Resurrection Ransomware

A new HiddenTear-based ransomware infection Resurrection Ransomware has been recently detected by specialists working at pcthreat.com. It does not differ from older ransomware infections much because it has also been developed to encrypt users’ files and extract money from them. Of course, if you encounter the version of Resurrection Ransomware that does not work properly, you will, most probably, find your all files intact. In any event, you cannot keep Resurrection Ransomware inside your system because it might help other malicious applications to enter your PC easier and, on top of that, it might encrypt your new files with a strong encryption algorithm AES (Advanced Encryption Standard) again. Unfortunately, it is extremely difficult to unlock files encrypted by ransomware infections, so we cannot promise that you could get them back if you have already encountered Resurrection Ransomware. Fortunately, it will not be that hard to remove this infection from your computer. It is not one of those computer infections which create new registry keys in the system registry, drop a bunch of files in different directories, or block system utilities. Therefore, we are sure you will manage to remove it after reading this article till the end.

Once Resurrection Ransomware is launched on users’ computers, it tries to contact its C&C (Command & Control) server. If it establishes communication with it successfully and gets the key from it, the encryption of users’ personal files starts. Of course, before locking them, this infection finds where they are located. Resurrection Ransomware locks all kinds of files it finds on users’ computers, including pictures, videos, music, etc. They all get a new extension .resurrection – it is appended next to the file name. After the encryption of files, this infection drops a ransom note in an .html format (README.html). It can be found on Desktop and in two directories: %HOMEDRIVE% and %USERPROFILE%. It has an audio source (http://topalbums.biz/file/8999896.mp3), so do not be surprised if you hear a sound when you open the ransom note. It is not the only new file you will find on your computer after the entrance of the ransomware infection. You could also locate a Recovery.key file on Desktop. While Recovery.key contains a “key:” line and a unique victim’s ID, README.html tells users what has happened to their files (“Hi, this is not your lucky day because this is not a joke, all your files has been encrypted with Resurrection Ransomware”) and tells users that they can only get their files back by sending 1.77 Bitcoin (~4650 USD at today’s price) to cyber criminals. After making a payment, victims have to send an email to resurrection777@protonmail.com and wait for the decryption key to reach them. Frankly speaking, specialists at pcthreat.com do not think that you will get this key. Cyber criminals only seek to extract money from you, so they might send you nothing after getting what they want, i.e. money. Therefore, we do not recommend sending money to cyber criminals. You should go to remove Resurrection Ransomware instead and then try to get your files back in a different way, e.g. recover the encrypted data from a backup.

Since Resurrection Ransomware is not one of these ransomware infections spread actively, we do not have much to say about its distribution either. Although it is not the easiest thing to talk about its dissemination, specialists at pcthreat.com suspect that it is also mainly spread via spam emails. It is a common way to distribute ransomware infections – they travel in these emails as attachments. To be frank, it is not the only way crypto-threats are promoted. Cyber criminals might put them on file-sharing websites as well. Therefore, you must be careful at all times. It is recommended to install a reputable security application too.

Perform two removal steps to erase Resurrection Ransomware fully from your computer. You first need to kill its process and then delete all files it has created on your PC, including its launcher. If you have never done that before, let our instructions (find them below this article) to help you. In case you find the manual method too complicated, delete Resurrection Ransomware automatically instead. You will only need to have an automatic malware remover. Unfortunately, even an automated scanner will not be able to unlock your files if they have all been already encrypted due to the entrance of Resurrection Ransomware.

How to remove Resurrection Ransomware

1. Tap Ctrl+Alt+Del.
2. Launch the Task Manager.
3. Click on the Processes tab and locate the process of the ransomware infection.
4. Kill it (right-click on the process and select End Process).
5. Close the Task Manager.
6. Tap Win+E to open the Windows Explorer.
7. Visit three directories: %USERPROFILE%, %USERPROFILE%\Desktop, and %HOMEDRIVE%.
8. Delete README.html from them.
9. Remove Recovery.key from Desktop.
10. Find and erase the malicious file launched recently.
11. Clear the Trash bin.