Serpent Removal Guide

Serpent is the latest threat to join the ever-growing ransomware family. According to the information we have gathered, this infection is the updated Hadeslocker Ransomware version that is primarily targeted at those who live in Denmark. In fact, once this infection slithers into your operating system, it immediately connects to remote servers to determine your geographical location. While it has the potential to attack operating systems all over the world, it does not initiate file encryption – which is what it was created to do – if the victim lives in any of these countries: Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, or Turkmenistan. Of course, if you live in these countries, you could become a victim of various other infections. Some of the latest ransomware threats we have analyzed include Fadesoft Ransomware, CryptoKill Ransomware, and Erebus 2017 Ransomware. Although these infections were created by different parties, they have similarities. For example, they are distributed using the same security backdoor. To learn about this, as well as how to delete Serpent, please continue reading the report.

Regardless of where you live, you have to be exceptionally careful about spam emails. You should not open them or interact with the content represented via them. For example, if you live in Denmark, you could be sent an email with the subject line that reads “Sidste påmindelse for udestående faktura {random number}.” If that happens, you should remove it immediately because the malicious Serpent could be hiding behind it. Unfortunately, the launcher is concealed as a regular Word document. When you try to open it, you are requested to enable macros, and this is how the infection is launched. As soon as the threat drops malicious files and modifies the Windows Registry to ensure smooth operating, it checks Volume Shadow Copies. Serpent deletes them and then overwrites them as well to ensure that you cannot do anything to recover your precious personal files. This is done as soon as the infection encrypts your files, and, considering that it targets 900 different kinds of files, you are likely to find that all of your documents, videos, photos, archives, and other personal files are encrypted. The files that are hit by the infection gain the “.serpent” extension, which, of course, is where the name of the threat comes from.

Needless to say, Serpent does not encrypt your files just for fun. On the contrary, the infection does that to ensure that cyber criminals who have created it have leverage when demanding a ransom fee. The more files are encrypted, and the more valuable they are to you, the more likely you are to follow the demands that are represented via “HOW_TO_DECRYPT_YOUR_FILES_[random characters].txt/html” (both TXT and HTML versions of this file exist). According to the message, you need to visit one of the listed pages and follow the instructions found on them. These instructions, of course, show how to pay a ransom, and the fee is quite big. 0.75 Bitcoins (converts to nearly 800 Euro) is the price that is asked of you for the “Serpent Decryptor.” Whether or not this tool exists we cannot confirm or deny. If you do not pay the ransom in 7 days, the fee supposedly rises to 2.25 Bitcoins (converts to nearly 2400 Euro). Do you have that kind of money? If you do not, you might feel helpless. Well, even if you had the money, we would not advise paying it because who knows if cyber criminals would decrypt your files. Maybe they would just take your money for nothing in return. This has definitely happened before.

Do you feel experienced enough to remove Serpent manually? If this is the path you choose, do not forget that this ransomware is a complex infection, and it is crucial that you scan your operating system afterward to check if your operating system is clean. It is possible that the scanner will detect leftovers or other infections. If that happens, make sure they are removed before resuming to normal activity. Afterward, you should also choose an anti-spyware tool to enable further protection. We believe that every user should employ such a tool, and so our recommendation is that you install it right away and let it take care of the removal of Serpent ransomware for you. Unfortunately, your files will remain encrypted even after you successfully delete this threat. Hopefully, they are backed up. If they are not, make sure to set up a backup system to protect your files in the future.

How to delete Serpent

1. Tap Win+E keys to launch Explorer.
2. Enter %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ into the bar at the very top.
3. Right-click and Delete the [unknown name].vbs file.
4. Enter %UserProfile%\AppData\Roaming\ into the bar at the very top.
5. Right-click and Delete the [unknown name] folder (should hold the malicious [unknown name].exe file).
6. Right-click and Delete the HOW_TO_DECRYPT_YOUR_FILES_[random characters].txt/html file.
7. Right-click and Delete the malicious [unknown name] file that launched the infection.
8. Empty Recycle Bin and then perform a full system scan to check for potential leftovers.