ViaCrypt Ransomware Removal Guide

ViaCrypt Ransomware was first spotted at the end of June 2017. It is a new ransomware-type malware that can secretly enter your PC and encrypt many of your personal, valuable files. Its objective is to extract money from you by offering you to purchase a decryption key. However, the price may be too high, or you might not get the promised key, so our recommendation is to remove this program altogether. If your computer has been infected with this particular ransomware and you want to find out more about it, please read this short description which contains information on its distribution functionality and removal methods.

While there is no definitive answer to how this ransomware's developers disseminate it, we believe that ViaCrypt Ransomware is likely to come in email spam. Email spam is the most popular ransomware dissemination platform due to its effectiveness if it is done right. The main executable of this ransomware can be attached to the email. Also, the executable can masquerade as a DOC or PDF file as the creators of this ransomware can add a fake file extension before the original to give the impression that this ransomware is a document and not an executable application. The text inside the emails does not really matter as it is often subject to change, but we have observed some trends over the years. Hence, the emails can be disguised as tax return forms, receipts, invoices, business correspondence, and so on. Furthermore, it is also possible that its developers have somehow got ViaCrypt Ransomware bundled with pirated software that you can encounter on unreliable pirated software hosting websites. This ransomware can be injected by the installers, but it is also likely that you can find it bundled with keygens and cracking tools. Now let us see how this program works.

Once this ransomware is launched, it will start encrypting your files. It can encrypt many of your most valuable files such as pictures, videos, documents, and so on and then demand that you pay a ransom to restore them. This ransomware should append the encrypted files with a “.via” file extension, but the tested sample did not do that. Also, the file names remain the same, as this ransomware does not change them. Once it has finished encrypting your files, it drops a ransom note "your system has been encrypted! please read further instruction!.txt." The note contains five steps on how to get your files back and one of them requires you to visit http://sigmalab{.}lv/other/crypt/payment_request.php, a Latvian-based website. We have observed that this ransomware was created by Latvian-based cyber criminals as all of the text on the aforementioned website is in the Latvian language. However, the information provided in the ransom note is in English only.

We also want to point out that ViaCrypt Ransomware drops an additional executable file named crawl.exe in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup abs %USERPROFILE%\Desktop. This executable is required to decrypt your files once you have paid the ransom. Another file named “your_encryption_public_key.rkf” is also dropped on the desktop. This file contains the public encryption key that must correspond with the decryption key for your files to be decrypted.

ViaCrypt Ransomware is like many other ransomware-type computer infections that seek to infect your computer secretly and then encrypt your files and ask for money in return for a decryption key. While you can risk paying the ransom, we do not recommend you do it because you cannot trust cyber criminals to keep their word. Use the removal guide below or an anti-malware application such as SpyHunter to delete this program safely.

How to delete ViaCrypt Ransomware

1. Right-click this ransomware’s executable from where you launched it.
2. Then, Press Windows+E keys.
3. Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup in the address box and hit Enter.
4. Locate and delete "crawl.exe"
5. Go to the desktop and delete the second copy of "crawl.exe"
6. Then, delete "your_encryption_public_key.rkf" and "your system has been encrypted! please read further instruction!.txt"