Ransomware Removal and Restore Guide
THREAT REMOVAL Ransomware Removal and Restore Guide ransomware removal and restore files guide

Security researchers have found a new ransomware strain that targets computer users. The threat is classified as data locker ransomware as it corrupts essential data stored on infected machines and then asks victims for a ransom payment. Its name comes from the extension it appends to all encrypted files. The ransomware infection is further associated with a file Readme.txt dropped on the computer. The file contains ransom message send by ransomware authors.

This article aims to help all victims of ransomware to deal with its complete removal and reveal alternative options for files recovery.

Threat Summary
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension to them after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments, Compromised Web Pages
Detection Tool See If Your System Has Been Affected by


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does Ransomware Infect?

Most of the times ransomware like infect systems by dropping a single executable file on the PC. That file can be embedded in word, excel or pdf document and then send to you as an attached file to an email message. This technique is preferred by hackers because it allows them to spoof the email sender name and the address. Thus by impersonating popular business and governmental organizations, they hope to trick you into infecting your device with the ransomware. Another standard way for ransomware payload distribution is web links that redirect to corrupted web pages. Such links are posted in emails, online advertisements, and social media.

What Does Ransomware Do to Your Computer?

Once payload is running on the computer, it initiates a sequence of malicious actions to complete the attack. First, it may connect its server to send data about the system and download additional malicious components. Then it may create new files in some essential Windows system folders and then activates its malicious processes.

Probably ransomware will access Windows Registry editor to create new values that will enable its payload to start on each system turn on. In addition, the same keys –
Run and RunOnce are likely to be modified after the cypto virus drops its ransom note on the PC. As these keys control all processes that need to start when the Windows is launched and all currently running processes, ransomware uses them to display its ransom note at the end of its infection.

Its ransom note might be situated on the Desktop under the name Readme.txt. What it reads is:

Access to your files was limited.
To return your files you have 72 hours. Write to us.
Our contacts.
Our email:
ATTENTION. To email ( write messages only from these e-mail services. From other email services, messages may not be received by us.
ATTENTION. We will reply you within 24 hours. If there is no response from us, please send your message again.
Tor email: colecyrus@torbox3uiot6wchz.onion
To register tor e-mail, use the service http://torbox3uiot6wchz.onion
This link opens in tor browser. Link to tor browser
Send us 3 encrypted files, each no more than 2 MB (only pictures, text documents or shortcuts).
We will decrypt them to you for free, to confirm that we can help you.
Together with the decrypted files you will receive further instructions


The given time frame aims to make you anxious and urge you to pay the ransom as soon as possible. Even though the demanded amount is not mentioned, it probably needs to be transferred in Bitcoins. For the sake of your security, it is better to avoid any negotiations with the crooks. There is no guarantee that you will receive a working solution for the encrypted files even if you pay the ransom.

Which Are the Files Encrypted by Ransomware?

Like most crypto ransomware is likely to have all file types that are frequently used set in its target data list. And the reviewed crypto virus can scan for files with file extensions, associated with the following file types:

  • Documents
  • Videos
  • Audio files
  • Pictures
  • Archives

The original code of all target files is modified by the ransomware via its built-in encryption module. According to security researchers uses AES-ECB or stream cipher to encrypt files. Afterward it marks them all with an extension of the same name and drops a ransom message that provides information on their decryption. The transformation restricts you from opening your files until you apply the decryption key.

How to Remove Ransomware and Restore Files

All steps that will help you to get rid of ransomware completely are covered in our detailed removal guide below. You can choose whether you want to remove it manually or automatically. Have in mind that due to the complexity of ransomware code the manual removal of all its files and objects from the infected host can be a hard task even for the tech savvy guys. So if you ransomware is still on the system even after you fulfill all steps from the manual removal, be advised to take the automatic approach.

After the removal, you can check the alternative files restore options that we choose for you. You will need to back up all encrypted files before the restore process because if something goes wrong during the restore process, it can be used for the next restore attempts.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share