Invisible Empire Ransomware Removal Guide

Invisible Empire Ransomware enters systems unnoticed and then immediately locks all the files users keep on their computers. It has been noticed that this infection locks all the files no matter where they are located, which means that you will notice encrypted files on Desktop and %PROGRAMFILES% (%PROGRAMFILES(x86)%), %TEMP%, and %WINDIR% directories. If you have noticed that files cannot be opened, you can be sure that Invisible Empire Ransomware has managed to enter your system. Specialists at 411-spyware.com say that users who encounter this computer infection need to hurry to remove it from the system. Of course, only those users who are not going to pay money for the decryption of files should do that because it will be no longer possible to pay a ransom this ransomware demands after you delete it fully.

It has been found that Invisible Empire Ransomware is the newest version of Jigsaw Ransomware, which was prevalent on the web some time ago. Therefore, it is not surprising at all that Invisible Empire Ransomware acts exactly like Jigsaw Ransomware. As you already know, this threat will immediately encrypt files you store on your computer. It is clear that it will lock pictures, documents, videos, and other kinds of files containing these extensions:

3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, and .java

Invisible Empire Ransomware locks files using the AES encryption algorithm, and it adds the new filename extension to each of the encrypted files, e.g. pictures.jpg.payransom and mysong.mp3.payransom, so it will not be easy to unlock those files.

At the time of writing, Invisible Empire Ransomware asks users who want to gain access to files to transfer $150; however, it is said in the message that will be put on Desktop that the ransom will double after 24 hours and will reach $300. Cyber criminals seek to convince people to make a payment without thinking much, so users are told to pay money within an hour (you will see a clock ticking down on Desktop) if they do not want to lose 3 important files every hour. Researchers at 411-spyware.com do not recommend paying money because they know that cyber criminals might take money and do not give the decryption key. What’s more, a free decryption tool that can help to unlock files free of charge has been developed recently. Before you use a third-party tool to access your personal files, you should delete the ransomware infection. It is because the ransomware infection might encrypt new files, including decryptor, once again.

We suspect that Invisible Empire Ransomware does not differ from other ransomware infections the way it is distributed too. There is basically no doubt that this ransomware infection comes as a spam email attachment. It pretends to be legitimate file, e.g. an invoice, which explains why a number of people download the attachment without fear. We really doubt that it is the only way Invisible Empire Ransomware travels. According to researchers, it is also very likely that users can download it from untrustworthy third-party websites too. We are sure that it will become immediately clear for you if this happens because you will see a window on your Desktop (you will only be allowed to drag it to the edge of the screen), you will not be able to access your files, they will have the new filename extension, and you will see new files, e.g. wrkms.exe, Address.txt, dr, and EcryptedFilestList.txt in %APPDATA%.

It is not very easy to remove Invisible Empire Ransomware; however, you should do that if you are not going to pay the ransom to cyber criminals. We know that you will not find the removal process very easy, so we suggest that you use our manual removal instructions you find below the article or download and scan the system with an automatic malware remover, e.g. SpyHunter. Drag the window with the ransom note to the edge of the screen to be able to access the Registry Editor and Explorer easily.

Delete Invisible Empire Ransomware

1. Launch RUN (tap Win+R, enter regedit.exe, and click OK).
2. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
3. Right-click on wrkms.exe and click Delete.
4. Close the Registry Editor and tap Windows key + E.
5. Go to %UserProfile%\Local Settings\Application Data.
6. Delete the Systmd folder.
7. Enter %LOCALAPPDATA% in the address bar and tap Enter.
8. Remove the Systmd folder.
9. Go to %APPDATA% and remove the Wrkms folder.
10. Find and remove the System32Work folder together with all the files in it.