May Ransomware Removal Guide

Although the end of June is nearing, May Ransomware can still hit your system hard. This new ransomware threat can cause severe damage to your personal files if it manages to slither onto your system. This malicious program usually enters your computer without your knowledge even if you may be the one who activates it. Once active, this ransomware encrypts your most important files so that your attackers can extort money from you to buy the decryption key. Without this key it is virtually impossible to recover your files as this vicious program uses a deadly combination of encryption algorithms that cannot possibly be cracked. At least, we have not found any free tool on the web that could restore your files after this attack. No wonder why we emphasize the need for a backup copy either on cloud storage or on a removable drive. It is not safe to pay any money to cyber criminals because, on the one hand, you may not get your decryption key anyway, on the other hand, this is tantamount to supporting cybercrime. We recommend that you remove May Ransomware immediately even if it means the loss of your precious files.

Basically, there are two or three possible ways for you to let this beast on board. One of the most frequently used method by crooks to spread such ransomware programs is spamming campaigns. It is possible that you get a mail that looks totally authentic to you and, what is more, very important for you to open it right away. These criminals may use well-known companies, hotels, airlines, parcel delivery services, or even local police departments as the sender of this spam so that you would not even have a doubt about its authenticity. When you look at the subject, it may look something like "Re: Overdue Invoice #23062017_UPS" or "Suspicious transactions on your bank account." As you can see, these crooks may try to regard a matter that could draw your attention right away to the mail and would make you want to open it.

Opening this spam is one thing because this alone may not infect your computer with this dangerous ransomware. As a matter of fact, you need to save and run the attached file in this spam for May Ransomware to be initiated. This attachment can pose as the scanned image of the supposedly unsettled invoice, wrongly ordered flight ticket, or wrong credit card details, but it can also be a text document with malicious macro code. Since this malicious threat encrypts your files upon activation, when you finally notice what has happened, you cannot save your files from encryption by deleting May Ransomware. You need to be extra cautious whenever you open mails and download attachments for this very reason.

It is also possible that you see a banner or pop-up ad while surfing the web and it warns you about an outdated driver or software that you can directly install by clicking on a button in this ad. However, this click may just cost you all your precious personal files because instead of the latest version of Adobe Flash, you may simply drop this ransomware onto your system. You should also be careful with your clicks on ads and links on suspicious websites because you might be redirected to a malicious page set up with Exploit Kits. In this case, it is enough that your browser loads this page and the malicious Java or Flash code will drop this infection. This type of attack can only be successful if your browsers or drivers are out of date. Thus, it should be clear how to avoid such an attack, right?

This ransomware seems to use a dangerous combination of two encryption algorithms: AES-256 and RSA-4096. This makes it practically impossible to crack. Since these algorithms are actually built-in in your Windows Operating System, the whole encryption process should not take too long depending on the performance of your PC and the amount of data to be encrypted. All affected files get a ".locked" extension, which is quite a common one since we have seen it a number of times. This infection drops a ransom note text file called "Restore_your_files.txt" in every folder where it encrypted files. This is to make sure that you will know what to do once you realize that you cannot access your photos, videos, documents, and more.

This ransom note tells you that your files have been encrypted and you have 5 days to pay the ransom fee to get your decryption key. You have to send 1 Bitcoin (around 2,724 dollars) to a given Bitcoin address and then, send an e-mail to "decrypt@mayofware.solutions" with a subject containing your unique ID, which may look something like this: "fb2bb2db9d174bd7a914670b4b9651f5." These crooks promise to contact you once they get your money and your e-mail. You are also offered to send two files to the same address if you want proof of decryption for free. We do not advise you to contact these cyber criminals in anyway, not to mention sending them this huge amount of money. Of course, it is all up to you how you decide but we definitely recommend that you remove May Ransomware as soon as possible.

As you can see, having a recent backup on a removable drive could save you now. Hopefully, you have one and all you need to do is follow our instructions below and delete May Ransomware and all its related files. In fact, this is what we suggest even if you do not have a backup but keep in mind that this would definitely mean the loss of your files even though there is not much you can do about it. This dangerous infection may finally make you consider to protect your PC more efficiently. This is why we suggest that you find a reliable anti-malware program, such as SpyHunter and install it as soon as possible to automatically safeguard your system against all known malicious and potential threats.

How to remove May Ransomware from Windows

1. Open your Windows File Explorer by tapping Win+E.
2. Check out the following folders and delete the random-name ("*") executable:
   %ALLUSERSPROFILE%\Start Menu\Programs\Startup\*.exe
   %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
   %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
   %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
   %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
   %WINDIR%\Syswow64\*.exe (64-bit)
   %WINDIR%\System32\*.exe
3. Bin all instances of the ransom note file ("Restore_your_files.txt") from all infected folders.
4. Empty your Recycle Bin.
5. Tap Win+R and type regedit. Press OK.
6. Locate and delete the following registry entries where "*" represents a random name:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: "%WINDIR%\Syswow64\*.exe") (64-bit)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: "%WINDIR%\System32\*.exe")
7. Exit your editor.
8. Restart your computer.