Tbhranso Ransomware is malicious software based on HiddenTear, and its entrance will only bring you problems, because this threat locks all your files without hesitation once it infiltrates your computer. We are sure cyber criminals have borrowed the HiddenTear source code and developed this crypto-threat with a single goal in mind: to extract money from people. That is why this infection locks users' personal files immediately after a successful entrance. If your pictures, documents, and other valuable files located in %USERPROFILE% and its subfolders have already been encrypted, you should not even think about sending money to the malicious software creators, because they will not hesitate to take your money and will then continue developing new malicious software which you might encounter in the future. Also, there are no guarantees that you could decrypt the encrypted files after paying, so if we were you, we would delete Tbhranso Ransomware from the system without paying the ransom it demands. This infection does not create a point of execution and does not make any changes in the system registry, so it should not be very hard to delete it manually. The last paragraph of this article explains how to remove it.
According to specialists, Tbhranso Ransomware is most likely distributed via malicious spam emails. These emails can contain malicious links that open malicious domains hosting the ransomware, or malicious attachments that let the malware enter your computer as soon as you launch one of them. When Tbhranso Ransomware is executed, it drops a file straight into %APPDATA%. Then, it scans the compromised machine to find out where users' personal files are located. When it finds them, it locks them all using the AES encryption algorithm. A file has certainly been encrypted if you see the new extension .locked appended to it. Removing this extension will not unlock your data. All the pictures, documents, music, videos, and other files located in %USERPROFILE% and its subfolders can only be unlocked with a special decryption tool. The cyber criminals behind this ransomware infection claim to have it, but there are no guarantees that they will share it with you, so we advise against sending your money to crooks.
If you read the ransom note READ_IT.txt, you will find out immediately what the cyber criminals expect from you. They want you to send them 100 USD in Bitcoin to the address provided (1MMphN2Rc5xCf4TGTVXQ6B8VSbYdQyCgYS). Users are also asked to send their PC's name to the email address provided (firstname.lastname@example.org) after making the payment. The ransom is not small, so it would not be a sensible decision to send money to the malicious software developers, especially when there are no guarantees that you will receive the promised decryption tool from them. In fact, you do not even need this tool if you have backed up your files, because you can restore them from the backup at any time after eliminating the ransomware infection from the system. It is very important to remove the threat first so that it cannot lock the restored files again.
It is very likely that Tbhranso Ransomware is not the last ransomware infection developed on the basis of the HiddenTear source code, so you need to be more careful from now on in order not to encounter new infections. First, you should stop opening attachments from emails sent to you by unknown senders. Second, it is very important that you do not download software from all kinds of file-sharing websites, because the chances are high that you will download a ransomware infection from them one day. Finally, we recommend installing a reputable security tool.
If your files have been encrypted and the extension .locked has been appended to them, it is very likely the result of a successful entrance of Tbhranso Ransomware. If that turns out to be true, remove this malicious application from your computer as soon as possible. To erase the infection fully, you need to delete one malicious file and the ransom note it has dropped on your PC. Then, you should download the diagnostic scanner (click the Download button below this article to get it) and scan your system with it to check whether any other files that belong to the ransomware infection remain active on your PC.
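To locate the two files mentioned above before deleting them, the following read-only triage script (an added example, not part of the original article or of any vendor tool) walks a folder tree and reports files whose MD5 matches the values in this page's file table, any READ_IT.txt ransom notes, and the number of .locked files. The function names, the report layout and the 5 MB hashing limit are assumptions made for this example.

```python
import hashlib
import os

# MD5 indicators copied from the file table on this page.
KNOWN_MD5 = {
    "b74da335200715a823550470ecca768c": "TBHRanso.exe",
    "da0d56b65e43fda7e32ef78d4ca2633f": "READ_IT.txt",
}
NOTE_NAME = "read_it.txt"   # ransom note name, compared case-insensitively
LOCKED_EXT = ".locked"      # extension appended to encrypted files

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.md5()  # MD5 only because the page publishes MD5 values
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(roots, known_md5=KNOWN_MD5, max_hash_size=5 * 1024 * 1024):
    """Walk roots read-only and report indicator hits; nothing is deleted."""
    report = {"hash_matches": [], "ransom_notes": [], "locked_files": 0, "unreadable": []}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                lower = name.lower()
                if lower.endswith(LOCKED_EXT):
                    report["locked_files"] += 1   # encrypted data, not the malware
                    continue
                if lower == NOTE_NAME:
                    report["ransom_notes"].append(path)
                try:
                    if os.path.getsize(path) <= max_hash_size:
                        label = known_md5.get(md5_of(path))
                        if label:
                            report["hash_matches"].append((path, label))
                except OSError:
                    report["unreadable"].append(path)  # locked or permission denied
    return report

if __name__ == "__main__":
    # %USERPROFILE% normally contains %APPDATA%; fall back to the home directory.
    home = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    result = triage([home])
    print(f"{result['locked_files']} .locked files, {len(result['ransom_notes'])} ransom notes")
    for path, label in result["hash_matches"]:
        print(f"hash match for {label}: {path}")
```

A renamed copy of the executable still matches by hash, while a ransom note with different contents is still caught by name, which is why the script checks both.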
| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | READ_IT.txt | 300 bytes | MD5: da0d56b65e43fda7e32ef78d4ca2633f |
| 2 | TBHRanso.exe | 193536 bytes | MD5: b74da335200715a823550470ecca768c |

| # | Process Name | Process Filename | Main module size |
|---|---|---|---|