VIRUS Ransomware Removal Guide

If VIRUS Ransomware attacks your operating system and your personal files, you should start seeing the “.id-{unique code}.[amandacerny89@aol.com].VIRUS” extension everywhere you look. This extension should be added to your photos, documents, and various other kinds of personal files. Unfortunately, this extension signifies that your personal files cannot be read, and that is because they were encrypted. The dangerous ransomware can do that using a unique algorithm, and it was not yet deciphered at the time of research. It is possible that it will not be deciphered at all. Most ransomware infections remain undecryptable, and that is why keeping your system and your personal files protected is extremely important. Hopefully, if this malware got in, you at least have backup copies of your personal files. In that case, once you delete VIRUS Ransomware, you should be able to put the backups in place of the corrupted files. Unfortunately, if backups do not exist, even if you remove malware successfully, you will remain stuck.

According to our malware experts, VIRUS Ransomware is most likely to invade Windows operating systems via emails or downloaders. Remember that cybercriminals can create highly convincing email messages and exploit vulnerable or malicious bundled downloaders, and if you are not careful, you yourself could end up executing the launcher of the infection. Once it obtains an encryption key, the personal files on your operating system are encrypted mercilessly. VIRUS Ransomware is part of the Crysis Ransomware (Dharma Ransomware) family, and it is a clone of hundreds of file-encrypting threats, some of which include 3442516480@qq.com Ransomware, Start Ransomware, and Uta Ransomware. All of these spread in a similar manner, and so whenever you open strange messages or decide to download new files, you need to remember that there are thousands of infections that could be hiding. If the “amandacerny89@aol.com” window shows up on your screen, you can know for sure that it is too late to protect your operating system against VIRUS Ransomware because it has already encrypted all of your personal files.

VIRUS Ransomware uses the window to introduce you to a message. This message informs that files were encrypted, that a security problem was used, that you need to contact cybercriminals within 24 hours (using amandacerny89@aol.com or homer89263@hotmail.com), and that you need to pay a ransom in Bitcoins to obtain a decryptor. It is stated that the tool that cybercriminals, allegedly, can provide you with is the only tool that can help you. Can you trust cybercriminals? Not really. A file named “FILES ENCRYPTED.txt” is also created to reintroduce you to the same email addresses. If you sent a message, the attackers behind VIRUS Ransomware would immediately introduce you to an exact ransom and the payment details. Although they promise to give you a decryptor in return, you have to judge for yourself how trustworthy these promises can be. Our research team does not trust anything that cybercriminals say because we know that their only goal is to make money, and telling a lie or two to reach the goal is just another instrument at their disposal.

Do you own backups? We hope that you do because, in this case, you have an easy way out. First, you have to remove VIRUS Ransomware, and then you can move on to replacing the corrupted files with backup copies. If you have not created copies of your personal files, you are stuck, and, unfortunately, we cannot offer you anything at this point. Perhaps, a free decryptor will be created or leaked in the future, but we cannot predict anything right now. As for the removal, it is easiest to have VIRUS Ransomware deleted if you employ anti-malware software. This software can detect and delete all malicious components automatically. If you do not want to use such software – which is a shame because it can help you protect your system in the future – you have to delete the ransomware manually. Since we cannot know the exact location or name of the launcher file, we cannot predict whether or not you will be able to succeed on your own.

How to delete VIRUS Ransomware

1. Delete all suspicious files that you might have downloaded recently.
2. Delete the ransom note file called FILES ENCRYPTED.txt.
3. Launch Run (tap Win+R keys) and enter regedit into the dialog box.
4. In Registry Editor, follow to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
5. Delete 3 unique values that point to ransomware Info.hta and {random}.exe files in step 7.
6. Launch Windows Explorer (tap Win+E keys).
7. Check these locations (enter into the field at the top one by one) and Delete ransomware Info.hta and {random}.exefiles:
   • %APPDATA%
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %WINDIR%\System32\
8. Exit Registry Editor and Explorer and then Empty Recycle Bin.
9. Download a legitimate malware scanner and use it to check your system for leftovers.