.pwned Virus Files – Remove and Restore Data - How to, Technology and PC Security Forum | SensorsTechForum.com

.pwned Virus Files – Remove and Restore Data

This article has been created to guide you on how to remove the Decryption Assistant ransomware and restore .pwned encrypted files.

A ransomware infection known as the Decryption Assistant virus has been reported to be spreading in the wild since the second half of May 2017. After it infects Windows-based systems, the virus uses the AES encryption algorithm to encrypt the files on the compromised computers, so that they can no longer be opened. After this has been done, the .pwned ransomware infection leaves behind a ransom note, named “Decryption Assistant”, with instructions on how to pay a hefty Bitcoin fee in order to decrypt the files. If you have become a victim of this infection, we recommend reading this article thoroughly.

Threat Summary

Name: .pwned Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts documents, music, videos and other important files on the computers it infects. Demands a hefty payoff in Bitcoin for decryption.
Symptoms: Slow computer, freezes during the encryption, changed wallpaper, opened file with ransom instructions, named “Decryption Assistant”. Encrypted files have the .pwned file extension added.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does .pwned Ransomware Infect

To get onto your computer, the .pwned ransomware relies on a loader, also known as the infection file. Such a loader usually drops the malicious files of the ransomware while remaining obfuscated.

Such a malicious file may pretend to be a legitimate e-mail attachment or a file uploaded online. The e-mails that distribute the .pwned file virus may contain deceitful messages. The files may pretend to be:

  • Invoices.
  • Fake flash player updates.
  • Fake key generators.
  • License activators.
  • Updates for software such as Flash Player or other programs that are often used.

Once the victim opens the malicious file, the inevitable happens and the virus begins its activity on the compromised computer.

.pwned Ransomware – More Information

Once the .pwned file virus has infected your computer, the malware drops its malicious files. One of them is named FlashPlayerUpdate.exe, and other files may also be dropped in the following locations:

  • %Downloads%\HANSA\
  • %Desktop%
  • %SystemDrive%\chicken\
  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
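A triage sketch for the indicators listed above, as an added example that is not part of the original article: it walks a directory tree and reports the dropper file name, the two unusual folder names, and files carrying the .pwned extension. The function names and the sample tree are constructed for illustration, and a folder-name match on its own is only a weak signal.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article; matching is case-insensitive
# because Windows file systems are.
DROPPER_NAME = "flashplayerupdate.exe"
SUSPECT_DIRS = {"hansa", "chicken"}  # %Downloads%\HANSA\ and %SystemDrive%\chicken\
ENCRYPTED_EXT = ".pwned"

def triage(root):
    """Walk root and return findings grouped by indicator type."""
    findings = {"dropper": [], "suspect_dir": [], "encrypted": []}
    # Unreadable directories are skipped instead of aborting the scan.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for d in dirnames:
            if d.lower() in SUSPECT_DIRS:
                findings["suspect_dir"].append(os.path.join(dirpath, d))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f.lower() == DROPPER_NAME:
                findings["dropper"].append(full)
            elif f.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(full)
    return findings

def build_sample_tree(base):
    """Constructed sample layout so the example runs offline."""
    base = Path(base)
    (base / "Downloads" / "HANSA").mkdir(parents=True)
    (base / "chicken").mkdir()
    (base / "Documents").mkdir()
    (base / "Downloads" / "HANSA" / "FlashPlayerUpdate.exe").write_bytes(b"MZ")
    (base / "Documents" / "report.docx.pwned").write_bytes(b"\x00" * 16)
    (base / "Documents" / "notes.txt").write_text("untouched")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in triage(build_sample_tree(tmp)).items():
            print(kind, len(paths), *paths, sep="\n  ")
```

On a real system, point `triage()` at a user profile or drive root and review every hit by hand before deleting anything.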

After the malicious files of the .pwned ransomware have been dropped, the virus may assume administrative privileges by executing a malicious script. From there, Decryption Assistant ransomware may begin to modify the Windows Registry, more specifically the following registry sub-keys:


As soon as the registry entries are modified, the ransomware may be able to run on system start and encrypt the files before any security software loads up.

In addition to this, the .pwned file infection may further delete the shadow volume copies on the infected computer. This is achievable without the user noticing. The following commands trigger the deletion:

process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

This is done with the purpose of reducing the chances of restoring the files encrypted with the .pwned file extension.
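Detection logic for the commands quoted above, as an added example that is not part of the original article: it matches the three recovery-inhibiting commands in process-creation command lines and raises the severity when shadow copy deletion appears together with a bcdedit recovery change on the same host. The rule names, host names and event lines are constructed for illustration.

```python
import re

# One pattern per recovery-inhibiting command quoted in the article.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Windows\System32\notepad.exe C:\Users\a\todo.txt"),
    ("WS-02", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("WS-02", "bcdedit.exe /set {default} recoveryenabled no"),
    ("WS-02", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("SRV-03", "vssadmin.exe list shadows"),  # benign administration
    ("SRV-03", "bcdedit.exe /enum"),          # benign administration
]

def match_rules(command_line):
    """Return the sorted names of all rules the command line triggers."""
    return sorted(n for n, rx in RULES.items() if rx.search(command_line))

def detect(events):
    """Group hits per host; 'high' means shadow copy deletion plus at
    least one bcdedit recovery change was seen on the same host."""
    hits = {}
    for host, cmd in events:
        for rule in match_rules(cmd):
            hits.setdefault(host, set()).add(rule)
    report = {}
    for host, rules in hits.items():
        combined = "shadow_copy_deletion" in rules and len(rules) >= 2
        report[host] = {"rules": sorted(rules),
                        "severity": "high" if combined else "medium"}
    return report

if __name__ == "__main__":
    for host, info in detect(SAMPLE_EVENTS).items():
        print(host, info["severity"], ", ".join(info["rules"]))
```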

.pwned File Ransomware – Encryption Process

The primary purpose of Decryption Assistant ransomware is to encode the important files of its victims. The virus is pre-programmed to scan for specific file types, and if a file's extension matches one of those it is created to encrypt, the .pwned virus enciphers the file. Among the targeted file extensions are believed to be the following:


After the encryption process by the Decryption Assistant ransomware is complete, the files can no longer be opened. This is because blocks of data in those files are replaced with data from the encryption algorithm AES, also known as the Advanced Encryption Standard. The files may appear like the following if they are encrypted by this ransomware:

The .pwned ransomware also does not forget to notify the victim of the situation:

All important data including your personal pictures, music, videos, documents and many more has been encrypted. The data cannot be recovered unless a fee has been paid to decrypt them.
The private decryption key for the data has been stored on our server and will be sent to this computer once the payment is sent. Any attempt to removing this software will lead an immediate destruction to the private key.
To obtain your decryption key, you will first need a bitcoin wallet to send us the payment. You can start the process by clicking {Decrypt Files} which will start the payment process.
We advise you immediately buy the bitcoins before the countdown timer drops to zero which will immediately destroy your private key.

Remove .pwned Ransomware and Restore Your Files

Before actually removing the .pwned file virus from your computer, we recommend that you back up your files.

After this, you can proceed with the removal by following the removal instructions below. For maximum effectiveness of the removal and future protection of your files, security experts always advise using an anti-malware program to remove .pwned ransomware.

At this point, there is no known decryption for the .pwned ransomware infection. However, some of the files encrypted by this ransomware can still be restored with alternative methods, like the ones we posted in step “2. Restore files encrypted by .pwned Virus” below. They are not 100% guaranteed to work, but there is a good chance you may restore a big portion of your files by using them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
