Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware is a malicious application that slips onto computers illegally and then encrypts files, adding a new filename extension .[].master to all encrypted files. It is a version of Master Ransomware, and it does not differ much from the previous version of this ransomware infection; it only appends a new extension to the files it encrypts. Since this infection changes an email address daily, we are sure we will write about versions using other emails in the future. No matter which version of this nasty infection you encounter, you must remove it from your computer as soon as possible and, of course, do not send the money required.

Ransomware infections enter systems in order to extract money from users, so this infection will surely not miss an opportunity to ask for a ransom after locking your personal files successfully. Do not give cyber criminals your money because they will not stop developing new versions of this infection. Additionally, you cannot be sure that you will get your files decrypted after making a payment to cyber crooks.

Ransomware is a part of the Btcware Ransomware family, so it acts just like its predecessors and, consequently, it does not have any unique features. After the successful infiltration, it finds users’ pictures, documents, and media files. Then, it locks all those files by appending a new extension. When all files are locked and can no longer be opened by users, it creates a ransom note !#_RESTORE_FILES_#!.inf on Desktop. This file tries to convince users that their files have been locked due to a security problem. It also tells them that they can restore the files only by writing an email to and paying for the decryption of files in Bitcoin.

It seems that users will find out the price of the decryption of files only when they write an email to cyber criminals: “The price depends on how fast you write to us.” If you are not going to pay a ransom, do not even bother writing an email. Instead, focus on the deletion of this infection from your computer. Although developers of this infection promise to unlock 3 files for free to show that they are capable of unlocking the encrypted data, it does not mean that they will unlock your files after receiving your money. Also, we are sure that they will not remove Ransomware from your computer. It does not mean that you cannot get your files back if you decide not to pay cyber criminals money. You can easily recover those files for free from a backup.

Research carried out by specialists at has managed to reveal that Ransomware not only encrypts files, but also executes two commands after the successful entrance. First, it deletes shadow copies using this command: cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet. Then, it disables the startup repair by issuing the following two commands: cmd.exe /c bcdedit.exe /set {default} recoveryenabled No and cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures. As can be seen, it is quite a sophisticated malicious application.
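
The three command lines quoted above are a useful detection signal in process-creation logs. The following is an added example, not part of the original article: it matches those commands in recorded command lines and reports hosts where all three ran. The host names and the log shape (host, command line) are assumptions, and the sample events are constructed.

```python
import re

# One rule per command line quoted in the article (matching is case-insensitive).
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Constructed sample: (host, command line) pairs as a process-creation log
# would record them. Host names are placeholders.
SAMPLE_EVENTS = [
    ("WS-01", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS-01", "cmd.exe /c bcdedit.exe /set {default} recoveryenabled No"),
    ("WS-01", "cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-02", "vssadmin.exe list shadows"),   # routine admin query
    ("WS-02", "bcdedit.exe /enum"),           # routine admin query
    ("WS-03", 'CMD.EXE /C "VSSADMIN   delete   shadows /all"'),  # spacing/case variant
]

def normalize(cmdline):
    """Drop quotes and cmd.exe caret escapes, collapse runs of whitespace."""
    stripped = cmdline.replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", stripped).strip()

def match_rules(cmdline):
    """Names of every rule the command line trips."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]

def triage(events):
    """Map host -> sorted rule names seen on that host."""
    hits = {}
    for host, cmdline in events:
        for name in match_rules(cmdline):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

def full_sequence_hosts(events):
    """Hosts on which all three commands ran: the pattern the article describes."""
    return sorted(h for h, names in triage(events).items() if len(names) == len(RULES))

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
    print("full sequence:", full_sequence_hosts(SAMPLE_EVENTS))
```

A single rule firing on its own (as on WS-03 in the sample) can be legitimate administration; the three together on one host are the stronger indicator.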

It is not very easy to talk about the distribution of Ransomware because it is a newly-developed ransomware infection and, consequently, its infection rate is still small. Of course, it does not mean that our researchers have not tried to find out more about it. After carrying out research, our specialists are 99% sure that this infection is mainly spread through unsecured RDP connections. This is the major distribution strategy; however, this threat might be spread differently too. For instance, it might be disseminated via spam emails. Cyber criminals are developing ransomware infections every day, so you should install a security application on your computer today. It will not allow any new threat to slither onto your system ever again.

You can delete Ransomware either manually or automatically from your computer. If you adopt the first removal method, you will need to kill processes linked to the ransomware infection, delete suspicious files, and undo the changes made in the system registry yourself, so follow our step-by-step guide in order not to miss a single component of the ransomware infection. If you choose the automatic method over the manual one, you will only need to scan your computer once with a trustworthy malware remover.

Delete Ransomware

  1. Press Ctrl+Shift+Esc simultaneously on your keyboard to launch Task Manager.
  2. Open the Processes tab.
  3. Kill all suspicious processes which might be associated with the ransomware infection active on your system.
  4. Open the Windows Explorer (tap Win+E).
  5. Open %APPDATA% and delete !#_RESTORE_FILES_#!.inf.
  6. Remove suspicious files from %TEMP%, %USERPROFILE%\Downloads, and %USERPROFILE%\Desktop directories.
  7. Close the Windows Explorer and tap Win+R.
  8. Enter regedit.exe and click OK.
  9. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  10. Right-click on the Value DECRYPTINFO and select Delete.
  11. Close Registry Editor.
  12. Clear the Recycle bin.
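
Before deleting anything, it helps to know where the ransom note sits and how many files were locked. The following is an added example, not part of the original article: it walks a directory tree (for instance a user profile), lists every copy of the ransom note, and counts locked files per bracket tag. It walks the whole tree because the article names both the Desktop and %APPDATA% as note locations. The assumption that the brackets hold the contact address, the helper names and the sample tree are all constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "!#_RESTORE_FILES_#!.inf"  # note file name given in the article
# Assumption: the brackets in the ".[...].master" extension carry the contact
# address that the article says differs between versions.
LOCKED = re.compile(r"\.\[([^\]]*)\]\.master$", re.IGNORECASE)

def inventory(root):
    """Walk root and return (ransom note paths, Counter of bracket tag -> files)."""
    notes, tags = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(os.path.join(dirpath, name))
                continue
            match = LOCKED.search(name)
            if match:
                tags[match.group(1).lower()] += 1
    return sorted(notes), tags

def build_sample_tree(root):
    """Constructed stand-in for a user profile; addresses are placeholders."""
    files = [
        ("Desktop", "report.docx.[addr-a@example.invalid].master"),
        ("Desktop", "photo.jpg.[addr-a@example.invalid].master"),
        ("Documents", "notes.txt.[ADDR-B@example.invalid].master"),
        ("Documents", "master.txt"),            # ordinary file, must not match
        ("AppData", RANSOM_NOTE),
    ]
    for folder, name in files:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "w") as handle:
            handle.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        notes, tags = inventory(root)
        print("ransom notes:", notes)
        for tag, count in tags.most_common():
            print(f"{count} locked file(s) tagged [{tag}]")
```

The resulting list of locked files tells you what needs restoring from a backup.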