Danger level 8
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Meds Ransomware

Do you know when and how Meds Ransomware entered your operating system? If you let this infection in by opening a spam email attachment or by downloading a software bundle, you might know exactly when this threat got in, and you might be able to tell where it landed. However, if the threat was downloaded by a Trojan or if remote attackers dropped it onto your computer without your permission using one of the exposed security loopholes, you might have a hard time understanding how or when this infection got in. Ultimately, it does not matter how it slithers in, and it is most important that you delete it before the files are encrypted. Unfortunately, most victims realize that they need to remove Meds Ransomware only after the files are encrypted. Is this the situation you are in? If it is, you should continue reading the report to learn how this malicious threat works and if you can restore your files.

The STOP Ransomware family continues to grow, and now Nuksus Ransomware, Dutan Ransomware, Zatrov Ransomware, and hundreds of other malicious threats are joined by Meds Ransomware. It is likely that the same attacker is behind most of these infections because the ransom note that they deliver usually instructs the victim to email gorentos@bitmessage.ch or gerentoshelp@firemail.cc, and, of course, multiple attackers are unlikely to use the same email account. Before the ransom note is created (it is a file named “_readme.txt”), Meds Ransomware encrypts your personal files. The “.meds” extension is added to their names, and while you can easily rename a file and delete the extension, there is no point in doing that. If your personal files were encrypted, that means that their data was changed, and to change it back, you need a decryptor. Unfortunately, a legitimate decryptor that could help did not exist at the time of analysis, but the attackers were using the ransom note to offer victims their own decryptor.

The ransom note that Meds Ransomware delivers is pretty generic. At first, it informs the victim that personal files were encrypted. Then, it introduces the victim to a program (in this case, a “decryption tool”) that, allegedly, can restore the files. Finally, it introduces some conditions. Meds Ransomware instructs the victim to pay a ransom of $980 (or $490 if paid within the first three days) to have the decryptor sent over. How do you pay this ransom? There is no information about that, but the attackers display the two email addresses we mentioned already, and you are told to communicate with the attackers via them. That is the last thing you want to do because these attackers could scam you further if you exposed yourself to them. But what about your personal files? If you think that the criminals behind the infection would give you exactly what they promise in return for your money, you are naive. Of course, cybercriminals are unpredictable, but they almost never keep their promises or spend any time helping victims. Needless to say, we do not recommend paying the ransom under any circumstances. However, you are in control here, and you have to do what feels right for you.

Thankfully, more and more people nowadays use backups to create copies of their personal files outside the original location. For the most part, that is done so that files could be accessed from any device. However, people are now starting to understand that backups also “insure” the files against malware that can try to corrupt or remove them. Unfortunately, Meds Ransomware is not the only threat capable of encrypting your personal files, and there are thousands of similar threats that could stand in its place. Needless to say, creating backups for personal files is no longer an option. It is a necessity. Hopefully, you have backups, and you do not need to think about the decryption of the files corrupted by the threat. In either case, we suggest focusing on deleting Meds Ransomware from your system. While some users might delete the infection manually without trouble, we advise implementing anti-malware software. It will automatically erase all infections and, at the same time, reinstate Windows protection to minimize the chances of malicious threats slithering into your operating system again.

Meds Ransomware Removal

  1. Simultaneously tap Win+E keys to launch Windows Explorer.
  2. Enter %LOCALAPPDATA% into the quick access field at the top. On Windows XP, enter %USERPROFILE%\Local Settings\Application Data\.
  3. Right-click the [random name] folder containing malicious files and choose Delete.
  4. In the menu on the left click This PC and then move to Local Disk.
  5. Delete the folder named SystemID (with PersonalID.txt inside) and the file named _readme.txt.
  6. Empty Recycle Bin and then immediately perform a full system scan to make sure that your system is clean.
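
Before deleting anything by hand, the artifacts named in steps 2 to 5 can be inventoried with a read-only check. This is an added PowerShell example, not part of the original guide; the function name Get-MedsArtifact, its parameters, and the choice of the user profile and the system drive as scan locations are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Read-only triage: reports the artifacts from the removal steps, deletes nothing.
function Get-MedsArtifact {
    param(
        # Where to look for encrypted files and ransom notes (assumption: user profile).
        [string]$ScanRoot = $env:USERPROFILE,
        # Root of "Local Disk" from step 4 (assumption: the system drive).
        [string]$DiskRoot = "$env:SystemDrive\"
    )

    $quiet = @{ Force = $true; ErrorAction = 'SilentlyContinue' }

    # Files renamed with the ".meds" extension during encryption.
    $encrypted = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '*.meds' @quiet |
        Where-Object { $_.Extension -eq '.meds' })

    # Ransom notes: "_readme.txt" under the scan root and at the disk root (step 5).
    $notes  = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '_readme.txt' @quiet)
    $notes += @(Get-ChildItem -LiteralPath $DiskRoot -File -Filter '_readme.txt' @quiet)

    # SystemID folder with PersonalID.txt inside (step 5).
    $personalId = Join-Path (Join-Path $DiskRoot 'SystemID') 'PersonalID.txt'
    $hasPersonalId = Test-Path -LiteralPath $personalId -PathType Leaf

    # Step 3 only says "[random name]", so list every folder directly under
    # %LOCALAPPDATA% that holds an executable, newest first, for manual review.
    # These are candidates to compare against the ransom note dates, not verdicts.
    $candidates = @(Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory @quiet |
        Where-Object { @(Get-ChildItem -LiteralPath $_.FullName -File -Filter '*.exe' @quiet).Count -gt 0 } |
        Sort-Object CreationTime -Descending |
        Select-Object FullName, CreationTime)

    # Earliest ransom note timestamp approximates when encryption started.
    $firstNote = $notes | Sort-Object CreationTime | Select-Object -First 1

    [pscustomobject]@{
        EncryptedFileCount = $encrypted.Count
        RansomNotes        = @($notes | ForEach-Object { $_.FullName } | Sort-Object -Unique)
        FirstNoteCreated   = if ($firstNote) { $firstNote.CreationTime } else { $null }
        PersonalIdFile     = if ($hasPersonalId) { $personalId } else { $null }
        AppDataCandidates  = $candidates
    }
}

# Show the summary for the current user.
Get-MedsArtifact | Format-List
```

A folder in AppDataCandidates whose creation time sits shortly before FirstNoteCreated is the one to inspect first in step 3.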