Danger level 7
Type: Browser Hijackers
Common infection symptoms:
  • Hijacks homepage
  • Changes default search engine

Ransomware

If your PC gets infected with Ransomware, you should immediately think about its removal because it is a really nasty infection. The first symptom showing that this threat has successfully entered the computer is the inability to access the majority of files stored on it. Specifically, files located in directories such as %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, %HOMEDRIVE%\$Recycle.Bin, and %HOMEDRIVE%\{1-6} (a folder whose name consists of 1-6 characters) are found and encrypted by the ransomware infection. Like other malicious applications placed in the ransomware category, Ransomware encrypts files in order to obtain money from users. In fact, unlike a bunch of other similar threats, it does not tell users that they will have to pay a ransom to get a decryption tool. Users are only told that they have to contact the author to “receive all necessary instructions.” Do not pay a single cent to cyber criminals since the chances that the decryptor will be sent to you are not very high.

Ransomware does not immediately start encrypting users’ files. As has been found by researchers working at, this infection first collects all the relevant information about a victim’s computer, for example, OS, Service Pack, drivers, architecture, and other details. The collected information is then stored in .mth files created on the Desktop. Only then does the encryption process start.

As has been mentioned in the first paragraph, this ransomware infection locks a bunch of different files stored on the computer. They will all receive the new filename extension .MATRIX, so it will definitely not be a problem for you to find them. Once the encryption process is finished, Ransomware drops a ransom note matrix-readme.rtf (it might have numbers at the beginning too, e.g. 31217-matrix-readme.rtf) in the different places where these encrypted files are located.

Since there are two versions of the ransom note (one in Russian and the other in English), specialists say that this threat might be of Russian origin. No matter which ransom note users read, they get the same information: an email with the provided ID has to be sent to (or, if the answer is not received within 24 hours) to get instructions on how to decrypt files. Even though it is not written in the ransom note, researchers are sure that the author of this infection will demand a ransom. Its size might vary, but the decryption tool will definitely not be cheap. Also, there are no guarantees that it will be sent to you after you make a payment, so you should definitely weigh all the pros and cons before transferring the required money. If you decide not to pay, you can recover your files from a backup you keep on an external storage device. Unfortunately, a third-party data recovery tool will, most probably, not help you because Ransomware creates a script that removes the so-called Shadow Copies of files. Yes, this threat is a dangerous one.

Even though Ransomware is said to be a Russian ransomware infection, it targets all users no matter where they live. To be frank, the possibility of getting infected with this threat is not very small since it is distributed through spam emails. Research carried out recently by experienced specialists has shown that the malicious file comes as an email attachment in most cases, and users open it without fear because it looks harmless. This is, undoubtedly, the most common ransomware distribution method; however, it does not mean that these threats cannot be spread in other ways too. Therefore, the installation of a security application is a must. Do not forget to enable it and update it periodically to be safe 24/7.

It is not a piece of cake to delete Ransomware from the computer because it drops several files on the infected computer. We understand that these files might not be very easy to detect and erase, so we asked our specialists to prepare a manual removal guide for you. You can find it below this article. Of course, it is not the only method to erase this ransomware infection. You can automatically delete this threat from the system too. Use the SpyHunter antimalware suite – it will also remove other threats, e.g. adware, browser hijackers, and potentially unwanted programs performing activities on your PC without your consent. Keep in mind that it, unfortunately, cannot unlock files for you.

Delete Ransomware manually

  1. Press Win+E simultaneously to launch Windows Explorer.
  2. Type %APPDATA%\Microsoft in the address bar at the top to open this directory.
  3. Locate the .cmd and .vbs scripts belonging to the ransomware infection.
  4. Delete them both.
  5. Delete ransom notes from directories containing encrypted files.
  6. Locate and then delete the executable file that was launched.
  7. Empty the Recycle bin.
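
Before deleting anything, the artifacts named in this article (the .MATRIX extension, the matrix-readme.rtf note with its optional numeric prefix, .mth files, and .cmd/.vbs scripts in %APPDATA%\Microsoft) can be inventoried read-only to see which directories were affected. The following Python script is an added example, not part of the original guide; the function names and the file names created in demo() are constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators taken from the article text above.
NOTE_RE = re.compile(r"^(?:\d+-)?matrix-readme\.rtf$", re.IGNORECASE)
EXT_KIND = {".matrix": "encrypted",   # extension given to encrypted files
            ".mth": "recon_file",     # system-information files on the Desktop
            ".cmd": "script", ".vbs": "script"}  # dropped in %APPDATA%/Microsoft


def classify(path):
    """Return the indicator class for one file, or None if nothing matches."""
    if NOTE_RE.match(path.name):
        return "ransom_note"
    return EXT_KIND.get(path.suffix.lower())


def triage(roots, script_dir):
    """Walk roots without modifying anything; group matches by indicator class."""
    script_dir = Path(script_dir).resolve()
    report = defaultdict(list)
    for root in roots:
        for path in Path(root).resolve().rglob("*"):
            kind = classify(path) if path.is_file() else None
            # .cmd/.vbs are common on healthy systems: count them only in script_dir
            if kind and (kind != "script" or path.parent == script_dir):
                report[kind].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Run triage over a constructed tree (file names invented for this example)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        names = ["Desktop/report.docx.MATRIX", "Desktop/31217-matrix-readme.rtf",
                 "Desktop/host.mth", "Desktop/build.cmd", "Downloads/matrix-readme.rtf",
                 "Downloads/notes.txt", "AppData/Microsoft/x.cmd", "AppData/Microsoft/x.vbs"]
        for name in names:
            (base / name).parent.mkdir(parents=True, exist_ok=True)
            (base / name).write_bytes(b"")
        found = triage([base], base / "AppData" / "Microsoft")
        return {kind: [p.name for p in paths] for kind, paths in found.items()}
```

On a real system, pass the user profile directories as roots and the expanded %APPDATA%\Microsoft path as script_dir; the script only lists files, so deletion remains a separate, deliberate step.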