RansomPlus Ransomware

A new malicious application RansomPlus Ransomware targeting users’ personal files is in the wild. It was first detected on the 28th of January, 2017, and it seems that it will be active for some time. All ransomware infections share the same similarity – their main goal is to obtain money from users, so it is not surprising that they strike the moment they successfully enter computers. More specifically, they encrypt all users’ files once they infiltrate computers. RansomPlus Ransomware is no exception too. It searches for valuable files on the computer and then locks them all by appending a new filename extension .encrypted. Strong encryption algorithms (most probably, AES-256 and RSA-2048) are used to encrypt those files, so it might be impossible to unlock them without the private key which cyber criminals should have and share with users after receiving their money. Of course, users do not always receive a decryption tool when they make a payment, so think twice before you send the required money. Read the remaining article to find out what can be done to unlock files without the private key stored on the server belonging to cyber criminals.

Researchers working at pcthreat.com have started their research from checking the code of the malicious ransomware file. They have found a line c:\users\sergej\documents\visual studio 2015\projects\cl\release\ransomplus.pdb there telling much information about this ransomware infection. Evidently, RansomPlus Ransomware was developed by Sergej using Visual Studio 2015, and the project was named ransomplus. As a consequence, specialists call this threat RansomPlus Ransomware. This computer infection does not differ much from older file-encrypting threats even though it is new. First, it checks %ALLUSERSPROFILE%, %ALLUSERSPROFILE%\Application Data, %USERSPROFILE%\Documents, %USERSPROFILE%\Music, %USERSPROFILE%\Pictures, %USERSPROFILE%\Videos, %LOCALAPPDATA%, %USERPROFILE%\Local Settings\Application Data, and folders having from 4 to 6 characters located in %HOMEDRIE% to find the most valuable users’ data. Once it finds .txt, .json, .html, .css, .jpg, .cat, .cdf-ms, .log, .lnk, .dat, and other files there, it encrypts them all and then drops a ransom note YOUR_FILES_ARE_ENCRYPTED!!!.txt in directories with locked files. This ransom note immediately explains users what cyber criminals want from them. It is clearly stated there that 0.25 Bitcoin (~ 240 USD) has to be transferred to the Bitcoin address 36QLSBTuBvK5rKD6PsM9tTFaacrjHCSNGd. Once the money is on its way, the transaction ID has to be sent to andresaha82@gmail.com. Users should then receive an email with the decryption key from cyber criminals. Unfortunately, there are really no guarantees that the decryption tool will reach you because there might be no motivation to send it to you left for cyber criminals after receiving your money.

We do not promise that you could decrypt your all files, but you should definitely try out free data recovery tools that can be downloaded from the web. Of course, not all of them are reliable, e.g. some of them might install malware alongside, so carefully install free tools and download them only from legitimate-looking websites. If none of the tools you try work for you, you should know that it is possible to recover the encrypted data from a backup. It is only possible to do that if copies of files are located outside the computer. In case such a backup of the most important files does not exist, you should still do not delete those encrypted files because you might be able to unlock them one day. Keep in mind that it does not mean that RansomPlus Ransomware can stay installed on your PC.

Ransomware infections can cause much harm, as you have probably already understood, so users should have a security application installed on their computers if they connect to the Internet every day. Researchers have found that file-encrypting threats often come as attachments in spam emails, but they might also be waiting for users on bad web pages. Generally speaking, malicious applications are very sneaky, so users need to be very cautious all the time when surfing the web.

There are two removal steps to fully erase RansomPlus Ransomware from the computer. First, users have to find and remove a malicious file they have downloaded themselves. Second, ransom notes from affected directories need to be erased. If it happens that you cannot find the malicious file, let an automatic malware remover, e.g. SpyHunter help you. It is the easiest ransomware removal method, but users should not expect that an automatic tool will unlock encrypted files for them too.

Delete RansomPlus Ransomware

1. Open the Windows Explorer.
2. Check %TEMP%, %USERPROFILE%\Desktop, and %USERPROFILE%\Downloads to locate the malicious file of the ransomware infection.
3. Delete it.
4. Remove the ransom note YOUR_FILES_ARE_ENCRYPTED!!!.txt from all directories it is placed in.
5. Empty the Recycle bin.