Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Start Ransomware

When Start Ransomware attacks, it does that silently. However, you might have a part in the execution of this dangerous malware. According to our research team, this threat is likely to be spread using spam emails, and that means that you could be the one who opens the misleading message and then executes the infection’s launcher by opening a corrupted attachment. Of course, the email is convincing, and you might not suspect danger at all. Unfortunately, if you do not remove Start Ransomware the moment it slithers in, your files are encrypted. They are encrypted silently and quickly, and so you are unlikely to notice the process until you are informed about it by the infection itself. Unfortunately, once files are corrupted, it is too late to delete the infection to save the files. That being said, this malware needs to be eliminated from your operating system, and the sooner you do that – the better.

Just one glance at the vicious Start Ransomware makes it obvious that it belongs to the well-known Crysis/Dharma Ransomware family. Other threats that belong to it include Asus Ransomware, Wiki Ransomware, Uta Ransomware, Save Ransomware, and MGS Ransomware. There are hundreds of others too. This malware is created using the same code, and that is why it is predictable. We know that once Start Ransomware slithers in, it encrypts files and attaches the “.id-{code}.[].start” extension, and we also know that removing this extension is a waste of time. We also know that once all files are encrypted, a window entitled “” is supposed to pop up right away. The window always looks the same, and the message is always the same. The only thing that changes is the email address. In fact, there are two email addresses linked to the malicious infection. The first one of them is, of course,, and the second one is According to the message represented via the window, you are supposed to email the attackers within 24 hours to obtain information on how to pay a ransom (in Bitcoin) in return for a decryption tool.

Start Ransomware also creates a file named “FILES ENCRYPTED.txt” on the Desktop, and the message in this text file also tells you to contact the attackers using one of the provided email addresses. It is no secret that cybercriminals want to link up with you. Of course, the main task for cybercriminals is to convince you to pay the ransom, but it is always possible that they could have other ideas. For example, if you agree to pay the ransom, they could send you a malicious file posing as a decryptor. Further down the line, they could try to scam you and expose you to new malware installers too. Most likely, if you pay the ransom, you will not hear from the attackers behind Start Ransomware at all because they are unlikely to provide you with a decryptor. That is the main reason we DO NOT recommend emailing cybercriminals or paying the ransom. But what about your files? Can you restore them in other ways? At the time of research, that was not an option, but if you have backups, you can always delete the corrupted files and replace them with copies.

In conclusion, if you have been attacked by Start Ransomware, there is a good chance that your files have been corrupted irreversibly. If you have backups stored outside the infected machine, you are safe, and you can easily replace the corrupted files. Otherwise, it is possible that you have no options. That does not mean that you can trust cybercriminals, who claim that you would obtain a decryptor if you paid a ransom. Always remember that cybercriminals deceive and lie to get what they want, and so it is unlikely that you would get what you are promised just because you fulfill the demands. To delete Start Ransomware, you can either employ a trusted anti-malware program, or you can try to eliminate this malware yourself. If you choose to employ a program, malware will be removed automatically, and you will not need to worry about your security in the future. If you choose the manual removal option, you will need to erase malware and protect your system yourself.

Start Ransomware Removal

  1. Delete recently downloaded files to, hopefully, erase the launcher.
  2. Delete the file called Info.hta from these folders:
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
    • %APPDATA%\
  3. Delete a malicious [random name].exe file in these folders:
    • %WINDIR%\System32\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
  4. Launch Registry Editor.
  5. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  6. Delete all values associated with the malicious Info.hta and [random name].exe files.
  7. Move to the Desktop and delete the file named FILES ENCRYPTED.txt.
  8. Empty Recycle Bin and then install a trusted malware scanner to check for malware leftovers.

N.B. To access the listed folders, tap Win+E keys to access Explorer and then use the quick access field at the top. To access the Registry Editor, tap Win+R keys to launch Run and then enter regedit into the dialog box.
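
A read-only check of the folders, registry key and Desktop file named in the steps above, added here as an example rather than taken from the original guide. It deletes nothing; the signature status shown for Startup executables is an added triage hint, and Run values that point to an .exe in System32 still need manual review.

```powershell
# Read-only audit of the locations listed in the removal steps; nothing is deleted.
$startup = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
)
$findings = @()

# Step 2: Info.hta in the Startup folders, System32 and %APPDATA%.
foreach ($dir in ($startup + "$env:WINDIR\System32" + $env:APPDATA)) {
    $path = Join-Path $dir 'Info.hta'
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Step = 2; Item = $path; Note = 'Info.hta present' }
    }
}

# Step 3: executables in the Startup folders. Signature status is an added hint,
# not from the guide. System32 is left to a scanner: it holds many legitimate .exe files.
foreach ($dir in $startup) {
    $exes = Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $exe.FullName).Status
        $findings += [pscustomobject]@{ Step = 3; Item = $exe.FullName; Note = "Signature: $sig" }
    }
}

# Steps 5-6: Run values that reference Info.hta or a file inside a Startup folder.
$run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $run.GetValueNames()) {
    $data = [string]$run.GetValue($name)
    $inStartup = $startup | Where-Object {
        $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    if ($data -match 'Info\.hta' -or $inStartup) {
        $findings += [pscustomobject]@{ Step = 6; Item = "Run\$name"; Note = $data }
    }
}

# Step 7: the text file dropped on the Desktop.
$note = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FILES ENCRYPTED.txt'
if (Test-Path -LiteralPath $note) {
    $findings += [pscustomobject]@{ Step = 7; Item = $note; Note = 'Ransom note present' }
}

# The "Application Data" path can resolve to the same folder as another entry,
# so duplicates are collapsed before printing.
$findings | Sort-Object Item -Unique | Format-Table -AutoSize -Wrap
```

An empty table means none of the listed artifacts were found for the current user; run it from an elevated prompt so System32 and the all-users Startup folder are readable.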
