.skeleton Files Virus – How to Remove and Restore Files

.skeleton Files Virus – How to Remove and Restore Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to help you by showing you how to remove the new version of Blind ransomware and how to restore .skeleton files, encrypted by it without paying the actual ransom.

New version of Blind ransomware, reported to encrypt the files on the infected computers by it after which leave them with the .skeleton file extension and add a ransom note, named How_Decrypt_Files.txt. It’s purpose is to get the victims whose files have been encoded to pay a hefty ransom fee in order to get the crooks to decrypt the files. If your computer has been infected by the .skeleton files virus, we advise you to read this article and learn how to remove the .skeleton file ransomware and how to restore files, encrypted by it on your PC.

Threat Summary

Name.skeleton Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the computers infected by it after which aims to extort the victim to make a payoff.
SymptomsLeaves behind the .skeleton file extension. Drops a ransom note, called How_Decrypt_Files.txt, containing ransom payoff instructions in it.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .skeleton Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .skeleton Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.skeleton Files Virus – How Does It Spread

For it to be widespread, the .skeleton files virus may come in many different forms. The main method by which your computer could become infected by this virus is if you open a malicious spam e-mail attachment that is embedded on a spammed e-mail. Such attachments often pose as legitimate files, like:

  • Invoices.
  • Fake receipts.
  • Fake order confirmations.
  • Banking statements.

In addition to this, the e-mails themselves are carefully written to seem legitimate, for example:

In addition to the malicious e-mails, the files spread by this virus may also pose as legitimate setups, key generators, software license activators and other types of fake files.

.skeleton Files Virus – Activity

When the .skeleton files virus has infected your computer, you will most certainly notice it, since this ransomware aims to make sure it’s presence is known. The .skeleton files virus drops it’s payload data upon infection in the following Windows folders:

  • %AppData%
  • %Local%
  • %Roaming%
  • %Temp%
  • %LocalLow%

After the malicious files of this ransomware infection have already been dropped on the victim’s computer, the malware may modify the Windows Registry Editor of your computer by adding registry values in the following Windows Registry sub-keys:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After having done this, the .skeleton ransomware may also perform other malicious activities on the computers of victims, like delete the shadow volume copies by executing a script that runs the bcedit and vssadmin commands as an administrator in the background:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

Among the activities off the .skeleton files virus is to also drop it’s ransom note, which is named How_Decrypt_Files.txt and has the following message:

Hello !
All your files have been encrypted !
If you want restore your files write on email – skeleton@rape.lol
In the subject write

Once the malware has dropped it’s ransom note, it may also touch system files of Windows and may create mutexes as well.

.skeleton Ransomware – Encryption Process

Since it’s a variation of the Blind ransomware infection, the .skeleton files virus scans for the following documents, audio files, videos and other data on the computers infected by it:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

After encrypting the victims files, the virus adds behind the .skeleton file extension to them, making them look like the following:

Remove .skeleton Files Virus and Restore Data

In order to remove this ransomware infection we recommend that you follow the removal instructions down below. They are divided in manual or automatic so that they help you isolate the .skeleton files virus and then remove it. If manual removal does not work for you or you feel unsure how to do it, security experts strongly recommend that you download and advanced anti-malware software which will help you to automatically remove all the malicious files of this virus and protect your computer against future infections as well.

Be advised, that if you want to restore files, encrypted by the .skeleton ransomware, you can try and use the alternative methods for file recovery below in step “2. Restore files, encrypted by .skeleton Virus”. They are specifically created in order to best assist you into recovering as many files as possible without having to pay the ransom, but they are no guarantee of 100% success, so make a backup beforehand.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share