.Ransom File Virus – Remove and Restore Your Files

This article will help you remove .Ransom File Virus effectively. Follow the ransomware removal instructions at the bottom of the article.

.Ransom is the extension appended to files encrypted by a newly emerged ransomware written in MSIL (Microsoft Intermediate Language). Some researchers might argue that it is based on HiddenTear. Once the ransomware payload is executed, your data will become encrypted and the virus will leave a ransom note with instructions for payment. Read on to see how you could try to restore some of your data.

Threat Summary

Name: .Ransom File Virus
Type: Ransomware
Short Description: The ransomware virus encrypts files on your computer and demands 0.3 Bitcoin to be paid as a ransom.
Symptoms: The ransomware will encrypt your files and then place the extension .Ransom on each encrypted file.
Distribution Method: Spam Emails, Email Attachments, Executables
Detection Tool: See If Your System Has Been Affected by .Ransom File Virus (Download: Malware Removal Tool)
User Experience: Join Our Forum to Discuss .Ransom File Virus.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.Ransom File Virus – Infection

The .Ransom file virus could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, is circulating on the Internet, and malware researchers have found a sample. You can see the VirusTotal detections of that sample by different security programs in the screenshot below:

The .Ransom file virus might also distribute its payload file on social media websites and file-sharing networks. Freeware found on the Web could be presented as useful but at the same time hide the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources such as links or e-mails. Instead, scan them beforehand with a security tool, and check the size and signatures of these files for anything that seems out of the ordinary. You should read the ransomware prevention tips thread in the forum.

.Ransom File Virus – In Detail

The .Ransom file virus gets its name from the .ransom extension it appends to the files it encrypts. Malware researchers claim that the ransomware is written in MSIL. MSIL stands for Microsoft Intermediate Language, but by today’s standards its name would be CIL (Common Intermediate Language).

The .Ransom file virus could make entries in the Windows Registry to achieve persistence, and to launch and repress processes in Windows. Some entries are designed to start the virus automatically with each launch of the Windows operating system, and one such entry is outlined here:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The ransom note will show up after the encryption process is complete. The note is written in English, but is also available in other languages. Inside, you will see instructions for how to proceed with payment and the recovery of your files. The ransom note file for English-speaking users is called “README_TO_DECRYPT_FILES.html”, but it has other names for different languages, including:

  • LEAME_PARA_DESCIFRAR_ARCHIVOS.txt
  • LEGGIMI_PER_DECIFRARE_I_FILES.txt
  • LESEN_SIE_MICH_UM_DATIEIEN_ZU_ENTSCHLUSSELN.txt
  • LISEZ_MOI_POUR_DECHIFFRER_LES_FICHIERS.txt
  • PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt
  • README_TO_DECRYPT_FILES.txt

The .html file will load the ransom note in a browser. You can preview the ransom message in the picture below:

The ransom message reads:

WARNING Encrypted Files
!!! YOUR FILES HAVE BEEN ENCRYPTED WITH RANSOMWARE !!!
The Key to Decrypt Your Files Will Be DELETED in 7 Days
Send Me 0.3 Bitcoins
You Have Only 7 Days From Now
Bitcoin Address: 1NTKmeeLp52y9oZVfVZEdUCJBK9xhTcZNW
Buy Bitcoins On:
– https://paxful.com/
– https://localbitcoins.com/
– https://www.bitpanda.com/
After Send Me an Email With Your ID: [redacted] alka@protonmail.com
I Will Send You the Key to Decrypt Your Files

The ransom note and any instructions from the .Ransom file virus should not be followed. You should NOT under any circumstance contact the cybercriminals. Your files may not even get restored, and nobody can give you a guarantee that they will be. Besides, supporting criminals is not a good idea. The crooks may also be encouraged to commit more criminal acts, such as the creation of more ransomware viruses.

.Ransom File Virus – Encryption Process

The .Ransom file virus ransomware will probably seek to encrypt files that have the following extensions:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

Every encrypted file will have the same extension appended to it, and that is the .ransom extension. The algorithm used for encryption is not known, but is probably AES.
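A read-only triage sketch built from the indicators listed in this article, added here as an example and not part of the original article or of any vendor tool: it walks a folder, finds the ransom notes and the files carrying the appended extension, and groups them by original extension so you can scope what needs restoring. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators copied from the article text (note names and targeted extensions).
NOTE_NAMES = {n.lower() for n in (
    "README_TO_DECRYPT_FILES.html", "README_TO_DECRYPT_FILES.txt",
    "LEAME_PARA_DESCIFRAR_ARCHIVOS.txt", "LEGGIMI_PER_DECIFRARE_I_FILES.txt",
    "LESEN_SIE_MICH_UM_DATIEIEN_ZU_ENTSCHLUSSELN.txt",
    "LISEZ_MOI_POUR_DECHIFFRER_LES_FICHIERS.txt",
    "PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt",
)}
TARGET_EXTS = set(".7z .bmp .doc .docm .docx .html .jpeg .jpg .mp3 .mp4 .pdf .php "
                  ".ppt .pptx .rar .rtf .sql .tiff .txt .xls .xlsx .zip".split())
MARKER = ".ransom"  # matched case-insensitively; the article writes it both ways


def triage(root):
    """Walk root and report ransom notes and files carrying the appended extension."""
    report = {"notes": [], "encrypted": [], "by_original_ext": Counter(),
              "unexpected_ext": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in NOTE_NAMES:
                report["notes"].append(path)
            elif lower.endswith(MARKER) and len(lower) > len(MARKER):
                # Strip the marker to recover the extension the file had before.
                original_ext = Path(lower[:-len(MARKER)]).suffix
                report["encrypted"].append(path)
                report["by_original_ext"][original_ext] += 1
                if original_ext not in TARGET_EXTS:
                    # Not on the article's list: worth a manual look.
                    report["unexpected_ext"].append(path)
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files that mimic an affected folder."""
    for rel in ("docs/report.docx.ransom", "docs/budget.XLSX.Ransom",
                "docs/README_TO_DECRYPT_FILES.html", "docs/notes.txt",
                "pics/cat.jpg.ransom", "pics/tool.exe.ransom"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        print(len(r["notes"]), "notes;", len(r["encrypted"]), "encrypted;",
              dict(r["by_original_ext"]))
```

Point `triage()` at a user profile or a mounted backup; it only reads directory listings and never opens or modifies files.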

The .Ransom file virus cryptovirus has not been seen to erase the Shadow Volume Copies from the Windows operating system, but that may be a possibility. Erasing them would make the encryption more effective, since it would eliminate one of the ways of restoring your files. Continue reading to see what ways you can try to potentially recover some of your data.

Remove .Ransom File Virus and Restore Your Files

If your computer got infected with the .Ransom file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. You should remove the ransomware by following the step-by-step instructions provided below.

Manually delete .Ransom File Virus from your computer

Note! Important notice about the .Ransom File Virus threat: Manual removal of .Ransom File Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .Ransom File Virus files and objects
2. Find malicious files created by .Ransom File Virus on your PC

Automatically remove .Ransom File Virus by downloading an advanced anti-malware program

1. Remove .Ransom File Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .Ransom File Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
