Remove Trojan.Ransomcrypt.S Completely

Short Description: Encrypts important user data and demands ransom in return.
Symptoms: The user may have their files encrypted without consent and may see a ransom note with instructions on how to pay for them.
Distribution Method: Malicious links, spam mail
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by Trojan.Ransomcrypt.S
User Experience: Join our forum to follow the discussion about the Trojan.Ransomcrypt variants.

A variant of the Trojan.Ransomcrypt ransomware infection, this particular trojan is famous for encrypting a wide array of file extensions and leaving a ransom note. The ransom note aims to scare users into paying the ransom via anonymous networks in return for the decryption keys, threatening that the files may otherwise be lost forever. Experts advise users not to comply in any way with the demands of the cyber crooks, because there is no guarantee that the files will be decrypted.

Trojan.Ransomcrypt.S – How Did I Get Infected?

Trojans of this type may be downloaded onto your computer by other malicious programs, such as trojan downloaders, that may have already infected it. Another way to get them is by visiting a malicious site that downloads the threat directly onto the user's PC, or by opening a dangerous spam mail attachment. Users are strongly advised to use spam filters, since some emails may be spoofed so that they appear to come from a well-known person or company, and the recipient falls into the trap.

Trojan.Ransomcrypt.S In Detail

According to Symantec, the .S variant of this trojan also encrypts certain files on the user's PC and leaves a ransom note. Once it has been activated on a target PC, it makes a copy of a malicious .dll file, called reg.dll, in the %Temp% folder. After doing so, the Trojan begins tampering with PC settings, creating the following registry entry for the copied .dll file:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WINUP" = "regsvr32 "%Temp%\reg.dll""

This registry entry makes the trojan run at every system startup. The next step is for the trojan to connect to the attackers' domain. One malicious domain identified by the Symantec threat analysis experts was:


After connecting to the remote domain, the threat downloads these files into the infected PC's %Temp% folder:
t0.da0; t0.daa; t0.da1
After downloading the files, it most likely uses them to encrypt user files of these formats:

→.txt .html .htm .css .wmv .wallt .odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd .pdd .pdf .eps .ai .indd .cdr .jpg .jpe .jpg .dng .3fr .arw .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f .der .cer .crt .pem .pfx .p12 .p7b .p7c

Just like CryptoWall Ransomware, the trojan then creates the HELP_DECRYPT.HTML file, which contains the same instructions as the CryptoWall ones.
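
The indicators described in this section can be checked with a read-only script. This is an added example, not code from the original article or from Symantec; the function name, its parameters and the output layout are illustrative assumptions, while the indicator names (WINUP, reg.dll, t0.da0, t0.daa, t0.da1, HELP_DECRYPT.HTML) are the ones listed above.

```powershell
# Added example: read-only check for the indicators named in this article.
# Function name, parameters and output layout are illustrative assumptions.
function Test-RansomcryptSIndicators {
    [CmdletBinding()]
    param(
        # Folder checked for the dropped files (default: current user's %Temp%).
        [string]$TempPath = $env:TEMP,
        # Root searched for ransom notes (default: current user's profile).
        [string]$NoteSearchRoot = $env:USERPROFILE
    )
    $findings = @()

    # 1. Persistence: the "WINUP" value under the per-user Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'WINUP' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Type = 'RunValue'; Location = "$runKey\WINUP"; Detail = $run.WINUP
        }
    }

    # 2. Files the article lists as copied or downloaded into %Temp%.
    foreach ($name in 'reg.dll', 't0.da0', 't0.daa', 't0.da1') {
        $file = Join-Path $TempPath $name
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            # Hash the file (read-only) so it can be looked up later.
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{
                Type = 'DroppedFile'; Location = $file; Detail = "SHA256 $hash"
            }
        }
    }

    # 3. Ransom notes. The article says CryptoWall creates the same file,
    #    so a note on its own does not identify this variant.
    $notes = Get-ChildItem -LiteralPath $NoteSearchRoot -Filter 'HELP_DECRYPT.HTML' -File -Recurse -ErrorAction SilentlyContinue
    foreach ($note in $notes) {
        $findings += [pscustomobject]@{
            Type = 'RansomNote'; Location = $note.FullName; Detail = "Created $($note.CreationTime)"
        }
    }
    return $findings
}

# Run for the current user; no output means none of the indicators were found.
Test-RansomcryptSIndicators | Format-Table -AutoSize -Wrap
```

The Run key and %Temp% are per-user, so run the check in the session of the account that was affected. It only reads and reports; it does not delete or change anything.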

Remove Trojan.Ransomcrypt.S Fully from Your PC

To remove the .S variant of this Trojan from your computer, follow the step-by-step instructions below. It is recommended to boot in Safe Mode and scan your computer with an advanced anti-malware tool. Tech-savvy users, and anyone who wants to try to decrypt their data, can also check these links:

Methods for decryption:

Scan and remove ransomware via a live OS:

1. Boot Your PC In Safe Mode to isolate and remove Trojan.Ransomcrypt.S
2. Remove Trojan.Ransomcrypt.S with SpyHunter Anti-Malware Tool
3. Remove Trojan.Ransomcrypt.S with STOPZilla AntiMalware
4. Back up your data to secure it against attacks and file encryption by Trojan.Ransomcrypt.S in the future
NOTE! Important information about the Trojan.Ransomcrypt.S threat: Manual removal of Trojan.Ransomcrypt.S requires changes to system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
