Remove CuteRansomware Virus and Restore .Encrypted (加密)Files - How to, Technology and PC Security Forum |

Remove CuteRansomware Virus and Restore .Encrypted (加密)Files


CuteRansomware is the name of a virus, which uses Google Docs to try and stay hidden from security software. It encrypts specific files. The extension this ransomware puts to all encrypted files is .encrypted in Chinese or 加密. To remove this ransomware virus and see how you can try to restore your files, you should read the article carefully.

Threat Summary

Short DescriptionThe ransomware will encrypt all of your files, but may not always show a ransom note, depending on the variant. The file extensions which the ransomware searches to encrypt might be small in number, but not in importance.
SymptomsThe ransomware encrypts files and sets a new extension to each of them – .encrypted / . 加密.
Distribution MethodSpam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by cuteRansomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss cuteRansomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CuteRansomware – Infection Spread

CuteRansomware might be spread with spam emails. Such emails have file attachments. Said attachments might contain malicious code, so opening them is not advised. If opened, your computer will be infected in an instant before you can react in any way. Other ways of spreading the infection to your PC is through social media sites and file sharing networks. The malware which contains the payload could be put in one of those platforms. Avoiding infection is manageable if you are very careful with what you do online.

CuteRansomware – Technical Analysis

CuteRansomware is a crypto-virus that was detected by an AVG researcher. The virus is named after a string that is repeated many times in its code – cuteRansomware. It gained popularity a few days ago, and lots of security programs detected more activity around it.

The ransomware in actuality utilizes the code from a C Sharp (C#) application developed by Ma Shenghao. The code found on GitHub available for download under the name “my-Little-Ransomware” is mostly copy-pasted and used for encrypting people’s files. Little, but significant changes are made to the code. On GitHub, there is a description in Chinese, from which it becomes apparent that the virus can execute on every start of the Windows operating system. Also, it seems that it is targeting Chinese users as almost everything is written in Chinese.

The CuteRansomware may create the following registry key to enable the automatic boot from each start of the OS:


After encryption, the ransomware does not display a ransom note but rather a pop-up notification box, which states in Chinese that your files are encrypted. Researchers from Netskope have found that this variant again uses a Google Doc as a Command and Control (C&C) server to send the symmetric decryption key and avoid detection.


Image source:

Although, a new sample of the cuteRansomware is in fact detected by lots of security programs on the VirusTotal website:


Do not pay any ransom money that may be asked of you. Do not contact the cyber criminals if contact details are provided as there is no guarantee that that will lead to the decryption of your data or if they will even answer. Read further, to see ways in which you might be successful in restoring some files.

The CuteRansomware uses the RSA algorithm along with AES 128-bit ciphers for file encryption. The encryption and decryption keys are sent to the cyber crooks via Google Docs as mentioned above. In that way, they do not create an additional C&C server and avoid detection by security software.

The following extensions were encrypted by the original ransomware:

→.png, .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet. ai, .aif, .arw, .as, .as3, .asf, .asp, .asx, .avi, .bay, .bmp, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .db, .dbf, .dcr, .der, .dng. doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .fla, .flv, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg. jpg, .kdc, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .mrw, .msg, .nef, .nrw, .odb, .odc, .odm, .odp, .ods. odt, .orf, .p12, .p7b, .p7c, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel. prproj, .ps, .psd, .pst, .ptx, .r3d, .ra, .raf, .rar, .raw, .rb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .vcf. vob, .wav, .wb2, .wma, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip

The files which this version of the ransomware seeks to encrypt use some extensions from the above list as well as the following extensions:

→.bmp, .png, .jpg, .zip, .txt, .pdf, .pptx, .docx, .py, .cpp, .pcap, .enc, .pem, .csr

After the whole encrypting process is finished, files on your computer machine will have another extension appended to them – .encrypted or more accurately 加密.

Interestingly enough, in the description for the first version of the ransomware, it states that some files might be recoverable, only when their scrambled names are fixed.

The CuteRansomware virus is unknown whether it deletes Shadow Volume Copies from the Windows operating system. Continue reading the article to the end to find out what you can try to restore some of your files.

Remove CuteRansomware and Restore .Encrypted Files

If your computer machine got infected with the CuteRansomware virus, you should have some experience in removing malware. You should get rid of this ransomware. The recommended action for you to take is to remove the virus efficiently by following the step-by-step instructions guide provided down below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share