Parisher Ransomware

Parisher Ransomware is an extremely dangerous ransomware program that is hard to remove. The infection leaves security researchers baffled because it differs from most of the previously discovered and discussed ransomware applications. Nevertheless, it is still possible to remove Parisher Ransomware from the affected system, and this is exactly what you are supposed to do. In this description, we will discuss how this infection spreads around, and what you should do to terminate it. If you find manual removal too complicated, you can always invest in a security application that will delete this infection for you automatically. After all, locating and deleting all the malicious files could be genuinely challenging.

We know that this infection is a new variant for the Mobef Ransomware. Mobef Ransomware was first discovered last May, and it is the ransomware-as-a-service type of infection. It means that the main malicious engine can be sold to anyone who wants to try out being a cyber criminal. What’s more, the engine can be customized and developed according to its owner’s whims. This feature was retained by Parisher Ransomware, too. There is a very good chance that there might be several different versions of this infection out in the wild, and our researchers believe it could evolve further.

Normally, we know what kind of encryption algorithm a ransomware program uses, but our research shows that the program’s algorithm is unknown. It cannot be determined. What is obvious is that Parisher Ransomware has a strong encryption, and there is no public tool that would be decrypting this infection at the moment. The code used by the infection is heavily obfuscated, and the infection targets only document file extensions like .pdf, .txt, .xml, .docx, and so on. So, while the program will not encrypt all of your files, you can pretty much be sure that it will affect most of the document files you use on a daily basis.

Unlike most of the ransomware infections, this program does not employ spam email campaigns or exploit kits to spread around. Instead, Parisher Ransomware gets distributed via remote desktop connection programs. It exploits the Windows Remote Desktop Protocol through the Microsoft Remote Desktop Connection software. There have also been cases when users were infected via TeamViewer, which is also a remote desktop connection application. This would imply that the people behind this infection have someone acquired your credentials to slither into your system, or they have infected you with public (open) sessions. Also, our research team notes that Parisher Ransomware is very likely to evolve in the future, so its distribution methods might change, too.

When the program encrypts your files, it does not add any extension to the affected documents. Instead, you will see a new window on your desktop that will say your files have been encrypted. The message will also have your ID, designed specifically to your computer, and note to send an email to parisher@protonmail.com for further instructions. During our tests, we have contacted these criminals via the given emails, and we received an email which said we had to pay 5BTC to retrieve our files.

It is common for ransomware programs to use bitcoins (BTC) for the ransom currency, but the payment is borderline ridiculous: Parisher Ransomware expects you to pay more than $3000USD for the decryption key. What’s more, there is a chance that the criminals would not issue one even if you were to transfer the payment immediately. Thus, it is for the best to ignore these ransom notes, as you would only lose your money if you succumb to these demands.

Instead, you should remove Parisher Ransomware from your system and then look for ways to restore your files. The best way to do that is to transfer healthy copies of your files from a system backup. Perhaps you have an external HDD or some cloud storage where you keep most of your important files. This is the time you can make use of that storage.

Once you have deleted Parisher Ransomware from the system, transfer the files back. Also, do not forget to get yourself a reliable antispyware tool that would safeguard your system from similar infections in the future. Do not leave everything to sheer luck.

How to Remove Parisher Ransomware

1. Right-click the taskbar and select Task Manager.
2. Open the Processes tab and find the malicious ransomware file.
3. Check the file’s location.
4. Go to that directory and remove the file.
5. Remove HELLO.0MG and LOKMANN.KEY933 from every subfolder in the %USERPROFILE% directory.
6. Press Win+R and type %WINDIR%. Click OK.
7. Remove the ransomware log file. Its name is the six digits from your ransom note ID.
8. Scan your PC with a security application of your choice.