Danger level 6
Type: Trojans

Deal Ransomware

Deal Ransomware is an encryptor, and if it finds its way into your operating system, it is set to encrypt personal files, including documents and photos. If you do not have copies of these files stored outside the computer, you are not in a good position because, at the time of research, the threat was undecryptable. As you might know already, there are hundreds of thousands of infections that can threaten to delete, steal, and encrypt your files, which is why it is crucial that you create backups and also secure your operating system. Keep this in mind for after you remove Deal Ransomware. You might have heard that lightning never strikes twice, but when it comes to ransomware, it can strike as many times as you allow it. Therefore, besides discussing the threat and its elimination, we also discuss Windows security. If you are curious and want to learn what our malware researchers have learned when analyzing this dangerous threat, you should continue reading.

Do you open spam emails, or do you delete them right away? Do you leave your remote access enabled, and do you skip updates that are associated with RDP? If you are not careful with spam and remote access systems, you could create backdoors for Deal Ransomware to slither in without notice. According to our research team, this infection is a clone of Phobos Ransomware, which means that it is part of the Crysis/Dharma Ransomware family, just like RSA Ransomware, VIRUS Ransomware, and many other infections. Our research team has created removal guides for these infections already. Besides invading operating systems using the same methods, these infections also act the same. First, of course, they encrypt files. When Deal Ransomware encrypts files, the “.id[number-number].[butters.felicio@aol.com].deal” extension is added to the names. You can use this extension to identify the corrupted files just by looking at them. You are unlikely to notice when files are encrypted, unless you have personal files placed on the Desktop. This is where you might also find a file named “info.txt.” We want you to get rid of this file, but you can open it first.

The .txt file created by Deal Ransomware delivers a message. This message states that your operating system was infected by a “virus” and that your personal files were “locked but not corrupted.” The purpose of the message is to trick you into sending a message to butters.felicio@aol.com and ezequielanthon@aol.com. If you did that, it is most likely that the attackers behind the malicious ransomware would instruct you to pay money for a decryptor. To guarantee that you do not overlook this message, Deal Ransomware also uses a file named “Info.hta” to launch a window entitled “encrypted.” This window delivers the same message that we see in the .txt file. You should not communicate with cybercriminals at all because we fear that they could try to use your email to expose you to new infections after extorting money out of you. When it comes to the ransom, we doubt that you would get a decryptor in return for it anyway. Even if you do not have backups and you cannot find a legitimate decryptor, we still do not recommend fulfilling cybercriminals’ demands.

As long as you can find the launcher file (the name is random, and the location is unknown), you should have no trouble deleting Deal Ransomware manually. If this option is not suitable in your case, you can install anti-malware software. In fact, that is what we recommend doing. Once this software scans your system and automatically removes Deal Ransomware along with any other remaining threats, you will not need to worry about Windows security separately. The software will reestablish full-time protection. This, without a doubt, is very important if you want to evade malware. Hopefully, you have backups that can replace the encrypted files after the removal, but if you do not, make sure you remember to back up files in the future. If you end up paying the ransom, and your files get decrypted – note that this is unlikely to happen, and we really do not recommend paying the ransom – do not forget that you still need to delete the threat and figure out Windows protection.

Deal Ransomware Removal

  1. Delete the ransom note file called info.txt (likely to be found on Desktop).
  2. Tap Win and E keys on the keyboard together to launch Windows Explorer.
  3. Enter the following paths into the field at the top (one by one) and Delete the file called Info.hta:
    • %HOMEDRIVE%
    • %LOCALAPPDATA%
    • %USERPROFILE%\Desktop\
  4. Enter the following paths into the field at the top and Delete a malicious {unique name}.exe file:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  5. Tap Win and R keys on the keyboard together to launch Run.
  6. Type regedit into the dialog box and then click OK to launch Registry Editor.
  7. Navigate to the following paths and Delete the {unique name} value that points to the location of the malicious {unique name}.exe file in step 4:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  8. To complete the removal, Empty Recycle Bin.
  9. Install and use a malware scanner to check for hidden leftovers.
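Before deleting anything, it helps to know how many files were hit and which ransom notes are present. The following read-only triage script is an added example, not part of the original guide: it recognizes the “.id[number-number].[email].deal” naming pattern described above, recovers the original file name, and lists the info.txt / Info.hta notes. The sample folder it builds is constructed for the demonstration; the victim id and file names in it are made up.

```python
import re
import tempfile
from pathlib import Path

# Name pattern the guide describes for files encrypted by Deal Ransomware:
#   <original name>.id[<number>-<number>].[<contact email>].deal
# The victim id differs per machine, so it is matched generically.
DEAL_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+-[^\]]+)\]"
    r"\.\[(?P<email>[^\]]+)\]\.deal$"
)
# Ransom note names from the guide (compared case-insensitively).
NOTE_NAMES = {"info.txt", "info.hta"}


def parse_deal_name(name: str):
    """Return original name, victim id and email if `name` carries the
    Deal extension, otherwise None."""
    m = DEAL_NAME_RE.match(name)
    return m.groupdict() if m else None


def triage_directory(root):
    """Walk `root` and report encrypted files (with their pre-encryption
    names) and ransom notes. Nothing is modified or deleted."""
    report = {"encrypted": [], "notes": [], "emails": set()}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            report["notes"].append(str(path))
            continue
        info = parse_deal_name(path.name)
        if info:
            report["encrypted"].append((str(path), info["original"], info["victim_id"]))
            report["emails"].add(info["email"])
    return report


def build_sample_tree():
    """Constructed sample: a temp folder resembling a Desktop after infection.
    Returns the folder path; the caller removes it when done."""
    root = Path(tempfile.mkdtemp(prefix="deal_sample_"))
    (root / "report.docx.id[1234567-2275].[butters.felicio@aol.com].deal").write_bytes(b"\x00")
    (root / "pics").mkdir()
    (root / "pics" / "trip.jpg.id[1234567-2275].[butters.felicio@aol.com].deal").write_bytes(b"\x00")
    (root / "pics" / "untouched.png").write_bytes(b"\x89PNG")
    (root / "info.txt").write_text("your files are locked but not corrupted")
    (root / "Info.hta").write_text("<html></html>")
    return root


if __name__ == "__main__":
    result = triage_directory(build_sample_tree())
    for enc, original, vid in result["encrypted"]:
        print(f"{enc}\n  original name: {original}  victim id: {vid}")
    print("notes:", result["notes"])
    print("contact addresses seen:", sorted(result["emails"]))
```

Point `triage_directory` at a user profile to get an inventory of encrypted files and note locations before following the removal steps.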