Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • Annoying pop-ups
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

VIRUS Ransomware

VIRUS Ransomware is not a real virus. An actual computer virus would be capable of spreading and replicating itself, and, luckily, this malware cannot do that. When it comes to the distribution of this infection, it appears that cybercriminals rely on the victims to make the wrong move. It is likely that spam emails would be created to trick gullible recipients into thinking that they have received and must open a harmless file. Of course, it is malware in disguise. The same kind of disguise could be used to trick the users of bundled downloaders. The infection could also be spread by exploiting vulnerabilities that you failed to patch with updates. Whatever the case might be, the ransomware is not self-propagating. Unfortunately, that does not mean that it cannot make a huge mess once it slithers in. According to our malware research team, if the dangerous ransomware finds its way in, it can permanently encrypt your personal files. The worst part is that they will remain encrypted even if you remove VIRUS Ransomware quickly.

According to our researchers, VIRUS Ransomware derives from the Crysis/Dharma Ransomware, and that is why it is so similar to 3442516480@qq.com Ransomware, Start Ransomware, Asus Ransomware, Uta Ransomware, and hundreds of other similar infections. All of them were created using the same code. Once they slither in, they start by encrypting files, and, of course, personal files are the ones that are targeted. The “.id-{ID}.[amandacerny89@aol.com].VIRUS” extension is appended to the files that are encrypted by VIRUS Ransomware, and so you should have no trouble separating them from the unharmed files. Once that is done, the infection uses “Info.hta,” “FILES ENCRYPTED.txt,” and {unknown name}.exe files to make it clear what the attackers want. First, you are likely to face a ransom message displayed in a window entitled “amandacerny89@aol.com.” According to this message, you can decrypt your personal files if you pay an unspecified ransom in Bitcoin, a popular crypto-currency. Although there is not enough information about the payment, you are provided with two email addresses (amandacerny89@aol.com and homer89263@hotmail.com), and it is stated that you have to send a message.
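The appended extension makes it possible to inventory the damage before restoring from backup. The following PowerShell sketch is an added example, not part of the original guide: it only reads the disk, and the scan root, the report path and the loose match for {ID} are assumptions.

```powershell
# Added example, read-only: inventory files carrying the extension described above.
$Root   = $env:USERPROFILE                                    # assumption: scan root
$Report = Join-Path $env:TEMP 'encrypted-file-inventory.csv'  # hypothetical report path

# {ID} is matched loosely (any run without a dot); the page does not give its format.
$pattern = '^(?<orig>.+)\.id-(?<id>[^.]+)\.\[amandacerny89@aol\.com\]\.VIRUS$'

$hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $pattern) {
            [pscustomobject]@{
                Directory     = $_.DirectoryName
                OriginalName  = $Matches['orig']   # name to look for in the backup
                Id            = $Matches['id']
                EncryptedName = $_.Name
                LastWriteTime = $_.LastWriteTime
            }
        }
    }

if ($hits) {
    # Per-folder counts show which trees need restoring; the CSV is the restore checklist.
    $hits | Group-Object Directory | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    $hits | Export-Csv -Path $Report -NoTypeInformation
    "Report written to $Report"
} else {
    "No files with the .VIRUS extension found under $Root"
}
```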

The “FILES ENCRYPTED.txt” file should be dropped someplace where you can find it quickly. Quite possibly, copies of it could be created next to the encrypted files. You can remove this file, but it is also safe for you to open it. The message inside is less detailed, but it basically confirms that your files were encrypted and that you need to email amandacerny89@aol.com or homer89263@hotmail.com to learn about decryption. So, cybercriminals really want you to send them a message. There’s no harm in that, right? Unfortunately, things are not so simple. If you emailed the attackers behind VIRUS Ransomware, they could send you other misleading messages, and they could do that when you least expect it; for example, months after the attack of VIRUS Ransomware itself. Even the request to pay money in return for a decryptor is likely to be a scam, and if you send the payment, you are unlikely to get anything in return. Needless to say, our research team does NOT recommend contacting the creator of VIRUS Ransomware or paying the ransom.

Since more and more infections like VIRUS Ransomware emerge, it has become imperative to protect personal files and, of course, the operating systems. When it comes to files, the best thing you can do is create copies and store them online or on external drives; or both if you want to be extra cautious. To protect the operating system, it is important to install a reliable anti-malware program. We suggest that you install it now because it will be able to automatically delete VIRUS Ransomware. Getting rid of this infection manually is not so simple, but if you want to give it a try, we have created a manual removal guide. Sadly, we cannot say that this is a complete guide because the launcher could be anywhere, and so we cannot point you to it. Hopefully, once you perform removal, you can replace the corrupted files with the copies stored in backup. If we can help you with anything else, do not hesitate to leave us a comment below.

VIRUS Ransomware Removal

  1. Delete the launcher file (you can try erasing recently downloaded files).
  2. Delete the ransom note file named FILES ENCRYPTED.txt (likely to be on the Desktop).
  3. Tap Win+E keys together to launch Windows Explorer.
  4. Enter these paths into the bar at the top and then Delete malicious Info.hta and {unknown name}.exe files:
    • %APPDATA%
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  5. Tap Win+R keys together to launch Run and then enter regedit to launch Registry Editor.
  6. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Find and Delete three values whose value data point to Info.hta and {unknown name}.exe files.
  8. Empty Recycle Bin and then use a malware scanner to check for dangerous leftovers.
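Steps 4 to 7 can be checked with a read-only audit before anything is deleted. The following PowerShell sketch is an added example, not part of the original guide: the folder list and registry key come from the steps above, while the path-extraction regex and the use of Authenticode status as a review aid are assumptions. Legitimate Run entries that live in %WINDIR%\System32 will also be listed, so treat the output as candidates to review.

```powershell
# Added example, read-only: lists candidates for steps 4-7; it deletes nothing.
$dirs = @(
    '%APPDATA%',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%WINDIR%\System32\'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') } |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

# Step 4: Info.hta copies sitting directly in the listed folders.
$notes = Get-ChildItem -LiteralPath $dirs -Filter 'Info.hta' -File -Force -ErrorAction SilentlyContinue

# Steps 6-7: Run values whose data references Info.hta or an .exe in one of those folders.
$key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    # Assumption: the value data contains a drive-letter path ending in .exe or .hta.
    if ($data -notmatch '(?<path>[A-Za-z]:\\[^"]*?\.(exe|hta))') { continue }
    $path   = $Matches['path']
    $parent = Split-Path -Path $path -Parent
    $isNote = (Split-Path -Path $path -Leaf) -ieq 'Info.hta'
    if ($isNote -or ($dirs -contains $parent)) {
        # An unsigned or missing target deserves a closer look than a validly signed one.
        $sig = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{ ValueName = $name; Target = $path; Signature = $sig; Data = $data }
    }
}

'Info.hta files found:'
$notes | Select-Object FullName, LastWriteTime | Format-List
'Run values to review:'
$runHits | Format-List
```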