DeathNote Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

In this report we discuss a malicious program we came across recently, known as DeathNote Ransomware. The message it displays may claim that all of your files were enciphered and that there is no way to decrypt them unless you agree to pay a ransom. In reality, it seems the malware creates a single archive containing all of the user’s files and puts a password on it. This means the data does not need any decryption. Instead, all the user has to do is type a specific password, and the archive with all his files should open. Further in the text, we explain more about the malware and also mention a password that might help users unlock their data. What’s more, if after reading our text you decide to get rid of DeathNote Ransomware manually, you could follow our recommended deletion steps located at the end of this article. However, keep in mind that the process could be challenging, and it might be easier to install a trustworthy security tool.

It appears the malware could travel with various malicious files, e.g., suspicious email attachments, setup files, fake updates, harmful pop-up ads, and so on. One way or another, the fact that DeathNote Ransomware is in the system should signal that the user is a bit too careless while interacting with content from the Internet. In order to avoid similar threats in the future, it would be best to stay away from potentially harmful file-sharing web pages or other untrustworthy websites and to ignore doubtful spam emails. Sadly, in some situations it takes only a few moments for the malicious program to ruin the user’s files, since the threat can work silently in the background, so the victim may not notice anything suspicious. Thus, if you have data you do not wish to lose, it is best to be careful. Another wise idea is to back up all necessary files so that in case of an emergency you would not lose them.

Moreover, our specialists say DeathNote Ransomware works a bit differently from ransomware applications that encipher data. Apparently, it should not affect any files located on the C disk, because doing so could result in the computer being unable to boot, and consequently the victim might not see the ransom note and pay the requested sum. Instead of targeting files on the C disk, the malicious program is after data available on other drives attached to the infected computer. For example, files located on the F disk would be placed in an archive titled Death_N0te_encryted_files_of_local_disk_F. As we mentioned in the beginning, such an archive should have a password, and the user could open it only after submitting it. The password our specialists found while testing DeathNote Ransomware was “pkantnibas722”. We cannot confirm whether there is just one password or whether it is generated for each computer individually, but we do not think you could lose anything by trying it.

Soon after the user’s files from the same disk are placed in a single archive, the malware should show a pop-up message claiming they were encrypted. Also, it is supposed to open another window with a ransom note. It says the user should go to a particular website where he could pay a ransom in exchange for a specific “unlock password.” Needless to say, it would be risky to deal with these people, and you might end up being scammed. Therefore, instead of taking any chances, we recommend erasing the malicious program.

If you do not want to put up with any demands and choose to remove DeathNote Ransomware, we could suggest two ways to eliminate it. Firstly, the user could try to erase it manually by completing the steps created by our specialists; they are located a bit below this paragraph. The second way is to download a reliable security tool, perform a full system scan with it and wait till it detects this malware and other possible threats. Then just click the removal button, and the tool should clean your system.

Get rid of DeathNote Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Select Task Manager.
  3. Locate a particular process belonging to the malware.
  4. Mark it and press End Task.
  5. Exit Task Manager.
  6. Press Win+E.
  7. Locate the given directories:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  8. Find a malicious file downloaded before the malware appeared.
  9. Right-click the doubtful file and select Delete.
  10. Locate this path: %APPDATA%
  11. Search for directories titled “batches” and “hitler”.
  12. Right-click these directories and select Delete.
  13. Next, find these paths one by one:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\ApplicationData\Microsoft\Windows\StartMenu\Programs\Startup
  14. Locate files titled deathnote.lnk, WIFI.lnk, and WINDEFEND.lnk.
  15. Right-click them one by one and press Delete.
  16. Exit File Explorer and empty your Recycle Bin.
  17. Reboot the system.
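
The checks from steps 10-15, together with a search for the archive name given earlier, can be run as a read-only PowerShell audit. This is an added example, not part of the original guide; the function name `Find-DeathNoteArtifact` is hypothetical, and it assumes the archive sits in the root of each non-C drive, which the guide does not state.

```powershell
# Read-only audit: reports artifacts named in the guide, deletes nothing.
# Find-DeathNoteArtifact is a hypothetical name chosen for this example.
function Find-DeathNoteArtifact {
    $hits = [System.Collections.Generic.List[object]]::new()

    # Steps 10-12: the "batches" and "hitler" directories under %APPDATA%.
    foreach ($name in 'batches', 'hitler') {
        $dir = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $hits.Add([pscustomobject]@{ Kind = 'Directory'; Path = $dir })
        }
    }

    # Steps 13-15: shortcuts in the Startup folders, paths exactly as listed in the guide.
    $startupDirs = @(
        "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup"
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
        "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
        "$env:ALLUSERSPROFILE\ApplicationData\Microsoft\Windows\StartMenu\Programs\Startup"
    )
    foreach ($dir in $startupDirs) {
        foreach ($lnk in 'deathnote.lnk', 'WIFI.lnk', 'WINDEFEND.lnk') {
            $path = Join-Path $dir $lnk
            if (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue) {
                $hits.Add([pscustomobject]@{ Kind = 'Startup shortcut'; Path = $path })
            }
        }
    }

    # Archives named Death_N0te_encryted_files_of_local_disk_<letter> on drives other than C.
    # Assumption: the archive is in the drive root; its extension is unknown, hence the wildcard.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Name -ne 'C' }
    foreach ($drive in $drives) {
        Get-ChildItem -LiteralPath $drive.Root -File -Force -ErrorAction SilentlyContinue `
            -Filter 'Death_N0te_encryted_files_of_local_disk_*' |
            ForEach-Object { $hits.Add([pscustomobject]@{ Kind = 'Archive'; Path = $_.FullName }) }
    }

    $hits
}

Find-DeathNoteArtifact | Format-Table -AutoSize
```

A shortcut may be reported more than once, because some of the listed Startup paths can resolve to the same folder.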

DeathNote Ransomware technical info for manual removal:

Files Modified/Created on the system:

| # | File Name | File Size (Bytes) | File Hash |
|---|-----------|-------------------|-----------|
| 1 | cmdc.exe | 13824 bytes | MD5: ef7d55a21922ba2f39e85c9d4c0f1272 |
| 2 | windows defender.bat | 1392 bytes | MD5: d15eb8f7d509ed3b66e32b80e18e06dc |
| 3 | WARNING.vbs | 140 bytes | MD5: 27020740d4833b221ca06db9250705ae |
| 4 | WIFI-CONNECT.bat | 322 bytes | MD5: ce4317af9dffd8582f0aebd88a0d72a5 |
| 5 | note.vbs | 203 bytes | MD5: 0fab8a60427ac657dc5a9513b92537ed |
| 6 | mp3play.exe | 27373 bytes | MD5: c2b2653daeaaa112cf8943b5d9a1a998 |
| 7 | WINDEFEND.lnk | 2134 bytes | MD5: 6cb2116a15c677f7b82fcfec4c8af36d |
| 8 | WIFI.lnk | 2126 bytes | MD5: ceee1de0c8c818e5dfcc482a642595f5 |
| 9 | deathnote.bat | 6356 bytes | MD5: 3f2dff2ccbc64a3eb9d8d703c6d26005 |
| 10 | Rar.exe | 562064 bytes | MD5: dc0222f1e0868c3612a93ba2d83b99be |
| 11 | death.bat | 2290 bytes | MD5: 6469f7a1273dff301582ec7b1cd91f31 |
| 12 | 50dca038c2306d0d7cc9833216461f979be25421cb67c7b033c30e33ba4b432a.exe | 6960762 bytes | MD5: 2b02d485faf03c7abaa2cac243000f60 |
| 13 | death.lnk | 2108 bytes | MD5: 8d5bd396f90b124a606fffc683cc9d60 |
| 14 | deathnote.lnk | 2102 bytes | MD5: fb77bc6ea00cb9ffe988eef3196015c8 |
| 15 | wget.exe | 401408 bytes | MD5: bd126a7b59d5d1f97ba89a3e71425731 |

Memory Processes Created:

| # | Process Name | Process Filename | Main module size |
|---|--------------|------------------|------------------|
| 1 | cmdc.exe | cmdc.exe | 13824 bytes |
| 2 | mp3play.exe | mp3play.exe | 27373 bytes |
| 3 | Rar.exe | Rar.exe | 562064 bytes |
| 4 | 50dca038c2306d0d7cc9833216461f979be25421cb67c7b033c30e33ba4b432a.exe | 50dca038c2306d0d7cc9833216461f979be25421cb67c7b033c30e33ba4b432a.exe | 6960762 bytes |
| 5 | wget.exe | wget.exe | 401408 bytes |
