Danger level 7
Type: Adware
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

TrumpHead Ransomware

Cyber attackers are building a new file-encrypting threat, and it is called TrumpHead Ransomware. The name is random, and it has nothing to do with Trump or politics in general. This is not surprising at all, considering that the infection was built using the Hidden-Tear code that is publicly available. Other threats created using the same code have names that are just as random, including BSS Ransomware, SnowPicnic Ransomware, or ShutUpAndDance Ransomware. Just like most threats from this family, the one discussed in this report does not appear to be finished yet. When will it be finished? The truth is we do not know if it will be finished at all, but our research team has analyzed the infection’s code, and we know for a fact that it has the ability to encrypt files. If you need to remove TrumpHead Ransomware from your operating system now, you will find information that will help you. If you need help securing your operating system against this potentially dangerous threat, you will find useful information as well.

According to our malware experts, TrumpHead Ransomware appears to be almost complete. It can communicate with a C&C server ( using the TOR network, and it can check the IP address via The infection can even download a BMP file (“[download date].bmp”) to change the Desktop wallpaper. Of course, that is not the worst it can do. If the threat successfully connects to a remote server and obtains an encryption key, it can encrypt various personal files. Our researchers list these files as the main targets of TrumpHead Ransomware: .asp, .aspx, .csv, .dat, .doc, .docx, .gif, .html, .img, .jpg, .jpeg, .mdb, .mp3, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml, and .zip. Every file that is the target should be encrypted using an algorithm that cannot be decoded manually. As we mentioned already, at the time of research, the infection was not complete, and it was not encrypting files at all, but that does not mean that this is how the threat will remain.

If the threat is executed and can encrypt files successfully, it also should be able to delete shadow volume copies and create a copy in the %TEMP% directory. This copy is supposed to remove itself after encryption. This is also when the Desktop wallpaper would change and a file named “READ_THIS.txt” would be created. The message in this file is meant to inform the victims of TrumpHead Ransomware that they need to transfer 0.8 Bitcoin (at the time of analysis, this was around 2,900 US Dollars) to the cyber criminals’ Bitcoin wallet. According to our research team, one of the many available wallets can be used, and you can see the full list below. The message also instructs victims to pay the ransom in 48 hours and contact to ask questions. To ensure that the victim acts fast, the message also includes this warning: “Be sure NOT to rename or delete your files, shutdown your computer or contact the law, otherwise it's gone forever!” Do not believe any of this, and do not pay the ransom because your files will not be decrypted. Instead, focus on deleting TrumpHead Ransomware.

The list of Bitcoin wallets linked to TrumpHead Ransomware:

You might be able to delete TrumpHead Ransomware manually if you know where the executable of this threat is. Afterward, check for the copy, and remove the files created by the infection. Although the process seems pretty straightforward, identifying the launcher can be tough. This is why we strongly recommend considering the option of using an anti-malware program. It can automatically find and remove TrumpHead Ransomware, as well as other threats that might exist. Furthermore, it can strengthen your operating system’s security. Finally, it can defend you against all kinds of malicious threats in the future, and that is one of the most important things. Of course, you might be more concerned with your personal files at this moment. If they are not backed up outside your computer, you cannot recover them. From now on, make sure you back up important files to protect them at all times.

TrumpHead Ransomware Removal

  1. Find the [unknown name].exe file that launched the threat and Delete it.
  2. Delete the ransom note file called READ_THIS.txt (this file might have copies everywhere).
  3. Launch Explorer (tap Win+E keys) and enter %TEMP% into the field at the top.
  4. Delete the copy of [unknown name].exe file if it did not delete itself already.
  5. Enter %USERPROFILE%\Pictures\Backgrounds\ into the field at the top.
  6. Delete the [download date].bmp file.
  7. Exit Explorer and then Empty Recycle Bin.
  8. Install and run a trustworthy malware scanner to check for malware remains (delete if they exist).
  9. Restore the preferred Desktop wallpaper.
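
The script below is an added example, not part of the original guide: a report-only PowerShell triage that looks in the three locations named in the steps above and hashes what it finds, so the files can be reviewed before anything is deleted. The parameter names and the 24-hour correlation window are assumptions made for illustration; because the launcher name and wallpaper file name are unknown, every .exe in %TEMP% and every .bmp in Pictures\Backgrounds is listed and flagged when it was created close to the earliest ransom note.

```powershell
# Added example (not from the original guide): read-only triage, deletes nothing.
param(
    [string]$ProfileRoot = $env:USERPROFILE,
    [string]$TempDir     = $env:TEMP,
    [int]$WindowHours    = 24   # assumption: artifacts appear within a day of the first note
)

# Step 2: ransom notes named READ_THIS.txt anywhere under the user profile.
$notes = @(Get-ChildItem -LiteralPath $ProfileRoot -Filter 'READ_THIS.txt' `
           -File -Recurse -Force -ErrorAction SilentlyContinue)

# Steps 3-4: executables in %TEMP% (the copy of the launcher has no known name).
$exes = @(Get-ChildItem -LiteralPath $TempDir -Filter '*.exe' `
          -File -Force -ErrorAction SilentlyContinue)

# Steps 5-6: the downloaded wallpaper in %USERPROFILE%\Pictures\Backgrounds\.
$bgDir = Join-Path $ProfileRoot 'Pictures\Backgrounds'
$bmps  = @()
if (Test-Path -LiteralPath $bgDir) {
    $bmps = @(Get-ChildItem -LiteralPath $bgDir -Filter '*.bmp' `
              -File -Force -ErrorAction SilentlyContinue)
}

# Use the earliest ransom note as the time anchor for correlation.
$anchor = $notes | Sort-Object CreationTime |
          Select-Object -First 1 -ExpandProperty CreationTime

$groups = [ordered]@{ RansomNote = $notes; TempExecutable = $exes; Wallpaper = $bmps }

$report = foreach ($kind in $groups.Keys) {
    foreach ($f in $groups[$kind]) {
        $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 `
                -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind          = $kind
            Path          = $f.FullName
            Created       = $f.CreationTime
            # $null when no note exists, otherwise True/False for "inside the window".
            NearFirstNote = if ($anchor) {
                [math]::Abs(($f.CreationTime - $anchor).TotalHours) -le $WindowHours
            } else { $null }
            SHA256        = $hash.Hash
        }
    }
}

$report | Sort-Object Created | Format-List
```

Entries with `NearFirstNote : True` are the ones to review first; the SHA256 values can be checked against a malware scanner's results before the files are removed by hand.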