Recently our specialists came across a new variant of BTCWare Ransomware called firstname.lastname@example.org Ransomware. Apparently, it encrypts all data it finds on the infected computer except the files associated with the operating system or other essential software. Afterward, the threat should leave a ransom note asking the user to contact the malicious application’s creators via the provided email address. The reason we would not recommend putting up with such demands is that once you approach the hackers behind email@example.com Ransomware, they will most likely ask you to pay a ransom. Needless to say, doing so could be extremely risky, as you could lose a lot of money in an instant and in vain. Therefore, instead of this, we advise users to delete the malicious application with the instructions provided a bit below or with a reliable security tool of their choice. It will not undo the damage done to your files, but at least you will be able to start anew.
In the remaining text, we will talk about the malware’s working manner, its deletion, and other vital details. First of all, it is believed that firstname.lastname@example.org Ransomware could enter the system after the user launches a malicious email attachment, a harmful software installer, and so on. In other words, it could be the user himself who infects the system while acting carelessly. To make sure this never happens again, the user should stay away from doubtful spam emails, unreliable file-sharing web pages, etc. Additionally, it would be advisable to pick a reliable antimalware tool and install it on the computer so it could guard it against various threats and alert the user about possible dangers.
The moment the user opens email@example.com Ransomware’s launcher, the threat should start encrypting every file it locates on the infected computer. Naturally, data belonging to the system, such as the operating system, is left alone to ensure the user’s computer will still be able to boot and display the ransom note. Afterward, the user should instantly notice the malware’s opened window. It appears after the threat launches a file called payday.hta. According to our specialists, it should be placed in the %APPDATA% directory. Also, to reopen it automatically after each restart, the malicious application should create a few entries in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run registry keys.
Besides the ransom note, the user should notice that all of his data now has a second extension called .[firstname.lastname@example.org]-id-AD0.wallet or similar. Sadly, data marked this way cannot be opened. Plus, besides the encrypted files, the user may notice that some of the programs that were running before suddenly stopped working, since email@example.com Ransomware can lock not just personal files like photographs or documents, but also executable files belonging to programs you may have installed on the system. Of course, such software can be reinstalled, but as for the other data, the user can only recover it by replacing it with backup copies, if we do not consider paying the ransom as an option.
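A read-only way to check a machine for the traces described above, written as an added PowerShell example (not code from the original article): it looks for Run values referencing payday.hta in the two registry keys named, hashes any payday.hta found under %APPDATA% against the MD5 listed for that file on this page, and counts files ending in .wallet. Searching %APPDATA% recursively and limiting the .wallet count to the user profile are assumptions about scope.

```powershell
# Added example: read-only triage for the artifacts this article names.
# Paths, file name and MD5 come from the article; nothing is modified or deleted.
$noteName = 'payday.hta'
$noteMd5  = '6ea9ac61dfb9c9df7e81a1e3babc0be1'   # MD5 listed for payday.hta on this page
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties that Get-ItemProperty adds itself; they are not registry values.
$psMeta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings = @()

# 1. Run-key values whose command line references the ransom note file.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        if ("$($p.Value)" -like "*$noteName*") {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = $key; Item = $p.Name; Detail = "$($p.Value)"
            }
        }
    }
}

# 2. Copies of the note under %APPDATA% (recursive search is an assumption),
#    with their MD5 compared to the value in the article's file table.
$notes = Get-ChildItem -Path $env:APPDATA -Filter $noteName -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($file in $notes) {
    $md5    = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLower()
    $detail = if ($md5 -eq $noteMd5) { 'MD5 matches the listed hash' } else { "MD5 differs: $md5" }
    $findings += [pscustomobject]@{
        Type = 'File'; Location = $file.DirectoryName; Item = $file.Name; Detail = $detail
    }
}

# 3. Count files in the user profile carrying the .wallet second extension.
$locked = @(Get-ChildItem -Path $env:USERPROFILE -Filter '*.wallet' -Recurse -File -Force -ErrorAction SilentlyContinue)

if ($findings.Count -eq 0) {
    'No matching Run values or payday.hta files found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
"Files ending in .wallet under $($env:USERPROFILE): $($locked.Count)"
```

A hash mismatch on a file named payday.hta does not clear it, since the note's contents may differ between samples; treat any hit as a reason to look further.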
The reason we do not think paying the ransom is a good idea is that there is a chance the hackers could trick the user by taking his money and not providing the promised decryption tool. Consequently, for those who do not want to risk their savings, we advise removing firstname.lastname@example.org Ransomware at once. To do so manually, you should follow the instructions provided a bit below the article, but if the process seems a bit too complicated, we would recommend leaving this task to a reputable antimalware tool.
| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | ! How Decrypt Files.txt | 104 bytes | MD5: fa2a2a41c5a016c9c60d47ca7839474c |
| 2 | BTCWare Slacker.exe | 272896 bytes | MD5: 2c1a9fff423a7afd1b25d1b4c7c5ae3c |
| 3 | payday.hta | 13674 bytes | MD5: 6ea9ac61dfb9c9df7e81a1e3babc0be1 |

| # | Process Name | Process Filename | Main module size |
|---|---|---|---|
| 1 | BTCWare Slacker.exe | BTCWare Slacker.exe | 272896 bytes |