iRansom Ransomware

It should not be difficult to realize that iRansom Ransomware has corrupted your personal files if a strange window pops up informing you that your “files have been locked by iRansom.” No, you have not become a victim of a vicious joke. This is the real deal, and the creators behind this ransomware are not joking around. They have encrypted your personal files – at least some of them – and they want you to pay a ransom of 0.15 Bitcoins. Although the ransom note declares that you will be able to unlock your files when you pay the ransom and confirm the payment, no one can guarantee this. Needless to say, paying the ransom is something that requires some thinking. If you have no idea what to do, read this report. We discuss the infection, your options, and, of course, how to remove iRansom Ransomware.

iRansom Ransomware is a new infection, and we have analyzed it as soon as it was discovered. At the moment, it is still unclear how this infection spreads across the web, but if we had to guess, it is most likely that you will find it hiding behind a misleading spam email. Most ransomware infections, including the most recent threats, Telecrypt Ransomware and Esmeralda Ransomware, are executed when the victim opens a corrupted spam email attachment. Needless to say, this attachment might look harmless, which is why you need to be vigilant at all times. Most important, do not click suspicious links and open suspicious files delivered via spam emails. If you receive a spam email, the best thing you can do is remove it without even opening it at all. Overall, if you execute the ransomware, it has the chance to encrypt your files, and that could lead to their loss. Although the threat does not delete your files, it encrypts them in a way that it might be impossible for you to recover them.

So, which files does iRansom Ransomware attack? According to our analysis, this ransomware encrypts the files in the %USERPROFILE% directory, including all subfolders. Unfortunately, this threat might even encrypt .exe files, making certain applications inactive. The good news is that it is much easier to recover software files than personal files, which, of course, are irreplaceable. You will see which files were encrypted right away because all of them will have the “.Locked” extension. Right after the files are locked, the pop-up with the ransom note will appear. As mentioned previously, this might be the first sign for you that the ransomware has invaded. The ransom note was created to inform you that cyber criminals expect you to pay a ransom of 0.15 Bitcoins (~108 USD) to their Bitcoin address. The address used by the creator of iRansom Ransomware is 18Md4neA2kE3fkB46FDpyxLUEZvQeUjt4M. The ransom note also mentions that you only have 48 hours to make the payment, which you need to confirm by emailing at GALAXYHIREN@SIGAINT.ORG.

Considering that the ransom payment is not exceptionally big – if you take into consideration that there are ransomware infections that demand thousands of dollars – you might think that paying it is not a big deal. Well, unless you are comfortable with potentially losing this money, you should think about this step. We do not claim that your files will remain locked if you pay the fee requested by iRansom Ransomware, but you must admit that cyber criminals are truly unpredictable and that you do not know what will happen if you give in. If you had prepared for a situation like this, your personal files are backed up, and there is nothing stopping you from deleting iRansom Ransomware. If you have failed to take care of your files, research legitimate third-party decryptors and their abilities to possibly help you. At this time, a decryptor that would work does not exist, but there is hope that it could be created.

The manual removal of iRansom Ransomware is complicated only if you cannot find the malicious file that has launched it (e.g., the spam email attachment file). If you find this file, the rest of the steps in the guide below should pose no other problems. If you cannot erase the infection manually, you have the option to install an automated malware remover. This tool is truly irreplaceable if other infections exist as well. Furthermore, if you invest in a tool that will also ensure full-time protection, you will not need to fear for the invasion of malware in the future, and that is exceptionally important.

iRansom Ransomware Removal

1. Tap Ctrl+Shift+Esc keys to launch Task Manager.
2. Click the Processes tab.
3. Select the malicious process (in our case it was named iRansom.exe) and click End Process or End Task.
4. Now, right-click and Delete the malicious .exe file (its location and name are random).
5. Launch RUN by tapping Win+R keys.
6. Enter regedit.exe into the dialog box to open the Registry Editor menu.
7. Navigate to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
8. Right-click and Delete the malicious value (in our case it was named iRansom).