Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Decrypme Ransomware

Decrypme Ransomware is a new variant of the malicious MedusaLocker Ransomware, and so it is no wonder that there are similarities between these two massive infections. In fact, there are so many similarities that your malware scanner or anti-malware tool might recognize it as MedusaLocker instead of Decrypme. Ultimately, the name does not matter all that much, and the most important thing is that the threat is discovered and then deleted. Ideally, you would discover and remove Decrypme Ransomware before it encrypted files, but that is unlikely to happen because this infection was created to be stealthy and silent. In fact, most victims discover it only after it reveals itself, and that happens after files are fully encrypted. What does that mean? That means that the files’ data is changed to ensure that it cannot be read without a special decryptor. Once your files are locked, cybercriminals are brave enough to make demands. Unfortunately, they have the upper hand in this situation, but that does not mean that you have to obey them. In fact, we suggest doing the opposite.

Just like Hermes837 Ransomware, Ccryptor Ransomware, Nakw Ransomware, and many other similar threats, Decrypme Ransomware has to slither in silently for the attack to work out the way that cybercriminals want it. That is why they are likely to exploit vulnerabilities (most likely, in remote access) and employ misleading spam emails to help the ransomware slither in unnoticed. After that, a cmd window should pop up, and the information inside should indicate that “LOCKER XP” is running, scanning, deleting services, killing files, and removing backup. If you do not ignore this window, that might help you recognize malware. If you are more experienced, this would be your chance to try to stop the infection. If it is not stopped, it destroys shadow volume copies, which means that you cannot use internal backup. Of course, the main task is to encrypt files. Decrypme Ransomware skips \AppData, \Application Data, \intel, \nvidia, \Program Files, \Users\All Users, \Windows, ALLUSERSPROFILE, ProgramData, PROGRAMFILES(x86), SYSTEMDRIVE, USERPROFILE, and WINDIR directories. It also avoids .decryptme, .dll, .encrypted, .exe, .ini, .lnk, .rdp, and .sys files. Everything else is fair game.

Once files are encrypted and the ".decrypme" extension is attached to their names, a ransom note file is dropped too. This file is named “HOW_TO_OPEN_FILES.html,” and it should be placed somewhere where you could find it. The Decrypme Ransomware note declares that files were encrypted and that you need a “unique decryptor” to have them restored. The main message is that you need to email mrromber@cock.li (or mrromber@tutanota.com if you do not get a response within 24 hours) to get information on how to “purchase” a decryptor. How much is this tool? Where do you get it from? How do you pay the ransom? These are the questions that the attackers would address only if you emailed them, but we do not recommend initiating communication because a) you do not want to be exposed to new threats and b) you cannot know if you would get anything out of it. In fact, we are pretty confident that you would NOT get a decryptor in return for the money, so keep it to yourself.

Decrypme Ransomware deletes shadow volume copies, but it cannot destroy the copies of your personal files that might be stored online or on external hard drives. Hopefully, you have such copies because that is your only chance of getting the files back. Once you remove Decrypme Ransomware, you can easily use the copies to replace the encrypted files. Unfortunately, free decryptors do not exist, and, as we discussed already, you are unlikely to obtain a decryptor by fulfilling the cybercriminals’ demands. We hope that you have a way out of this mess. First, you need to delete the infection, and while some might successfully remove the ransomware manually, we encourage all victims to employ anti-malware software. This software can simultaneously scan the system to detect malware, perform removal, and also reestablish full protection. Windows protection is important, and if you ignore it now, you could face a new infection soon enough. Of course, you cannot place all responsibility onto anti-malware software. You also need to look out for yourself, and if you want to be safe, you must never open spam email attachments, download unreliable files, or skip even the smallest updates.

Decrypme Ransomware Removal

1. Delete the ransom note file, HOW_TO_OPEN_FILES.html.
2. Delete recently downloaded suspicious files.
3. Tap Win+E keys to access Windows Explorer.
4. Enter %APPDATA% into the bar/quick access field at the top.
5. Delete the file named svchostt.exe (the name could change).
6. Tap Win+R keys to access Run.
7. Enter regedit into the box to access Registry Editor.
8. Navigate to HKEY_CURRENT_USER\Software\.
9. Delete the key named Medusa.
10. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
11. Delete the value named svchostt if the value data points to %APPDATA%\svchostt.exe.
12. Exit all windows and then Empty Recycle Bin.
13. Quickly perform a full system scan using a trustworthy malware scanner.
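
The checks in the removal steps above can be run as a read-only audit before anything is deleted. The PowerShell script below is an added example, not part of the original guide or of any vendor tool; the `$SearchRoot` variable and the `Add-Finding` helper are assumptions introduced here, while the file, key and value names come from the steps above.

```powershell
# Read-only audit for the artifacts named in the removal steps; deletes nothing.
$SearchRoot = "$env:SystemDrive\"   # assumption: where to look for notes and locked files
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Artifact, [string]$Location) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Location = $Location })
}

# Dropped executable in %APPDATA% (the guide notes the name could change).
$exe = Join-Path $env:APPDATA 'svchostt.exe'
if (Test-Path -LiteralPath $exe) { Add-Finding 'Dropped executable' $exe }

# Registry key HKEY_CURRENT_USER\Software\Medusa.
$key = 'HKCU:\Software\Medusa'
if (Test-Path -LiteralPath $key) { Add-Finding 'Registry key' $key }

# Run value "svchostt", reported only when its data points at %APPDATA%\svchostt.exe.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'svchostt' -ErrorAction SilentlyContinue
if ($run) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$run.svchostt)
    if ($data.IndexOf($exe, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        Add-Finding 'Run value' "$runKey\svchostt = $data"
    }
}

# Ransom notes and files carrying the .decrypme extension.
$scan = @{ LiteralPath = $SearchRoot; Recurse = $true; File = $true; ErrorAction = 'SilentlyContinue' }
foreach ($note in Get-ChildItem @scan -Filter 'HOW_TO_OPEN_FILES.html') {
    Add-Finding 'Ransom note' $note.FullName
}
$locked = @(Get-ChildItem @scan -Filter '*.decrypme')
if ($locked.Count -gt 0) {
    Add-Finding 'Encrypted files' "$($locked.Count) file(s) with .decrypme under $SearchRoot"
}

if ($findings.Count -eq 0) {
    'No listed artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because the guide notes that the executable's name could change, an empty result does not show that the system is clean; the full scan in the last step is still needed.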
