Wiki Ransomware Removal Guide

Category: Trojans

Threats from the Dharma/Crysis Ransomware family keep appearing: our researchers have come across a new variant called Wiki Ransomware. This new version acts more or less the same as other threats from that family. If you want to learn how such malicious applications behave and what can be expected from them, we invite you to read our full report. In the article, we also discuss where the malware might come from and how it can be erased. If you feel up to the task, you can try to remove Wiki Ransomware manually by following the instructions provided below. We recommend that inexperienced users employ a reliable security tool capable of dealing with such threats. Should you have any questions or need any help with the malware’s deletion, do not hesitate to comment below the article.

Probably the most common cause of receiving a threat like Wiki Ransomware is careless behavior. To be more precise, victims of such malicious applications often get tricked into launching their installers. Such files can be sent to targeted victims via email, or they might be spread through unreliable file-sharing websites, advertisements, and so on. Thus, users should be careful with all files that come from unreliable sources. It is best to avoid opening any data that you do not know for sure to be safe. However, if you feel you have to launch a questionable file, make sure that you first scan it with a legitimate antimalware tool. Such a tool should be able to tell if a file has any malicious components. If it does, your chosen tool should be able to help you get rid of the malicious file safely.

Like other infections from the Dharma/Crysis Ransomware family, the new variant should encrypt files, such as documents and pictures, with a strong encryption algorithm. Because of this, affected files become unavailable and can only be restored with special decryption tools. Such files ought to have a second extension of the form .id-{random characters}.[bitlocker@foxmail.com].wiki, for example, document.docx.id-B4A6FEC6.[bitlocker@foxmail.com].wiki. Eventually, the malicious application ought to open a pop-up window with a picture of a golden lock. It should show a message from the malware’s developers. According to it, all files have been encrypted by Wiki Ransomware, and they can only be restored with decryption tools purchased from the threat’s developers. There is no payment information, as the user is asked to contact the hackers via email for further instructions. Their email address should also be given in text files called FILES ENCRYPTED.txt that could be scattered among directories containing encrypted files.

Needless to say, it is impossible to tell if the hackers mean to keep their promises. In other words, dealing with them is risky and could end badly. If you do not want to take any chances, we advise not following the instructions the hackers left. Also, we recommend deleting Wiki Ransomware, as leaving it on your system could be dangerous. As mentioned before, there are a couple of ways to get rid of this malicious application. The first one is to erase Wiki Ransomware manually by following the deletion guide provided below. The other option is to get a reputable antimalware tool, complete a full system scan, and delete any detected threats by pressing the tool’s removal button.

Get rid of Wiki Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Pick Task Manager.
  3. Select the Processes tab.
  4. Look for a process associated with the malware.
  5. Select the process and click End Task.
  6. Leave Task Manager.
  7. Tap Win+E.
  8. Go to these locations:
    %TEMP%
    %USERPROFILE%\Downloads
    %USERPROFILE%\Desktop
  9. Find the malicious file opened before the system got infected, right-click it, and select Delete.
  10. Navigate to these paths separately:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    %WINDIR%\System32
    %APPDATA%
  11. Search for files named Info.hta, right-click them and select Delete.
  12. Navigate to these paths:
    %WINDIR%\System32
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  13. Identify malicious executable files, e.g., file.exe; right-click them and choose Delete.
  14. Erase files called FILES ENCRYPTED.txt.
  15. Close File Explorer.
  16. Tap Win+R.
  17. Type Regedit and press Enter.
  18. Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  19. Identify the malware’s created value name, e.g., file.exe, right-click this value name, and press Delete.
  20. Locate this directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  21. Find the malicious application’s created key, e.g., mshta.exe, right-click it, and select Delete.
  22. Close Registry Editor.
  23. Empty Recycle Bin.
  24. Restart the computer.
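
Added example (not part of the original guide): a read-only Python script that scopes an infection before the manual steps above by parsing the appended extension the article describes, listing the dropped FILES ENCRYPTED.txt and Info.hta files under a folder, and printing the HKCU Run values for review. The function names and the alphanumeric ID pattern are assumptions; nothing is deleted, and off Windows the Run-key listing returns an empty list.

```python
import os
import re

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

# <original name>.id-<ID>.[<contact email>].wiki, the form the article describes.
# Assumption: the ID is alphanumeric (the article's sample is B4A6FEC6).
ENCRYPTED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<contact>[^\]]+)\]\.wiki$", re.IGNORECASE)
NOTE_NAMES = {"files encrypted.txt", "info.hta"}  # artifacts named in the guide
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = "document.docx.id-B4A6FEC6.[bitlocker@foxmail.com].wiki"  # article's example

def parse_encrypted_name(name):
    """Split an encrypted file name into its parts, or return None if no match."""
    m = ENCRYPTED.match(name)
    return m.groupdict() if m else None

def scan_tree(root):
    """Walk root without modifying it; collect encrypted files and dropped notes."""
    report = {"encrypted": [], "notes": [], "victim_ids": set()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            parts = parse_encrypted_name(name)
            if parts:
                report["encrypted"].append(path)
                report["victim_ids"].add(parts["victim_id"].upper())
            elif name.lower() in NOTE_NAMES:
                report["notes"].append(path)
    return report

def run_key_values():
    """Return (name, command) pairs under HKCU Run for manual review."""
    if winreg is None:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _type = winreg.EnumValue(key, i)
            values.append((name, str(data)))
    return values

if __name__ == "__main__":
    print(parse_encrypted_name(SAMPLE))
    report = scan_tree(os.path.expanduser("~"))  # read-only walk of the profile
    print(len(report["encrypted"]), report["notes"], run_key_values())
```

The original file name recovered by parse_encrypted_name is useful for matching encrypted files against backups; the Run values still have to be judged by eye, as in steps 18 to 21.
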