Remove SmartRansom and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove SmartRansom and Restore Encrypted Files

Article created to show you how to remove SmartRansom Chinese ransomware virus and restore files encrypted by it.

A ransomware virus, that has a QR scanning code embedded in it’s ransom note so that a payoff in BitCoin can be paid by scanning the code from a phone with BitCoin wallet app. The virus has been detected in the end of May 2017 and has been reported to be spread only for Chinese users, but this does not mean that it can’t also be spread all over the globe. In case your computer has been infecred by the SmartRansom Chinese virus , we strongly advise you to read this article.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts the files on the computers infected by it without adding anything to them. Demands sto scan a QR code for payment to get the files back. (BitCoin payoff)
SymptomsSmartRansom, also known as Chinese ransomware displays a picture of a Chinese photo model and then changes it to the ransom note with the QR code and instructions.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by SmartRansom


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss SmartRansom.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

SmartRansom Virus – Distribution Methods

SmartRansom virus is the type of malware that may be spread via malicious e-mail spam, also known as malspam. Such e-mail messages aim to trick the victim into opening an e-mail attachment which is usually in an archive (.zip, .rar, .etc). The e-mails portray the attachment as an invoice, letter of confirmation or other document that “must be opened immediately”.

In addition to infecting victims using this strategy, the SmartRansom ransomware may also infect a certain computer by taking advantage of fake installers, web injectors from malicious web links sent online and fake updates.

SmartRansom – Analysis

As soon as the infection with this ransomware virus occurs, multiple types of files are dropped on the victim’s computer. These files include the malicious executable of the virus, named SmartRansom.exe, as detected by Payload Security below:

This file aims to read information from the infected computer, like it’s name and GUID. Then it contacts the following two hosts via TCP port 80:


The executable also imports numerous .dll files spread among different Windows locations. These files aim to create registry entries in sub-keys, like the Run and RunOnce keys. This enables the virus to run alongside Windows’s boot process. If those entries are created, you can find them in the following sub-keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to this activity, the ransomware also extracts an image which is set as a lockscreen image. The image, named AArI.jpg has the ransom note written in Chinese and can be exited from with the key combination Alt+F4:

Translated message:

Would you like to know who am I?
I am answering, your daddy.
I have enciphered your important computer files
You want to know how to get them back?
Scan the 2D code from your screen and pay me.
I will then send you the tool for decryption.
Do not forget to write down the key from the above part of the screen In order for me to help you decrypt this.

SmartRansom Encryption Process

The encryption process by SmartRansom is connected with targeting specific types of files to render no longer able to be opened. These files are reported by researchers to be the following:

→ .au3, .BMP, .CUR, .doc, .docx, .GIF, .ICO, .JPG, .MID, .MIDI, .pdf, .PNG, .ppt, .pptx, .prn, .psd, .rar, .txt, .WAV, .xls, .xlsx, .zip

After the files encrypted by SmartRansom have been encoded, the virus does not leave behind any file extension or marker on the files that is showing they have been encoded.

Remove SmartRansom Ransomware and Restore Encrypted Files

Before beginning the removal process of files encrypted by SmartRansom ransomware, researchers advise victims to backup their encrypted files before beginning the removal and recovery process.

To remove the SmartRasnom Chinese ransomware infection, you can follow either the manual or automatic removal instrucions below. However, since this virus creates multiple objects in various locations, cybersecurity experts advise removing SmartRansom automatically by using an advanced anti-malware program. It will not only fully remove this virus from your computer but will also make sure that your system is protected against future attempts on it’s security.

In case you are looking for methods to restore your files, at the moment there is no free decrypter. We will update this article as soon as there is one, so we suggest you to follow it. In the meantime, you can also try recovering your files by following the alternative methods in step “2. Restore files encrypted by SmartRansom” below. They are not 100% guarantee you will be able to restore the files, but with their aid, at least some of the data can be retrieved.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share