Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

castor-troy-restore@protonmail.com Ransomware

It looks like DCRTR Ransomware now has a new version called castor-troy-restore@protonmail.com Ransomware. What victims should know is that the malicious application does not erase itself after encrypting files. Instead, it creates a copy of its launcher and a couple of Registry entries so that the system launches it automatically after a restart. This means that leaving the malware in place might endanger files you later receive or create on the infected computer, so our researchers advise against leaving it unattended. The ransom note may warn against removing castor-troy-restore@protonmail.com Ransomware and demand that you pay a ransom, but if you do not want to risk your savings, we advise paying no attention to it. To learn more about this malicious application, keep reading this article; to eliminate it manually, follow the instructions placed at the end of the text.

If you wonder how castor-troy-restore@protonmail.com Ransomware enters the system, you should know there are a couple of possible distribution channels. For instance, it could be spread with malicious installation files offered on untrustworthy file-sharing web pages or with doubtful email attachments sent by unknown senders. Since researchers still do not know for sure how it spreads, we recommend being extra cautious with both kinds of content. If you need to obtain a software installer, it is best to get it from a legitimate web page. As for email attachments, be extra cautious with every file that arrives unexpectedly. In other words, users who care about their system’s safety should inspect the sender's email address for any sign that it could be forged. In addition, to make sure the received material does not have harmful components, you could scan it with a reliable antimalware tool.

In case you made a mistake and castor-troy-restore@protonmail.com Ransomware was able to settle in, you should see an additional .[castor-troy-restore@protonmail.com].java extension at the end of your files’ names, for example, picture.jpg.[castor-troy-restore@protonmail.com].java. It is added to mark enciphered files, which makes it easier to see the damage done to the user’s data. More experienced users who inspect affected files more closely should also find a token called Marvel inside each enciphered file. Before starting the encryption process, the malicious application is supposed to create a copy of itself (an executable file), also called Marvel, in the %APPDATA% directory. To be able to launch itself automatically with the operating system, castor-troy-restore@protonmail.com Ransomware might create Registry entries named similarly (e.g., MarvelHost) under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run keys.

After the encryption process, the malicious application should create one more file called ReadMe_Decryptor.txt. Copies of it should appear in every directory containing files encrypted by castor-troy-restore@protonmail.com Ransomware (data with the .[castor-troy-restore@protonmail.com].java extension). It is a ransom note, and as the title suggests, it is meant to contain instructions on how to pay a ransom. In fact, the message does not explain how to make a payment; it only asks the victim to write an email to the hackers. It also mentions that the price will depend on how fast the victim contacts them. Even though the note may claim you can decrypt a few files free of charge as a guarantee, keep in mind there cannot be any guarantees, as in most cases the hackers ask for payment first. Thus, there is no telling whether they will deliver the decryption tools they mention in the ransom note.

If you do not think the malware’s creators can be trusted and do not wish to fund them, we advise you to eliminate castor-troy-restore@protonmail.com Ransomware at once. Encrypted files can be restored afterward if you have backup copies. To remove the threat manually, follow the instructions placed below this text. The other way to make sure the malicious application leaves your system is to scan it with a reliable antimalware tool. Wait until the results with detections show up and then press the provided deletion button to get rid of them all.

Remove castor-troy-restore@protonmail.com Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Launch Task Manager.
  3. Look for the infection’s process.
  4. Select the malicious process and press End Task.
  5. Close Task Manager.
  6. Press Win+E.
  7. Find these locations:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Look for the malware’s installer, then right-click it and press Delete.
  9. Search for this path: %APPDATA%
  10. Find a file named Marvel.exe.
  11. Right-click the executable file and press Delete.
  12. Then locate documents called ReadMe_Decryptor.txt.
  13. Right-click them and press Delete.
  14. Exit File Explorer.
  15. Press Win+R.
  16. Type regedit and press Enter.
  17. Navigate to these two paths:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  18. Search for value names called MarvelHost.
  19. Right-click the malware’s value names and press Delete.
  20. Close Registry Editor.
  21. Empty Recycle bin.
  22. Restart the system.
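
The indicators named in the steps above can be checked in one pass before and after cleanup. The PowerShell script below is an added example, not part of the original article or of any vendor tool; it only reports what it finds and deletes nothing. Limiting the file search to the user profile and matching Run values with the pattern Marvel* are assumptions of this example.

```powershell
# Added example: read-only check for the indicators listed in this article.
$marker   = '.[castor-troy-restore@protonmail.com].java'  # extension appended to files
$noteName = 'ReadMe_Decryptor.txt'                         # ransom note file name
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Launcher copy in %APPDATA% (Marvel.exe).
$launcher = Join-Path $env:APPDATA 'Marvel.exe'
if (Test-Path -LiteralPath $launcher) { Add-Finding 'Launcher' $launcher '' }

# 2. Autostart values named like MarvelHost. The article says "named similarly",
#    so the Marvel* wildcard is an assumption of this example.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        if ($name -like 'Marvel*') {
            Add-Finding 'RunValue' "$key\$name" ([string]$regKey.GetValue($name))
        }
    }
}

# 3. Ransom notes and marked files. The marker contains [ ], which PowerShell
#    wildcards treat as a character class, so compare with EndsWith instead of -like.
$root = $env:USERPROFILE   # assumption: search the user profile only
Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -eq $noteName) {
            Add-Finding 'RansomNote' $_.FullName ''
        } elseif ($_.Name.EndsWith($marker, [System.StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'EncryptedFile' $_.FullName ''
        }
    }

# Report: counts per indicator type, then details for everything except data files.
if ($findings.Count -eq 0) {
    'No indicators from the article were found.'
} else {
    $findings | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize | Out-String
    $findings | Where-Object Type -ne 'EncryptedFile' | Format-List | Out-String
}
```

Reading the HKLM key does not require elevation, but files in other users' profiles will be skipped unless the script runs from an administrator session with a wider `$root`.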