Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Can't be uninstalled via Control Panel

Donald Trampo Ransomware

We have recently analyzed a new computer infection called Donald Trampo Ransomware that was designed to encrypt many of your personal files and then demand that you buy the decryption key to decrypt them. We do not recommend that you attempt to pay the ransom, as you might not get the decryption key. While you cannot get your files back for free, you can remove this malicious application manually by following the guide below this article. Still, if you want to find out more about it to determine whether your PC has been infected by Donald Trampo Ransomware, we invite you to read this whole article.

Apparently, Donald Trampo Ransomware’s developers have employed email spam to distribute it around the web. The developers most likely have set up an email server that sends spam to random users automatically in an effort to catch people off guard and get their computers infected with this ransomware. The emails can be disguised as business-related correspondence, invoices, tax return forms, and so on. It is said that the emails carry an attached executable file of this ransomware. However, the file can be disguised as a PDF file by adding a fake file extension prior to the “.exe” file extension.

Testing has shown that when you open the attached file, the ransomware creates a copy of itself in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. The executable file has a random CLSID-style name, so you can identify it easily. The sample we tested produced a file named {F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.exe. Apparently, this file is created to prevent you from stopping this ransomware from encrypting your files: if you shut down your PC mid-encryption, the dropped executable will continue the encryption on the next system startup. However, booting your PC in Safe Mode might do the trick, as the ransomware will not be able to launch, and then you will be able to delete it.

Now let us discuss how Donald Trampo Ransomware works. Our research has revealed that this program was configured to encrypt files in %USERPROFILE% and its subfolders. The malicious file is heavily obfuscated and, therefore, we do not yet know what kind of encryption method this program uses. While encrypting your files, this ransomware appends the extension .SN-1350860109483654-webmafia@asia.com_donald@trampo.info to them. The first part (.SN-1350860109483654) is unique to each user, as it seems to be an ID number. The second part contains two email addresses for contacting the developers. Once the encryption process is complete, this ransomware drops an image file in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. The file can be named after the executable file (e.g. {F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.bmp). Then the ransomware should delete itself, but that might not always be the case. The image file is opened automatically, and it says that your files have been encrypted and that you can receive “Help in recovery” by messaging webmafia@asia.com or donald@trampo.info. Of course, the “help” will not come cheap, and while the ransom is not specified, your files may not be worth the money asked.
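To turn the two indicators described above (the appended extension with its victim ID and contact addresses, and the CLSID-style dropper and ransom note in the Startup folder) into a quick triage check, here is an added example script; it is not code from the original article or from the malware. The file and folder names are constructed from the sample names reported above, and the `triage_live_system` helper and the loosened CLSID pattern are this example's own assumptions.

```python
import os
import re
from pathlib import Path

# Marker this ransomware appends: .SN-<victim id>-<email>_<email> (format taken from the write-up).
ENCRYPTED_EXT_RE = re.compile(
    r"\.SN-(?P<victim_id>\d+)-(?P<email1>[^_\s]+@[^_\s]+)_(?P<email2>\S+@\S+)$"
)
# Dropper (.exe) and ransom note (.bmp) in the Startup folder carry a CLSID-style name in braces.
# Assumption: the reported sample's last group is 10 characters and uses non-hex letters, so the
# pattern is deliberately looser than a real GUID's 8-4-4-4-12 hex layout.
STARTUP_ARTIFACT_RE = re.compile(
    r"^\{[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{8,12}\}\.(exe|bmp)$", re.I
)

def parse_encrypted_name(filename):
    """Split an encrypted name into (original name, victim id, [contact emails]); None if no marker."""
    m = ENCRYPTED_EXT_RE.search(filename)
    if not m:
        return None
    return filename[: m.start()], m.group("victim_id"), [m.group("email1"), m.group("email2")]

def triage(user_files, startup_entries):
    """Summarise indicators from a %USERPROFILE% listing and a Startup-folder listing (names only)."""
    hits = [(n, parse_encrypted_name(n)) for n in user_files]
    hits = [(n, p) for n, p in hits if p]
    return {
        "encrypted_files": [n for n, _ in hits],
        "victim_ids": sorted({p[1] for _, p in hits}),
        "contact_emails": sorted({e for _, p in hits for e in p[2]}),
        "startup_artifacts": sorted(n for n in startup_entries if STARTUP_ARTIFACT_RE.match(n)),
    }

def triage_live_system(user_root=None, startup_dir=None):
    """Run triage against the real folders named in the write-up (hypothetical helper, Windows only)."""
    user_root = Path(user_root or os.environ.get("USERPROFILE", "."))
    startup_dir = Path(startup_dir or Path(os.environ.get("APPDATA", "."))
                       / "Microsoft/Windows/Start Menu/Programs/Startup")
    user_files = [p.name for p in user_root.rglob("*") if p.is_file()]
    startup = [p.name for p in startup_dir.iterdir()] if startup_dir.is_dir() else []
    return triage(user_files, startup)

# Constructed sample listings mirroring the names reported above (not real captures).
SAMPLE_USER_FILES = [
    "report.docx.SN-1350860109483654-webmafia@asia.com_donald@trampo.info",
    "photo.jpg.SN-1350860109483654-webmafia@asia.com_donald@trampo.info",
    "notes.txt",
]
SAMPLE_STARTUP = ["{F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.exe",
                  "{F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.bmp", "desktop.ini"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_USER_FILES, SAMPLE_STARTUP).items():
        print(f"{key}: {value}")
```

Running it on a real machine with `triage_live_system()` walks the whole user profile, so expect it to take a while on large profiles.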

Therefore, we recommend that you remove Donald Trampo Ransomware from your PC using the removal guide provided below, or get an anti-malware program such as SpyHunter that will delete this ransomware for you. Again, paying the ransom may not be an option, as your files may not be worth the large sum of money asked for the decryption tool/key.

How to delete Donald Trampo Ransomware manually

  1. Delete the downloaded ransomware file from the Downloads folder.
  2. Then, press Windows+E keys.
  3. Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup in the address box of File Explorer and press Enter.
  4. Delete the executable with the CLSID-based name (e.g. {F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.exe).
  5. Then, delete the ransom note with the CLSID-based name (e.g. {F39SN97D-K73M-YLR9-1I59-YW9R799VKF}.bmp).