Putty Ransomware Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Putty Ransomware Remove and Restore Files

Article created to help remove Putty ransomware virus from your computer and restore the files encrypted by it via AES algorithm.

A ransomware virus named the same way as the notorious network connection management tool PuTTy has appeared in the wild. The virus uses Advanced Encryption standard to encode the important files on the computers it infects. After this, the Putty ransomware may request from victims to pay a hefty ransom fee to decrypt files encrypted by the virus. The Putty ransomware may be spread on a global scale, so if your system has been infected by it, we advise you to read the following material.

Threat Summary


Putty Virus

Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions”, linking to contacting the cyber-criminals.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Putty Virus


Malware Removal Tool

User ExperienceJoin our forum to Discuss Putty Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Putty Ransomware – How Does It Infect

The infection process of Putty begins with it’s methods of distribution. The virus has a payload file which is named CamSnap.exe. This file can be identified with the following SHA256:

  • 07ba533a694e1733f8ef1c18ac191867382f4ca7a51244cda6ef5ec119fbfe53
  • wfdb8c7c1fa5b44419ae43679be83782f46cb40b422805c86c7cc4ffe72454f6f

Both the CamSnap files are uploaded in VirusTotal, but only one of them has a high detection rate:

This executable (CamSnap) may imitate the installer of a program aiming to make it easier how one takes pictures with his web camera, according to the publisher’s description:

Image Source: Cnet

This points out to this ransomware being distributed via fake installers of programs. These installers may be uploaded on Torrent websites as well as sites that offer free software.

Putty Virus – More Information

After the malicious executable is opened, the Putty virus may run an obfuscated script which may inject code into legitimate Windows processes, such as rundll32.exe and svchost.exe. Then, more malicious files may be dropped onto the user’s computer. The files may be located in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %SystemDrive%
  • %Windows%

Then, the Putty virus may execute the vssadmin command used to delete shadow volume copies from the infected computer.

After this command has been initiated, the Putty virus may also take advantage of the Windows Registry editor by modifying different Windows Registry sub-keys within it. The usually targeted of those are the following:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

Putty Ransomware – Encryption Process
As soon as Putty ransomware begins the encryption process, the virus is pre-configured to target files of the following file types:

  • Microsoft Office documents.
  • PDF documents.
  • Videos.
  • Archive files.
  • Audio files.
  • Images.
  • OpenOffice documents.

In addition to this, the ransomware infection also begins to employ the AES (Advanced Encryption Standard) algorithm on the files, making them no longer openable. After the encryption process is complete, Putty ransomware may drop a ransom note type of file on the computer of the victim asking for a hefty payoff to be made to get the encrypted files back.

Remove Putty Ransomware and Restore Files Encrypted by It

For the removal of this virus, we recommend you to follow the removal instructions in this article below. They will help you fully get rid of Putty ransomware’s malicious files. In case you are having difficulties in manually removing this virus, experts advise using an advanced anti-malware program as the best tool for the job, because it will automatically get rid of all malicious objects and protect the system in the future.

In case your system’s files have been encrypted by Putty ransomware, recommendations are to focus on restoring them using the alternative methods in step “2. Restore files encrypted by Putty Virus” below. But, bear in mind that some these methods tamper with the files and you should backup the encrypted data before trying to mess with it.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share