Patcher Ransomware Removal Guide

Category: Trojans

A new ransomware infection called Patcher Ransomware has been detected recently. At the time of writing, this malicious application works on Mac computers only, but nobody knows what the future holds. Researchers working at have noticed at the beginning of their research that Patcher Ransomware does not differ much from ransomware infections affecting Windows computers, e.g. Ntk Ransomware, TrumpLocker Ransomware, and Unlock26 Ransomware. It also encrypts users’ files and then demands money, claiming that paying is the only way to unlock the encrypted data. Just like other file-encrypting infections, it enters systems illegally. Do not expect your files to be decrypted after you pay: specialists have noticed that the ransomware does not send the key needed for decryption to its online server after it finishes encrypting files. This suggests that the cyber criminals behind Patcher Ransomware cannot decrypt users’ files either, so there is no point in transferring the money they require. It might be impossible to decrypt files touched by Patcher Ransomware, but that does not mean Patcher Ransomware can stay on the system.

We should start by saying that users contribute to the entrance of Patcher Ransomware on their Mac computers, but it is not their fault because they are fooled into doing so. Once this ransomware successfully infiltrates a computer, it opens a window on the user’s screen. The window contains a Start button and a single sentence telling the user to click the button to launch a crack (yes, this ransomware pretends to be a crack for certain Mac applications). If the user does that, the encryption process starts. It locks data located in the /Users and /Volumes directories (the latter contains mounted external and network drives). All encrypted files receive the filename extension .crypt, for example, picture.jpg.crypt, so it should not take long to find out which personal files have been locked. The last modified date of every file is also changed to 13 February 2010 after encryption. Last but not least, this ransomware tries to eliminate the free space of the root partition on the user’s hard drive. Fortunately, it does not manage to do that.

Users should be able to find a .txt file (README!.txt) dropped by the ransomware on their computers after it encrypts their files. It lists four steps explaining how to decrypt their personal files. First, they are told that they need to purchase Bitcoins, send 0.25 Bitcoin to the provided Bitcoin address, and then write an email to with a unique IP address and a Bitcoin address used. Finally, users are told to leave their computers connected to the Internet for the next 24 hours after making the payment. The cyber criminals behind Patcher Ransomware only pretend that they can unlock files for users; they cannot, because they do not have the decryption key either. There is therefore no point in transferring money to them, so do not do that by any means.

Patcher Ransomware is spread through torrent files and pretends to be a useful software crack. The infection starts with a torrent file that downloads a .zip archive. After extracting it, users find a harmless-looking file with the word Patch in its name, e.g. Office Patcher. They open this file expecting to launch a crack, but there is no useful software inside. Instead, they launch a ransomware infection. A number of ransomware infections are disguised as beneficial software, so this method cannot be called new by any means. Be more careful, because other file-encrypting threats might again enter your PC pretending to be useful applications and lock your files.

Do not pay money to the cyber criminals because they still could not unlock the encrypted files for you. This, of course, does not mean that you can let Patcher Ransomware stay on your computer. Deleting this file-encrypting threat with an automatic scanner that works on Mac computers would be the best choice, but if you have firmly decided to delete it manually, you should at least let our manual removal guide help you. Find it below this article. As you can see, it should be enough to erase only one malicious file.

How to remove Patcher Ransomware manually

  1. Check the folder where all files downloaded from the web are located.
  2. Find the file having Patcher in its name, e.g. Office Patcher.
  3. Delete it.
  4. Perform the full system scan with a reputable scanner working on MAC computers to make sure that all components of ransomware are deleted.
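
To see how far the damage reaches before and after removal, the indicators named in this article (the .crypt extension, the 13 February 2010 modification date, the README!.txt note, and a Patcher-named file) can be searched for with a read-only script. This is an added example, not part of the original guide; the report field names and the choice to match the date in both local time and UTC are assumptions.

```python
import os
import sys
from datetime import date, datetime, timezone

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".crypt"
NOTE_NAME = "README!.txt"
DROPPER_WORD = "Patcher"
STAMP_DATE = date(2010, 2, 13)
DEFAULT_ROOTS = ("/Users", "/Volumes")


def has_stamp_date(mtime):
    """True if mtime falls on 13 February 2010 in local time or in UTC."""
    # Assumption: the article gives only the date, so both calendars are checked.
    local_day = datetime.fromtimestamp(mtime).date()
    utc_day = datetime.fromtimestamp(mtime, tz=timezone.utc).date()
    return STAMP_DATE in (local_day, utc_day)


def scan(root):
    """Walk root read-only and collect paths matching the indicators."""
    report = {"encrypted": [], "stamped": [], "notes": [], "droppers": []}
    for folder, dirs, files in os.walk(root, onerror=lambda err: None):
        for name in dirs + files:
            if DROPPER_WORD in name:  # app bundles are directories on macOS
                report["droppers"].append(os.path.join(folder, name))
        for name in files:
            path = os.path.join(folder, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            report["encrypted"].append(path)
            try:
                if has_stamp_date(os.lstat(path).st_mtime):
                    report["stamped"].append(path)
            except OSError:
                pass  # unreadable file: still counted as encrypted
    return report


if __name__ == "__main__":
    for root in sys.argv[1:] or DEFAULT_ROOTS:
        result = scan(root)
        for kind, paths in result.items():
            print(f"{root}: {len(paths)} {kind}")
            for path in paths:
                print("  " + path)
```

Run without arguments it checks /Users and /Volumes; pass a folder such as the downloads folder to limit the search. A .crypt file that is not in the "stamped" list has the extension but not the modification date described above, so it may be unrelated to this infection.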