Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Restore@protonmail.ch Ransomware

Restore@protonmail.ch Ransomware was first seen on 14 September 2016 and is designed to encrypt a total of 1,296 file types, so you have to remove it as soon as possible. However, if it has managed to enter your computer, it is already too late, because it is set to encrypt your files immediately and, currently, there is no way to decrypt them for free. Nevertheless, this ransomware's developer offers to sell the victims a decryption key, which should cost a pretty penny. We do not know how much money the developer wants, because the sum is not stated anywhere in the ransom note. To find out more about this highly dangerous program, read this article.

This newly released ransomware is still on the loose, so it is important to prevent it from entering your PC altogether. Needless to say, an anti-malware application is a must, because there is no reliable way of stopping it without one. We have received information claiming that this ransomware is disseminated via email spam. These emails are most likely sent from a dedicated server and are probably disguised as invoices or receipts from legitimate companies such as eBay or Amazon. We have found that the emails carry a zipped file that contains an executable named stub.exe; if you run it, it drops a copy of itself to %APPDATA%. A simple check goes a long way here: a genuine invoice or receipt does not arrive as a .zip archive containing an .exe, so treat any such attachment as malicious and do not open it.

Once on your computer, Restore@protonmail.ch Ransomware locks the screen by rendering a fake Windows update screen that says "Configuring critical Windows Updates." This is not done without reason: the purpose of the fake update screen is to divert your attention while the ransomware encrypts your most cherished files. As mentioned in the introduction, this ransomware can encrypt 1,296 file formats, and our research has revealed that its configuration names the following directories (the list contains several spelling and case variants of the same names): APPDATA, Appdata, Application Data, ProgramData, Program Files, ProgramFiles, Program Files x86, WINDOWS, Windows, intel, nvidia, RECYCLER, Recycler, Recycle.Bin, RECYCLE.BIN, TEMP, Temp, and Microsoft. These are system, vendor and temporary directories rather than user document folders, and a list of this kind is more commonly used by ransomware as a directory exclusion list than as a target list, so whether the files in these locations are encrypted or skipped should be confirmed by testing before it is relied on. The ransomware does skip certain file types, which include .sys, .dll, .exe, .ico, .link, .locked, .purge, .frozen, .tmp, .temp, .ini, .manifest, .com, .prx, .bin, .am, .dlm, and .ngr files. The reasoning for skipping these files is unknown, although leaving executables, drivers and configuration files intact keeps the system bootable so that the victim can still read the ransom note and pay; regardless, by encrypting all other file types this program does enough damage.

Once the encryption is complete, this ransomware drops a file named READ_ME!.hta. This file serves as the ransom note. Do not double-click it: .hta files are run by mshta.exe and any script they contain executes with your full user rights. Instead, change the file extension from .hta to .html, or open it in a text editor, so that you can read it without executing it. The note says that "Your files are encrypted using the same methods banks and military use." It does appear that this ransomware uses a strong encryption scheme; we think it might use RSA-2048, but more tests are necessary to confirm this. Furthermore, Restore@protonmail.ch Ransomware replaces the desktop wallpaper with a white noise image that tells you to contact the developer via email and, if you get no answer within 2 hours, to use the Bitmsg messaging program. The ransom note also states that the decryption key for your files will be deleted after a week. The cyber criminal wants to put pressure on you and compel you to purchase the decryption key. Note that the private key does not appear anywhere in the ransomware's code. That in itself is expected if the scheme is RSA, because the private key stays with the attacker, but it also means that nothing on your computer can restore the files, and there is no way to verify that the attacker actually retains a working key and will hand it over after payment.

Therefore, we suggest that, instead of paying the ransom, you delete this malicious application using the manual removal guide below. Alternatively, you can use an antimalware program; we recommend SpyHunter because our tests have shown that it is fully capable of detecting and eradicating Restore@protonmail.ch Ransomware without any difficulties. A free decryption tool might appear in the future, so keep the ransom note and a few encrypted files rather than deleting them; but if the attacker does not keep the private key, or the implementation turns out to have no recoverable weakness, there may be no way to decrypt the encrypted files at all.

How to delete Restore@protonmail.ch Ransomware

  1. Press Ctrl+Shift+Esc to open Task Manager, look for a process named stub.exe, and end it if it is running (a running executable cannot be deleted).
  2. Simultaneously press the Windows+E keys.
  3. Enter %APPDATA% in the address line and hit Enter.
  4. Find stub.exe, right-click it and click Delete.
  5. Copy one READ_ME!.hta file and a few encrypted files to a safe location in case a free decryption tool appears later, then find and delete all remaining copies of READ_ME!.hta.
  6. Empty the Recycle Bin.
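The same procedure can be carried out from an elevated PowerShell prompt. The script below is an added example written for this article and is not part of the original guide or of any vendor tool. It relies only on the indicators named above (stub.exe in %APPDATA% and the READ_ME!.hta note); the process name "stub", the evidence folder on the Desktop and the .bin/.txt file names used for preserved copies are our own choices, not something the ransomware dictates.

```powershell
# Added example (not from the original article): PowerShell triage of the
# indicators the article names: stub.exe in %APPDATA% and READ_ME!.hta copies.
# Assumptions (our own, not stated on the page): the dropper runs under the
# process name "stub", the evidence folder path is arbitrary, and this runs in
# Windows PowerShell 5.1 or later from an elevated prompt.

$dropper  = Join-Path $env:APPDATA 'stub.exe'
$noteName = 'READ_ME!.hta'
$evidence = Join-Path $env:USERPROFILE 'Desktop\ransomware-evidence'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# 1. Stop the dropper if it is still running; a running executable cannot be deleted.
Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $dropper) } | ForEach-Object {
    Write-Host "Stopping PID $($_.Id) ($($_.Path))"
    Stop-Process -Id $_.Id -Force
}

# 2. Record the dropper's SHA-256 and keep a non-executable copy before deleting it.
#    The hash can be matched against vendor reports; the copy can be submitted for
#    analysis. The .bin extension prevents an accidental double-click from running it.
if (Test-Path -Path $dropper) {
    $hash = (Get-FileHash -Path $dropper -Algorithm SHA256).Hash
    "$hash  stub.exe" | Out-File -FilePath (Join-Path $evidence 'stub.sha256') -Append
    Copy-Item -Path $dropper -Destination (Join-Path $evidence 'stub.exe.bin')
    Remove-Item -Path $dropper -Force
    Write-Host "Removed $dropper (SHA256 $hash)"
}

# 3. Locate every copy of the ransom note on the fixed drives. Read it as text
#    instead of running it: an .hta is executed by mshta.exe with full user rights.
$notes = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter $noteName -Recurse -Force -ErrorAction SilentlyContinue
})

if ($notes.Count -gt 0) {
    # Preserve one copy under a harmless extension plus a tag-stripped text version,
    # so the contact address and deadline are readable at a glance.
    Copy-Item -Path $notes[0].FullName -Destination (Join-Path $evidence 'READ_ME.hta.txt')
    (Get-Content -Raw -Path $notes[0].FullName) -replace '<[^>]+>', ' ' |
        Out-File -FilePath (Join-Path $evidence 'ransom-note-text.txt')

    # Now remove every copy of the note; the preserved one is in the evidence folder.
    $notes | ForEach-Object { Remove-Item -Path $_.FullName -Force }
    Write-Host "Removed $($notes.Count) copies of $noteName"
}

# 4. Leave the encrypted user files alone. If a free decryptor is released later
#    it will need untouched encrypted samples and the note's contents.
Write-Host "Evidence saved to $evidence. Encrypted files were not modified."
```

Run it once, then rerun the search in step 3 after a reboot: if new copies of the note or a fresh stub.exe reappear, the ransomware has a persistence mechanism this guide does not cover and a full anti-malware scan is required.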
Download Spyware Removal Tool to Remove* Restore@protonmail.ch Ransomware
  • Quick & tested solution for Restore@protonmail.ch Ransomware removal.
  • 100% Free Scan for Windows
