Danger level 9
Type: Trojans
Common infection symptoms:
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

Ransomware appears to be a new version of a malicious application called Stampado Ransomware. This time the malware’s creators might be distributing it with malicious installers of legitimate programs, for example, antimalware applications. Therefore, users have to be extra cautious while downloading software if they do not want to get their systems infected. The consequences of allowing Ransomware to settle on the system could be rather severe, as the application could encrypt the data most valuable to you. The threat’s creators may say they can undo the damage they caused for a particular price, but as you realize, trusting these cyber criminals might not be the best idea. If you continue reading the article, we will explain more about the malware and other possible decryption options. If you decide to eliminate the threat, we encourage you to use the instructions located below.

Our researchers were testing a sample of Ransomware that was distributed with a legitimate application. To be more precise, it was an installer of a well-known antivirus program known as AVG. It might seem surprising, but the setup file installed not only the security tool but also the ransomware. Most likely, installers bundled with the malware are distributed through malicious web pages, unreliable file-sharing sites, suspicious pop-up ads, etc. To avoid receiving infected software installers, we would advise you to be more careful with your clicks and always download setup files from legitimate web pages.

When users launch the infected installer, Ransomware should place its data in the %UserProfile%\AppData\Roaming directory. What’s more, it was noticed that in some cases the malicious program might create a randomly titled file in the Temporary Files folder. Afterward, it should create an entry called Windows Update in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run location. The software’s creators did not pick such a title without reason: it is supposed to confuse users who want to remove the threat, so that they cannot tell the Registry entries created by the infection apart from legitimate ones.

The next step is to find Ransomware’s targeted data, then encrypt it and make it unusable. The infection targets the user’s personal files, such as photographs, pictures, videos, documents, and so on. The titles of the affected data could also be replaced; in any case, you can recognize encrypted files by the specific .locked extension appended to them. Soon after your files become enciphered, the malicious application should open a separate window containing a message, or in other words, a ransom note. It explains what happened to the personal data on the computer and demands that users contact the malware’s creators if they want to purchase a decryption key. To scare users into paying, the malicious application also sets a time limit and threatens to erase one file every 6 hours that the payment is not made.

However, there is a chance you can get decryption tools without paying a ransom. Since the software is based on an older, already existing infection, the decryptor created for Stampado Ransomware might work on files encrypted by Ransomware too. Such a decryptor could be available for free on the Internet, as volunteer IT specialists should have created it. We believe it is worth looking for such a tool, because you probably have nothing to lose, and paying the ransom could be risky.

The malware’s creators might not bother to help you restore the files they locked themselves, but still take your money. If risking your savings does not look like a good option, we advise you to look for the decryption tools we just mentioned or to restore affected data from copies, provided you created any before the computer was infected. Lastly, if you decide not to pay the ransom, our researchers recommend removing the malicious application so it cannot do any further damage. Experienced users could follow the manual instructions located below, while less experienced users could use a reliable antimalware tool. No matter which option you choose, it would be a good idea to keep a fully updated security tool on the computer, as it may help you stay away from threats like Ransomware in the future.

Remove Ransomware

  1. Press Win+E.
  2. Locate this path: %UserProfile%\AppData\Roaming
  3. Look for a file called scvhost.exe, right-click it and press Delete.
  4. Go to the Temporary files directory.
  5. Check if there is a malicious file with a random name, right-click it and select Delete.
  6. Find the infected installer you downloaded and launched yourself (e.g. Downloads, Desktop).
  7. Right-click the malicious installer and press Delete.
  8. Close the Explorer.
  9. Press Win+R.
  10. Type Regedit and select OK.
  11. Look for a particular path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  12. Find the entry titled Windows Update, right-click it and select Delete.
  13. Close the Registry Editor.
  14. Empty your Recycle bin.
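Before deleting anything by hand, it helps to confirm which of the indicators described above (the Run entry named Windows Update, scvhost.exe in the Roaming folder, recent executables in the Temporary files directory, and files carrying the .locked extension) are actually present. The following read-only PowerShell triage script is an added example, not part of the original article or any vendor tool; it only reports findings and hashes the dropped file for later reference, so the removal steps above remain a deliberate second step.

```powershell
# Added example (not from the original article): read-only triage of the
# indicators the article describes. Nothing is deleted; review the output first.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropDir  = Join-Path $env:USERPROFILE 'AppData\Roaming'
$findings = @()

# 1. Persistence: the article says the entry is named "Windows Update" under Run.
#    Run normally holds values, but a subkey with that name is checked as well.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and ($runValues.PSObject.Properties.Name -contains 'Windows Update')) {
    $findings += "Run value 'Windows Update' -> $($runValues.'Windows Update')"
}
if (Test-Path (Join-Path $runKey 'Windows Update')) {
    $findings += "Run subkey 'Windows Update' exists"
}

# 2. Dropped executable: scvhost.exe (note the misspelling of svchost) in Roaming.
#    The hash is recorded so the sample can be checked against AV/sandbox reports.
$dropped = Join-Path $dropDir 'scvhost.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file $dropped (SHA256 $hash)"
}

# 3. The article says the file in the Temporary files folder has a random name,
#    so only the location and a recent timestamp (assumed 7-day window) are checked.
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { $findings += "Recent executable in TEMP: $($_.FullName)" }

# 4. Impact: count files carrying the .locked extension under the user profile.
$locked = Get-ChildItem -Path $env:USERPROFILE -Filter '*.locked' -File -Recurse `
          -ErrorAction SilentlyContinue
if ($locked) {
    $findings += "$($locked.Count) file(s) with .locked extension, e.g. $($locked[0].FullName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A recent executable in %TEMP% is not proof of infection on its own; treat that line as a pointer to inspect, not as a verdict.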