CtrlAlt Ransomware

CtrlAlt Ransomware could be lurking in your inbox. According to our researchers, this malicious threat could be distributed via spam email attachments that look like normal files, such as DOC or PDF. If the file is opened, the ransomware is executed silently, and then the infection starts encrypting files. This threat does not mess around, and it can encrypt nearly 200 different types of files using the AES-256 algorithm. It has been used by Qinynore Ransomware, Korean MAFIA Ransomware, Armage Ransomware, and hundreds of other malicious file-encryptors that came before. Once files are encrypted, you are stuck. It is not possible to decrypt them, unless you have the decryptor, and you don’t, do you? The decryptor is in the pocket of cyber criminals, and they will not give it to you even if you pay the ransom. Of course, we cannot guarantee this, and you are free to take any risks you want, but be warned that cyber criminals are not just. Overall, regardless of the outcome, you must remove CtrlAlt Ransomware, and that this why we have created this guide and added instructions that show how to delete the threat.

Can you spot the “.altdelete@cock.li.district” extension added to your personal files? If you can, there is no doubt that CtrlAlt Ransomware is the culprit of their encryption. It encrypts files soon after initial execution, and our researchers have found that it automatically evades all folders with certain names. These names are: All Users, AppData, ContentIE5, Default, Intel, Local Settings, Microsoft, NVIDIA, Program Data, Program Files, Program Files (x86), $Recycle.Bin, System Volume Information, Temporary Internet Files, and Windows. If your personal files are not located in these folders – and that is likely to be the case – they can be encrypted. That is not all that the infection does. It also reads the name of the computer, and it can delete shadow volume copies using this command: “cmd.exe / c vssadmin delete shadows / all / quiet & wmic shadowcopy delete & bcdedit / set{ default } bootstatuspolicy ignoreallfailures & bcdedit / set{ default } recoveryenabled no & wbadmin delete catalog – quiet.” What does this command mean? It means that the backup copies of your files stored using internal system’s backup can be destroyed. Obviously, this does not affect backups stored online or on external drives. If you have your files backed up in such a manner, you should initiate the infection’s removal right away.

The ransom message that the creator of CtrlAlt Ransomware introduces all victims to appears to be placed on the original wallpaper. It also can be found in a file named READ_IT.district. The message instructs the victim to pay a ransom in 96 hours, but there is no information about the exact sum or the method of payment. The message is meant to push victims into emailing cyber criminals, but the sample tested by our researchers did not reveal an email address. All in all, even if the address is provided, you should think twice before you contact cyber criminals. After all, you do not want them to record your address and, potentially, flood you with new spam emails in the future. As we mentioned earlier, it is unlikely that you would be provided with the decryptor even if you paid the ransom, and so if you do not want to take the risk, there is no reason to communicate with the attackers behind CtrlAlt Ransomware.

We cannot promise you that you will be able to delete CtrlAlt Ransomware from your operating system manually. The launcher’s name can be unique, and it could be dropped anywhere on your computer. Do you know where to find this file? If you do, remove it quickly. If you do not, do not go around deleting random files left and right. You could create a bigger mess. In this situation, it is much better if you install a trusted anti-malware program that can remove CtrlAlt Ransomware automatically. This program will not only clean your operating system – which is very important if other threats exist as well – but will also guarantee protection in the future. As you know, it is easy to let malware in without even realizing it, and so you need a defense mechanism that could have your back in all situations.

CtrlAlt Ransomware Removal

1. Tap Ctrl+Alt+Delete and click Start Task Manager.
2. Move to the Processes tab and look for malicious processes.
3. If you find them, right-click and select Open file location.
4. Terminate malicious processes and Delete malicious .exe files.
5. Delete the ransom note file called READ_IT.district.
6. Restore your regular wallpaper image.
7. Empty Recycle Bin.
8. Install a trusted malware scanner and run a full system scan.
9. If leftovers are deleted, remove them ASAP.