Defender Ransomware

Defender Ransomware is a new malicious application released by cyber criminals. Surprisingly, it does not demand money from users after encrypting their files, so it might be still in development, or it is just a ransomware project. Even though it does not want users’ money, it still encrypts files found on victims’ machines. Specialists have observed that it locks various documents, videos, music, and other files considered valuable by users. You will not unlock those affected files by deleting the ransomware infection from your system, but it does not mean that you can keep this threat active. If you do not disable it soon, it will stay active and start working on every system startup (it creates a Value in the Run registry key so that it could do that). In the worst-case scenario, it will lock all new files you create, so you should remove Defender Ransomware mercilessly today. It is far from an ordinary program, so do not expect to find its uninstaller and erase it easily.

Once Defender Ransomware is launched, it first checks whether the computer is already infected. If not, it copies itself to %TEMP%\Cache and sets the “hidden” attribute to this folder. Then, it goes to encrypt files on victims’ computers. Specialists working at pcthreat.com have observed that this infection encrypts files in %USERPROFILE%\Desktop, %USERPROFILE%\Documents, %USERPROFILE%\Videos, and %USERPROFILE%\Music only. When all files are encrypted, i.e. get the .defender extension appended, it downloads a ransom note (Defender_Ransomware.txt) from http://www109.zippyshare.com/d/36zkFIuX/24164/Defender_Ransomware.txt and places this file in directories containing encrypted files. The file contains a “brick wall” and four separate sentences: “Your files have been encrypted by Defender Ransomware. The wall will not fall. This ransomware is not decryptable. Sorry about that.” It seems that it is impossible to purchase the decryptor from its author and unlock files with it. Free decryption software is not available either, so it might be impossible to decrypt those affected files. Defender Ransomware uses the AES encryption to lock files, so they can be unlocked only with the unique key. Even though these files cannot be unlocked, you can restore them from a backup after erasing the ransomware infection.

Specialists say that Defender Ransomware should be distributed using old distribution methods. For example, it is very likely that it is distributed via spam emails. Of course, users are not told that they are about to open a malicious attachment. In most cases, they find a harmless-looking attachment that claims to be an important document, e.g. an invoice, so they open it immediately without fear. This is the main mistake they make. Users might also download this ransomware infection from dubious websites or initiate its automatic download by clicking on malicious links they find in front of their eyes while browsing suspicious websites. No matter how Defender Ransomware infiltrates users’ computers, it acts the same in all the cases. That is, it places a copy of itself (MpCmdRun.exe) in %TEMP%\Cache and creates an entry in the Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Then, it locks files it manages to find and downloads the ransom note – it is put in some folders containing encrypted files. As can be seen, Defender Ransomware is quite sophisticated so do not expect that its removal will be a piece of cake.

Defender Ransomware is neither the first nor the last ransomware infection developed by cyber criminals. There are hundreds of ransomware infections available on the market and new threats are released every day, so you cannot leave your system unprotected. It will be enough to acquire and enable security software on the system to make it impossible for harmful malicious software to enter your computer illegally.

If you ever find a bunch of encrypted files on your computer and it turns out that Defender Ransomware is the one responsible for locking them, delete the ransomware infection from your computer the first thing so that it could not encrypt more files. You will need to delete its launcher, its copy, and the Value created in the Run registry key. Below-provided manual removal instructions will help you to delete this threat from the system, but it does not mean that it is the only way to get rid of this infection. You can erase it automatically instead if you want to.

Delete Defender Ransomware manually

Show Hidden Files

Windows XP

1. Click Start and select My Computer.
2. Click Tools at the top and select Folder Options…
3. Click on the View tab.
4. Locate Hidden files and folders under Advanced Settings.
5. Select Show hidden files and folders.
6. Click OK.

Windows 7/8/8.1/10

1. Access Control Panel.
2. Type "folder" into the search box and select Show hidden files and folders.
3. Click on the View tab.
4. Under Advanced Settings, locate Hidden files and folders.
5. Select Show hidden files and folders.
6. Click OK.

Delete ransomware components

1. Press Win+R.
2. Access the Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
3. Right-click on the MpCmdRun Value and select Delete.
4. Close Registry Editor.
5. Open Windows Explorer (press Win+E).
6. Open %TEMP%\Cache.
7. Locate MpCmdRun.exe and delete it.
8. Delete all suspicious recently downloaded files.
9. Remove the ransom note Defender_Ransomware.txt.
10. Empty Trash.