Remove Random6 Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove Random6 Ransomware and Restore Encrypted Files

This article aims to help you remove the newly detected Random6 ransomware dropping “RESTORE-{random 6 characters}-FILES.txt” ransom note and show how you can get your files back.

A new ransomware virus known as Random6, because it uses six random characters for file extension and unique identification has been detected by researcher Marcelo Rivero (@MarceloRivero).
The virus uses multiple different tactics to slither itself onto the computers of victims after which encrypt them files and deny the user from opening them unless a ransom is paid. In the event that your computer has been infected by the Random6 ransomware virus, we recommend that you read the following material.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionRandom6 encrypts the files, making them non-openable. The virus then drops a ransom note asking money to be paid to get them back.
SymptomsFiles are encrypted with an added 6 character file extension to them.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Random6


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Random6.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Random6 Ransomware – Distribution Methods

Since Random6 was detected to attack both companies and individual victims, the virus may be spread in more than one methods. One of those methods is reported to be via e-mail spam messages that carry malicious e-mail attachments in them. Such e-mails often pose as legitimate e-mails and their newest form includes carrying malicious Microsoft Word documents which infect your computer as soon as you click on the “Enable Content” button which triggers macros.

Other methods by which an infection with Random6 can take place is if the malicious files are downloaded via a fake web link posing as a legitimate button in the spam e-mail being sent, for example, the malicious spam below:

In addition to this, Random6 malicious files can also be uploaded online on torrent sites or suspicious software-providing sites. The virus may pretend to be a fake installer, fraudulent program activator or other key generators or license makers.

Random6 – More Information

As soon as it has infected your computer, Random6 ransomware aims to drop malicious files on multiple different Windows locations. The files may be under different, often random names, for example:


After the files are dropped on the computer the Random6 virus may create registry entries in the Run and RunOnce keys for the malicious file that is responsible for the file encryption process. These sub-keys of the Windows Registry Editor are located in the following places:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this activity, the Random6 ransomware virus also aims to perform other activities on the compromised computer among which may be the deletion of all the shadow volume copies as well as backups on the infected computer. This is achievable in Command Prompt via the bcedit and vssadmin commands when the virus runs them as an administrator without the user noticing:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

Among the malicious activities of Random6 ransomware is to drop it’s ransom note, named “RESTORE-{random 6 characters}-FILES.txt”. It has the following message for the victims of this virus:

“Your files are Encrypted!
For decryption send letter on email in letter attach your Personal ID.
If email don’t works, register here:,
send letter to BM-N8azNh9xNVf2$gvav8pc3Uc9CCXtXMu
With your Personal ID and email for contacts.
After you send payment to given BTC adress in answer, you will get your files restored.
Your Personal ID:”

Random6 – Encryption Process

After Random6 infects your computer and triggers the malicious file which is responsible for encryption, it immediately attacks your documents, photos, music, videos, archives and other types of files. Among the file extensions targeted by Random6 may be many, for example:


After the encryption process by Random6 has completed, the files can no longer be opened. They are added a random file extension with 6 characters and it is the same for every file and the ransom note as well. The may look like the following:

Remove Random6 Ransomware and Restore Your Files

After the Random6 ransomware has infected your computer, the first action you must perform is to extract the encrypted files away from your computer (backup).

Then you can continue removing the malicious objects which Random6 creates on your computer. One method to do this is to follow the removal instructions after this article. Since manual removal may prove to be tricky primarily because Random6 modifies multiple different types of objects in Windows which may be risky to remove, experts advise using a more automatic approach. A ransomware-specific anti-malware scanner is advisable to be used in order to get rid of the malicious objects and settings changed by Random6 ransomware on your computer and protect it in the future as well.

If you are looking for a method to restore your files after you have removed Random6 ransomware, we have several alternative suggestions for you in step “2. Restore files encrypted by Random6”. They are a good temporary solution until malware researchers release a decryptor for this virus with which you can directly decrypt all files for free. Furthermore, bear in mind to use those methods at your own risk and always to backup the encrypted files and try the methods on copies of them instead.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share