Click on screenshot to zoom
Danger level 6
Type: Trojans
Common infection symptoms:
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

OFFWHITE Ransomware

OFFWHITE Ransomware falls into the category of malicious infections that area built to extort money from Windows users. Ransomware is all about making victims pay ransoms, and in most cases, personal files are hijacked to make the victims pay the money more willingly. Files are hijacked by encrypting them, which entails scrambling the data to make them unreadable. Even though a matching decryptor should exist, the attackers are under no obligation to give it to the victims, and that is why most of them are left empty-handed even after the full ransom payments. Since you have found this article, we assume that you need to remove OFFWHITE Ransomware from your Windows operating system. Have you checked which personal files were corrupted by this malware? According to our research, the ".OFFWHITE" extension should be added to all of them. Unfortunately, you cannot recover files by deleting the extension of even the threat itself. Nonetheless, you have to eliminate this malware ASAP.

It was found that OFFWHITE Ransomware is part of the NEFILIM Ransomware family, and according to our research team, the launcher of this malware even has a digital signature, signed by Svos Pty Limited. It is believed that this malware uses RDP (remote desktop protocol) vulnerabilities to invade operating systems, which means that they must be weak to begin with. Windows protection must be taken very seriously because even one skipped or postponed update could allow cybercriminals to exploit unpatched vulnerabilities. Please keep that in mind after you delete OFFWHITE Ransomware and, hopefully, resume normal activities. Once inside the system, the infection starts encrypting files, and it encrypts everything in its way. According to our researchers, it only avoids files with ".exe", ".dll", ".ini", ".cpl", ".lnk", ".mp3", ".mp4", and ".com" extensions. Besides encrypting files, the infection also drops two files. One of them is a JPG file dropped to %TEMP% (could be named "scam.jpg"), and the second one is a ransom note file named "OFFWHITE-MANUAL.txt" dropped to %HOMEDRIVE%. After your files are encrypted and the infection’s files are dropped, it is set to delete itself automatically.

Both JPG and TXT files dropped by OFFWHITE Ransomware present the same message. According to it, military grade algorithms were used to encrypt your personal files and now you need the attacker’s software if you want to recover them. The message also claims that “valuable and sensitive” information found on your system was downloaded and will be leaked online unless you contact the attackers right away. To contact them, you need to send two encrypted files to one of the three listed email addresses:,, If you do this, you should receive instructions on how to pay for the private key, software, or whatever else the attackers might suggest could restore files. Is it possible that files on your computer were exfiltrated? Unfortunately, that is possible, and that might have happened before OFFWHITE Ransomware attacked as well. The problem here is that even if you follow the attackers’ demands and pay the ransom swiftly, there is no guarantee that your files would be decrypted or that cybercriminals would delete the stolen data from their servers. Due to this, we do not believe that paying the ransom would give you the desired results.

So, do you pay the ransom requested OFFWHITE Ransomware or do you just ignore this malware? We cannot decide what the best course of action is for you, and if the infected system belongs to a large company, the IT security team has to decide what is best. It is unlikely, however, that the attackers would immediately decrypt files or unleash the victim. Instead, they are likely to terrorize them, ask for more money, or flood the inboxes from which emails to the attackers were sent with spam emails. In the best-case scenario, the corrupted system did not contain extremely sensitive data, and the encrypted files have backup copies stored safely outside the computer. Without a doubt, even if you can resolve the encryption of the files, you still need to handle the removal of malware and the protection of your operating system. Other threats could exist, and you still need to delete OFFWHITE Ransomware leftovers (see guide below). We recommend implementing anti-malware software that can simultaneously secure systems and also remove any threats that might exist on them.

OFFWHITE Ransomware Removal

  1. Tap Win and E keys simultaneously to launch File Explorer.
  2. Enter %HOMEDRIVE% into the field at the top to access the directory.
  3. Delete the ransom note file named OFFWHITE-MANUAL.txt.
  4. Enter %TEMP% into the field at the top and Delete the file named scam.jpg.
  5. Tap Win and R keys simultaneously to launch Run.
  6. Enter regedit into the dialog box and click OK to access the Registry Editor.
  7. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop.
  8. Delete the value named Wallpaper and then exit Registry Editor.
  9. Set the desired Desktop wallpaper and then Empty Recycle Bin.
  10. Install a trusted malware scanner to inspect your system for leftovers.
Download Spyware Removal Tool to Remove* OFFWHITE Ransomware
  • Quick & tested solution for OFFWHITE Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.