Uefi Ransomware – How to Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com


This article has been created to help you remove Uefi ransomware from your computer.

In addition to the newer ransomware variants coming out in August 2017, Uefi Ransomware is one that must not be underestimated. The virus pretends to encrypt the files on the computers it has compromised and demands that its victims send the sum of $350 to the BitCoin address of the cyber-criminals behind the threat in order to decrypt them. If you have become a victim of the Uefi ransomware infection, we strongly advise you to read this article thoroughly.

Threat Summary

Name: Uefi Ransomware
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the computers that have been infected by it, demanding a $350 ransom payoff to get them back.
Symptoms: Changes the wallpaper on the infected computer and adds a decrypt.txt ransom note on the desktop of the victim PC.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does Uefi Ransomware Infect

The infection process of Uefi Ransomware may be conducted in several ways, the main of which is likely e-mail spam. The e-mails that spread Uefi ransomware may carry malicious attachments or web links that trigger the infection. They usually come in many different forms, presenting the malicious attachments as legitimate documents, such as:

  • Receipts.
  • Invoices.
  • Confirmation letters.
  • Bank account activity and balance sheets.

After the victim has been tricked into opening the fake e-mail attachments, the virus may immediately connect to a remote host and download the payload of Uefi ransomware.

Other ways in which one could become a victim of this ransomware virus are downloading a fake setup file, key generator or other type of fake executable that poses as legitimate online.

Uefi Ransomware – Malicious Activity

Uefi ransomware is not to be confused with the first-ever ransomware virus of that name, which appeared in March 2017 and actually attacked the UEFI firmware of a compromised PC.

Although the shared name may hint that this ransomware was created by the same people behind the original Uefi Ransomware virus, this malware has nothing to do with it.

After infection with this virus, you may find some of its payload files dropped under different names in the Windows folders that such malware typically targets:

After dropping its files, the Uefi Ransomware virus may execute them as hidden processes in Windows Task Manager. Since the files contain the various functions behind the activity of Uefi ransomware, executing them may result in the virus:

  • Creating mutexes.
  • Generating new permissions that give the virus administrative rights over your computer.
  • Modifying the Windows Registry.

Regarding the Windows Registry, the malware may take advantage of the following sub-keys:

  • Run.
  • RunOnce.
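Added example (not code from the article, and not the malware's): a small offline triage script in Python for the Run and RunOnce sub-keys mentioned above. It assumes the keys were saved with `reg export` and converted to UTF-8 (reg export writes UTF-16LE), parses the .reg text, and flags autostart commands that point into user-writable folders or reuse a Windows system binary name outside the Windows directory. The sample export, the folder hints and the name list are constructed assumptions, not indicators from this page.

```python
"""Offline triage of Run / RunOnce autostart entries from a .reg export.

Added example, not from the article. Assumes the keys were saved with
    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and converted to UTF-8 (reg export writes UTF-16LE). Read-only: it reports,
it does not delete anything.
"""
import re

# Folders a dropper typically writes to. An autostart entry pointing here is
# not proof of infection (legitimate updaters live in AppData too); it is a
# prompt for manual review. Constructed list, not from the page.
USER_WRITABLE_HINTS = (
    "%temp%", "\\appdata\\local\\temp\\", "%appdata%", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\", "\\downloads\\",
)
# Names of Windows system binaries malware likes to borrow. The genuine copies
# live under \Windows, so the same file name elsewhere is worth a look.
SYSTEM_NAMES = ("svchost.exe", "csrss.exe", "explorer.exe", "lsass.exe", "winlogon.exe")

_ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="string value"

def parse_reg_export(text):
    """Return [(key, value_name, command)] for every string value under each [key]."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _ENTRY_RE.match(line)
        if key is None or not m:
            continue  # file header, blank line, @ default value, hex:/dword: data
        name, value = m.group(1), m.group(2)
        value = re.sub(r'\\(["\\])', r"\1", value)  # undo reg export's \" and \\ escaping
        entries.append((key, name, value))
    return entries

def classify(command):
    """Return the list of reasons an autostart command deserves review ([] if none)."""
    cmd = command.lower()
    reasons = []
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable location")
    for name in SYSTEM_NAMES:
        if name in cmd and "\\windows\\" not in cmd:
            reasons.append(f"{name} outside the Windows directory")
    return reasons

def triage(text):
    """Parse a .reg export and attach review reasons to each autostart entry."""
    return [(key, name, cmd, classify(cmd)) for key, name, cmd in parse_reg_export(text)]

# Constructed sample export: one ordinary entry and two that warrant review.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="%TEMP%\\setup_helper.exe -silent"
'''

if __name__ == "__main__":
    for key, name, cmd, reasons in triage(SAMPLE_REG):
        flag = "REVIEW" if reasons else "ok"
        print(f"[{flag}] {key}\\{name} -> {cmd}")
        for r in reasons:
            print(f"         {r}")
```

A "REVIEW" flag only means the entry deserves a look; the same heuristic fires on a few legitimate per-user installers, so compare the flagged path against what you expect on that machine before removing anything.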

After this ransomware virus has finished its preparation phase, it may begin to make its presence known on the compromised computer and change its wallpaper to the following image:

In addition to this, a decrypt.txt file is dropped which contains the following ransom note:

Your Files Are Encrypted By Uefi Ransomware!
In Order To Get Your Files Back
Please send 350$ worth of Bitcoin to this address:
Refer to decrypt.txt for further instructions.

Uefi Ransomware – Does It Encrypt Files

At the moment, it has been established that Uefi ransomware only pretends to encrypt files; in fact, the virus does not encrypt them at all. Instead, the malware aims to scare infected victims into paying hefty ransom fees, as reported by malware researchers on Twitter:
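Added example (not from the article, and not the researchers' analysis): a Python check a defender can run over copies of the supposedly encrypted files to test the ransom note's claim. It looks for each file's normal header (or valid text) first and falls back to byte entropy only for unrecognized content, because compressed formats such as PNG or ZIP have high entropy even when intact. The magic-byte table, the 7.5 bits/byte cut-off and the sample files are constructed assumptions.

```python
"""Check whether files a ransom note claims to have encrypted really are.

Added example, not from the article. A ransomware encryptor overwrites file
content, so an intact file still starts with its format's magic bytes (or still
decodes as text), while real ciphertext has no recognizable header and byte
entropy close to 8 bits/byte. The threshold and samples are assumptions.
"""
import hashlib
import math
from collections import Counter

# A few well-known file signatures; extend for the formats you actually hold.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP/Office document",
    b"\xff\xd8\xff": "JPEG image",
}
ENCRYPTED_ENTROPY = 7.5  # bits/byte (assumed cut-off); ciphertext sits near 8.0

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def identify(data):
    """Name the format by its header, 'text' if it decodes as UTF-8, else None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return None

def assess(data):
    """Return (verdict, format, entropy). The header check comes first because
    PNG/JPEG/ZIP are compressed and show high entropy even when intact."""
    kind, ent = identify(data), shannon_entropy(data)
    if kind is not None:
        return ("intact", kind, ent)
    if ent >= ENCRYPTED_ENTROPY:
        return ("likely encrypted", None, ent)
    return ("unknown format", None, ent)

def _pseudo_random(n):
    """Deterministic high-entropy bytes: constructed stand-in for real ciphertext."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples: two files a note would claim as encrypted but that are
# untouched, and one that an encryptor actually overwrote.
SAMPLES = {
    "report.txt": b"Quarterly numbers, nothing unusual.\n" * 40,
    "scan.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20,
    "photo.jpg": _pseudo_random(4096),
}

def audit(samples):
    """Map file name -> assess() result for every file in the dictionary."""
    return {name: assess(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (verdict, kind, ent) in audit(SAMPLES).items():
        print(f"{name:12} {verdict:17} format={kind or '-':20} entropy={ent:.2f}")
```

Run it against copies, never the originals, and treat "intact" as the useful verdict: if the headers are still there, the files can be opened as they were and no decryption key is needed, which is exactly the situation this article describes.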

Remove Uefi Ransomware and Restore Files

Before beginning the removal process, it is always recommended to back up your files. Then you can proceed with either the manual or the automatic removal instructions below. If you lack experience in manually removing ransomware such as Uefi Ransomware, we strongly recommend following the automatic removal instructions below. Removing the Uefi ransomware virus may be easier than usual, as it does not encrypt any files. For maximum effectiveness and faster removal, experts strongly advise using advanced anti-malware software, which aims to remove its malicious executable as well as its supporting files completely.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
