PokemonGo Ransomware Removal Guide

PokemonGo Ransomware is a malicious application that locks personal data on user’s computer and displays a ransom note in the Arabic language. It is yet unknown where the malware could be spread as it might be still in development. The worst part is that the infection may also create a backdoor administrator account on the system and gain access to it at any time. Under these circumstances, we advise you to eliminate the ransomware immediately. The removal instructions below will show you how to erase it manually. However, since the threat is new and it might yet change, it might be better to use a trustworthy security tool that could carefully check the system. We also encourage you to read the rest of the text and learn more details about this threat.

According to our specialists, the malware might infect user’s computer after a malicious executable file named PokemonGo.exe is opened. The executable file should have a Pikachu icon, so it is easy to relate it to a well-known mobile game called Pokemon Go. After you open the malicious file, PokemonGo Ransomware should create a key called “Hack3r” = 0 in the Windows Registry. This key is added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList location, so it creates a new user account under the name of Hack3r. This is how the malware gains access to your computer.

Besides creating a backdoor administrator account on the computer, the malicious program should also lock particular data. It appears to be that PokemonGo Ransomware’s creators target your private data, such as photos, documents, videos, and so on. To be more precise, the infection could affect files that have .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif, .png, .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, and .jpg extensions.

The files should be locked with AES encryption algorithm and to unlock it, you must have a unique decryption key and a decryptor. PokemonGo Ransomware displays a note that tells you to contact the infection’s developer with the provided email address. It is most likely that the cyber criminals should demand you to purchase decryption tools. We have to warn you that even after you transfer the money they might not send the decryptor. The infection is still reported to be in development, so you cannot be certain if the malicious application’s developers can provide you with such tools.

If you do not want to take any chances with PokemonGo Ransomware, it is better to erase it at once. Our researchers prepared a manual removal guide that is available below. However, we cannot be one hundred percent sure that the same instructions would work on updated or new PokemonGo Ransomware versions. Therefore, it would be better to use a trustworthy antimalware tool instead. Simply install the tool on the affected computer and let it scan the system. If you had any removable media devices connected at the time the malware infected your PC, they should be checked as well. Once the scanning process is over, you can click the deletion button and all of the detections should be removed automatically.

Remove PokemonGo Ransomware

1. Check Desktop, Downloads, Temporary Files and other possible locations and look for an executable file with a Pikachu icon (e.g.PokemonGo.exe), right-click it and press Delete.
2. Press Windows Key+R, type regedit and click Enter.
3. Locate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
4. Search for a key titled as “Hack3r” = 0, right-click it and press Delete.
5. Restart the computer, open Control Panel and choose User Accounts.
6. Locate the Hack3r user account and erase it.
7. Empty the Recycle bin.