.pennywise Ransomware — How to Remove Virus Infections

.pennywise Ransomware — How to Remove Virus Infections

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will aid you to remove .pennywise Ransomware. Follow the ransomware removal instructions provided at the end of the article.

.pennywise Ransomware is one that encrypts your data and demands money as a ransom to get it restored. Files will receive the .pennywise extension. The .pennywise Ransomware will leave ransomware instructions as a desktop wallpaper image. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

Name.pennywise ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files by placing the .pennywise before the affected files on your computer system and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .pennywise ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .pennywise ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.pennywise Ransomware – Distribution Techniques

This is a new version of the Jigsaw ransomware family which has been found in live campaigns. The samples are low in number which doesn’t exactly give out the main tactic used by the criminals. One of the most popular ways is to send out email phishing messages which are used to coerce the victims into believing that they have received a legitimate message from a service, company or product that they use.

The criminals can additionally create fake websites that coerce the victims into thinking that they are accessing a legitimate site. Such sites can be search engines, download portals, product landing pages and etc. Malicious elements and site links can lead to the .pennywise ransomware infection.

The .pennywise ransomware infection code can also be embedded in payload carriers of which there are two main variants:

  • Application Installers — The virus installation scripts can be made part of setup files of popular applications. The criminals will choose software that is frequently installed by end users — the original installers will be taken from the official legitimate sources and modify them accordingly.
  • Documents — The same approach can be undertaken with documents across all popular types: spreadsheets, presentations, databases and text files. Their macros will be infected with the virus delivery script and the prompt to run them will be spawned after the files have been opened by the victims.

The virus infections can also be caused through the interaction with browser hijackers. They are dangerous virus infections that are masked as legitimate plugins made for the most popular web browsers, most commonly they can be found on the relevant repositories using fake user reviews and developer credentials. When installed they will change the default web browser settings in order to redirect the victims to a hacker-controlled page and also deploy the .pennywise ransomware.

.pennywise Ransomware – Detailed Analysis

Like other similar Jigsaw ransomware variants the .pennywise virus features a typical behavior pattern. It is very possible that this version is made by the criminal collective behind the distribution. The alternative solution is to make a custom order through the underground markets.

The Jigsaw family of threats is based on the modular platform of the base virus which allows the hackers to carry out various malicious tasks. Some of the most common ones include the following:

  • Data Harvesting — The .pennywise ransomware engine can be used to scan the local drive contents for any information that seems useful to the attackers. In most cases this includes machine identification metrics which are used to create an unique ID signature that is applied to every individual computer. Its input values are taken from the list of installed hardware components, system settings and system environment values.
  • Identity Theft — The same engine can be used to harvest the personal information about the victim users. It is programmed to scan data such as the following: name, address, interests, phone number and any stored account credentials.
  • Security Software Bypass — The engine can be used to scan for the presence of any applications or services that can stop the .pennywise ransomware infection. This is done by searching for their processes and signatures, usual targets are anti-virus programs, firewalls, intrusion detection systems, virtual machine hosts and debug environments.
  • Windows Registry Changes — The .pennnywise ransomware can access and modify the Windows Registry thus affecting both third-party applications and the system itself. This action can lead to very serious stability and performance issues, as well as the inability to launch certain options or applications.
  • Automatic Start — The .pennywise ransomware engine can modify configuration files and boot options in order to start every time the computer is powered on.

A particularly dangerous action is when the active .pennywise ransomware infection is used to deploy other threats. Among them may be Trojan clients which are used to establish a connection with a hacker-controlled server. It allows the criminals to take over control of the infected machines, steal user data and also spy on the victims in real-time. Other Jigsaw related components can be added in future versions as well.

Related: .Game File Virus (Jigsaw) – Remove and Restore Files

.pennywise Ransomware – Encryption Process

The .pennywise Ransomware encrypts user data with a strong cipher according to a built-in list of target data extensions. In most cases it will target the most popular ones:

  • Archives
  • Backups
  • Documents
  • Images
  • Videos
  • Music

The victim files will be renamed with the .pennywise extension and a lockscreen displayed to coerce the victims into paying a decryption fee to the hackers. The test samples can be unlocked with the following key: PsTqQNhR77oKJXvBWE3YZc.

Remove .pennywise Ransomwareand Try to Restore Data

If your computer system got infected with the .pennywise ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share