Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 903
Category: Trojans

We would like to make you aware of a new malicious application called Ransomware because it can secretly infect your computer and encrypt your personal files and then demand that you pay a ransom to get them back. You should not fall into this trap because you will spend a fortune for the unclear possibility of getting the files back. We believe that the cyber crooks might not keep their end of the bargain, so you should remove this malware instead.

This file-encrypting ransomware is based on the CrySIS ransomware engine. It uses the RSA-2048 encryption key to encrypt all of the files on your PC. The RSA cryptosystem can make use of several key lengths. As you can see, in this particular case, it uses a 2048 bit long key which is sufficient to encrypt the files and keep them that way. Hence, decrypting the unique key is rather difficult, so do not rely on universal decryption tools to do the job. Now, the encryption key is public, but the decryption key is private because it is sent to the Command and Control Server and the only way you can get it is by paying the required sum of money. We want to stress that there is no guarantee that you will get the decryption key after you have paid the ransom. We do not know how much the cyber crook might want you to pay, but based on our encounters with its clones (of which are many,) we think that the ransom fee should be between 3 BTC (1749.24 USD) and 4 BTC (2332.32 USD.) As you can see, the amount of money the criminals wants you to pay is large and your files might not be worth this kind of money. Ransomware consists of a randomly named executable (e.g. Payload_c.exe) that is dropped in %WINDIR%\Syswow64 and %WINDIR%\System32, but can also be dropped in different locations, such as %ALLUSERSPROFILE%\Start Menu\Programs\Startup and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Furthermore, the executable requires the addition of registry strings to run on system startup, so the ransomware creates a randomly named string at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that features Value data such as %WINDIR%\Syswow64\*.exe and %WINDIR%\System32\*.exe. While encrypting, this ransomware also creates a file called How to decrypt your files.txt that is dropped on the desktop and Decryption instructions.jpg that is dropped in C:\Users\user. Both of these files feature the same basic information. Apparently, Decryption instructions.jpg is set as the desktop wallpaper and says that you have to contact the cyber criminal via or

In addition to creating files, this ransomware will append the encrypted files with a custom file extension. The short name of this extension is .xtbl, but it also contains one of the email addresses in brackets as well as a unique ID number. So if you have an image file named Picture.jpg, then the encrypted file name will read{}.xtbl. We have found that this ransomware can encrypt close to a hundred file formats that include .rar, .zip, .tif, .jpg, .bmp, .png, docx, .odb, .doc, .arj, .tar, .7z, .rar, and so on. In short, it can encrypt many of your valued files.

Our research has revealed that Ransomware is set to be distributed via malicious emails disguised as if they come from legitimate companies, such as DHL, Amazon, eBay, and so on. Typically, and email will feature a Word file that asks you to enable macros to enable the correct encoding. If you do that, then it will run its embedded malicious script and drop the main executable in the directories above.

If you do not have an anti-malware application, then this infection can easily slip in unnoticed and encrypt all of your precious files. Alas, there is no way to decrypt them for free. Therefore, you can risk paying the ransom, or you can refuse to be bullied by this cyber crook and delete Ransomware entirely. You can remove it using SpyHunter or the manual removal guide included below.

Remove Ransomware's executable

  1. Hold down Windows+E keys.
  2. Enter the following file paths in the File Explorer.
    • %WINDIR%\System32
    • %WINDIR%\Syswow64
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  3. Locate the randomly named executable and delete it.
  4. Close the File Explorer.

Delete the registry strings

  1. Hold down Windows+R keys.
  2. Type regedit in the dialog box and click OK.
  3. In the Registry editor, go to HKCU\Control Panel\Desktop
  4. Find the Wallpaper string, right-click it and click Modify.
  5. Delete the Value data C:\Users\user\Decryption instructions.jpg
  6. Then, go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  7. Find BackgroundHistoryPath0 and delete it.
  8. Finally, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  9. Find two randomly named strings whose Value data of %WINDIR%\Syswow64\randomname.exe and %WINDIR%\System32\randomname.exe and delete them.
Download Remover for Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter. Ransomware Screenshots: Ransomware Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *