Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

This ransomware can be a rather problematic malicious application. Our researchers say the infection does not append any extension to the files it encrypts, which means its victims might not realize what has happened for quite some time. Even the ransom note cannot be opened right away, since it does not have any extension and the user has to edit its title first. If you have encountered this threat, we encourage you to keep reading our report. In it, we explain how the malicious application works, tell you how to open the ransom note it provides, and, most importantly, guide you through the removal process. We recommend eliminating the ransomware because there are no guarantees the malware’s developers can help you decrypt files or that they will be willing to do so. Moreover, to get their help you might need to pay a ransom, and if the hackers decide not to bother helping you, the transferred money would be lost.

This ransomware appears to be a new version of a similar malicious application known as RotorCrypt Ransomware. Our researchers say the main difference is that the newer version does not add any extension to the files it encrypts, while the previous version applied various extensions depending on the particular variant. Therefore, the victim may not realize something has happened to his data until he tries to open it. The threat should encipher the files with a strong encryption algorithm, making the user’s pictures, photos, archives, and other private records unrecognizable. Consequently, the system should report that such data cannot be opened.

However, the encryption should start only after the malware settles in. The ransomware could be executed accidentally, as its developers could spread it with spam emails, infected software installers, fake updates, and so on. In any case, if the threat is launched, the first thing it might do is create a copy of its installer in a randomly chosen folder in the %LOCALAPPDATA% directory. The copy of the launcher should be an executable file named with eight random characters. The malware is also supposed to create a Registry entry in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run location, which means it should be able to launch itself automatically with each system restart. Thus, it might keep encrypting already altered files, as well as new data the user might have created after the computer became infected.

Eventually, the ransomware should create files called HELP in each location containing encrypted data. The strangest part is that these files may not have any extension, which means the victims could be unable to open them. Our researchers say that to open the ransom note, the user should double-click its title and add .txt at the end, for example, HELP.txt. This way the computer can recognize it as a text document and open it with Notepad. Nevertheless, we do not think there is any point in doing so, because the message inside the described documents only says: “help mail PATAGONIA92@TUTANOTA.COM.” No doubt, the threat’s developers expect their victims to contact them so that they can present their demands. As usual, the hackers might want to be paid in Bitcoins.

As we explained at the beginning of this text, dealing with the ransomware’s developers could be extremely risky, and if you do not want to take any chances, you should get rid of the malware without hesitation. Erasing it manually might be a difficult task, since the malicious application may have a few files you would have to locate and delete on your own. Still, if you wish to try, you could follow the instructions available below; they explain the process step by step. Another way to remove the ransomware once and for all is to scan the computer with a reliable antimalware tool.

Eliminate Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find the malware’s process.
  4. Mark this process and click End Task.
  5. Exit Task Manager.
  6. Tap Win+E.
  7. Navigate to:
  8. Check if you can see the malicious file downloaded before the computer got infected.
  9. Right-click the suspicious file and press Delete.
  10. Find this directory: %LOCALAPPDATA%\[random folder]
  11. Look for a suspicious executable file with a random name.
  12. Right-click this executable file and select Delete.
  13. Search for files named HELP.
  14. Right-click these files and press Delete.
  15. Close File Explorer.
  16. Press Win+R.
  17. Type Regedit and press OK.
  18. Find this location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  19. Look for a value name with a random title that points to %LOCALAPPDATA%\[random folder]
  20. Right-click this value name and press Delete.
  21. Leave Registry Editor.
  22. Empty Recycle Bin.
  23. Reboot the system.
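
A read-only PowerShell check for the artifacts named in steps 10 to 19, added here as an example and not taken from the original report. It assumes "eight random characters" means eight letters or digits before .exe and that ransom notes sit under the user profile; every match is a candidate to review, not a confirmed detection.

```powershell
# Read-only audit: lists candidates for review and deletes nothing.
# Assumption: "eight random characters" = eight letters or digits before .exe.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appData  = [Environment]::GetFolderPath('LocalApplicationData')
$noteMail = 'PATAGONIA92@TUTANOTA.COM'   # contact address quoted in the ransom note

# <LocalAppData>\<one folder>\<8 alphanumerics>.exe, optionally quoted
$pattern = '^"?' + [regex]::Escape($appData) + '\\[^\\"]+\\[A-Za-z0-9]{8}\.exe\b'

$findings = @()

# 1. Run values whose command line points at such an executable
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        # Values may be stored with %LOCALAPPDATA% unexpanded
        $data = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        if ($data -match $pattern) {
            $findings += [pscustomobject]@{ Kind = 'Run value'; Item = $name; Detail = $data }
        }
    }
}

# 2. Matching executables on disk, with signature status to help triage
$findings += @(
    Get-ChildItem -Path $appData -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -File -ErrorAction SilentlyContinue } |
        Where-Object { $_.Extension -eq '.exe' -and $_.BaseName -match '^[A-Za-z0-9]{8}$' } |
        ForEach-Object {
            $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            [pscustomobject]@{ Kind = "Executable ($sig)"; Item = $_.Name; Detail = $_.FullName }
        }
)

# 3. Extensionless HELP files under the user profile that contain the note's address
$findings += @(
    Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter 'HELP' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'HELP' } |
        Where-Object { Select-String -LiteralPath $_.FullName -Pattern $noteMail -SimpleMatch -Quiet } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Ransom note'; Item = $_.Name; Detail = $_.FullName } }
)

$findings | Format-Table -AutoSize -Wrap
```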