Supportfriend@india.com Ransomware Removal Guide

In this article, we are going to talk about a recently discovered ransomware-type program known as Supportfriend@india.com Ransomware. From the outset, we want to clarify that we advocate for removing this program because complying with the demands of the cyber criminal that created it will only finance the release of new similar applications. In any case, this particular infection already has dozens of clones that are nearly identical in terms of functionality. To find out more about this program, we invite you to read this whole article.

Some ransomware-type applications are set to lock an infected computer’s screen while others have algorithms configured to encrypt the files that are stored on an infected PC. In this particular case, Supportfriend@india.com Ransomware is a program dedicated to encrypting the files using a unique encryption algorithm. Our research has shown that it uses the RSA cryptosystem with a 2048-bit size key which makes encryption extremely difficult if you opt to use some kind of third-party decryption tool. Unfortunately, the only way to get the decryption key that is stored on this ransomware’s Command and Control server is by purchasing it, but it might not come cheap because its creator might ask you for 2 BTC (1,211.82 USD) or more. Nevertheless, there is no guarantee that you will receive the decryptor once you have made the transaction because the developer has to send it to you manually.

The reason that makes ransomware and Supportfriend@india.com Ransomware in particular so malicious is the fact that it is set to encrypt most if not all of your personal files. For example, it will encrypt file formats such as .7z; .asp; .avi; .bmp; .cad; .cdr; .doc; .docm; .docx;. and .gif, among others. In short, it is set to encrypt images, videos, documents, executable files, audios, and so on. Moreover, it is set to encrypt these and other file formats in nearly every location on your computer, but it will skip a handful of folders, such as %AppData%, %Windows%, %System32%, and %Temp% because they contain files needed to run the operating system. The encryption is done in a matter of minutes, and you can even observe your files being encrypted because their icons will be removed and their file names appended with the .xtbl file extension. Also, this ransomware will add an ID number and the Supportfriend@india.com email address to the names as well.

After encrypting your files, Supportfriend@india.com will generate two new files. Once of them is named how to decrypt your files.jpg which is set as the desktop wallpaper and features white text over a black background saying that your files have been encrypted and that you need to contact the developer via Supportfriend@india.com. The other file is named Decryption instructions.txt and it also features text saying that you need to write to the said email address. However, you should not contact the developer because you might not get the decryption tool if you agree to pay the ransom.

If you are wondering how Supportfriend@india.com Ransomware can infect your computer, then we have your answer. Our research has revealed that this ransomware is being disseminated through malicious emails that feature zipped file attachments that, when opened, run a malicious script and secretly infect the computer. The emails might pose as legitimate tax return forms, invoices, and so on and it can be difficult to catch on to the deception on the part of the developer. Many users open the attachments out of curiosity, and we urge you to refrain from falling into this trap if you get an email you were not supposed to get.

In closing, Supportfriend@india.com Ransomware is just a mere ransomware-type application, but it is dangerous nonetheless because its encryption code is yet to be broken. Therefore, if your computer has become infected with it, then you should not pay the ransom for the decryption tool and delete this malicious program instead. You can eradicate it with the help of an antimalware tool such as SpyHunter or use our manual removal guide featured below.

How to delete this malware

1. Press Windows+E keys.
2. In the File Explorer’s address box enter each of the following locations.
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
   • %WINDIR%\System32
   • %WINDIR%\Syswow64
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
3. Find the randomly named executable file and delete it.
4. Close the File Explorer
5. Then Press Windows+R keys.
6. Type regedit and hit Enter.
7. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
8. Find a randomly named string whose Value data is (for example) %WINDIR%\Syswow64\randomname.exe and Delete it.

Take note that that the Value data is the same the executable’s file path.