.sell Files Virus (Paradise) – How to Remove It (+ Restore Files)

.sell Files Virus (Paradise) – How to Remove It (+ Restore Files)

This article has been created in order to help you by showing how to remove the .sell files virus, a variant of Paradise ransomware and how to restore files that have been encrypted by it on your computer.

A new ransomware variant, going by the name of .sell files virus has been reported to infect unsuspecting victims’ computers and encrypt the important files on their computers. Being a variant of the notorious Paradises ransomware virus family, the .sell ransomware also adds a ransom note file, which is named #DECRYPT MY FILES#.html and has a random identification number within it. If you are among the victims of the .sell files virus, we advise you to read the following article and learn how to remove this ransomware and restore encrypted files.

Threat Summary

Name.sell Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA variant of Paradise Ransomware which encrypts the files and asks to contact support@all-ransomware.info in order to negotiate file decryption.
SymptomsFiles are encrypted with an added .sell file extension and a ransom note, named #DECRYPT MY FILES# Is also added.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .sell Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .sell Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.sell Files Virus – Infection Methods

In order to infect a given computer, the .sell files virus aims to perform different types of activities, which may involve:

  • Masking the virus from antivirus and other protection software.
  • Making sure that the infection file imitates a legitimate file successfully.
  • Making sure to connect safely to a command and control server to download the payload.

In order to infect the victims, the .sell virus may be spread via different means that may be both passive as well as active. If active, you may receive the virus as an e-mail attachment, accompanying a seemingly legitimate e-mail, that aims to fool you it comes from a big company. The most often used companies are eBay, PayPal, DHL, FedEx and others that are similar. The e-mails often imitate as if they are automated and come from the official company, like the example below shows:

In addition to via e-mail, the virus may also be uploaded as a file that pretends to be legitimate on websites, such as software providing sites or websites which contain torrents. The files which it may imitate are often sought after files, like:

  • Driver or software setups.
  • Game patches, cracks.
  • Key generators for programs or games.
  • Software license activators.

.sell File Ransomware – More Information

The .sell files virus is the type of rasomware infection which is from the file encryption kind, meaning that your files are rendered no longer usable and a decryption key is generated which can unlock them but only after you have paid a ransom “fee” to the hackers.

The virus begins it’s malicious activity by dropping it’s malicious files on your computer system. They may reside under different names in the following Windows directories:

After the files of the .sell files virus have been dropped, the ransomware may interfere with key system Windows files, which may allow it to run files and scripts as an administrator on the infected computer. In addition to this, the virus may also create mutants and copies of itself, which can result in it becoming significantly more difficult to remove manually.

Furthermore, the .sell files virus is also the type of infection which aims to make sure it’s presence is known by dropping a ransom note, named #DECRYPT MY FILES# that has the following content:

Your files are encrypted!
Paradise Ransomware Team!
Your personal ID
[redacted] Your personal KEY

Your important files produced on this computer have been encrypted due a security problem.
If you want to restore them, write to us by email.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Before payment you can send us 1-3 files for free decryption.
Please note that files must NOT contain valuable information.
The file size should not exceed 1MB.
As evidence, we can decrypt one file
The easiest way to buy bitcoin is LocalBitcoins site.
You have to register, click Buy bitcoins and select the seller by payment method and price
Also you can find other places to buy Bitcoins and beginners guide here:
write to Google how to buy Bitcoin in your country?
Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
You are guaranteed to get the decryptor after payment
As evidence, we can decrypt one file
Do not attempt to use the antivirus or uninstall the program
This will lead to your data loss and unrecoverable
Decoders of other users is not suitable to decrypt your files – encryption key is unique

In addition to this, the .sell files virus may also delete the shadow volume copies on the infected computer, just like the previous variant(https://sensorstechforum.com/remove-paradise-ransomware-restore-paradise-files/) may have done. This happens via the virus executing the following command in Windows Command Prompt as an administrator:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Furthermore, the ransomware may also add registry entries within the following Windows Registry sub-keys in order for it’s malicious files to run automatically when you boot Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

.sell Files Virus – Encryption Process

In order to encrypt the files on the infected computer, the .sell ransomware may firstly scan for your important files and if it detects that files of these types exist, the virus will encrypt them. The files are usually commonly used ones that are likely important for you, such as:

  • Images.
  • Videos.
  • Archives.
  • Audio files.
  • Documents.

In order to encrypt the files on your computer, the Paradise ransomware virus may use an advanced cipher or a combination of two algorithms. These ciphers both aim to get your files to become no longer openable by replacing key data from the original files with data from the encryption algorithm. After encryption the virus generates a unique decryption key which corresponds to the encryption. The files may begin to appear like the following:


Remove Paradise Ransomware and Restore .sell Encrypted Files

In order to remove this virus, we recommend that you follow the removal instructions underneath this article. They are specifically created in order to help you to remove this variant of the virus either manually or automatically. Be advised that security experts strongly recommend removing Paradise ransomware automatically by downloading an advanced anti-malware software which will ensure future protection of your computer as well.

In addition to removing this virus, in order to restore files that have been encrypted by this iteration of Paradise ransomware, we advise you to check the step “2. Restore files encrypted by .sell Files Virus”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share