Mr.Dec Ransomware Removal Guide

Mr.Dec Ransomware is a dangerous infection that you want to keep away from your personal files at all cost. If you fail to protect yourself against this malware, it encrypts files, and there is no turning back after that. Although cyber criminals promise that file recovery is possible if you contact them and then pay a ransom, trusting this promise can cost you a lot of money. Whether you face this malicious threat, Rebus Ransomware, Scarab-Horsuke Ransomware, or any other threat that our research team has reviewed already, you are unlikely to gain anything by paying the ransom. So, what should you do then? It is possible that there is nothing to do, unless backup copies of your files exist outside the affected system. You could also look into legitimate file decryptors, but they rarely help ransomware victims. Without a doubt, there is stuff to learn about this malicious infection, and so you should continue reading. If you are here for the removal instructions only, scroll down below to find a guide that explains how to delete Mr.Dec Ransomware manually.

The malicious Mr.Dec Ransomware cannot execute itself. It must be downloaded onto the computer, or you must be tricked into downloading it yourself. It is possible that malware distributors could employ other threats to execute this ransomware, but our research team warns that they could use remote desktop connection to infiltrate the threat too. You could also be tricked into letting Mr.Dec Ransomware in if its launcher is concealed as a legitimate file or program. Once it, the infection should create a copy of itself as wincmd.exe in the %WINDIR% directory, and then it should remove the original executable. Other files that this malware creates are “DECODE KEY.KEY” and “Decoding help.hta.” The first one represents the personal ID code that the victim is identified by. The second one is the ransom note file that informs the victims that they must send the .KEY file to cyber criminals so that they could initiate the file decryption process. If the threat has corrupted extremely important and valuable files – and the corrupted files have the “[ID]{code}[ID]” extension attached to them – you are more likely to follow the instructions.

According to the ransom note in “Decoding help.hta,” you need to perform three steps to get your files back, and they all focus on communicating with cyber criminals. The first step instructs the user to create an email message with the ID code as the subject line. The second step involves attaching two personal files (no bigger than 2 MB) so that cyber criminals could prove that files can be decrypted. In the third step, you must attach the “DECODE KEY.KEY” file (located in the %WINDIR% directory). This email message must be sent to shine2@protonmail.com or shine1@tutanota.com. If you do this, cyber criminals behind Mr.Dec Ransomware will have the chance to request a ransom in return for a tool or a key that could be used for decryption. Would this tool be sent to you if you paid the ransom? There are no guarantees here, but, most likely, it would not. Therefore, if the requested ransom is huge, you need to think carefully if you should take the risk. Even if you do, and files are restored, you still need to remove Mr.Dec Ransomware.

Malicious components should not exist on your operating system, and so removing Mr.Dec Ransomware is crucial. How will you do it? Will you follow the instructions below to erase the infection manually? That is a valid option, but it might not be suited for you if other threats exist, and if you do not know how to protect your operating system so that malware would not invade in the future. An alternative to that would be to install anti-malware software. If malware exists, this software will delete it automatically. Also, it will keep protecting your system for as long as it is in place and all security updates are installed. Of course, you have to choose which option is best for you, but we recommend making use of anti-malware software. What about personal files? The ones corrupted by Mr.Dec Ransomware are, most likely, lost, but you can set up a file backup system to ensure that your files are not put in danger in the future.

How to delete Mr.Dec Ransomware

1. Tap Alt+F4 keys to close the full-screen window displayed by the ransomware.
2. Tap Win+R to launch RUN and then type in regedit.exe and click OK to launch Registry Editor.
3. In the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry, Delete values named search and unlock (only if their value data points to malware files).
4. Tap Win+E keys to launch Windows Explorer.
5. Go to %HOMEDRIVE% by entering the directory path into the bar at the top.
6. Delete the file called Decoding help.hta
7. Go to %WINDIR% and then Delete the files named DECODE KEY.KEY and wincmd.exe.
8. Immediately perform a full system scan after you Empty Recycle Bin.