CryptoMeister Ransomware

What is CryptoMeister Ransomware?

Our cyber security experts have recently analyzed a new ransomware-type computer infection called CryptoMeister Ransomware. This program was designed to encrypt your files and then ask you to pay money to decrypt them. Needless to say, paying the ransom is risky as this ransomware’s developers might not decrypt your files once you have paid. All they care about is extracting money from you, and they are not concerned about what will happen once you do. Therefore, you ought to remove it. This particular ransomware is tailored to French-speaking computer users so if you live in a French-speaking country, then you may want to read this article.testtest

What does CryptoMeister Ransomware do?

Once this ransomware has infected a computer, it will terminate the explorer.exe processes and render its ransom note. The ransom note is in French only, and it features five steps on how to purchase Bitcoins and pay the ransom. This particular ransomware asks you to pay 0.1 BTC. After rendering the ransom note, this ransomware will secretly download the Tor browser to %APPDATA%. The browser file will be named rnsm_tor. The Tor browser is set to connect to wcn3a2igdpgxxlsg.onion and jop76omwbjfttasu.onion sites. However, both of these sites are currently down, and it is unknown if they will come back online.

The good news is that CryptoMeister Ransomware does not encrypt files immediately after encryption. There is a 10 minute delay, and if you act quickly enough, then you might be able to delete this ransomware and not suffer the consequences of your files being permanently encrypted, provided that you do not pay the ransom. Once the 10 minutes have passed, this ransomware will begin encrypting your files with the AES encryption algorithm. This algorithm is very strong, and there is currently no decryption tool for the unique keys that CryptoMeister Ransomware uses. Once the encryption is complete, it will delete one of your files every 10 minutes to compel you to pay the ransom. If you want to get rid of this malicious program, then you can terminate its process in Task Manager or press Alt+F4 on your keyboard, relaunch explorer.exe and proceed to eradicate this ransomware manually or with an anti-malware tool.

Where does CryptoMeister Ransomware come from?

Our malware analysts at Anti-spyware-101.com think that this particular ransomware is most likely distributed using multiple distribution methods. They say that it can be distributed via email spam that contains this ransomware in an attached file. It can also be distributed using fraudulent downloads, infected websites with injected security exploits, web injects, fake updates and repacked infected installers. However, we want to note that not all of these methods may be used and certainly all at the same time.

Researchers say that regardless of the distribution method used, this ransomware will drop its main executable named rnsm.exe at %APPDATA%. Furthermore, it will inject a Point of Execution (PoE) subkey in Windows Registry which will enable it to start with Windows automatically. The subkey value name is rnsm, and it is injected in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and you should get rid of it just in case after erasing the main executable file.

How do I remove CryptoMeister Ransomware?

Without a doubt, CryptoMeister Ransomware is one dangerous computer infection that you need to deal with a soon as possible, preferably within 10 minutes of it infecting your PC as you will be able to save your files from being encrypted. You have two possible options: you can terminate the ransomware, launch explorer.exe and download an anti-malware program such as SpyHunter to delete it for you or remove it manually using our guide. Please see the guide below for more information.

Remove CryptoMeister Ransomware manually

  1. Hold down Ctrl+Alt+Del.
  2. Select Task Manager and go to Processes.
  3. Find rnsm.exe, right-click it and click End process.
  4. Then, click File and select Run.
  5. Type explorer.exe and press Enter.
  6. Close the Task Manager.
  7. Then, hold down Windows+E keys.
  8. Type %APPDATA% in the address bar and hit Enter.
  9. Locate nsm.exe and rnsm_tor
  10. Right-click them and click Delete.
  11. Close File Explorer.

Delete the registry entry

  1. Press Windows+R keys.
  2. Type regedit in the box and hit Enter.
  3. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. Find rnsm subkey and delete it.
  5. Empty the Recycling Bin. 100% FREE spyware scan and
    tested removal of CryptoMeister Ransomware*
Disclaimer
Disclaimer

Leave a Comment

Enter the numbers in the box to the right *