Aleta Ransomware

The malicious Aleta Ransomware can slither into your operating system without any warning. When it does, it is quick to encrypt files with such extensions as .bat, .bin, .bmp, .cab, .dat, .dll, .exe, .GRL, .ini, .lnk, .log, .msi, .png, .rbs, .sdb, .tmp, .vsch, .xml, and .zip. Besides encrypting these files, the infection also changes their names by adding the “.[darkwaiderr@cock.li].aleta” extension at the end. In fact, that is a good thing because that makes it easier to see which files were encrypted. Unfortunately, once the files are encrypted, there is not much that can be done, even if you had set a system restore point. The lack of options in this situation is what is meant to push you into following the demands displayed via a scary ransom note that is represented via the Desktop wallpaper. Cyber criminals, of course, want you to pay a ransom, but you have to remember that a decryption tool is unlikely to be provided to you if you do. Unfortunately, that is how cyber criminals operate. Once they get what they came for, they move on to the next victim. Overall, whatever you do, you MUST remove Aleta Ransomware.

Once Aleta Ransomware slithers in, it immediately starts the encryption of your files. According to our research, the infection evades those directories that have “$recycle.bin,” “appdata”, “intel,” “msocache,” “nvidia,” “programdata,” “program files,” “program files (x86),” and “windows” strings in their names. That is done to avoid the encryption of system files, which, of course, could lead to the failure of the entire operating system and, ultimately, make Aleta Ransomware useless. Additionally, the infection deletes Shadow Volume Copies (the command is “cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet”) to prevent you from recovering files yourself. Also, the ransomware uses “cmd.exe /c bcdedit.exe /set {default} recoveryenabled No” and “cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures” commands to disable startup repair. Unfortunately, that ensures a successful encryption, and, unless your files are backed up on external drives or online, you will not be able to recover them yourself. Once all of that is done, the infection creates a file called “1.bmp” (placed under %APPDATA%) and replaces the usual Desktop wallpaper with it.

According to the ransom note represented via the Desktop wallpaper, you need a private key and a decryption program to have the files decrypted. To get the key and the program, you are requested to email an ID to darkwaiderr@cock.li. The note informs that the ID can be found in a file named “READ_ME”, and it also threatens to delete the key if you do not email within 36 hours. The second ransom file is actually named “!#_READ_ME_#!.inf”. This file provides you with more information, but it does not reveal the sum that you need to pay in Bitcoins to get the decryptor. It is suggested that the sum depends on how fast you email the creator of Aleta Ransomware. If you contact cyber criminals, remember that they can record your email address. If you do not want your inbox flooded with spam and corrupted emails, it is best to use an address that you will not be using again. That being said, communicating with cyber crooks is not recommended, just like it is not recommended that you pay the ransom demanded from you. Ultimately, you have to decide what you will do yourself, and, regardless of the outcome, you must not forget to delete Aleta Ransomware.

As you can see, there are quite a few steps in the removal guide below. If you do not have experience removing registry entries and files, this operation might seem quite complex, but if you take it one step at a time, we are sure that you have a chance at deleting Aleta Ransomware yourself. Of course, employing anti-malware software is the better option, and we strongly recommend at least considering the installation of this software. Not only will it remove the ransomware but also keep your operating system guarded against malware in the future, and you must be interested in that, considering that a malicious ransomware has managed to slither into your PC unnoticed. Regardless of which method you choose, it is most important that you take care of the removal of the malicious infection, as well as the protection of your operating system.

Aleta Ransomware Removal

1. Launch RUN by tapping Win+R keys.
2. Enter regedit.exe to launch Registry Editor.
3. Navigate to HKCU\Control Panel\Desktop\Wallpaper.
4. Right-click and Delete the [unknown name] value representing the 1.bmp file.
5. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
6. Right-click and Delete the key named .aleta.
7. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
8. Right-click and Delete the value named DECRYPTINFO that represents the \!#_READ_ME_#!.inf file.
9. Launch Windows Explorer by tapping keys Win+E.
10. Enter the directory into the bar at the top (see the list below) and Delete the !#_READ_ME_#!.inf file:
    • %ALLUSERSPROFILE%\Start Menu\
    • %APPDATA%\Microsoft\Windows\Start Menu\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\
11. Delete the [random name].exe launcher that might be found in these directories (note that the file could be placed in a different location):
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Downloads
    • %TEMP%