Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware is a malicious piece of programming. This program is set to encrypt all of your files and demand money to decrypt them. We urge you not to comply with the demand to pay and to remove the program instead, because there is no way of knowing whether you will get the decryption software. This program comes from the same developer as Ransomware and Ransomware and, based on our experience with these and other programs from this creator, we think it is highly likely that you will not get the decryption tool once you have paid.

Once again we have ransomware based on the so-called Crysis engine, which uses an RSA-2048 key. Security researchers have yet to find a vulnerability in this particular ransomware that could help break the encryption. Therefore, breaking its unique encryption key is currently not possible. While encrypting, this ransomware generates a decryption key that is sent to the remote Command and Control Server operated by this malware’s creator. In order to get the decryption tool that features the decryption key, you must pay a ransom.

We do not know how much money the cyber criminal will want you to pay because the sum varies with each new release. Nevertheless, based on our experience with Ransomware’s counterparts, we believe that the ransom could be anywhere from 2 to 4 Bitcoins, which are 1,215 and 2,430 respectively. Needless to say, these are significant sums of money that may not be worth paying. After the encryption is complete, this ransomware is set to drop a file named Decryption instructions.txt that features an email address for contacting the cyber criminal, who will give you instructions on how to pay the ransom. The criminal may offer to let you send him encrypted files, which he will send back decrypted as proof that he can decrypt them. In any case, this ransomware will drop another file named how to decrypt your files.jpg that is set as the desktop wallpaper, and this file also features the same email address for contacting the developer.

Truth be told, Ransomware is no different from its predecessors. In fact, it is a mere clone, so, as far as its main executable is concerned, we found that it is also named randomly or at least features the word “payload” in the name. Ransomware has been programmed to drop the main executable in one of seven locations that include %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup and %ALLUSERSPROFILE%\Start Menu\Programs\Startup (see the removal guide for the full list). Once this file is dropped, it will generate a registry string at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run the executable on system startup.

If you do not have a powerful antimalware application and this malicious application manages to infect your computer, it will start encrypting your files. Testing has shown that this ransomware excludes locations needed for Microsoft Windows to run properly, but it will encrypt nearly all of the executables, so you will be unable to run any programs installed prior to the encryption; programs and files added after the infection would not be encrypted. The program encrypts not only executables but other files as well, including documents, images, file archives, and video and audio files, so nearly all of your most cherished personal files are set to be encrypted. You can tell that a file was encrypted by the .xtbl extension appended to its name.

Given that you cannot decrypt your files using a third-party decryption tool, which leaves purchasing the decryptor from the cyber criminal as the only possibility, we recommend that you remove Ransomware from your PC using the guide provided below or an antimalware application such as SpyHunter that would wipe out all traces of this infection.

How to delete Ransomware

  1. Simultaneously press Win+E keys.
  2. In the File Explorer window’s address bar, enter the following locations.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  3. Locate the randomly named executable.
  4. Right-click it and click Delete.
  5. Then, enter C:\Users\{your user name} in the address box.
  6. Find and delete how to decrypt your files.jpg
  7. Delete Decryption instructions.txt from the desktop.
  8. Empty the Recycle Bin.
  9. Close the File Explorer.
  10. Simultaneously press Win+R keys.
  11. Enter regedit in the box and click OK.
  12. In the Registry Editor, go to HKCU\Control Panel\Desktop
  13. Find the Wallpaper string and click delete.
  14. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  15. Delete BackgroundHistoryPath0
  16. Finally, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  17. Find the randomly named string with the Value data pointing to the location of the executable and delete it.
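
The manual checks above, gathered into a read-only PowerShell triage script that reports what it finds and deletes nothing. This is an added example, not part of the original guide: the paths, file names and registry keys come from the guide, while the variable names, the Authenticode signature check and the "payload" name match are this example's own triage hints.

```powershell
# Added example: read-only triage for the artifacts named in the guide. Deletes nothing.
$dirs = @(
    "$env:WINDIR\Syswow64", "$env:WINDIR\System32",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
)

# 1. HKLM Run values whose executable sits directly in one of the seven locations.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($name in $runKey.GetValueNames()) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$runKey.GetValue($name))
    if ($data -notmatch '(?i)([a-z]:\\[^"]+?\.exe)') { continue }
    $exe = $Matches[1]
    if ($dirs -notcontains [System.IO.Path]::GetDirectoryName($exe)) { continue }
    # Signature status and the "payload" name match are triage hints, not verdicts.
    $sig = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'FileMissing' }
    [pscustomobject]@{ RunValue = $name; Path = $exe; Signature = $sig
                       NameHasPayload = ($exe -match 'payload') }
}

# 2. Executables placed in the Startup folders, which usually hold shortcuts.
$startupExes = $dirs | Where-Object { $_ -like '*\Startup' -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter *.exe -File -ErrorAction SilentlyContinue } |
    Select-Object FullName, CreationTime

# 3. Ransom note, wallpaper image and the wallpaper registry value.
$notes = @(
    (Join-Path $env:USERPROFILE 'how to decrypt your files.jpg'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Decryption instructions.txt')
) | Where-Object { Test-Path -LiteralPath $_ }
$wallpaper = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop').Wallpaper

# 4. Files carrying the appended .xtbl extension under the user profile.
$xtbl = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Filter *.xtbl -File -ErrorAction SilentlyContinue)

'Run values pointing into the drop locations:'; $runHits | Format-Table -AutoSize
'Executables in Startup folders:';              $startupExes | Format-Table -AutoSize
'Ransom note files present:';                   $notes
"Current wallpaper value: $wallpaper"
"Files with .xtbl extension: $($xtbl.Count)"
```

Legitimate signed entries under System32 will appear in the first table, so treat an unsigned or randomly named executable there as the lead to follow, not every row.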