UmbreCrypt Ransomware Removal Guide

Threat Level: 8/10
Category: Trojans

If UmbreCrypt Ransomware finds a way into your operating system, you may have to say goodbye to all your important files. This Trojan ransomware is a severe hit to your computer, as it can encrypt files of hundreds of extensions in a few minutes at most. If you have not kept a backup copy of your files, you may, unfortunately, lose them all in this nightmare of a Trojan invasion. After it finishes encrypting your files, this ransomware displays a note telling you what you are supposed to do in order to recover them. However, we must warn you that the cyber criminals behind this malicious infection may not keep their promise. Keep in mind that this ransomware is all about extorting money from you; once you have paid the fee, why would these criminals bother to deliver? Of course, whether you pay the ransom or not is up to you. Whichever way you decide, you need to know that you must remove UmbreCrypt Ransomware if you ever want to use your computer safely again. Please read our article to find out more about this dangerous Trojan infection, how you can protect your computer from this and similar malware threats, and how you may be able to restore your files after all.

There are usually a couple of ways for Trojans to infiltrate your operating system. First, these threats can arrive through spam e-mails. Opening such an e-mail is risky in itself, because sometimes even that can trigger the download of a Trojan, but more commonly you need to click on a link in the body of the mail or on an attachment, including video and image files. Second, they may be triggered by infected links on social networking sites such as Facebook and Twitter: you may find a “must-see” video or image on your wall, and if you click on it, this Trojan might enter your computer. Another possibility is that you download it from a malicious website, either directly or in a software bundle.

So basically any of these channels may be the source of this Trojan as well, which is why it is actually possible to avoid this infection when it tries to reach you in one of these ways: for example, only open e-mails and attachments that you are actually expecting to get, and be very careful where you click on social networking sites and on suspicious sites. Remember that one single click can result in this dangerous Trojan landing on your computer. We have also heard reports from users claiming that this ransomware may have been installed on their computer manually, either through a remote desktop or through hacked terminal services, but we cannot confirm this information. In any case, whichever way this Trojan finds into your operating system, there is one thing you can do: you must remove UmbreCrypt Ransomware the moment you notice it on your computer, even if this does not help with decrypting your files.

We have found that this is not a unique ransomware infection; in fact, this threat is simply a new variant of HydraCrypt and CrypBoss, which are both serious Trojans. This ransomware uses the AES encryption algorithm to encrypt your files. Since AES is available through Windows' built-in cryptographic functions, it usually takes this infection as little as 10 seconds and at most a few minutes to finish with your files, so there is not much chance for you to catch it in the act and stop it. This threat is quite thorough and can encrypt over 400 file extensions, including .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .zip, .flv, .js, .css, .rb, .png, .txt, .mkv, .bmp, .dot, .xml, .pps, and .dat, just to mention a few. The encrypted files get a .umbrecrypt_ID_[victim_id] extension, for example, image.jpg.umbrecrypt_ID_b4500913. This ransomware also creates a ransom note text file in every folder that contains encrypted files. This text file is called README_DECRYPT_UMBRE_ID_[victim_id].txt. Unfortunately, this infection can also damage up to 15 bytes at the end of each file. The only good news is that these last bytes are not vital for most files; in fact, the damage can usually be repaired by opening and saving the files again.

Interestingly enough, files in the following directories are not encrypted: %SystemRoot%, %PROGRAMFILES%, %PROGRAMFILES(x86)%, and %ALLUSERSPROFILE%. Once this ransomware finishes its vicious job, it displays its ransom note, which informs you that your photos, videos, documents, and other files have been encrypted and tells you what you have to do in order to restore them. The note discloses a unique ID that belongs to your computer and two e-mail addresses (umbredecrypt@engineer.com and umbrehelp@consultant.com) that you can use to contact the criminals. You are expected to send them your ID together with a request to buy their software, which is supposed to enable you to decrypt your files, and you are given 72 hours to contact them. The note reveals no further details about the payment method or the amount; if you want to find out about that, you need to send them an e-mail, although we would advise you against engaging with these cyber criminals in any way.
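To show how a defender would inventory these artefacts on a suspected machine, here is an added example in Python; it is our own illustration, not the article's or the ransomware's code. It uses the encrypted-file name pattern, the ransom-note name, the two contact addresses and the list of skipped directories described above. The scan root, the report layout, the helper names and the constructed sample tree are assumptions of the example. It runs on any system, because the skipped-directory variables are only resolved where they are actually set.

```python
"""Triage scan for UmbreCrypt artefacts (added example, not the article's code).

Assumed: scan root, report layout, helper names, constructed sample tree.
From the article: encrypted-name pattern, ransom-note name, contact
addresses, and the directories the ransomware skips.
"""
import os
import re
import sys
import tempfile
from collections import Counter, defaultdict

# <original name>.umbrecrypt_ID_<victim id>, e.g. image.jpg.umbrecrypt_ID_b4500913
ENCRYPTED_RE = re.compile(r"^(?P<original>.+)\.umbrecrypt_ID_(?P<vid>[0-9A-Za-z]+)$")
# README_DECRYPT_UMBRE_ID_<victim id>.txt, one per affected folder
NOTE_RE = re.compile(r"^README_DECRYPT_UMBRE_ID_(?P<vid>[0-9A-Za-z]+)\.txt$", re.I)
# Contact addresses the article quotes from the ransom note
NOTE_ADDRESSES = ("umbredecrypt@engineer.com", "umbrehelp@consultant.com")
# Directories the article says are left unencrypted; resolved from the
# environment, so on a non-Windows host the set is simply empty
SKIPPED_VARS = ("SystemRoot", "PROGRAMFILES", "PROGRAMFILES(x86)", "ALLUSERSPROFILE")


def parse_encrypted_name(name):
    """Return (original_name, victim_id), or None if the name is not encrypted."""
    m = ENCRYPTED_RE.match(name)
    return (m.group("original"), m.group("vid")) if m else None


def skipped_roots():
    """Normalised absolute paths of the directories the ransomware skips."""
    return {os.path.normcase(os.path.abspath(os.environ[v]))
            for v in SKIPPED_VARS if os.environ.get(v)}


def scan(root):
    """Walk root and summarise encrypted files, ransom notes and victim IDs."""
    skip = skipped_roots()
    report = {"files_by_victim": defaultdict(list), "notes": [],
              "original_ext": Counter(), "note_mentions_contacts": False}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in skip:
            dirnames[:] = []          # mirror the ransomware: nothing below here
            continue
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            parsed = parse_encrypted_name(fn)
            if parsed:
                original, vid = parsed
                report["files_by_victim"][vid].append(full)
                report["original_ext"][os.path.splitext(original)[1].lower()] += 1
            elif NOTE_RE.match(fn):
                report["notes"].append(full)
                with open(full, "r", errors="replace") as fh:
                    if any(a in fh.read() for a in NOTE_ADDRESSES):
                        report["note_mentions_contacts"] = True
    report["files_by_victim"] = dict(report["files_by_victim"])
    return report


def build_sample_tree():
    """Create a constructed sample tree (not real victim data); returns its path."""
    root = tempfile.mkdtemp(prefix="umbre_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("image.jpg.umbrecrypt_ID_b4500913",
                 "notes.txt.umbrecrypt_ID_b4500913", "clean.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")
    with open(os.path.join(docs, "README_DECRYPT_UMBRE_ID_b4500913.txt"), "w") as fh:
        fh.write("Your files are encrypted. ID b4500913. "
                 "Write to umbredecrypt@engineer.com within 72 hours.\n")
    return root


def demo():
    """Scan the constructed tree; handy for a quick self-check."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    r = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for vid, files in r["files_by_victim"].items():
        print(f"victim ID {vid}: {len(files)} encrypted files")
    print("original extensions:", dict(r["original_ext"]))
    print("ransom notes:", len(r["notes"]),
          "(contacts present)" if r["note_mentions_contacts"] else "")
```

Run it with a drive or user-profile path as the first argument on the affected machine; with no argument it scans the constructed sample tree. Grouping by victim ID matters because the ID is what both the ransom note and the decrypter discussed below key on, and the extension counter tells you which file types were hit before you attempt any recovery.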

We recommend that you delete UmbreCrypt Ransomware immediately, because you cannot feel safe using your PC until you do so. You must understand that even if you remove this dangerous Trojan ransomware, it is possible that you will never be able to use your files again without the decryption key. However, you may be in luck, because there seems to be a decryption tool already available on the net. This decrypter can work out the key once you drop an unencrypted and an encrypted version of the same file onto the executable’s shortcut. This may be a lengthy process that can take as long as a couple of days, depending on your machine. When the decrypter finds the key, it displays it in a pop-up. You should then try to decrypt a few files first, just to check that it really works. With this tool it is possible that you will be able to restore your files and will not have to say goodbye to them in the end. All’s well that ends well, as they say.

Fortunately, this ransomware locks neither your screen nor your .exe files; therefore, there is no need for you to reboot your system in Safe Mode. You can actually eliminate this serious threat manually, but since this involves deleting registry keys, we suggest that you only follow our instructions below if you are an experienced computer user. If you want to make sure that you are protected against similar attacks, remember, first, to make a backup copy of your files regularly and, second, to install a decent anti-malware tool.

How to remove UmbreCrypt Ransomware from Windows

  1. Tap Win+R and enter regedit. Click OK.
  2. Locate and delete these registry values in the HKCU\SOFTWARE\Microsoft\Windows key:
    ChromeRandomAdress3264 (value data: “havuwifi.exe”)
    ChromeSettiings3264 (value data: “C:\Users\user\AppData\Roaming\ChromeSetings3264\{random name}.exe”)
    ChromeStarts3264 (value data: “C:\Users\user\AppData\Roaming\ChromeSetings3264\{random name}.exe”)
    MicrosoftUpd32 (value data: “dENx7zcCXtZSkoqHQUxNxBnA5aM2QvK7Ko6fLx2PrnwaKhG2kMmmv6IW9a5VwqKrzUW6LwBloHwWfLRv627KSaWHcXGP5FKVTyzmqRS5”)
  3. Locate and remove the following registry keys:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.umbrecrypt_ID_{unique user ID}
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.umbrecrypt_ID_{unique user ID}
  4. Exit the editor.
  5. Tap Win+E.
  6. Locate and remove %AppData%\ChromeSetings3264 folder.
  7. Locate and remove this file: C:\Windows\Tasks\SA.DAT.umbrecrypt_ID_{unique user ID}
  8. Empty your Recycle Bin.
  9. Restart your PC.
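Before deleting anything by hand, it helps to confirm which of the indicators in steps 2, 3, 6 and 7 are actually present on the machine. The following is an added example of such a read-only audit in Python; it is not the article's own tooling. The value names, key paths, folder and file names come from the steps above; the function names, the injectable env/exists/listdir parameters (so the path logic can be exercised on any system) and writing C:\Windows\Tasks as %SystemRoot%\Tasks are assumptions of this example. Registry checks use the standard winreg module and therefore run only on Windows; nothing is deleted.

```python
"""Read-only audit of the removal indicators listed above (added example).

Not the article's tooling. Indicator names come from the steps above; the
function names, the injectable env/exists/listdir parameters and the use of
%SystemRoot%\\Tasks for C:\\Windows\\Tasks are assumptions of this example.
Nothing here deletes anything.
"""
import ntpath
import re
import sys

# Step 2: value names under HKCU\SOFTWARE\Microsoft\Windows
VALUE_KEY = r"SOFTWARE\Microsoft\Windows"
VALUE_NAMES = ("ChromeRandomAdress3264", "ChromeSettiings3264",
               "ChromeStarts3264", "MicrosoftUpd32")
# Step 3: per-victim subkeys; the article shows the ID as {unique user ID}
KEY_PARENTS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts",
               r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs")
UMBRE_KEY_RE = re.compile(r"^\.umbrecrypt_ID_[0-9A-Za-z]+$", re.I)
# Steps 6 and 7: dropped folder and the renamed task file
FOLDER_TEMPLATE = r"%AppData%\ChromeSetings3264"
TASKS_TEMPLATE = r"%SystemRoot%\Tasks"          # assumption: C:\Windows as %SystemRoot%
TASK_FILE_PREFIX = "SA.DAT.umbrecrypt_ID_"


def expand(template, env):
    """Expand %VAR% references from env (os.environ on a real host)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), template)


def audit_filesystem(env, exists, listdir):
    """Return [(kind, path)] for the step-6 folder and step-7 file if present."""
    findings = []
    folder = expand(FOLDER_TEMPLATE, env)
    if exists(folder):
        findings.append(("folder", folder))
    tasks = expand(TASKS_TEMPLATE, env)
    if exists(tasks):
        for name in listdir(tasks):
            if name.lower().startswith(TASK_FILE_PREFIX.lower()):
                findings.append(("task_file", ntpath.join(tasks, name)))
    return findings


def audit_registry():
    """Windows only: list step-2 values and step-3 keys that exist; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg                      # standard library, Windows only
    findings = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, VALUE_KEY) as key:
            for name in VALUE_NAMES:
                try:
                    data, _ = winreg.QueryValueEx(key, name)
                    findings.append(("value", VALUE_KEY + "\\" + name, str(data)))
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    for parent in KEY_PARENTS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, parent) as key:
                index = 0
                while True:
                    try:
                        sub = winreg.EnumKey(key, index)
                    except OSError:        # no more subkeys
                        break
                    if UMBRE_KEY_RE.match(sub):
                        findings.append(("key", parent + "\\" + sub, ""))
                    index += 1
        except FileNotFoundError:
            pass
    return findings


if __name__ == "__main__":
    import os
    for item in audit_filesystem(os.environ, os.path.exists, os.listdir):
        print(*item)
    reg = audit_registry()
    print("registry: skipped (not Windows)" if reg is None else f"registry: {len(reg)} hit(s)")
    for item in reg or []:
        print(*item)
```

Run it in the affected user's session, since the values and keys live under HKCU; a clean run prints nothing for the file system and zero registry hits, while every hit it prints corresponds to one item you then remove in the numbered steps above. The value data is printed so you can compare it with the data shown in step 2 before deleting.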

UmbreCrypt Ransomware Screenshots: three screenshots of the infection (not reproduced in this text version).
