If you want to have a bad day, let Poop Ransomware in. It immediately encrypts your personal files in the Contacts, Desktop, Documents, Downloads, Links, and Pictures folders under the %USERPROFILE% directory. Once these files are encrypted, you will not be able to read them, and no program will be able to open them for you. Even legitimate file decryptors that you can find online will not resolve the issue, because the files are encrypted with a key that only the attackers hold; without that key, no generic tool can reverse the encryption. The attackers had to make sure the files could not be recovered independently so that they could demand money in return for their own decryptor. They claim that once you pay, a "decryption code" will be sent right away and you will be able to recover your files. What else could they say? After all, they need to convince you to pay the ransom. We do not recommend interacting with cybercriminals at all. Instead, you want to figure out how to delete Poop Ransomware as soon as possible.
Poop Ransomware belongs to the Hidden Tear family, which we have mentioned many times before when analyzing Facebook Ransomware, EnybenyCrypt Ransomware, SymmyWare Ransomware, and hundreds of other malicious threats. Hidden Tear was originally published as open-source "educational" ransomware, which is why so many variants built on the same code keep appearing. They are mostly introduced to users as spam email attachments, but exposed remote desktop (RDP) access and other reachable, unpatched services can be abused to deliver them too. Ultimately, the infection has to get in silently, because if you notice it, you might remove it before the malicious process runs. Unfortunately, you do not have much time for that: Poop Ransomware starts encrypting files right away. Afterward, it creates a copy of itself and then deletes the original. So even if you recognize and delete the file you launched, you might be unable to eliminate the threat if you do not know about the copy. The copy is likely to be named "local.exe," and you should find it in a folder named "Windows Folderuser" in the %APPDATA% directory (that is, %APPDATA%\Windows Folderuser\local.exe). Terminate any running instance of this file before deleting it, and note that removing it will not restore your files.
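The behaviour described above (encryption limited to six profile folders, a self-copy under %APPDATA%, a ransom window with a fixed Bitcoin address and Telegram handle) is enough to write a first-pass triage check. The script below is an added example, not code from the original page or from the Hidden Tear project: it looks for the dropped copy at the path the article gives, checks that file for the quoted ransom-note strings (as UTF-8 or UTF-16LE), and flags files in the targeted folders whose content has ciphertext-like entropy. The entropy threshold, the minimum file size, and the constructed sample layout in `demo()` are assumptions for illustration; the article names no file extension for encrypted files, so none is assumed.

```python
"""Added triage example for the Poop/Hidden Tear behaviour described in the article."""
import math
import os
import tempfile
from pathlib import Path
from typing import Optional

# Folders the article names as encryption targets, relative to %USERPROFILE%.
TARGET_FOLDERS = ("Contacts", "Desktop", "Documents", "Downloads", "Links", "Pictures")
# The self-copy the article describes, relative to %APPDATA%.
DROPPED_COPY = Path("Windows Folderuser") / "local.exe"
# Strings quoted from the ransom window in the article; used to confirm a suspect binary.
NOTE_MARKERS = ("SYSTEM HACKED AND FILES ENCRYPTED",
                "1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF",
                "@CyberDexter")
# Entropy threshold (bits per byte) and minimum size are assumptions, not from the article.
HIGH_ENTROPY = 7.5
MIN_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for text and documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def contains_note_markers(path: Path) -> bool:
    """True if the file embeds any quoted ransom-note string, stored as UTF-8 or UTF-16LE."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return any(m.encode("utf-8") in data or m.encode("utf-16-le") in data
               for m in NOTE_MARKERS)


def find_dropped_copy(appdata: Path) -> Optional[Path]:
    """Return the dropped copy's path if it exists under %APPDATA%, else None."""
    candidate = appdata / DROPPED_COPY
    return candidate if candidate.is_file() else None


def suspected_encrypted(userprofile: Path) -> list:
    """Files in the targeted folders whose bytes look like ciphertext.

    Compressed formats (archives, JPEG, DOCX) also score high, so treat this as a
    first-pass filter to review, not as proof of encryption.
    """
    hits = []
    for folder in TARGET_FOLDERS:
        base = userprofile / folder
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            try:
                if not p.is_file() or p.stat().st_size < MIN_SIZE:
                    continue
                if shannon_entropy(p.read_bytes()) >= HIGH_ENTROPY:
                    hits.append(p)
            except OSError:
                continue
    return sorted(hits)


def triage(userprofile: Path, appdata: Path) -> dict:
    """Combine the three checks into one report for the given profile and AppData roots."""
    copy = find_dropped_copy(appdata)
    return {
        "dropped_copy": copy,
        "copy_has_note_strings": copy is not None and contains_note_markers(copy),
        "suspected_encrypted": suspected_encrypted(userprofile),
    }


def demo() -> dict:
    """Run triage over a constructed layout (not a real infection) in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile, appdata = Path(tmp) / "profile", Path(tmp) / "appdata"
        docs = profile / "Documents"
        docs.mkdir(parents=True)
        (docs / "notes.txt").write_bytes(b"quarterly budget review notes\n" * 40)
        (docs / "budget.csv").write_bytes(os.urandom(4096))  # stands in for an encrypted file
        (appdata / DROPPED_COPY).parent.mkdir(parents=True)
        (appdata / DROPPED_COPY).write_bytes(
            b"MZ" + "SYSTEM HACKED AND FILES ENCRYPTED".encode("utf-16-le"))
        result = triage(profile, appdata)
        # Keep only names so the report stays meaningful after the temp directory is removed.
        return {
            "dropped_copy_found": result["dropped_copy"] is not None,
            "copy_has_note_strings": result["copy_has_note_strings"],
            "suspected_encrypted": [p.name for p in result["suspected_encrypted"]],
        }


if __name__ == "__main__":
    # On a real Windows host: triage(Path(os.environ["USERPROFILE"]), Path(os.environ["APPDATA"]))
    print(demo())
```

Run it on a real host with the two environment variables shown in the last comment, and kill any running `local.exe` before deleting the dropped copy. The report only locates the copy and likely-encrypted files; it cannot decrypt anything, which is the point the article makes about backups.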
The copy of the malicious Poop Ransomware is meant to launch a window that delivers the message from the attackers. Right at the top, it declares: "SYSTEM HACKED AND FILES ENCRYPTED." The message lists 5 steps that you, allegedly, need to take to obtain a decryption code. If you follow them, you will send a ransom of about 0.12 Bitcoin to 1K3YKBq8qGrnmJ7TKkLbTiGL59UHBYh7LF, create an account on telegram.org, and send a screenshot confirming the payment to @CyberDexter. 0.12 Bitcoin (the size of the ransom could be different for you) might not seem like a huge sum, but at the time of writing it is over 1,000 US Dollars. Do you have that kind of money? Are your files worth it? If non-essential or non-valuable files were encrypted, or if you have backup copies stored outside the system, you should definitely NOT follow the instructions. Even if you want your files back, remember that cybercriminals are untrustworthy and that you are unlikely to get the decryption code even if you pay the full ransom.
Backing up files is crucial, and only if your personal files are backed up will you be able to remove Poop Ransomware without consequences. Backups only help if they are kept where the ransomware cannot reach them (offline or on separate storage that is not mounted during the attack), and you should restore from them only after the threat has been removed, or the restored files will be encrypted again. If you do not have backups, your files will remain encrypted and will be as good as lost. Decrypting them does not appear to be possible, and the decryption code offered by the attackers might not even exist. Sure, you could take the risk and follow the instructions provided by the cybercriminals, but since you would have to sacrifice a lot of money and communicate with the attackers, you should think twice before making any decision. Regardless of what you do, you must remove Poop Ransomware at the end. Although the threat should erase its original file itself, we cannot guarantee that it will not fail, and the copy in %APPDATA% remains and must be erased. If you cannot handle the threat manually, we strongly advise employing anti-malware software that will reliably clean your system and protect it against malware attacks in the future.