Defender Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 337
Category: Trojans

Defender Ransomware is a harmful malicious application that will cause serious problems if it ever manages to infiltrate your system. Since it is a typical ransomware infection, it goes to lock files found on affected computers right away. Surprisingly, it does not demand money from users after locking files on their PCs. Of course, it does not mean that it is not dangerous. This only suggests that it might still be in the development stage, or it has been released just for fun. Do not be so sure that you cannot encounter it. If your system is unprotected, this infection might show up on your system without your knowledge one day. Are you reading this report because you have already encountered this threat? If so, you must delete it from your system as soon as possible no matter if it has locked your valuable files or not. It would be a lie if we told you that you could get rid of this infection very easily. It not only creates an entry in the Run registry key so that it could start working together with the Windows OS, but it also copies itself to %TEMP%\Cache right after it is launched by the user. Then, it sets the “hidden” attribute to this folder so that its copy could not be found and deleted. Do not worry; it does not mean that you cannot get rid of this nasty infection. Continue reading to find more about its removal.

As mentioned at the beginning, Defender Ransomware does not demand money from users, but it does not mean that it is not a dangerous threat. The first activity it performs once users launch it is encrypting their personal files. It affects all files it finds placed in %USERPROFILE%\Desktop, %USERPROFILE%\Documents, %USERPROFILE%\Videos, and %USERPROFILE%\Music directories. As can be seen, it targets the most valuable files; however, it does not want users’ money, which is very strange. You do not need to go to check all files you have to find out which of them have been affected by this ransomware infection. Defender Ransomware appends the .defender extension to all encrypted files, so you could easily distinguish them from those files that are fine. This ransomware infection not only locks data on users’ computers, but it also downloads a ransom note from and places this .txt file to all affected directories. You can open it but do not expect to find any information about the decryption of files there. If you ever encounter the updated Defender Ransomware version that demands money after locking files, you should not send money to cyber crooks. We know that you need your files back badly, but you need to understand that you might still not be able to unlock them after transferring money to crooks. It is quite common that ransomware developers take users’ money but do not give anything in exchange. By sending money to crooks users also encourage them to continue developing new infections.

It is hard to say when and how Defender Ransomware has entered your system because it is a newly-discovered infection, and, because of this, it is still hard to make any conclusions about its distribution. According to researchers at, this ransomware infection should not differ much from similar threats that belong to the ransomware category. That is, specialists believe that it is spread via email attachments mainly as well. It must be only one of several distribution tactics. Security specialists say that users should also be very careful with software they download from the Internet because they might install serious malware on their computers themselves. Some malicious applications are more sophisticated than others, so we cannot promise that you could prevent them all from entering your system easily. This is the reason we recommend having security software enabled on your computer too.

You will remove Defender Ransomware manually if you follow our instructions, but, unfortunately, you will not unlock any of your encrypted files by doing that. Since it is impossible to purchase the decryptor and free decryption software does not exist, it might be impossible to crack the AES encryption and unlock files. You could only restore them from a backup after you fully erase the ransomware infection.

Remove Defender Ransomware

Show Hidden Files

Windows XP

  1. Click the Start button (bottom-left corner of your screen).
  2. Select My Computer from the drop-down menu.
  3. Open the Tools tab and select Folder Options…
  4. Open the View tab.
  5. Under Advanced Settings, locate Hidden files and folders.
  6. Right below it, select Show hidden files and folders.
  7. Click OK.

Windows 7/Vista/8/8.1/10

  1. Go to Control Panel.
  2. Start typing “folder” into the search box at the top.
  3. Select Show hidden files and folders.
  4. Click the View tab.
  5. Find Hidden files and folders under Advanced Settings.
  6. Select Show hidden files and folders.
  7. Click OK.

Remove the ransomware infection

  1. Launch Run by pressing Win+R simultaneously.
  2. Type regedit.exe and click OK.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click on the MpCmdRun Value.
  5. Select Delete.
  6. Close Registry Editor.
  7. Tap Win+E.
  8. Open %TEMP%\Cache and delete MpCmdRun.exe.
  9. Remove all suspicious recently downloaded files to remove the ransomware launcher.
  10. Delete Defender_Ransomware.txt from all affected directories.
  11. Empty Recycle bin.
Download Remover for Defender Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

Defender Ransomware Screenshots:

Defender Ransomware

Defender Ransomware technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
1MpCmdRun.exe.exe20480 bytesMD5: 5dcc449d51c864eeb657c54679eb9d20

Memory Processes Created:

# Process Name Process Filename Main module size
1MpCmdRun.exe.exeMpCmdRun.exe.exe20480 bytes

Comments are closed.