
Remove Trojan.Ransomcrypt.S Completely

Name: Trojan.Ransomcrypt.S
Type: Ransomware
Short Description: Encrypts important user data and demands ransom in return.
Symptoms: The user may have his files encrypted without his consent and may see a ransom note with instructions on how to pay for them.
Distribution Method: Malicious Links, Spam Mail
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by Trojan.Ransomcrypt.S
User Experience: Join our forum to follow the discussion about the Trojan.Ransomcrypt Variants.

A variant of the Trojan.Ransomcrypt ransomware infection, this particular trojan is known for encrypting a wide array of file extensions and leaving a ransom note. The ransom note aims to scare users into paying the ransom via anonymous networks in return for the decryption keys, threatening that the files may otherwise be lost forever. Experts advise users not to comply in any way with the demands of the cyber crooks, because there is no guarantee that the files will be decrypted.

Trojan.Ransomcrypt.S – How Did I Get Infected?

Trojans of this type may be downloaded onto your computer by other malicious programs, such as trojan.downloaders, that may have already infected it. Another way to get them is by visiting a malicious site that downloads the threat directly onto the user's PC, or by opening a dangerous spam mail attachment. Users are strongly advised to use spam filters, since some emails are spoofed to look as if they come from a well-known person or company, and users may fall into the trap.

Trojan.Ransomcrypt.S In Detail

According to Symantec, the .S variant of this trojan also encrypts certain files on the user's PC and leaves a ransom note. Once activated on a target PC, it copies a malicious .dll file, called reg.dll, into the %Temp% folder. The Trojan then begins tampering with PC settings, creating the following registry entry for the copied .dll file:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WINUP" = "regsvr32 "%Temp%\reg.dll"

This registry entry makes the trojan run at every system startup. Next, the trojan connects to the attackers' server. One malicious address identified by the Symantec threat analysis experts was:

→65.49.8.104

After connecting to the remote host, the threat downloads these files into the infected PC's %Temp% folder:

→t0.da0; t0.daa; t0.da1

After downloading the files, it most likely uses them to encrypt user files of these formats:

→.txt .html .htm .css .wmv .wallt .odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd .pdd .pdf .eps .ai .indd .cdr .jpg .jpe .jpg .dng .3fr .arw .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f .der .cer .crt .pem .pfx .p12 .p7b .p7c

Just like CryptoWall Ransomware, the trojan then creates the HELP_DECRYPT.HTML (http://sensorstechforum.com/help_decrypt-files-description-and-removal/) file, which contains the same instructions as the CryptoWall (http://sensorstechforum.com/remove-cryptowall-3-0-and-restore-the-encrypted-files/) ones.
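
The indicators described above (the WINUP Run value, the files in %Temp% and the ransom note) can be checked on a suspect machine with a read-only PowerShell function. This is an added example, not part of the original article or of Symantec's write-up; the function name, its parameters and the output fields are assumptions, and it only reports matches without changing anything.

```powershell
# Added example: read-only check for the indicators this article lists.
# Indicator values are from the article; the function name and output
# fields are illustrative assumptions.
function Find-RansomcryptSIndicator {
    param(
        [string]$TempDir    = $env:TEMP,
        [string]$SearchRoot = $env:USERPROFILE
    )
    $hits = @()

    # Persistence: flag the WINUP Run value, and more generally any Run
    # value that has regsvr32 register a DLL out of the temp folder.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    $run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider metadata, not a Run value
            # REG_SZ values keep %Temp% literally, so expand before matching
            $cmd    = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $inTemp = $cmd.IndexOf($TempDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
            if ($p.Name -eq 'WINUP' -or ($cmd -match 'regsvr32' -and $inTemp)) {
                $hits += [pscustomobject]@{ Type = 'RunValue'; Item = $p.Name; Detail = $cmd }
            }
        }
    }

    # Files the article says are copied or downloaded into %Temp%
    foreach ($name in 'reg.dll','t0.da0','t0.daa','t0.da1') {
        $path = Join-Path $TempDir $name
        if (Test-Path -LiteralPath $path) {
            $hits += [pscustomobject]@{ Type = 'TempFile'; Item = $path; Detail = $name }
        }
    }

    # Ransom note file name given in the article
    $notes = Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Filter 'HELP_DECRYPT.HTML' -ErrorAction SilentlyContinue
    foreach ($f in $notes) {
        $hits += [pscustomobject]@{ Type = 'RansomNote'; Item = $f.FullName; Detail = $f.LastWriteTime }
    }

    $hits
}

Find-RansomcryptSIndicator | Format-Table -AutoSize -Wrap
```

Run it as the affected user, since the Run value lives under HKEY_CURRENT_USER and %Temp% is per-user. An empty result means only that these specific indicators were not found.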

Remove Trojan.Ransomcrypt.S Fully from Your PC

To remove the .S variant of this Trojan from your computer, follow the step-by-step instructions below. It is recommended to boot in safe mode and scan your computer with an advanced anti-malware tool. Tech-savvy users who want to try to decrypt their data can also check these links:

Methods for decryption:
http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/
http://sensorstechforum.com/remove-rsa-2048-encryption-key-from-cryptowall-3-0/

Scan and remove ransomware via a live OS:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/safe-way-to-scan-your-computer-and-detect-malware/

1. Boot Your PC In Safe Mode to isolate and remove Trojan.Ransomcrypt.S
2. Remove Trojan.Ransomcrypt.S with SpyHunter Anti-Malware Tool
3. Remove Trojan.Ransomcrypt.S with STOPZilla AntiMalware
4. Back up your data to secure it against attacks and file encryption by Trojan.Ransomcrypt.S in the future

NOTE! Important notice about the Trojan.Ransomcrypt.S threat: Manual removal of Trojan.Ransomcrypt.S requires changes to system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
