Remove Tilde Ransomware and Restore .~ Encrypted Files - How to, Technology and PC Security Forum |

Remove Tilde Ransomware and Restore .~ Encrypted Files

sensorstechforum-ransom-note-tildeA very interesting ransom virus, named Tilde has been detected to add the .~ (tilde sign) file extension to the files it encrypts. It uses a very strong AES encryption and demands 0.8 BTC from infected users. Tilde ransomware also changes the wallpaper of the infected computer with its ransom note aiming to scare off users into paying the ransom, claiming that it also uses a uniquely generated RSA key to strengthen its encryption. The ransomware also drops a .ini file and a .bmp image containing its ransom instructions. Users who have become victims of Tilde ransomware are strongly advised not to perform any activities associated with paying the ransom money to cyber crooks. Instead, we recommend reading this article to learn how to remove Tilde ransomware and try to restore files which cannot be directly decrypted.

Threat Summary



Short DescriptionThe malware encrypts users files and demand 0.8 BTC as a ransom payoff.
SymptomsThe user may witness ransom message as a desktop with instructions on how to make the payoff. Files are encrypted with the “.~” sign as a file extension.
Distribution MethodVia a malicious e-mail attachment.
Detection Tool See If Your System Has Been Affected by Tilde


Malware Removal Tool

User ExperienceJoin our forum to Discuss Tilde Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Tilde Ransomware – How Does It Replicate

There are several methods by which cyber criminals may distribute this virus all over the web. They include a huge investment into the latest tools that bypass standard OS defenses:

  • Program obfuscators.
  • Exploit kits.
  • JavaScript.
  • Spam bots or spamming services.
  • File joiners.

All of the different tools may be used to spread the virus via e-mail. One method of e-mail attacks is undertaking massive spam campaigns to infect as many users as possible. One of those e-mail subjects may be a free upgrade or a promise of anything for free. Users have also reported e-mails from banking institutions claiming their accounts have been suspected. Most e-mails use deceptive tactics just to get users to start opening the malicious e-mail attachments or URLs which can infect their computer via different combinations of the abovementioned malicious tools.

Malware attacks by Tilde ransomware may also be targeted against specific organizations by using spoof e-mails. This means that the black hat hackers may pretend to be someone from the company and send an e-mail address to the local e-mail server to infect computers in the local area network of the company like seen in the TV series Mr.Robot.

Some blackhats may also use the services of ad-supported applications, like browser hijackers which may cause direct redirects to malicious URLs if paid to do so.

Tilde Ransomware – In-Depth Analysis

After Tilde has successfully infected the computer of its victim, it may create one or more malicious files in several usually targeted Windows Folders:

commonly used file names and folders

The files may have different names, ranging from completely random to names appearing like legitimate Windows processes, such as svchost.exe, for example.

As soon as it has made the malicious files, Tilde ransomware may immediately start encrypting data and create registry values so that it runs every time you boot Windows, They may be located in the following keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Tilde Ransomware may begin to scan for a wide variety of file types, primarily associated with videos, music, photos, databases, virtual drives, remote drives and other files. After it detects the file extensions it is looking for; Tilde encrypts them using a very strong AES encryption. The files can no longer be opened after encoding with any software. They are appended the .~ file extension, and they may look like the following example:


After encryption, the Tilde Ransomware drops the following files containing its ransom note:

C:\Documents and Settings\Default User\Desktop\_RECOVER_INSTRUCTIONS.ini
C:\Documents and Settings\Default User\Templates\_RECOVER_INSTRUCTIONS.ini
C:\Documents and Settings\Local\Temp\Simple_Encoder\img.bmp

These files have the ransom note as a text .ini file and a .bmp image. Tilde Ransomware may modify the following registry key to change the wallpaper to its ransom note:

In the key:
HKEY_CURRENT_USER\Control Panel\Desktop
The value string:
“Wallpaper”=” C:\Documents and Settings\Local\Temp\Simple_Encoder\img.bmp”

The ransom note has the following text:

→ “All your system is encrypted.
All your files (documents, photos, videos) were encrypted.
It’s impossible to get access to your files without necessary decrypt key.
All your attempts to solve problem yourself will be unsuccessful!
We suggest you to read some articles about this type of encryption:
Now you have two options to solve the problem:
1. Format your hard disk. This way you’ll lose all your files.
2. Pay 0.8 Bitcoin and get key of decryption. At the end of this ad you’ll see your personal ID and our contact information.
Now you should send us email with your personal ID. This email
will be as confirmation you are ready to pay for decryption key.
After payment we’ll send you key of decryption with instructions how to decrypt the system.
Please, don’t send us emails with threats. We don’t read it and don’t reply!
We guarantee we’ll send you the decryption key after your payment so you’ll get access to all your files.
Our e-mail address: [email protected]

Tilde Ransomware – Conclusion, Removal, and File Restoration

As a bottom line, Tilde Ransomware is a relatively new variant, and it may be a heavily modified ransomware of other viruses, like Cerber, Troldesh or Locky or any other viruses that may be sold online. Cyber-criminals behind it aim to motivate users into paying and this is why contacting them is not suggestable.

Instead, experts advise removing Tilde ransomware completely from your computer. To do this, we recommend using an advanced anti-malware program since it will swiftly and automatically remove Tilde ransomware from your computer, in case you fail to locate manually and delete its files. More information you can find by carefully following the removal instructions below. They also include file restoration alternatives in step “3.Restore Files Encrypted by Tilde” below. These are methods with which you may attempt to revert your files in case direct decryption is not available. We also suggest you follow this article since we will update it as soon as a free decryptor has been released out into the public.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share