- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
CryptoMeister Ransomware is a new ransomware that specifically targets French-speaking users. All of the text in this ransomware is in French but, nevertheless, you can get it wherever you reside. This program can encrypt your files and, thus, prevent you from accessing their contents. It demands money that you must pay in Bitcoins. However, you may not want to comply, as you cannot trust cyber criminals to keep their word and decrypt your files. Therefore, you should remove this ransomware and recover as many of your encrypted files as possible from backup, provided you have any. In this short description, we will talk about how this program is distributed and how it works, and discuss its possible removal methods.
As mentioned, this program is set to target French-speaking people. Therefore, we assume that it can be distributed via French websites that were compromised with security exploits. If that is the case, then your computer can become infected as a result of visiting an infected website and interacting with Java or Flash-based content. Unless your computer has an anti-malware program, you will not notice the infection taking place. It is also likely that this ransomware can be distributed on pirated software and game distribution sites popular in France, in the French-speaking regions of Canada, and elsewhere where French is widely spoken. Lastly, it is also possible for CryptoMeister Ransomware to be distributed via email spam, as most ransomware is distributed using this method. The ransomware can be included as a file attached to the email or even as a link.
The first thing this ransomware does when it infects your computer is kill explorer.exe and display its ransom note, which is rendered as a dialog box. Note that the ransom note is in French only. Then, it downloads the Tor browser to %APPDATA%\rnsm_tor. The Tor browser connects to Tor network sites at wcn3a2igdpgxxlsg.onion and jop76omwbjfttasu.onion. However, both of these sites are now dead.
Unlike most ransomware, CryptoMeister Ransomware does not start encrypting files immediately; it starts encrypting them about 10 minutes after the infection. Therefore, this ransomware presents a unique window of opportunity to get rid of it before it can encrypt any of your files. Once the 10 minutes have passed, it will spring into action and encrypt many of your files. As if that was not enough, it will also delete a file every 10 minutes to compel you to pay the ransom as soon as possible so as not to lose too many files.
Our research has revealed that CryptoMeister Ransomware is dropped in %APPDATA% and its main executable is named “rnsm.exe.” The ransomware also adds a registry value so that it starts with Windows automatically. You can find the subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and its registry value name is “rnsm.” While this program kills “explorer.exe,” you can run it again manually. However, you must first close this ransomware’s ransom note by pressing ALT+F4, but you can also kill it from Task Manager. Press CTRL+ALT+DEL, select Task Manager, and go to Processes. Then, locate “rnsm.exe,” right-click it and click End Process. Then, click File in the actions bar and select Run. Type explorer.exe and hit Enter. Now you can go to the location of this ransomware and delete it.
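The same checks can be scripted. The PowerShell below is an added example, not part of the original guide: it looks for the artifacts named above (the rnsm.exe process and file, the “rnsm” Run value, and the rnsm_tor folder) and only reports them unless run with -Remove. The -Remove switch and the recursive search of %APPDATA% are assumptions of this example, since the article does not give the exact subfolder.

```powershell
# Added example: report (and optionally remove) the CryptoMeister artifacts
# named in this article. Without -Remove the script changes nothing.
param([switch]$Remove)   # -Remove is this example's own switch

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName = 'rnsm'                              # Run value name given in the article
$torDir  = Join-Path $env:APPDATA 'rnsm_tor'   # Tor download folder given in the article

# 1. Running process: rnsm.exe appears under the process name "rnsm"
$procs = @(Get-Process -Name 'rnsm' -ErrorAction SilentlyContinue)

# 2. Autostart value under the per-user Run key
$runValue = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue

# 3. Main executable: the exact subfolder is not stated, so search all of %APPDATA%
$exes = @(Get-ChildItem -Path $env:APPDATA -Filter 'rnsm.exe' -File -Recurse -Force `
          -ErrorAction SilentlyContinue)

# 4. Tor folder dropped by the ransomware
$torPresent = Test-Path -LiteralPath $torDir

# Summary of what was found
[pscustomobject]@{
    ProcessIds   = $procs.Id
    RunValueData = if ($runValue) { $runValue.$valName } else { $null }
    Executables  = $exes.FullName
    TorFolder    = if ($torPresent) { $torDir } else { $null }
} | Format-List

if ($Remove) {
    # Stop the process first so the executable is not locked when deleted
    $procs | Stop-Process -Force
    if ($runValue)   { Remove-ItemProperty -Path $runKey -Name $valName }
    $exes | Remove-Item -Force
    if ($torPresent) { Remove-Item -LiteralPath $torDir -Recurse -Force }

    # The ransomware kills explorer.exe; start it again if it is not running
    if (-not (Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe
    }
}
```

Because explorer.exe is not running on an infected machine, the script can be started from Task Manager via File > Run, the same way the manual steps start explorer.exe.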
In closing, CryptoMeister Ransomware is a dangerous computer infection. The good news is that you can remove this program before it can do anything to your PC, but you have to be quick about it. Please see our comprehensive manual removal guide below. If you experience problems, then we recommend using SpyHunter, an antimalware program that will erase all traces of this ransomware.
Delete CryptoMeister Ransomware manually