Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • Annoying pop-ups
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware arrives on the computer as an attachment from a spam email. Once it is inside the system, it finds personal files, i.e. those that users value the most (music files, pictures, presentations, documents, theses, etc.), and encrypts them all using the RSA-2048 encryption method. To decrypt files encrypted with this algorithm, one needs to have the private key. Of course, this key is known only to the cyber criminals who developed Ransomware. This infection changes the Desktop wallpaper and creates the Decryption instructions.txt file. Unlike other ransomware infections, it does not include much information about the decryption process in its ransom note. You will see a single sentence on the Desktop: “To get the key write to”. If you contact the cyber criminals, they will offer to sell you the private key needed to decrypt the files. It is up to you whether or not to pay them, but if you ask our opinion, you should not transfer your money to anyone because nobody knows whether the decryptor really exists. Even if it is available, you have no guarantee that it will be sent to you after you make a payment. Last but not least, Ransomware will not leave your PC alone, which means that it might strike again and encrypt your new files even if you pay the money the cyber criminals demand.

Many users write an email to the cyber criminals when they notice that all their personal files and even applications are locked with a strong key; however, only a few people decide to pay after they find out that the decryptor is an expensive tool. Of course, people are ready to pay the ransom to get their important files back, but the majority of them decide to leave the files encrypted because nobody knows whether they will really be unlocked. We suggest that you do not spend your money on the decryptor either. Instead, you need to delete Ransomware from your system right now and then try alternative methods to recover files. For example, even though Ransomware is created on the CrySIS Ransomware engine (it is impossible to decrypt files it has locked at the time of writing), you should still download free tools from the web and try to use them to recover at least several important personal files. If the tools you find on the web are ineffective, you should still leave those encrypted files on your computer after the deletion of Ransomware. Specialists might crack the key in the future, and you could then unlock your files.

According to specialists at, Ransomware is created on the basis of the same source code as other ransomware infections prevalent these days, e.g. Ransomware and Ransomware. Therefore, cyber criminals, without a doubt, use the same method to distribute it, i.e. they spread Ransomware as an attachment in spam emails. Users open the attachment without expecting it to harm their computers because it looks completely harmless. Our specialists have noticed that this attachment is often even made to look like an ordinary document, e.g. a .pdf file. If the sender is unknown, do not open the email by any means. Of course, you also need to be careful with emails that have been put into the spam folder even though they are sent by people you know. Actually, every user should have a trustworthy antimalware scanner installed on their computer. It will warn you about an attempt to download malware. Also, it will fix all security loopholes and will always stand in the way of malware.

If a ransomware infection containing an email address still manages to enter your PC, it will not only create a file on the Desktop, change the wallpaper, and encrypt your personal files, but will also make other modifications on the infected computer. For example, our researchers immediately found that this infection places its executable file on the computer. It could be found in any of these directories:

  • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
  • %WINDIR%\Syswow64\
  • %WINDIR%\System32\

This is, of course, not the only thing it does. Research has revealed that this Ransomware also makes several modifications in the system registry. To remove this ransomware manually, you will have to undo those changes. We hope that it will not be hard to learn how to do that by using the manual removal guide made by specialists working at

You should get rid of Ransomware if you wish to protect your future files and to protect your PC from other malicious applications that this ransomware might help to get onto it. To be honest, the easiest and quickest way to eliminate this infection is to scan the computer with a reputable scanner, e.g. SpyHunter. If you consider yourself a more experienced user, you can also remove it manually. We suggest referring to the manual below if you need some guidance.

Delete Ransomware

  1. Launch RUN (Win+R).
  2. Type regedit.exe in the box and click OK or tap Enter.
  3. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Delete the Value that has Data %WINDIR%\Syswow64\*.exe or %WINDIR%\System32\*.exe (* stands for a random name).
  5. Open HKCU\Control Panel\Desktop.
  6. Right-click on the Wallpaper Value and select Delete.
  7. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  8. Locate the Value BackgroundHistoryPath0, right-click on it, and remove it.
  9. Find the executable file ({randomname}.exe) of the ransomware (it might have the word Payload in its name) in directories listed in this report.
  10. Delete it.
  11. Empty the Recycle bin and reboot your computer.
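
The locations named in the steps above can be reviewed read-only before anything is deleted. The PowerShell below is an added example, not part of the original guide; the helper name `New-Finding` and the use of Authenticode signature status as a triage hint are assumptions of this example.

```powershell
# Added example: read-only triage of the locations listed in this report. Nothing is deleted.
$expand = { param($s) [Environment]::ExpandEnvironmentVariables($s) }
$startupDirs = @(
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { & $expand $_ } | Select-Object -Unique
$sysDirs = @("$env:WINDIR\System32", "$env:WINDIR\Syswow64")

function New-Finding($source, $name, $path) {
    # Signature status is a triage hint only (assumption: unsigned files deserve a closer look).
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'FileMissing' }
    [pscustomobject]@{ Source = $source; Name = $name; Path = $path; Signature = $sig }
}

$findings = @()

# Startup folders normally hold .lnk shortcuts; a bare .exe there is worth reviewing.
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += New-Finding 'Startup folder' $_.Name $_.FullName }
}

# HKLM Run values whose data points at an .exe directly inside System32 or Syswow64 (step 4).
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($valueName in $run.GetValueNames()) {
    $cmd = & $expand ([string]$run.GetValue($valueName))
    if ($cmd -notmatch '^\s*"?([^"]+?\.exe)') { continue }   # first token ending in .exe
    $exe = $Matches[1]
    if ($sysDirs -contains (Split-Path -Path $exe -Parent)) {
        $findings += New-Finding "Run value '$valueName'" (Split-Path -Path $exe -Leaf) $exe
    }
}

# Wallpaper values from steps 5-8, shown so they can be checked before deleting.
$wallpaper = [pscustomobject]@{
    Wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    BackgroundHistoryPath0 = (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers' -ErrorAction SilentlyContinue).BackgroundHistoryPath0
}

$findings | Format-Table -AutoSize -Wrap
$wallpaper | Format-List
```

Legitimate Windows components can also register Run values that point into System32, so treat the output as a list to review against the random-name pattern described in step 4, not as a list to delete.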