.PICO Ransomware v1.0 – How to Remove and Restore Files



This article explains what the Pico Ransomware virus is, how to remove it, and how to restore files that it has encrypted and renamed with the added .PICO file extension.

A new ransomware virus going by the name Pico Ransomware was recently detected by security researcher S!Ri. The malware is likely a variant of Thanatos ransomware, and its main goal is to encrypt the files on your computer and then add the .PICO file extension to each encrypted file. The virus then drops a ransom note file called README.txt, which asks victims to pay $100 in BitCoin or Ethereum. If your PC has been infected by this ransomware, we strongly suggest that you read this article, as it aims to help you remove the virus and possibly restore your data.

Threat Summary

Name: .PICO Ransomware v1.0
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the machine and then demands that victims pay $100 in Ethereum or BitCoin to get them working again.
Symptoms: Files are appended with the .PICO file extension. The virus drops a ransom note called README.txt.
Distribution Method: Spam emails, email attachments, executable files

.PICO Ransomware – How Does It Spread

The primary method of propagation used by the .PICO files virus is believed to be infection via spammed e-mail attachments. These may arrive disguised as the following fake documents:

  • Invoices.
  • Receipts.
  • Order invoices.
  • Some type of important statements from banks.
  • Suspicious account activity reports.

In addition, the e-mail text aims to convince victims that the attachment is of utmost importance so that they open it. The file itself may range from an executable to a Microsoft Word document that infects the computer via malicious macros, following the infection chain shown in the figure below:

[Figure: infection chain]

Besides e-mail, the .PICO ransomware virus may also infect computers through other channels, for example by being uploaded to websites while pretending to be a file the user is looking to download. Most often, viruses like .PICO ransomware pretend to be:

  • Patches.
  • Cracks.
  • Keygens.
  • Setups.
  • Suspicious account activity reports.
  • Activators.
  • Hack tools.

.PICO Ransomware – Malicious Activity

Once it has been installed on your computer, the .PICO virus leaves the following debug-symbol path, which points to a folder structure and file created directly on the Desktop:

→ %Desktop%\Ransomware\ThanatosSouce\Release\Ransomware.pdb

This suggests that the virus reuses the source code of Thanatos ransomware, which came out back in February this year. The virus also drops the README.txt ransom note, which reads as follows:

Your files was encrypted. To decrypt your files,
follow next steps:

Pico Ransomware v1.0
1. Send $100 to one of these wallets:

2. Send your TXID and your MachineID to mail
E-Mail: [email protected]
Machine ID: {ID HERE}

Do not waste your time, files can only be
decrypted by our decode tool.

Another activity performed by the .PICO ransomware virus on the victim's computer is modifying the Windows Registry so that a value named "Microsoft Update System Web-Helper" opens README.txt automatically at every logon. The value is located in the following Run sub-key:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Microsoft Update System Web-Helper” = “C:\Windows\System32\notepad.exe %UserProfile%\Desktop\README.txt”
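One way a responder can check for this persistence mechanism is to export the HKCU Run key (for example with `reg export`) and scan the values for autoruns that open a text file with Notepad. The following script is an added example and not code from the original article or from the malware analysis; the registry export text inside it is constructed, and the value named "Microsoft Update System Web-Helper" mirrors the entry quoted above.

```python
"""Flag Run-key autoruns that open a ransom note at logon (added example)."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export. In a real investigation this text would come from:
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# The OneDrive entry is a benign filler; the second entry mirrors the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft Update System Web-Helper"="C:\\Windows\\System32\\notepad.exe %UserProfile%\\Desktop\\README.txt"
'''

# A REG_SZ line in .reg syntax: "name"="value", with \" and \\ as escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: \\ -> \ and \" -> " in a single pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(reg_text):
    """Return {value_name: command} for every REG_SZ value under the HKCU Run key."""
    values = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        match = _VALUE_RE.match(line)
        if match:
            values[_unescape(match.group(1))] = _unescape(match.group(2))
    return values


def flag_ransom_note_autoruns(values):
    """Return findings for Run values that look like a ransom-note autorun.

    Heuristics: legitimate startup entries do not launch Notepad, do not open a
    .txt file, and rarely point at the user's Desktop.
    """
    findings = []
    for name, command in values.items():
        low = command.lower()
        reasons = []
        if "notepad.exe" in low:
            reasons.append("launches notepad.exe at logon")
        if re.search(r"\.txt(?:\s|\"|$)", low):
            reasons.append("opens a .txt file (ransom-note pattern)")
        if "%userprofile%\\desktop" in low or "\\desktop\\" in low:
            reasons.append("targets a file on the Desktop")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_ransom_note_autoruns(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f'[!] Run value "{finding["name"]}": {finding["command"]}')
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Removing the flagged value stops the note from reopening at logon, but it does not remove the ransomware binary itself; the Run key check is a triage step that confirms the infection pattern, not a cleanup on its own.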

Judging by the similarities in the ransom notes, the .PICO ransomware is likely a variant made by a skid who likely purchased it in the deep web.

In addition to those activities, the .PICO ransomware may also stop protective services, disable Windows recovery and delete the Volume Shadow Copies (the backups Windows keeps of your files) by executing the following commands as an administrator in Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
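These commands are noisy from a detection standpoint: shadow-copy deletion, `bcdedit` recovery tampering and a burst of `sc stop` calls against security services rarely occur together in normal administration. The following script is an added example, not part of the original article, showing how process-creation events (the CommandLine field of Sysmon Event ID 1 or Security event 4688) can be matched against exactly the commands quoted above. The event list is constructed; the service-name list copies the article's commands (including its spelling "VVS") and additionally accepts "VSS".

```python
"""Match process command lines against the recovery-destruction commands above (added example)."""
import re

# Detection rules: (rule name, regex over the command line). The service list
# follows the article's commands; "vvs" is kept as quoted there, "vss" added.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_status_ignored",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("security_service_stopped",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:vvs|vss|wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I)),
]

# Constructed events: (timestamp, parent image, command line). The first six
# reproduce the article's commands; the last three are benign look-alikes.
SAMPLE_EVENTS = [
    ("2018-06-30T10:01:02Z", r"C:\Users\victim\Desktop\Ransomware.exe", "sc stop VVS"),
    ("2018-06-30T10:01:02Z", r"C:\Users\victim\Desktop\Ransomware.exe", "sc stop WinDefend"),
    ("2018-06-30T10:01:03Z", r"C:\Users\victim\Desktop\Ransomware.exe", "sc stop wuauserv"),
    ("2018-06-30T10:01:03Z", r"C:\Users\victim\Desktop\Ransomware.exe",
     "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("2018-06-30T10:01:04Z", r"C:\Users\victim\Desktop\Ransomware.exe",
     "cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("2018-06-30T10:01:04Z", r"C:\Users\victim\Desktop\Ransomware.exe",
     r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("2018-06-30T09:15:00Z", r"C:\Windows\System32\cmd.exe", "vssadmin list shadows"),
    ("2018-06-30T09:16:00Z", r"C:\Windows\System32\cmd.exe", "sc query WinDefend"),
    ("2018-06-30T09:17:00Z", r"C:\Windows\System32\cmd.exe", "sc stop Spooler"),
]


def match_event(command_line):
    """Return the names of every rule the command line triggers."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def analyze(events):
    """Return (list of hits, verdict string) for a batch of process-creation events.

    A host that both deletes shadow copies and tampers with boot/recovery
    settings is rated critical: that combination is the pre-encryption
    pattern described in the article, not ordinary administration.
    """
    hits = []
    for timestamp, image, command in events:
        for rule in match_event(command):
            hits.append({"time": timestamp, "rule": rule, "image": image, "command": command})
    triggered = {hit["rule"] for hit in hits}
    if "shadow_copy_deletion" in triggered and triggered & {"recovery_disabled", "boot_status_ignored"}:
        verdict = "critical: shadow-copy deletion plus recovery tampering (ransomware pre-encryption pattern)"
    elif triggered:
        verdict = "suspicious: " + ", ".join(sorted(triggered))
    else:
        verdict = "no destructive commands observed"
    return hits, verdict


if __name__ == "__main__":
    found, summary = analyze(SAMPLE_EVENTS)
    for hit in found:
        print(f'{hit["time"]} {hit["rule"]:26} {hit["command"]}')
    print(summary)
```

The parent image is carried along because a `vssadmin` launched from an executable on the Desktop, as in the constructed events, is a much stronger signal than the same command run from an administrator's console; in a SIEM rule that field is the natural place for an allow-list of backup software.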

Furthermore, the .PICO ransomware may carry the same information-stealing modules as Thanatos, which it uses to collect data from the infected computer, such as:

  • Passwords and logins.
  • IP addresses and System Language and region.
  • Antivirus programs installed on your PC.

The main goal of .PICO is to encrypt the files on your computer so that they can no longer be opened. We did not manage to locate any decryption key stored on a victim machine, so paying the ransom may not get your files back.

.PICO Ransomware – Encryption Process

To encrypt the files on your PC, PICO ransomware may look for them based on their file extensions. The virus may scan for the following types of files:

  • Images.
  • Videos.
  • Archives.
  • Documents.
  • Audio files.
  • Backup files.
  • Database files.

Once the malware has detected the files, they are immediately encrypted and given the .PICO file extension, as shown in the figure below:

[Figure: encrypted files with the .PICO extension]
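Because the original extension is kept and .PICO is appended, a responder can scope the damage without any decryption by inventorying which file types were hit and where ransom-note copies were dropped. The script below is an added example, not part of the original article; it builds a constructed victim-profile layout in a temporary folder so it runs offline, and on a real host you would point scope_infection() at the user profile or a mounted disk image instead.

```python
"""Inventory .PICO-encrypted files and ransom-note copies under a directory (added example)."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".PICO"     # extension appended by the ransomware (from the article)
NOTE_NAME = "README.txt"    # ransom note file name (from the article)


def scope_infection(root):
    """Walk `root` and return (Counter of encrypted files by original extension,
    list of ransom-note paths, list of encrypted file paths)."""
    by_ext = Counter()
    notes = []
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                # Strip the appended extension to recover the original one.
                original_name = name[:-len(ENCRYPTED_EXT)]
                _stem, ext = os.path.splitext(original_name)
                by_ext[ext.lower() or "(none)"] += 1
                encrypted.append(path)
            elif name.lower() == NOTE_NAME.lower():
                notes.append(path)
    return by_ext, notes, encrypted


def build_sample_tree():
    """Create a constructed victim layout in a temp folder and return its root.

    Encrypted names follow the article's pattern (original.ext.PICO); a few
    untouched files are included so the inventory has something to skip.
    """
    root = tempfile.mkdtemp(prefix="pico_scope_")
    layout = {
        "Desktop": ["README.txt", "thesis.docx.PICO", "budget.xlsx.PICO"],
        "Pictures": ["README.txt", "holiday.jpg.PICO", "cat.png.PICO", "already_open.png"],
        "Music": ["track.mp3"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(b"constructed sample content")
    return root


def summarize(root):
    """Return a short human-readable summary for a scoped directory."""
    by_ext, notes, encrypted = scope_infection(root)
    lines = [f"{len(encrypted)} encrypted files, {len(notes)} ransom-note copies under {root}"]
    for ext, count in sorted(by_ext.items()):
        lines.append(f"  {ext:8} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```

The per-extension breakdown is what tells you whether the affected data is covered by an existing backup and which shares or folders to isolate; the note paths double as the list of files to remove once the ransomware itself has been cleaned.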

Remove .PICO Ransomware and Restore Files

In order to remove this ransomware virus from your computer, we strongly suggest that you follow the removal instructions underneath this article. They are divided into manual and automatic removal methods. The most effective way to remove the .PICO file ransomware from your computer is to do it automatically with an advanced anti-malware program, as most experts would recommend. Such a tool is fully capable of removing the .PICO ransomware's malicious files and of keeping your PC protected against possible infections in the future as well.

If you want to restore files encrypted by this variant of .PICO ransomware, we recommend that you try the alternative file recovery methods below. They may not recover all of your files, but with their aid you may be able to restore some of them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
