.youransom File Virus Remove It Completely - How to, Technology and PC Security Forum | SensorsTechForum.com

.youransom File Virus Remove It Completely

This article aims to help you remove YourRansom ransomware using the .youransom file extension to encrypt files. It may also help restoring some of the encrypted files.

A virus has been spotted and reported to encrypt files of systems that are compromised. The ransomware is dubbed YouRansom by malware researchers and encodes files, dropping a README.txt file after that, which aims to offend and notify the victim to contact an e-mail for the return of files. Anyone who has been infected by this virus should not contact the e-mail [email protected] mentioned in the note and read this article instead. It will help you remove YourRansom ransomware and to try and get your encrypted files back.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and README.txt “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .youransom has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by YourRansom


Malware Removal Tool

User ExperienceJoin our forum to Discuss YourRansom.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

YourRansom Ransomware – How It Infects

In order to cause an infection, this particular ransomware virus may use spam e-mails in which it may include multiple e-mail attachments of malicious character. The malicious files that can be spread by this virus can vary, but they may be amongst the following file types:

→ ‘js’,’jse’,’html’,’htm’,’scr’,’sh’,’bat’,’jsx’,’cmd’,
‘vb’,’vbs’,’vbe’,’ws’,’wsf’,’wsc’,’wsh’,’ps1′,’ps1xml’,’ps2′,’ps2xml’,’psc1′,’psc2′,’msh’,’msh1′,’msh2′,’mshxml’, ‘msh1xml’,’msh2xml’,’scf’,’lnk’,’inf’,’reg’,’pif’,’hta’,’cpl’,’jar’,’class’, ‘exe”application’,’gadget’,’msi’,’msp’,’com’,’msc’,’sys’,’shs’,’wmf’,’chm’,’wmf’,’ozd’,’ocx’,’aru’,’xtbl’,’bin’,’exe1′,’386′,’dev’,’xnxx’,’vexe’,’tps’,’pgm’,’php3′,’hlp’,’vxd’,’buk’,’dxz’,’rsc_tmp’,’sop’,’wlpginstall’,’boo’,’bkd’,’tsa’,’cla’,’cih’,’kcd’,’s7p’,’smm’,’osa’,’exe_renamed’,’smtp’,’dom’,’vbx’,’hlw’,’dyz’,’rhk’,’fag’,’qrn’,’fnr’,’dlb’,’mfu’,’xir’,’lik’,’ctbl’,’dyv’,’bll’,’bxz’,’mjz’,’mjg’,’dli’,’fjl’,’ska’,’dllx’,’tti’,’upa’,’txs’,’wsh’,’uzy’,’cfxxe’,’xdu’,’bup’,’spam’,’nls’,’iws’,’ezt’,’oar’,’.9′,’blf’,’cxq’,’cxq’,’cc’,’dbd’,’xlv’,’rna’,’tko’,’delf’,’ceo’,’bhx’,’atm’,’lkh’,’vzr’,’ce0′,’bps’,’pid’,’hsq’,’zvz’,’bmw’,’fuj’,’ssy’,’hts’,’qit’,’aepl’,’dx’,’lok’,’plc’,’mcq’,’cyw’,’let’,’bqf’,’iva’,’xnt’,’pr’,’lpaq5′,’capxml’

The files may also be documents of Microsoft Office or Adobe Reader that have malicious macros embedded in them and may infect users by enabling those macros to edit and read the content of the document.

Usually the e-mails are written with messages that are deceptive and pretend that it’s of utmost urgency to take a look at the attachment. Most of them use big names of retailers, like FedEx, Amazon, bank names or other institutions, even governmental.

.youransom Ransomware – More Information

This particular ransomware virus may drop multiple files on the victim’s computer after an infection takes place. The files may be more than one and may be located in critical Windows folders, under different names, for example:

After dropping those files, the .youransom file virus may perform multiple activities on the victim’s computer, such as touch critical Windows files to ensure safe encryption, create mutexes and also heavily modify the Windows Registry Editor to ensure that the encryption runs on System Startup.

The .youransom ransomware may also delete the Shadow Volume copies of the infected computer to eliminate chances of restoring these files back to normal. This can happen via the bcedit and vssadmin commands:

For the file encryption process, .youransom ransomware does not mess around. The virus renders files unusable and ads a .youransom file extension to the files, making them appear like the following:

In addition to this, .youransom virus may also perform other activities on the infected machine. One of those activities is to generate a .key file which is also inaccessible. This specific file may also be encrypted by cyber-criminals and the unique decryption key could be sent to their servers. We understand this scenario is likely, because of the README.txt ransom note, dropped by this virus, which is rather offensive and disrespectful:

YourRansom Ransomware – Conclusion and Removal

Advices by experts are like with any other ransomware virus – do not pay the ransom! Even though YourRansom promises to restore the files for free, do not contact the e-mail and do not engage in any payment activity with cyber-criminals – they cannot be trusted. Instead you can remove this ransomware infection, preferably, by following our removal instructions below.

In case you are lacking the experience in malware removal or want maximum results, advices by analysts are always to use an anti-malware program for the scanning and removal of all objects modified or created by YourRansom ransomware.

For the restoration of the encrypted files, you can try and see the “2. Restore files encrypted by YourRansom” step below. They will help you get at least get some of the encrypted files back. But these have not yet been tested since the virus is in early stages (at the time of writing this), so make sure to back up your files before trying the methods out.

Manually delete YourRansom from your computer

Note! Substantial notification about the YourRansom threat: Manual removal of YourRansom requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove YourRansom files and objects
2.Find malicious files created by YourRansom on your PC

Automatically remove YourRansom by downloading an advanced anti-malware program

1. Remove YourRansom with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by YourRansom

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share