Ender Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

For now, Ender Ransomware looks more like a test version than a fully developed malicious application, although we do not know whether it will be updated in the future. Our researchers checked a couple of its samples; they say the malware is poorly written and does not work correctly on some Windows operating systems. Testing also showed that it could not encipher files located on the targeted device. Thus, if you receive Ender Ransomware, there is a chance it will not damage your data, but it could lock your screen. Users who need help unlocking their screen should scroll below the text and follow the provided instructions. Keep in mind that it is important to erase the malware too, even if it does not do much harm, since it may block the screen again after a restart. For more information about the infection, continue reading our article.

Besides the things we mentioned at the beginning of the text, the messages Ender Ransomware displays also suggest it might still be in the development stage. Most likely, one of its earliest versions showed a warning message saying “i am encrypted your PC Access, but i don't stealed your PC! But if you leave it alone... your PC will be encrypted forever!” This text was visible to the user because it was shown in the malware’s window, which was placed on top of the locked screen. The rest of the text suggests you need to get a decryption key to unblock the screen, but there is no explanation of how to get it. Our researchers managed to find this key in the malicious application’s source code, but it appears there were more keys, and they had to be submitted through several pop-up windows that appeared one after another. Eventually the screen was supposed to be unlocked, but in the end it was not, which again shows the threat might not be entirely developed yet.

The later version of Ender Ransomware locked the screen and showed a warning message saying the PC was locked and that the user needs a valid encryption key to access the computer. This time, however, the note explained how such a code could be obtained. First, it suggested emailing the malware’s creators and asking for further instructions. The only problem is that the cyber criminals did not provide any email address. Then they suggested another option: “if you don't have mail, pay 1 BTC to this BTC adress, and i give you file with codes:w675CQMxg8vXjntc0kEpNRA45xyHv.” One Bitcoin is a huge amount of money (around 5.361 US Dollars at the moment of writing), and it is unclear how the cyber criminals would deliver the needed codes. Therefore, if you encounter one of the Ender Ransomware versions described here, we advise you not to risk your savings when you can unlock your screen free of charge.

To unlock the screen, the user should launch Task Manager and locate the malicious application’s process. The name of the process could be the same as that of a file that was opened before the system got infected, as such a file was most likely the malware’s launcher. Then we recommend restoring the Windows Shell with the help of the Windows Registry. Lastly, the user should find Ender Ransomware’s launcher and erase it permanently. All of these steps are explained in the instructions below, so feel free to use them for guidance if you require assistance. After the threat is gone, we also recommend scanning the system with a reliable antimalware tool, to confirm the malicious application is gone and to check for any other possible threats.

Unlock the screen and restore Windows Shell

  1. Tap Ctrl+Alt+Delete.
  2. Open Task Manager.
  3. Select the Processes tab.
  4. Find the infection’s process, select it and press the End Task button.
  5. Press Win+R, type Regedit and press Enter.
  6. Look for this registry key: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  7. Search for a value name known as Shell with value data saying something like C:\EnderRansom.exe.
  8. Right-click the described value name and click Modify.
  9. Replace its value data (e.g., C:\EnderRansom.exe) with explorer.exe.
  10. Click OK and exit Registry Editor.
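
The registry part of the steps above can also be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it reports any Winlogon Shell value that is not explorer.exe and restores it only when run with -Fix. The -Fix switch and the second (native) key are assumptions of this example.

```powershell
# Added example: audit and optionally restore the Winlogon Shell value.
# -Fix is a switch introduced for this example; without it nothing is changed.
param([switch]$Fix)

$expected = 'explorer.exe'

# First key: the one named in the guide (32-bit registry view).
# Second key: added as an assumption; it is the standard location of the
# Winlogon Shell value in the native registry view.
$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    $shell = (Get-ItemProperty -LiteralPath $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "[ok]  $key : no Shell value present"
        continue
    }
    if ($shell.Trim() -ieq $expected) {
        Write-Output "[ok]  $key : Shell = $shell"
        continue
    }

    # Anything else (e.g. C:\EnderRansom.exe) replaces the desktop shell at logon.
    Write-Warning "$key : Shell = '$shell' (expected '$expected')"
    if ($Fix) {
        Set-ItemProperty -LiteralPath $key -Name Shell -Value $expected
        Write-Output "[fix] $key : Shell restored to $expected (previous value: $shell)"
    }
}
```

The path reported in the warning is also a lead for the launcher that the next section asks you to delete.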

Get rid of Ender Ransomware

  1. Press Win+E.
  2. Navigate to these paths one by one:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  3. Locate the malicious application’s launcher (could be any suspicious recently downloaded file).
  4. Right-click the threat’s launcher and select Delete.
  5. Exit the Explorer and empty your Recycle bin.
  6. Restart the PC.


Ender Ransomware technical info for manual removal:

Files Modified/Created on the system:

# | File Name | File Size (Bytes) | File Hash
1 | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 21448 bytes | MD5: fd04507e1ae57bab78d7bcb94309922b

Memory Processes Created:

# | Process Name | Process Filename | Main module size
1 | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 2816c17f976b0a5eff83907cf3d13b688e7882e0762b62cb3e8433d4daa7958e.exe | 21448 bytes
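
The removal steps ask you to spot the launcher by eye. As an added example (not part of the original guide), the script below checks the three folders named in those steps for a file matching the MD5 and size listed above, and separately lists recently created executables for manual review. The 7-day window is an assumption, and since the article describes more than one version, the absence of a hash match does not rule out a different build.

```powershell
# Added example: look for the listed sample in the folders named in the removal steps.
$knownMd5  = 'fd04507e1ae57bab78d7bcb94309922b'  # MD5 from this page's file table
$knownSize = 21448                                # size in bytes from the same table
$days      = 7                                    # assumption: what counts as "recently downloaded"

$paths = @($env:TEMP, "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads")

# Collect top-level files only, matching the manual steps (hidden files included).
$files = foreach ($dir in $paths) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue
    }
}

# Exact match: filter on size first so only candidate files are hashed.
$exact = $files | Where-Object { $_.Length -eq $knownSize } | Where-Object {
    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    $h -and $h.Hash -ieq $knownMd5
}

# Fallback for other builds: executables created within the review window.
$cutoff = (Get-Date).AddDays(-$days)
$recent = $files | Where-Object { $_.Extension -ieq '.exe' -and $_.CreationTime -ge $cutoff }

'Files matching the listed MD5:'
$exact | Select-Object FullName, Length, CreationTime | Format-Table -AutoSize

"Executables created in the last $days days (review manually):"
$recent | Sort-Object CreationTime -Descending |
    Select-Object FullName, Length, CreationTime | Format-Table -AutoSize
```

The script only reports; deleting a confirmed launcher is left to the manual steps above.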
