TrumpHead Ransomware Removal Guide

TrumpHead Ransomware is a nasty infection that can encrypt files, remove shadow copies to mess with the system’s restore, create files, and then eliminate them at request. The funny thing is, this infection does not encrypt files. At least, not yet. Although it is possible that this malicious threat will never terrorize Windows users, it is also possible that it could attack at any point in the near future. This is why our research team has created a guide and instructions that explain how to deal with the threat. Of course, our main goal here is to delete TrumpHead Ransomware. If you are interested in learning all about the threat and its removal, please continue reading. Also, do not hesitate to leave questions in the comments section if anything is unclear or if you want to keep the discussion going.

You might not know this, but TrumpHead Ransomware is linked to BSS Ransomware, SnowPicnic Ransomware, and many other infections. Of course, all of these threats are file-encryptors, but that is not what we are talking about. It was found that all of these threats were built using the same open-source code, “Hidden Tear.” It is unknown who exactly stands behind this malware, but, considering that it does not appear to work properly, it is likely that we are dealing with amateurs here. In any case, the threat communicated with a C&C server successfully, it can delete shadow volume copies to make it not possible to restore the system, and it also can record the victim’s IP address. Overall, the threat is quite powerful, and so it is possible that TrumpHead Ransomware will start encrypting files in the future. Right now, it is set to encrypt files with .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .jpeg, .gif, .png, .csv, .sql, .img, .mdb, .sln, .php, .asp, .aspx, .xml, .psd, .dat, .html, .mp3, .zip, and .pdf extensions, which might put many of your personal files at risk. Note that once files are encrypted, you cannot restore them even by removing the malicious ransomware.

Needless to say, the attackers behind TrumpHead Ransomware are not set out to encrypt files for fun. If they manage to encrypt files, they immediately introduce victims to READ_THIS.txt, a file that displays a message. It informs that there is no way of getting files back without paying a ransom of 0.8 Bitcoin. You are asked to do that in 48 hours, and wegotyoudata@protonmail.com is listed as a contact email address. At the time of research, the Bitcoin wallet address to which the ransom must be paid was interchangeable. All in all, regardless of that, we do not recommend paying the ransom or then emailing cyber criminals because that could put you at an even greater risk. Do not expect cyber criminals to give you a decryptor if you pay the ransom, but do expect them to expose you to malware and scams in the future if you share your email address. Therefore, we suggest you remove TrumpHead Ransomware ransom note right away. Of course, that is the least harmful file of the bunch. It is most important that you delete the malicious launcher and the copy that is created in the %TEMP% directory.

The copy of TrumpHead Ransomware should automatically delete itself after the execution; however, you should check the directory anyway. Unfortunately, we do not know where the main launcher of the ransom note is. You will have to find it on your own if you decide you want to remove TrumpHead Ransomware manually. The good news is that you do not need to worry about clearing the system on your own. You can employ an anti-malware program that will take care of the issue automatically. As soon as the threat is contained, you can start thinking about security. Anti-malware software will take care of your operating system, but we recommend that you secure your personal files by backing them up. If files were encrypted, they are lost, and you can remove them to free space.

How to delete TrumpHead Ransomware

1. Delete the launcher of the malicious ransomware.
2. Delete the ransom note file READ_THIS.txt.
3. Move to %TEMP% (tap Win+E to launch Explorer and enter the path into the box at the top).
4. Check if the copy of the launcher still exists and, if it does, Delete it.
5. Move to %USERPROFILE%\Pictures\Backgrounds\.
6. Delete the background image file [date].bmp.
7. Empty Recycle Bin and then run a full system scan using a real malware scanner.