5btc@protonmail.com Ransomware

Our specialists came across a new variant of GusCrypter Ransomware that we call 5btc@protonmail.com Ransomware. The malware encrypts various types of files that it finds on the infected computer, although the research shows it does not target data associated with Windows or other software installed on the device. The threat could get in through systems' vulnerabilities or malicious data the user might download from the Internet. Since its purpose is to convince the victim to pay a ransom, the malware should open a ransom note with specific instructions soon after the targeted files become locked. If you want to know more about how the malicious application works and what to expect from it or better yet how to avoid it, you should read our full text. On the other hand, if you came here only to learn how to eliminate 5btc@protonmail.com Ransomware, you should use the deletion instructions available below.

Usually, threats like 5btc@protonmail.com Ransomware get in through unsecured RDP connections and infected email attachments or software setup files. In other words, the malware could be spread through various channels, and if you want to avoid it, you have to be prepared for all possible scenarios. To start with, we recommend strengthening the computer and software on it by updating outdated programs and changing weak passwords. Plus, it would be wise to keep a reliable antimalware tool installed that could warn about potential threats. Next, you should always be careful when receiving questionable email attachments. It is best to scan suspicious files before opening them if you do not want to risk infecting the device. Besides, users should look for new applications only on legitimate websites and forget all about P2P file-sharing sites that can contain lots of different malicious material.

After the malware’s installer is launched, 5btc@protonmail.com Ransomware may try to collect information about the device and the user himself. For example, the malicious application might be able to record browsing history, passwords, computer’s language, etc. Later on, it ought to start the encryption process. During it, the malware should target files that have nothing to do with Windows or any applications that settle in the %PROGRAMFILES(x86)% and %PROGRAMFILES% directories. The following extension we list are just a few of the ones that the threat can encrypt: .gdb, .ldf, .mdf, .mdb, .pdf, and so on. Nevertheless, after being enciphered the user’s files should have a second extension, e.g., nature.jpg.bip. This is how you can separate them from files that have were not encrypted.

The last thing 5btc@protonmail.com Ransomware is supposed to do is create a file named Information.html. Moreover, our researchers say the threat could add a couple of Registry entries and Startup tasks so the infected machine would open the note when the computer gets restarted. The contents of the note explain what has happened to the user’s files with a couple of words as it mostly talks about how to contact the 5btc@protonmail.com Ransomware’s creators to get the means needed to decipher files encrypted by the malware. Also, it is said the user would need to pay for decryption in Bitcoins. It is important to understand there are no guarantees the hackers will deliver the needed tools, even if they say they promise it. Therefore, we advise thinking twice before deciding what to do after receiving this malicious application.

In case you decide you do not want to risk your money, you should erase the malware. Not only there is no point in keeping it on the system, but it might also be dangerous as well, and the ransom note that may appear after each restart could be annoying. To remove 5btc@protonmail.com Ransomware manually, you should locate all of the data belonging to it and erase it file by file. The instructions available below are here to help you with this task. Still, if you do not think you can handle it, we recommend installing a reliable antimalware tool instead. It would make the task easier, not to mention, this way you could clean the device from other potential threats too.

Remove 5btc@protonmail.com Ransomware

1. Tap Ctrl+Alt+Delete.
2. Launch Task Manager.
3. Look for the malware’s process.
4. Select the process and press End Task.
5. Leave the Task Manager.
6. Click Win+E.
7. Find these locations:
   %TEMP%
   %USERPROFILE%\desktop
   %USERPROFILE%\downloads
8. Look for the threat’s installer, right-click it and press Delete.
9. Navigate to these few paths:
   %ALLUSERSPROFILE%\Start Menu\Programs\Startup
   %APPDATA%\Microsoft\Windows\Start Menu\Startup
   %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
10. Find the malware’s ransom notes (Information.html), right-click them and choose Delete.
11. Exit File Explorer.
12. Tap Win+R.
13. Insert regedit and select OK.
14. Go to the given locations:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
15. Find value names with value data pointing to the Information.html location, right-click them and select Delete.
16. Exit Registry Editor.
17. Empty Recycle bin.
18. Restart the system.