Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

TowerWeb Ransomware

TowerWeb Ransomware is a malware infection that may not be as dangerous as its peers in the ransomware category, but this seems to depend on the sample you are hit with. Unfortunately, this screen locker ransomware can also be a nightmare if you are unlucky, as it may delete all files it targets in certain directories every time it restarts your system. Right after you activate this threat, it blocks your screen with a scary ransom note that makes you believe that all your files have been encrypted. However, we have found that no actual encryption takes place; instead, your files may be deleted. You are supposed to pay the demanded ransom fee to the authors of this attack if you want to decrypt your files, but this infection obviously does not do that and also cannot recover the deleted ones. Therefore, we do not advise you to pay up because that would be a simple waste of your money. When you see this ransom note, there is one thing we recommend that you do: rush to remove TowerWeb Ransomware, because you only have 60 seconds before your system is rebooted again and again.

We have found that this malware infection mostly spreads on the web as a malicious attachment in spam e-mails. We hope that after this experience you will become more careful about clicking on e-mails in your inbox. Unfortunately, these spam mails can trick your spam filter just like they can trick you. The main feature of such e-mails is deception. They can pretend to come from well-known and legitimate companies or institutions. The other major factor is the subject, which can be anything that would draw your attention. For example, it could be about an overdue invoice, an error with a reservation (hotel, flight), a problem with a credit card transfer, and so on. Most likely you would open any of these mails even if you think that “it must be a mistake,” right? However, once you download the attached file, which could be an image, a video, or a text document (.pdf or .docx), you will want to see it right away. The moment you open the file, you activate the ransomware and your computer gets locked.

The lesson here is quite clear: Do not download and open attachments from suspicious e-mails sent by unfamiliar senders. If you would like to prevent other ransomware from sneaking onto your system, you should also keep all your browsers and other programs updated. Criminals can use so-called exploit kits to spread such dangerous infections. This means that they can set up fake websites with malicious JavaScript or other code hidden in banners or other content that relies on certain drivers, which may have security holes if they are not up to date. In these cases it is enough for you to load such a malicious page, and the code drops an infection onto your system right away without your knowledge or permission. Although we have not found TowerWeb Ransomware spreading that way, you should definitely know about this to be able to protect your operating system and your privacy more efficiently. We also hope that it is already clear that you should delete TowerWeb Ransomware the moment you notice its presence.

In fact, it does not take long to realize that you downloaded something malicious, because this ransomware is initiated the instant you open the attachment. Your desktop background gets replaced by a translucent ransom note that claims that your files have been encrypted and you have to pay $125 within 24 hours or $199 after one day if you want to have them back. This money is demanded in Bitcoins as usual. You are supposed to contact these criminals via e-mail (supportfile@yandex.com) if you need assistance or have transferred the fee. We have discovered that this ransomware does not even encrypt files but simply locks your screen. However, we have tested a sample that actually deletes all the files with the targeted extensions in the “%USERPROFILE%” and “%TEMP%” directories. When finished, this infection also empties your Recycle Bin to make sure that you cannot recover your files easily.

You do not have much time to save your files or to delete TowerWeb Ransomware either. This ransomware restarts your computer automatically every 60 seconds. Since it creates a value named "My app" under the Run registry key ("HKCU\Software\Microsoft\Windows\CurrentVersion\Run"), although the name may be different for other versions, this infection starts up every time Windows loads. Therefore, you cannot escape it and your screen will be locked again. This could frighten an inexperienced computer user who may decide to pay the ransom fee to get the files back and unlock the computer. However, we are here to warn you not to do that. First, you would simply help cyber criminals commit more online crimes. Second, you would just waste your money because your files are either untouched by this infection or, in the worst case, deleted, so no decryption key will bring them back. In the end, it does not matter what this malware does or does not do on your system, because you need to remove it anyway to restore your virtual security.

The first step in eliminating this ugly threat is to get away from the locked screen. You can do this very simply by using the Alt+Tab key combination. Then, you need to stop the system shutdown very quickly because you have less than a minute to do so. The next step is to kill the process TowerWeb Ransomware operates through. This should have the same name as the downloaded and launched executable file. Finally, you must delete this malicious file and the registry entry. If you need help with these steps, please follow our guide below this article. Once you have cleaned your system of this malware, you can try to use a file recovery program, such as Recuva, if you find that your files have been deleted. If you want to protect your computer from similar attacks, you should consider using a reputable anti-malware application.

Remove TowerWeb Ransomware from Windows

  1. After moving away from the lock screen, press Win+R and type in “shutdown -a” (this aborts the pending automatic shutdown). Press the Enter key.
  2. Press Ctrl+Shift+Esc to bring up the Task Manager.
  3. Identify and select the malicious process (same name as the downloaded executable file).
  4. Press End task and close the Task Manager.
  5. Locate and bin the malicious file (it should be in the folder where you saved it from the spam e-mail).
  6. Press Win+R and type in regedit. Press OK.
  7. Locate and delete the value name “My app” (it may be a different name in the case of other variants) from the Run registry key, "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
  8. Exit the editor.
  9. Empty your Recycle Bin.
  10. Restart your computer.
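
The same steps can be run from a PowerShell window, which helps when 60 seconds is not enough for Task Manager and regedit. The script below is an added example, not part of the original guide: it aborts the pending restart, lists every value in the Run key with the executable it launches, and, only when called with -Remove, stops that process and deletes the value and the file. The parameter names are hypothetical; the default value name "My app" is the one reported above and may differ for other variants.

```powershell
# Added example: scripted version of the manual removal steps above.
# 'My app' is the value name reported for the tested sample; variants may differ.
param(
    [string]$ValueName = 'My app',   # assumed parameter name, for illustration
    [switch]$Remove                  # without this switch the script only reports
)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Step 1: abort the pending restart (harmless if none is scheduled).
shutdown.exe -a 2>$null

# Enumerate every autostart value and resolve the executable it launches.
$key = Get-Item -Path $runKey
$entries = foreach ($name in $key.GetValueNames()) {
    $cmd = [string]$key.GetValue($name)
    # Command lines look like "C:\dir with spaces\x.exe" args, or C:\dir\x.exe args.
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
    [pscustomobject]@{
        Name       = $name
        Executable = $exe
        Exists     = [bool]($exe -and (Test-Path -LiteralPath $exe))
        # Autostart targets inside the user profile or TEMP deserve a closer look.
        UserPath   = ($exe.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase) -or
                      $exe.StartsWith($env:TEMP, [StringComparison]::OrdinalIgnoreCase))
    }
}
$entries | Format-Table -AutoSize

$hit = $entries | Where-Object Name -eq $ValueName
if (-not $hit) { Write-Host "No Run value named '$ValueName' found."; return }

if ($Remove) {
    # Steps 3-4: end the process started from that executable.
    Get-Process | Where-Object { $_.Path -eq $hit.Executable } | Stop-Process -Force
    # Step 7: delete the autostart value so it no longer loads with Windows.
    Remove-ItemProperty -Path $runKey -Name $ValueName
    # Step 5: delete the dropped file itself.
    if ($hit.Exists) { Remove-Item -LiteralPath $hit.Executable -Force }
    Write-Host "Removed '$ValueName' and $($hit.Executable)."
}
```

Run it once without -Remove to review the table and confirm the value name, then again with -Remove.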