TrumpHead Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 527
Category: Trojans

TrumpHead Ransomware is a nasty infection that can encrypt files, remove shadow copies to mess with the system’s restore, create files, and then eliminate them at request. The funny thing is, this infection does not encrypt files. At least, not yet. Although it is possible that this malicious threat will never terrorize Windows users, it is also possible that it could attack at any point in the near future. This is why our research team has created a guide and instructions that explain how to deal with the threat. Of course, our main goal here is to delete TrumpHead Ransomware. If you are interested in learning all about the threat and its removal, please continue reading. Also, do not hesitate to leave questions in the comments section if anything is unclear or if you want to keep the discussion going.

You might not know this, but TrumpHead Ransomware is linked to BSS Ransomware, SnowPicnic Ransomware, and many other infections. Of course, all of these threats are file-encryptors, but that is not what we are talking about. It was found that all of these threats were built using the same open-source code, “Hidden Tear.” It is unknown who exactly stands behind this malware, but, considering that it does not appear to work properly, it is likely that we are dealing with amateurs here. In any case, the threat communicated with a C&C server successfully, it can delete shadow volume copies to make it not possible to restore the system, and it also can record the victim’s IP address. Overall, the threat is quite powerful, and so it is possible that TrumpHead Ransomware will start encrypting files in the future. Right now, it is set to encrypt files with .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .jpeg, .gif, .png, .csv, .sql, .img, .mdb, .sln, .php, .asp, .aspx, .xml, .psd, .dat, .html, .mp3, .zip, and .pdf extensions, which might put many of your personal files at risk. Note that once files are encrypted, you cannot restore them even by removing the malicious ransomware.

Needless to say, the attackers behind TrumpHead Ransomware are not set out to encrypt files for fun. If they manage to encrypt files, they immediately introduce victims to READ_THIS.txt, a file that displays a message. It informs that there is no way of getting files back without paying a ransom of 0.8 Bitcoin. You are asked to do that in 48 hours, and is listed as a contact email address. At the time of research, the Bitcoin wallet address to which the ransom must be paid was interchangeable. All in all, regardless of that, we do not recommend paying the ransom or then emailing cyber criminals because that could put you at an even greater risk. Do not expect cyber criminals to give you a decryptor if you pay the ransom, but do expect them to expose you to malware and scams in the future if you share your email address. Therefore, we suggest you remove TrumpHead Ransomware ransom note right away. Of course, that is the least harmful file of the bunch. It is most important that you delete the malicious launcher and the copy that is created in the %TEMP% directory.

The copy of TrumpHead Ransomware should automatically delete itself after the execution; however, you should check the directory anyway. Unfortunately, we do not know where the main launcher of the ransom note is. You will have to find it on your own if you decide you want to remove TrumpHead Ransomware manually. The good news is that you do not need to worry about clearing the system on your own. You can employ an anti-malware program that will take care of the issue automatically. As soon as the threat is contained, you can start thinking about security. Anti-malware software will take care of your operating system, but we recommend that you secure your personal files by backing them up. If files were encrypted, they are lost, and you can remove them to free space.

How to delete TrumpHead Ransomware

  1. Delete the launcher of the malicious ransomware.
  2. Delete the ransom note file READ_THIS.txt.
  3. Move to %TEMP% (tap Win+E to launch Explorer and enter the path into the box at the top).
  4. Check if the copy of the launcher still exists and, if it does, Delete it.
  5. Move to %USERPROFILE%\Pictures\Backgrounds\.
  6. Delete the background image file [date].bmp.
  7. Empty Recycle Bin and then run a full system scan using a real malware scanner.
Download Remover for TrumpHead Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

TrumpHead Ransomware Screenshots:

TrumpHead Ransomware

TrumpHead Ransomware technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
11-21-2019.bmp750054 bytesMD5: 3c89acf21b84351f9a56465a403b5e33
2TrumpHead.exe2722304 bytesMD5: 49fdb7e267c00249e736aad5258788d2

Memory Processes Created:

# Process Name Process Filename Main module size
1TrumpHead.exeTrumpHead.exe2722304 bytes


Your email address will not be published.


Enter the numbers in the box to the right *