the infection encrypts all targeted data.

This malicious application installs itself on the system after creating executable files with random names in the %ALLUSERSPROFILE%, %APPDATA%, %USERPROFILE%, and a couple of other directories. Plus, Ransomware could also make a few Windows Registry entries. For example, when the infection locks selected data on the system, it replaces the default Desktop picture by altering values in the HKCU\Control Panel\Desktop and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers paths.

Each of the encrypted files should have an additional extension, and it should be unique for each computer. For example, your files could be marked with an extension similar to this one: .id-C1236831.{}.xtbl. The part that should differ from computer to computer is the ID number. As soon as the malicious program finishes encrypting data, a ransom note called how to decrypt your files.jpg could appear as the user’s Desktop wallpaper. The note instructs the user not to waste any time and to contact the malware’s creators as soon as possible.

Furthermore, the threat might also drop a text document called Decryption instructions.txt. The text inside it might say that “All of your files are encrypted, to decrypt them write me to email: In case of no answer in 24 hours, write to” We did not try to contact this email address ourselves, but based on other similar cases we know what they might ask you to do.

Since Ransomware is an infection created to extort money from its victims, we are almost entirely sure that its developers will ask users to pay a particular ransom. Usually, victims are asked to pay the ransom according to the provided instructions. For example, the instructions might explain how to get Bitcoins and transfer them to the malware creators’ account. Also, in some cases, there is a time limit within which the user has to transfer the money.

In exchange, they may promise to deliver decryption tools. It is important to realize that, despite what the infection’s developers promise, they might act differently once the money you send reaches their account. For instance, they might not bother to send you the decryptor. Thus, even if you pay the ransom, you may not necessarily get the means to unlock your data. Plus, by doing so, you could also risk losing your savings. That is why we advise users not to take any chances with Ransomware and get rid of it.

Users who would like to erase the threat manually should have a look at the deletion instructions below. Even though some of the files that must be eliminated have random titles, it should be easier to find them when you know their locations. However, it would be advisable to scan the system with a trustworthy antimalware tool as well, just to make sure that you removed the threat successfully and to see whether there are any other malicious applications on the computer. In fact, you could simply use an antimalware tool from the start and eliminate the infection with it. Use the scanning tool to locate Ransomware’s data on the system and click the deletion button after the scan to get rid of it.

Erase Ransomware

  1. Open the Explorer (press Win+E) and find all of the listed directories one by one:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  2. Locate the executable file with a random title in each of the locations given above.
  3. Then right-click each such executable file separately and press Delete.
  4. Close the Explorer.
  5. Open the Registry Editor window using the RUN dialog.
  6. Launch the RUN dialog by pressing Win+R. Type regedit in the given box and click OK.
  7. Find this location HKCU\Control Panel\Desktop and search for a value name called Wallpaper.
  8. Right-click the Wallpaper, press Modify and instead of “How to decrypt your files.jpg” type the title of another image.
  9. Find the following location HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers and search for a value name called BackgroundHistoryPath0.
  10. Right-click the BackgroundHistoryPath0, select Modify and replace “How to decrypt your files.jpg” with a picture you like.
  11. Find the given path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and find value names that have random titles.
  12. Mark these value names separately, right-click each of them and erase it by pressing Delete.
  13. Close the Explorer.
  14. Empty the Recycle bin by right-clicking it.
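
The locations named in the steps above can be inventoried before anything is deleted. The PowerShell below is an added example, not part of the original instructions; it only reads, and the *.exe filter and the extension regex (generalized from the sample .id-C1236831.{}.xtbl) are assumptions.

```powershell
# Read-only audit of the locations named in the removal steps; nothing is deleted or changed.
$startupDirs = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# Steps 1-3: executables in Startup folders (assumption: the dropped files end in .exe).
# Missing or inaccessible folders are skipped silently.
$startupExes = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName).Hash } }
}

# Steps 7-10: wallpaper values that still point at the ransom-note image.
$noteName = 'how to decrypt your files.jpg'
$wallpaperHits = foreach ($check in @(
        @{ Key = 'HKCU:\Control Panel\Desktop'; Value = 'Wallpaper' },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers'; Value = 'BackgroundHistoryPath0' })) {
    $data = (Get-ItemProperty -Path $check['Key'] -Name $check['Value'] -ErrorAction SilentlyContinue).($check['Value'])
    if ($data -like "*$noteName") {    # -like is case-insensitive
        [pscustomobject]@{ Key = $check['Key']; Value = $check['Value']; Data = $data }
    }
}

# Steps 11-12: list every Run value so randomly named entries can be reviewed by hand.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = foreach ($name in $runKey.GetValueNames()) {
    [pscustomobject]@{ Name = $name; Data = $runKey.GetValue($name) }
}

# Scope of damage: files in the user profile that carry the extension pattern from the page
# (assumption: the ID part is alphanumeric; -match is case-insensitive).
$encrypted = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.id-[0-9A-Z]+\..*\.xtbl$' }

'Startup executables:'; $startupExes   | Format-List
'Wallpaper values:';    $wallpaperHits | Format-List
'HKLM Run values:';     $runValues     | Format-Table -AutoSize -Wrap
'Encrypted files under {0}: {1}' -f $env:USERPROFILE, @($encrypted).Count
```

The SHA256 column lets each Startup executable be checked against a reputation service or an antimalware scan before it is deleted in step 3.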