AIR Ransomware

What is AIR Ransomware?

AIR Ransomware was created to encrypt files. Unfortunately, it can encrypt 181 different types of files, among which we have .doc, .docx, .png, .gif, .raw, .jar, .java, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der, .dat, and many other types. When files are encrypted, they cannot be restored manually. Furthermore, tools that could do it automatically did not exist at the time of research. In some cases, free decryptors are created to crack the encryptors used by malware, but that does not happen too often. If you decide to look for a tool like that, make sure that you are careful because it is possible that you could end up installing something that is not only useless but also malicious. As you might have figured out yourself, you cannot restore files by removing AIR Ransomware. Nonetheless, you want to delete this infection, and you want to get it done fast. Anti-Spyware-101.com research team has analyzed this malware for you, and we are ready to assist you.

How does AIR Ransomware work?

AIR Ransomware is not unlike Start Ransomware, Nols Ransomware, 3442516480@qq.com Ransomware, Kiss Ransomware, and other recently reported file-encrypting infections. All of them attack operating systems, encrypt files, and then make demands. When it comes to the attack, it is likely that you could face AIR Ransomware via email because that is how most file-encryptors are spread. The attacker creates a misleading message, attaches the launcher as a harmless-looking file, and then sends it randomly to thousands of targets. Bundled downloaders could be used too, and we have also seen infections spreading with the help of Trojans or remote-access vulnerabilities. When AIR Ransomware is executed, it immediately moves itself to the %WINDIR% directory. This is done silently, and if you do not know to check this location, you are unlikely to be capable of deleting this malware manually. The threat also drops two files: %WINDIR%\Tulips.jpg and TRY_TO_READ.html (on the Desktop). These three elements – including the launcher file – are the ones that you need to remove from your operating system.

Even though AIR Ransomware avoids files located in the folders that are named "Content.IE5," "Default," "Intel," "Local Settings," "Microsoft," "NVIDIA," "ProgramData," "Program Data," and "Windows," it can encrypt most of your personal files. After encryption, the ".[random number].ex_parvis@aol.com.AIR" extension is added to their names. This is what makes the messages represented using Tulips.jpg and TRY_TO_READ.html files more believable. The .jog file replaces the Desktop wallpaper, and the .html file is dropped on the Desktop. Both of them state this: “I am truly sorry to inform you that all your important files are encrypted.” The messages also list ex_parvis@aol.com, ex_parvis@tutanota.com, and ex_parvis@protonmail.com email addresses, which you are instructed to send messages to if you want to have your files decrypted. Well, if you send a message, you will not only expose yourself, but you will also be instructed to pay money in return for a decryptor, and if you think that that is a good deal, you are mistaken. If you pay the ransom, you are likely to get NOTHING in return, and so you need to figure out if you want to take risks. We suggest that you do not because we fear that you will lose money for no reason.

How to remove AIR Ransomware

AIR Ransomware deletes shadow volume copies, which means that you cannot restore files using an internal backup. That is why we do not recommend using such backup. Instead, we recommend using online clouds or external drives to store copies of your personal files. If you have copies stored safely, you can replace the corrupted files, and you have an easy way out of this very messy situation. If you do not have backups, we do not have an effective solution for you yet, but we do not recommend paying the ransom anyway because we really do not believe that that would work out for you the way you image it. Hopefully, that is not something you need to worry about at all. Of course, first and foremost, you need to delete AIR Ransomware, and we hope that you can do that manually, using the guide below. If you want to protect your system, you should install anti-malware software, and if that is the path you choose, you do not need to worry about the removal of the threat because the software will get rid of it automatically.

Removal Guide

1. Go to the Desktop and Delete the file named TRY_TO_READ.html.
2. Simultaneously tap Win+E keys and Windows Explorer will appear.
3. Enter %WINDIR% into the field at the top to access the directory.
4. Delete the malicious {random letters}.exe file and a file named Tulips.jpg.
5. Empty Recycle Bin and then set a desired wallpaper.
6. Install and employ a trusted malware scanner to check for leftovers. Download Removal Tool100% FREE spyware scan and
   tested removal of AIR Ransomware*