RansomPlus Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 793
Category: Trojans

A new computer infection that makes files unusable has been developed by specialists on the 28th of January, 2017. It has been given a name RansomPlus Ransomware. Even though this ransomware infection is a new threat, it has all the typical features of an on ordinary ransomware infection. As has been found by specialists working at 411-spyware.com, it also sneaks onto computers without permission, usually pretending to be a harmless email attachment, it encrypts all files it finds on its way, and, finally, it demands a ransom after it finishes encrypting text files, pictures, documents, and even programs. Files in a number of different directories, including %ALLUSERSPROFILE%, %ALLUSERSPROFILE%\Application Data, %USERSPROFILE%\Documents, %USERSPROFILE%\Music, %USERSPROFILE%\Pictures, %USERSPROFILE%\Videos, %LOCALAPPDATA%, and some folders (those whose name consist of 4 to 6 characters) in %HOMEDRIVE% will all be found and encrypted to obtain money from you. Cyber criminals perfectly know that it might not be that easy to get money from users, so they have programmed RansomPlus Ransomware to use AES-256 and RSA-2048 encryption algorithms which are extremely difficult to crack. In other words, crooks seek to make users pay money to them. There are no guarantees that you will receive a decryption tool even if you pay for it, so do not have high hopes.

It is already clear that RansomPlus Ransomware finds valuable files in certain directories and then encrypts them all by appending .encrypted to all these files, for example, picture.jpg.encrypted. To inform users about this unpleasant situation, a .txt file YOUR_FILES_ARE_ENCRYPTED!!!.txt containing a ransom note is dropped in places with encrypted files to make sure that users notice it and read what it is written there. As could be expected, users are asked to send a ransom of 0.25 Bitcoin (~ $240) to the following Bitcoin address of cyber criminals: 36QLSBTuBvK5rKD6PsM9tTFaacrjHCSNGd. Once the payment is made, they are also asked to contact cyber criminals by writing an email to andresaha82@gmail.com. A decryption key should be sent to users via email too, but if we were you, we would not expect much from cyber crooks. There are many cases when they send nothing after receiving what they wanted, i.e. money. In such a case, your only hope is free data recovery tools that can be downloaded from the web. Despite the strong encryption algorithm used by RansomPlus Ransomware, you should still try them all out. Of course, the luckiest users are those who have made a backup of files before the entrance of this file-encrypting threat because they could restore files from a backup easily.

Luckily, even though RansomPlus Ransomware performs activities previously-released ransomware infections do, it differs from them in a sense that it does not makes any modifications on the affected computer, i.e. it does not block any system utilities (e.g. Task Manager and Registry Editor), does not create a bunch of files, and, finally, it does not place a screen-locking ransom note on Desktop. This means that it will not be hard to erase it. Before you go to get rid of this infection, read the next paragraph to find more about the distribution of ransomware. This knowledge should help you to prevent similar threats from slithering onto your PC in the future.

Since RansomPlus Ransomware is not that prevalent yet, there is not so much information regarding its dissemination available. Of course, this infection enters computers without permission. Even though it appears on PCs illegally, users might be the ones who allow it to enter their systems by, for example, opening attachments from spam emails or downloading beneficial-looking programs from untrustworthy third-party websites. Users who do not think that they can protect their PCs from malware should go to install a security application on their computers. If it is reputable, it will not allow any other malicious applications to enter their systems ever again. Do not forget to update such a tool periodically to be protected from the newest infections too.

Personal files encrypted by RansomPlus Ransomware will not be unlocked the second this infection is gone from the system; however, it still needs to be erased as soon as possible so that it could not encrypt any files ever again. What users need to do to remove it fully is to find and erase its main executable file and then delete all ransom notes it leaves in folders with encrypted files. You are more than welcome to use our manual removal guide, but keep in mind that the full removal of this malicious application can be performed using an automatic scanner, such as SpyHunter, as well.

Remove RansomPlus Ransomware manually from your PC

  1. Press Win+E.
  2. Open %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP% one after the other (type the directory in the URL bar to open it) and find the malicious file.
  3. Delete this file.
  4. Remove ransom notes YOUR_FILES_ARE_ENCRYPTED!!!.txt from all directories.
Download Remover for RansomPlus Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

RansomPlus Ransomware Screenshots:

RansomPlus Ransomware


Your email address will not be published.


Enter the numbers in the box to the right *