Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Wiki Ransomware

No, Wiki Ransomware does not spread via Wikipedia pages. In fact, the name of this infection makes no sense at all. The truth is that the attackers behind this infection had to choose some kind of a file extension, and “.wiki” was the one they chose. The full extension is “.id-{ID}.[bitlocker@foxmail.com].wiki,” and it includes a unique ID given to every victim and an email address. This format has been used by Uta Ransomware, Save Ransomware, MGS Ransomware, Wal Ransomware, and many other infections that came before them. They were all created using the Crysis/Dharma Ransomware code, and that is why they all have so many similarities. In this report, of course, we focus on the removal of Wiki Ransomware, but you can learn about all infections from this family by reading this report. We discuss the common distribution methods, obstacles when it comes to deleting this malware, and, of course, the protection of the Windows operating system against this kind of ransomware.

You might have figured out that something has happened only after the “FILES ENCRYPTED.txt” file was created on the Desktop or when the “Info.hta” file was opened. The .TXT file is a text file, and it states that all locked files can be returned if the victim emails bitlocker@foxmail.com. The .HTA file opens a message via the browser, and it explains things in more detail. For one, victims are informed that they need to send a message to bitlocker@foxmail.com within 24 hours and that they are expected to pay a ransom in Bitcoin (a virtual crypto-currency) to have the files restored. The exact sum of the ransom is not disclosed, but it is stated in the message that the price depends on how fast the victim contacts the attackers. On top of that, the message claims that free decryption is guaranteed. Can you trust cybercriminals? No, you cannot. Their claims to help you if you follow their instructions are most likely to be bogus, and that is why we do not recommend getting involved. Furthermore, if you contact the attackers behind Wiki Ransomware, you do not know what they could send you. For all you know, you could receive malware installers instead of a decryptor.

Some file-encrypting infections are cracked by malware researchers, who are able to create decryptors. The victims of such infections can have their files restored for free. Unfortunately, that is not the case with Wiki Ransomware. At the time of research, a free decryptor did not exist. The promises made by the attackers could not be trusted either. What does that leave you with? Empty hands. It is possible that you are in a helpless situation, but if you have backups, there is nothing for you to worry about. Once you delete Wiki Ransomware – and the removal is discussed in the following paragraph – you will be able to replace the corrupted files with backups. Needless to say, it is imperative to stay on top of your backups because only if you have copies of all of your personal files will the attackers stand no chance of terrorizing you. Hopefully, you are in a position to replace the encrypted files, and you do not need to think about contacting cybercriminals or following their ridiculous demands.

As you can see by looking at the guide below, the first step you need to take if you decide to delete Wiki Ransomware manually is to eliminate the launcher. Where is it? What is its name? We cannot answer these questions, and that is why you might have trouble with manual removal. There is nothing to worry about because this is not your only option. You can always hire a professional to do the job for you. Of course, it is best to install an anti-malware tool you trust. Investing in your virtual security is the smart move, and if you invest in it by implementing anti-malware software, you will not need to worry about the removal of Wiki Ransomware or the protection of your Windows operating system. If you do not secure your system, a new infection could invade before you know it. Note that ransomware usually spreads via emails, downloaders, and backdoors opened using unpatched vulnerabilities. Do you have questions? You can share them with our research team via the comments section below.

Wiki Ransomware Removal

  1. Find the {unique name}.exe file that launched the threat and Delete it.
  2. Move to the Desktop and Delete the ransom note file, FILES ENCRYPTED.txt.
  3. Launch Explorer by tapping Win+E keys at the same time.
  4. Enter %APPDATA% into the quick access field to access the directory.
  5. Delete the second ransom note file, Info.hta.
  6. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the quick access field.
  7. Delete the ransom note file, Info.hta, and a malicious {unique name}.exe file.
  8. Close Explorer and then Empty Recycle Bin.
  9. Perform a thorough Windows scan using a trusted malware scanner.
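
The locations named in the steps above can be checked in one pass before anything is deleted. The following PowerShell is an added example, not part of the original guide: it only reports what it finds. The function name Get-WikiArtifactReport, the user profile as the scan root, and the assumption that the victim ID contains no dots are choices made for this example.

```powershell
# Added example (not from the original guide): report-only check, deletes nothing.
function Get-WikiArtifactReport {
    param(
        [string]$Desktop  = [Environment]::GetFolderPath('Desktop'),
        [string]$AppData  = $env:APPDATA,
        [string]$ScanRoot = $env:USERPROFILE  # assumption: personal files live here
    )
    $startup = Join-Path $AppData 'Microsoft\Windows\Start Menu\Programs\Startup'

    # Ransom notes at the exact locations the guide lists (steps 2, 5 and 7).
    $notes = @(
        (Join-Path $Desktop 'FILES ENCRYPTED.txt'),
        (Join-Path $AppData 'Info.hta'),
        (Join-Path $startup 'Info.hta')
    ) | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }

    # The launcher's name is unknown, so list every .exe in Startup for review.
    $startupExe = @()
    if (Test-Path -LiteralPath $startup) {
        $startupExe = @(Get-ChildItem -LiteralPath $startup -Filter '*.exe' -File)
    }

    # Encrypted files are named <original name>.id-<ID>.[<email>].wiki
    # Assumption: the ID has no dots; the guide does not give its exact format.
    $pattern = '^(?<orig>.+)\.id-(?<id>[^.]+)\.\[(?<mail>[^\]]+)\]\.wiki$'
    $encrypted = @(
        Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Folder       = $_.DirectoryName
                    OriginalName = $Matches['orig']   # name to look for in backups
                    VictimId     = $Matches['id']
                    Contact      = $Matches['mail']
                }
            }
        }
    )

    [pscustomobject]@{
        RansomNotes    = @($notes)
        StartupExe     = $startupExe
        EncryptedFiles = $encrypted
    }
}

$report = Get-WikiArtifactReport
$report.RansomNotes | ForEach-Object { "Ransom note: $_" }
$report.StartupExe  | ForEach-Object { "Startup exe to review: $($_.FullName) ($($_.LastWriteTime))" }
"Encrypted files found: $($report.EncryptedFiles.Count)"
$report.EncryptedFiles | Group-Object Folder | Sort-Object Count -Descending | Select-Object Count, Name
```

The OriginalName column gives the file names to restore from backups once the infection has been removed.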