1 of 2
Danger level 9
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Changes background
  • Connects to the internet without permission

Malevich Ransomware

We want to inform you about Malevich Ransomware, a malicious application that can secretly infect your computer and encrypt your files and then demand that you purchase the decryption software to decrypt them. However, you should not allow cyber criminals to bully you, so we suggest removing this ransomware instead. We have obtained and tested a sample of it and, in this article, we will cover things such as its distribution methods, origins, functionality, and removal.

Malevich Ransomware comes from an established ransomware family that is based on the Crysis engine. Even though this particular ransomware is the newest addition to the fleet of ransomware of this particular family, we are positive that more clones will appear shortly, and you can read all about them on our website. Apart from Malevich Ransomware, there are many clones that are currently still on the loose. We have recently analyzed and tested ransomware known as Sitaram108 Ransomware, GruzinRussian@aol.com Ransomware, and Opencode@india.com Ransomware. All of these malicious applications are nearly identical, yet have some minor differences that can give the impression that they are unrelated. Now, these applications are not legitimate, so it would be foolish to think that their developers would digitally sign them. Nevertheless, we suspect that their developer is based in Russia due to the fact that the ransom notes of previously released ransomware are in both Russian and English.

Now, in regards to Malevich Ransomware’s distribution channels, we want to clarify that we do not have found any concrete information about its distribution yet. However, based on our encounters with its clones, we believe that it may have a payload-carrying executable that places the main executable (.exe) file on your computer in one of the several possible directories. The payload file is most likely sent in email spam as an attachment. Opening the attached file that may look like a PDF or RAR file can, hypothetically, trigger a malicious script and silently inject this ransomware's executable.

Our analysis has shown that its executable is named randomly, but it usually has the word “payload” in it. According to our research, the payload file can place Malevich Ransomware’s main executable in locations such as %ALLUSERSPROFILE%\Start Menu\Programs\Startup, %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup, and a few others. In short, the executable is set to be hidden from plain sight. However, a good anti-malware program will be able to detect it.

Once on your computer, it will start automatically, connect to the Internet and begin the encryption. This ransomware is set to use the RSA-2048 encryption key to encrypt the files and send the private decryption key to the Command and Control (C&C) server controlled by its owners. Once the encryption of most of the files on your computer is complete, it will create two files: one named Decryption instructions.jpg which is set as the desktop wallpaper and the other called Decrypt instruction.txt that is dropped on the desktop. Decrypt instruction.txt contains the email address to which you have to write to get further instructions on how to pay the unspecified amount of money. You can separate the encrypted files from the unencrypted ones by looking at the name of the file. An encrypted file will have the .id-B4500913.decryptformoney@india.com.xtbl file extension, and the icons of the encrypted files are replaced with a generic white file icon. Unfortunately, this ransomware can encrypt more than a hundred file formats and it targets file types such as .doc, .mp3, .zip, .rar, .zip, .tif, .jpg, .dxf, .dxg, .eps, .htm, .html, .ibank, .iso, and so on. Basically, will encrypt all file types likely to feature valuable information.

That is all of the information currently available about this malicious program, but its intention is clear — it is set to encrypt your files and demand money in order for you to get them back. However, there are no guarantees when dealing with cyber crooks, so you ought to consider deleting Malevich Ransomware using an antimalware tool such as SpyHunter or the manual removal guide located below.

How to delete this malicious program

  1. Simultaneously press Windows+E keys on the keyboard.
  2. In the address box of the resulting File Explorer window, enter these paths.
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
  3. Identify Malevich Ransomware's executable and delete it.
  4. Enter C:\Users\{your user name}
  5. Find Decryption instructions.jpg and delete it.
  6. Go to the desktop and delete Decrypt instruction.txt
  7. Simultaneously press Windows+R keys on the keyboard.
  8. In the dialog box, enter regedit and click OK.
  9. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  10. Find and delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  11. Then, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the string that has one of the aforementioned file paths (%WINDIR%\Syswow64\random.exe)
  12. Navigate to HKCU\Control Panel\Desktop
  13. Find the Wallpaper string and right-click it and click Modify.
  14. Erase C:\Users\user\Decryption instructions.jpg in the Value data line.
  15. Empty the Recycle Bin.
Download Spyware Removal Tool to Remove* Malevich Ransomware
  • Quick & tested solution for Malevich Ransomware removal.
  • 100% Free Scan for Windows
disclaimer
Disclaimer

Post comment — WE NEED YOUR OPINION!

Comment:
Name:
Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.