X1881 Ransomware

A new version of CryptoMix Ransomware has already been around for 3 weeks. It has been given the name X1881 Ransomware because it appends the extension .x1881 to those files it encrypts. Yes, it does not differ much from its predecessor – it also ruins users’ personal files after infiltrating their computers successfully. Most likely, your files have been encrypted too if you are reading this article. The first thing we want to say for those unfortunate users who discover their files locked is that they should not pay money to cyber criminals because there are no guarantees that they will decrypt those encrypted files for them. X1881 Ransomware is not one of those ransomware infections that tell users immediately that they have to pay a ransom to get their files back; however, we are sure that they will be told that they have to transfer some money in exchange for decrypted files if they contact cyber criminals behind this ransomware infection. It might seem to be a hopeless situation, but, believe it or not, there is a way to restore the encrypted data for free. You must have a backup of these encrypted files to be able to do that.

X1881 Ransomware is considered a nasty infection even though it is not as sophisticated as some other ransomware infections. Like other ransomware-type infections, it locks users’ files immediately once it shows up on their computers. You will not need to go to check all your pictures, documents, music, videos, and other files one by one to find out which of them have been ruined by X1881 Ransomware because all affected files get a new extension .x1881 appended to them. Also, you will find a new .txt file _HELP_INSTRUCTION.TXT on your Desktop. This file tells users why they can no longer open their files: “Attention! All Your data was encrypted.” Also, users are told to write an email with a unique ID to x1881@tuta.io, x1883@yandex.com, x1881@protonmail.com, or x1884@yandex.com to get further information. We suspect that you will be told that you need to pay a ransom in exchange for the tool that can decrypt files. If it turns out to be true, do not make a payment to cyber criminals no matter how badly you need to restore your data because the chances are high that you will be left both without your files and money.

It is hard not to notice the appearance of X1881 Ransomware on the system even though it usually enters users’ computers illegally because it encrypts users’ personal files right away, drops a ransom note, and creates two values in the Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). These values have random names, but it is still possible to recognize them because the first Value points to the malicious .exe file, whereas the other one points to C:\ProgramData\{random symbols}. If you can locate them there, there is no doubt that X1881 Ransomware is the one responsible for encrypting your personal data. Even though these files cannot be decrypted by removing X1881 Ransomware, you must delete it from your system fully as soon as possible because, if you do nothing, it will stay active in the background and might lock your new files.

Ransomware infections are usually spread via spam emails, so the chances are high that you have opened a malicious attachment from a spam email too if your files have already been encrypted. If you do not do anything to ensure your system’s maximum protection soon, another crypto-threat might illegally enter your system again and cause even more problems, so we suggest taking action today. It should be enough to install a reputable security tool to make sure that similar threats cannot enter the system, security specialists say.

It will not be very easy to delete X1881 Ransomware because it places its entries in the system registry and, on top of that, you will have to find and remove the malicious file launched yourself if you decide to erase this malicious application manually. If you are not a very experienced user, you should use an automated malware remover to clean your system. It will not remove the .x1881 extension from those encrypted files, i.e., it will not unlock them, but, at least, it will eliminate all malicious components from your computer thus disabling active malware.

Delete X1881 Ransomware

1. Press Win+R, type regedit.exe next to Open, and click OK.
2. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
3. Delete two values representing X1881 Ransomware from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (one should point to the malicious executable file, whereas the other one should point to C:\ProgramData\{random symbols}.
4. Close Registry Editor.
5. Press Win+E to open Explorer.
6. Remove recently downloaded files from the following directories: %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, %TEMP%, and %ALLUSERSPROFILE%.
7. Empty Recycle bin.