CryptoMeister Ransomware Removal Guide

When CryptoMeister Ransomware attacks the operating system, it immediately terminates explorer.exe to make you think that your computer was locked. By doing this, the infection makes your Desktop icons disappear, and the Task Manager vanishes as well. That, however, does not mean that your computer is locked, and you should not pay attention to the “Vérrouillé” window that pops up and informs you that your computer was locked. The purpose of this window is to carry the message that the creator of the ransomware has for you, and the contents of this message are discussed further in this report. Along with the “Vérrouillé” window, a timer window should appear as well. This one counts down from 600 seconds (10 minutes). Once the time is out, a file is erased. Even when the encryption is disabled (for example, if the server is down), the threat continues removing files! Due to this, you must delete CryptoMeister Ransomware as soon as possible.

The message that CryptoMeister Ransomware introduces you to is in French, and so it is most likely that it is specifically spread in those regions where French is the first language (e.g., France, Canada, Belgium, etc.). The message informs that your files are locked, and that you can unlock them by paying a ransom of 0.1 Bitcoin. At the time of research, this converted to around 192 USD or 172 EUR. The message also informs that if you try to bypass the lock-down and the encryption of the files, they will be posted online. Now, although that is highly unlikely to happen, not many users would want to take the chances. This is what might force them to follow the instructions represented via the CryptoMeister Ransomware message that include buying Bitcoins and sending them to a specific address. In our case, the address was not specified because the server was down, and the threat was not even capable of contacting wcn3a2igdpgxxlsg.onion and jop76omwbjfttasu.onion, which it should be able to do using the Tor Browser (rnsm_tor) that is silently downloaded to the %APPDATA% directory.

If you restart your computer, you will face CryptoMeister Ransomware anyway because of the RUN key called “rnsm” that is added to the Windows Registry. Although the sample we tested could not encrypt files – and, hopefully, that means that this infection is already “dead” – it should add random extensions to the files it encrypts. If that is the case, it makes it easier for you to spot the encrypted files. Look at them to see if you have backups. If you want to check backups, do so using a different computer because you do not want to hook any external drives or log into personal accounts while malware is still active, just in case. Although the ransomware is pushing you against using third-party decryptors, you should research this option if you have no other way of decrypting files. Paying the ransom requested by the creator of CryptoMeister Ransomware is not an option because it is highly unlikely that a decryptor would be provided to you if you paid the ransom.

Once you know what you want to do with your personal files, you have to remove CryptoMeister Ransomware. As you already know, you should not postpone this task because you are losing files every 10 minutes for as long as this infection is active. Of course, that might not matter if you come to terms that your files are lost, but you should not allow malware running. You should also not allow malware to slither into your operating system again, which is why employing anti-malware software is a good idea. If you employ this software, install security updates when they come up, and act carefully (e.g., refrain from downloading suspicious files), you should avoid malicious infections from attacking your operating system and personal data in the future. Furthermore, anti-malware software can delete CryptoMeister Ransomware right away. Eliminating this threat manually can be difficult. If you decide to follow the instructions below, make sure you do not skip the last step which entails examining your PC for leftovers.

How to delete CryptoMeister Ransomware

1. Launch Task Manager by tapping Ctrl+Shift+Esc.
2. Click the Processes tab and identify the malicious process.
3. Select it and click End task.
4. Click File and select New Task (Run…).
5. Enter explorer.exe into the dialog box and click OK to restore the Desktop.
6. Simultaneously tap Win+E to launch Explorer.
7. Type %APPDATA% into the box at the top and tap Enter.
8. Right-click and Delete the folder named rnsm_tor.
9. Right-click the file called rnsm.exe and choose Delete.
10. Simultaneously tap Win+R to launch RUN.
11. Type regedit.exe and click OK to launch Registry Editor.
12. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
13. Right-click the value called rnsm and choose Delete.
14. Perform a full system scan to check if your operating system is malware-free.