.Ransom File Virus – Remove and Restore Your Files
THREAT REMOVAL

.Ransom File Virus – Remove and Restore Your Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by .Ransom File Virus and other threats.
Threats such as .Ransom File Virus may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article will help you remove .Ransom File Virus effectively. Follow the ransomware removal instructions at the bottom of the article.

.Ransom is the extension appended to files encrypted by a newly emerged ransomware written in the MSIL (Microsoft Intermediate Language). Some researchers might argue that it is based on HiddenTear. Once the payload for the ransomware is executed, your data will become encrypted and the virus will leave a ransom note with instructions for payment. Read on below to see how you could try to potentially restore some of your data.

Threat Summary

Name.Ransom File Virus
TypeRansomware
Short DescriptionThe ransomware virus encrypts files on your computer and demands 0.3 Bitcoin to be paid as a ransom.
SymptomsThe ransomware will encrypt your files and then place the extension .Ransom on each encrypted file.
Distribution MethodSpam Emails, Email Attachments, Executables
Detection Tool See If Your System Has Been Affected by .Ransom File Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Ransom File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Ransom File Virus – Update December 2017

The latest developments regarding the .Ransom File Virus provides evidence that is either Ranion ransomware or somebody used that code and made the latest version of the .Ransom File Virus look like it since Ranion is RaaS (Ransomware as a Service) type of virus.

The new email for contact in the 1.07 version is the following:

Besides the email, a victim’s computer would get the following picture as the new Desktop background:

That also serves as a ransom message and states the following:

YOUR FILES HAVE BEEN ENCRYPTED

WITH -RANSOMWARE-

.:..:.

TO DECRYPT YOUR FILES YOU NEED
AN AES DECRYPTION KEY

** CONTACT US IN 7 DAYS **

OR YOU CAN’T DECRYPT YOUR FILES
ANYMORE

~~~

From the note we find out that the AES encryption algorithm is being used in the new version and that victims have 7 days to contact the cybercriminals. If you are infected, you are not advised to contact the criminals as they might not recover your files and nobody could guarantee that everything will be back to normal.

.Ransom File Virus – Infection

The .Ransom file virus could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer machine, is circling the Internet and a malware sample has been found by malware researchers. You can see the VirusTotal detections for different security programs of that sample by checking the screenshot below:

The .Ransom file virus might also distribute its payload file on social media websites and networks for file-sharing. Freeware that is found on the Web could be presented as useful but at the same time could hide the malicious script for the cryptovirus. Refrain from opening files just as you have downloaded them, especially if they come from suspicious sources such as links or e-mails. Instead, you should scan them beforehand with a security tool, while also checking the size and signatures of these files for anything that seems out of the ordinary. You should read the ransomware preventing tips thread in the forum.

.Ransom File Virus – In Detail

The .Ransom file virus is called that way because it encrypts files while putting the .ransom extension to them. Malware researchers claim that the ransomware is written on the MSIL language. MSIL stands for Microsoft Intermediate Language, but by today’s modern standards its name would be CIL (Common Intermediate Language).

The .Ransom file virus could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System, and one such entry is outlined right here:

→HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

The ransom note will show up after the encryption process is complete. The note is written in English, but also featured in other languages. Inside, you will see instructions for how to proceed with payment and the recovery of your files. The ransom note file for English-speaking users is called “README_TO_DECRYPT_FILES.html”, but has other names for different languages, including:

  • LEAME_PARA_DESCIFRAR_ARCHIVOS.txt
  • LEGGIMI_PER_DECIFRARE_I_FILES.txt
  • LESEN_SIE_MICH_UM_DATIEIEN_ZU_ENTSCHLUSSELN.txt
  • LISEZ_MOI_POUR_DECHIFFRER_LES_FICHIERS.txt
  • PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt
  • README_TO_DECRYPT_FILES.txt

The .html file will load the ransom note in a browser. You can preview the ransom message from the below picture:

That ransom message reads the following:

WARNING Encrypted Files
!!! YOUR FILES HAVE BEEN ENCRYPTED WITH RANSOMWARE !!!
The Key to Decrypt Your Files Will Be DELETED in 7 Days
Send Me 0.3 Bitcoins
You Have Only 7 Days From Now
Bitcoin Address: 1NTKmeeLp52y9oZVfVZEdUCJBK9xhTcZNW
Buy Bitcoins On:
– https://paxful.com/
– https://localbitcoins.com/
– https://www.bitpanda.com/
After Send Me an Email With Your ID: [redacted] [email protected]
I Will Send You the Key to Decrypt Your Files

The ransom note and any instructions from the .Ransom file virus should not be followed. You should NOT under any circumstance contact the cybercriminals. Your files may not even get restored, and nobody could give you a guarantee for it. Besides, supporting criminals is not a good idea. Also, the crooks may get inspired to do more criminal acts, such as the creation of more ransomware viruses.

.Ransom File Virus – Encryption Process

The .Ransom file virus ransomware will probably seek to encrypt files that have the following extensions:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

Every file that gets encrypted will receive the same extension appended to each one of them, and that is the .ransom extension. The algorithm used for encryption is not known, but is probably AES.

The .Ransom file virus cryptovirus has not been seen to erase the Shadow Volume Copies from the Windows operating system, but that may be a possibility. That will also make the encryption rocess more viable since it will eliminate one of the ways for decrypting your files. Continue to read and see what kind of ways you can try out to potentially recover some of your data.

Remove .Ransom File Virus and Restore Your Files

If your computer got infected with the .Ransom file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by .Ransom File Virus and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as .Ransom File Virus.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove .Ransom File Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .Ransom File Virus files and objects
2. Find files created by .Ransom File Virus on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .Ransom File Virus

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...