.Ransom File Virus – Remove and Restore Your Files


This article will help you remove .Ransom File Virus effectively. Follow the ransomware removal instructions at the bottom of the article.

.Ransom is the extension appended to files encrypted by a newly emerged ransomware written in MSIL (Microsoft Intermediate Language). Some researchers might argue that it is based on HiddenTear. Once the payload for the ransomware is executed, your data will become encrypted and the virus will leave a ransom note with instructions for payment. Read on below to see how you could try to potentially restore some of your data.

Threat Summary

Name: .Ransom File Virus
Short Description: The ransomware virus encrypts files on your computer and demands 0.3 Bitcoin to be paid as a ransom.
Symptoms: The ransomware will encrypt your files and then place the extension .Ransom on each encrypted file.
Distribution Method: Spam Emails, Email Attachments, Executables

.Ransom File Virus – Update December 2017

The latest developments regarding the .Ransom File Virus provide evidence that it is either Ranion ransomware, or that somebody used that code and made the latest version of the .Ransom File Virus look like it, since Ranion is a RaaS (Ransomware as a Service) type of virus.

The new email for contact in the 1.07 version is the following:

  • secondgroupe@mail2tor.com

Besides the email, a victim’s computer would get the following picture as the new Desktop background:

That also serves as a ransom message and states the following:








From the note we find out that the AES encryption algorithm is being used in the new version and that victims have 7 days to contact the cybercriminals. If you are infected, you are advised not to contact the criminals, as they might not recover your files and nobody could guarantee that everything will be back to normal.

.Ransom File Virus – Infection

The .Ransom file virus could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, is circulating on the Internet, and a malware sample has been found by malware researchers. You can see the VirusTotal detections for different security programs of that sample by checking the screenshot below:

The .Ransom file virus might also distribute its payload file on social media websites and file-sharing networks. Freeware that is found on the Web could be presented as useful but at the same time could hide the malicious script for the cryptovirus. Refrain from opening files as soon as you have downloaded them, especially if they come from suspicious sources such as links or e-mails. Instead, you should scan them beforehand with a security tool, while also checking the size and signatures of these files for anything that seems out of the ordinary. You should read the ransomware prevention tips thread in the forum.

.Ransom File Virus – In Detail

The .Ransom file virus gets its name from the .ransom extension it appends to the files it encrypts. Malware researchers claim that the ransomware is written in MSIL. MSIL stands for Microsoft Intermediate Language, but by today’s modern standards its name would be CIL (Common Intermediate Language).

The .Ransom file virus could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System, and one such entry is outlined right here:


The ransom note will show up after the encryption process is complete. The note is written in English, but also featured in other languages. Inside, you will see instructions for how to proceed with payment and the recovery of your files. The ransom note file for English-speaking users is called “README_TO_DECRYPT_FILES.html”, but has other names for different languages, including:


The .html file will load the ransom note in a browser. You can preview the ransom message from the below picture:

That ransom message reads the following:

WARNING Encrypted Files
The Key to Decrypt Your Files Will Be DELETED in 7 Days
Send Me 0.3 Bitcoins
You Have Only 7 Days From Now
Bitcoin Address: 1NTKmeeLp52y9oZVfVZEdUCJBK9xhTcZNW
Buy Bitcoins On:
– https://paxful.com/
– https://localbitcoins.com/
– https://www.bitpanda.com/
After Send Me an Email With Your ID: [redacted] alka@protonmail.com
I Will Send You the Key to Decrypt Your Files

The ransom note and any instructions from the .Ransom file virus should not be followed. You should NOT under any circumstance contact the cybercriminals. Your files may not even get restored, and nobody could give you a guarantee for it. Besides, supporting criminals is not a good idea. Also, the crooks may get inspired to do more criminal acts, such as the creation of more ransomware viruses.

.Ransom File Virus – Encryption Process

The .Ransom file virus ransomware will probably seek to encrypt files that have the following extensions:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

Every file that gets encrypted will have the same extension appended to its name, and that is the .ransom extension. The algorithm used for encryption is not known, but is probably AES.

The .Ransom file virus cryptovirus has not been seen to erase the Shadow Volume Copies from the Windows operating system, but that may be a possibility. That will also make the encryption process more viable since it will eliminate one of the ways for decrypting your files. Continue to read and see what kind of ways you can try out to potentially recover some of your data.
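The indicators described in this article (the .ransom extension, the README_TO_DECRYPT_FILES.html note and the targeted extension list) are enough for a read-only sweep that shows how far the encryption got on a drive. The Python script below is an added example, not part of the original article or of any vendor tool; the function names and the sample file tree are constructed for illustration, and it assumes the extension is appended after the original one (for example invoice.docx.ransom).

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article; matching is case-insensitive because the
# article writes the extension both as .Ransom and .ransom.
ENCRYPTED_SUFFIX = ".ransom"
RANSOM_NOTE = "readme_to_decrypt_files.html"   # English note name, lower-cased
TARGETED = set(".7z .bmp .doc .docm .docx .html .jpeg .jpg .mp3 .mp4 .pdf .php "
               ".ppt .pptx .rar .rtf .sql .tiff .txt .xls .xlsx .zip".split())

def triage(root):
    """Walk root and summarise traces of the infection.
    Read-only: only file names are inspected, nothing is opened or changed."""
    report = {"encrypted": [], "notes": [], "by_type": Counter(), "at_risk": 0}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                # "invoice.docx.ransom" -> original type ".docx"
                original = os.path.splitext(lower[:-len(ENCRYPTED_SUFFIX)])[1]
                report["encrypted"].append(path)
                report["by_type"][original or "(none)"] += 1
            elif os.path.splitext(lower)[1] in TARGETED:
                # A targeted file type that has not been renamed (still intact).
                report["at_risk"] += 1
    return report

def make_sample(root):
    """Constructed sample tree of empty files standing in for a user profile."""
    names = ["Docs/invoice.docx.ransom", "Docs/budget.XLSX.Ransom",
             "Docs/notes.txt", "Docs/README_TO_DECRYPT_FILES.html",
             "Pics/cat.jpg.ransom", "Pics/dog.png"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        r = triage(tmp)
        print(len(r["encrypted"]), "encrypted,", len(r["notes"]), "ransom note(s),",
              r["at_risk"], "targeted-type file(s) still intact")
        for ext, count in r["by_type"].most_common():
            print(f"  {ext}: {count}")
```

Pointing triage() at a mounted copy or image of the affected drive, rather than the live system, keeps the evidence unchanged while you decide what to restore from backup.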

Remove .Ransom File Virus and Restore Your Files

If your computer got infected with the .Ransom file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
