Decrypme Ransomware

What is Decrypme Ransomware?

Decrypme Ransomware goes after the most valuable part of your system: your personal files. Whether it is a wedding video, a work document, or a childhood photo, this malicious infection can take the file and change its data to render it unreadable. The ransomware does not encrypt files with the .decryptme, .dll, .encrypted, .exe, .ini, .lnk, .rdp, and .sys extensions, but these extensions do not represent personal files, and the infection is not interested in those. It also deliberately avoids system files by skipping every folder found in the following locations: \AppData, \Application Data, \intel, \nvidia, \Program Files, \Users\All Users, \Windows, allusersprofile, programdata, programfiles(x86), systemdrive, userprofile, and windir. Leaving the operating system bootable is what lets the victim read the ransom note and pay. If the infection encrypted system files, the problem would be far easier to resolve, because the operating system can be reinstalled, but personal files cannot be replaced unless backups exist. If backups exist, you have nothing to worry about besides deleting Decrypme Ransomware.

How does Decrypme Ransomware work?

Anti-Spyware-101.com research team has found that Decrypme Ransomware is a new version of an old infection, MedusaLocker Ransomware. Both threats are believed to spread using spam emails or by exploiting remote access vulnerabilities. When it comes to emails, you have to look out for strange messages from unknown or unexpected senders that carry attachment files. These files might look harmless, but they might be the launcher of the ransomware. Once the file is executed, Decrypme Ransomware goes to work immediately. As we have discussed already, it encrypts files, after which the ".decrypme" extension is appended to their original names, and it also attempts to terminate processes and delete shadow volume copies. When it comes to processes, the threat is likely to terminate those that are associated with antivirus tools, malware removers, scanners, and Windows utilities. When it comes to shadow volume copies, the threat deletes them so that victims cannot restore previous versions of their files with the backup and recovery tools built into Windows. Of course, this does not affect external or online backups that the malware cannot reach.
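The shadow copy deletion described above is one of the few loud things this family does before encryption finishes, so it is worth detecting. The following PowerShell is an added example, not code from the article or from the malware: it runs a small set of command-line patterns over constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688 fields. The article does not name the exact commands the ransomware uses; the vssadmin, wmic and Win32_ShadowCopy patterns, the sample events and the svchostt.exe parent path are assumptions drawn from common ransomware tradecraft and from the removal steps later on this page.

```powershell
# Added example (not from the original article): flag process-creation events whose
# command line deletes Volume Shadow Copies. The command-line patterns are assumptions
# based on common ransomware behaviour, not on the article.

# Constructed sample events (Sysmon Event ID 1 / Security 4688 style fields).
$SampleEvents = @(
    [pscustomobject]@{ Time='2020-01-10T09:01:02'; Image='C:\Windows\System32\vssadmin.exe'
        ParentImage='C:\Users\alice\AppData\Roaming\svchostt.exe'
        CommandLine='vssadmin.exe delete shadows /all /quiet' },
    [pscustomobject]@{ Time='2020-01-10T09:01:03'; Image='C:\Windows\System32\wbem\WMIC.exe'
        ParentImage='C:\Users\alice\AppData\Roaming\svchostt.exe'
        CommandLine='wmic.exe shadowcopy delete' },
    [pscustomobject]@{ Time='2020-01-10T09:15:00'; Image='C:\Windows\System32\vssadmin.exe'
        ParentImage='C:\Windows\explorer.exe'
        CommandLine='vssadmin.exe list shadows' },
    [pscustomobject]@{ Time='2020-01-10T09:20:00'; Image='C:\Windows\System32\notepad.exe'
        ParentImage='C:\Windows\explorer.exe'
        CommandLine='notepad.exe C:\Users\alice\Desktop\HOW_TO_OPEN_FILES.html' }
)

# Patterns that indicate shadow-copy destruction, not mere enumeration ("list shadows").
$ShadowDeletePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)'
)

function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($p in $ShadowDeletePatterns) {
            if ($e.CommandLine -imatch $p) {
                # A parent process running out of a user-writable directory (where the
                # article says this family drops svchostt.exe) raises the severity.
                $fromUserDir = $e.ParentImage -imatch '\\AppData\\|\\Users\\[^\\]+\\(Desktop|Downloads|Documents)\\'
                [pscustomobject]@{
                    Time        = $e.Time
                    Parent      = $e.ParentImage
                    CommandLine = $e.CommandLine
                    Severity    = $(if ($fromUserDir) { 'High' } else { 'Medium' })
                }
                break   # one finding per event is enough
            }
        }
    }
}

# Two of the four constructed events match, both rated High because the parent
# is an executable in the user's AppData folder.
Test-ShadowCopyDeletion -Events $SampleEvents | Format-Table -AutoSize
```

In a real deployment the `$SampleEvents` array would be replaced with `Get-WinEvent` output from the Sysmon operational log or Security log, and a High finding should trigger host isolation rather than just a report, since by the time the shadow copies are being deleted the encryption loop is usually already running.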

A file named "HOW_TO_OPEN_FILES.html" is created by Decrypme Ransomware to make it clear to the victims what the attackers want. It is made obvious that they want money, because they propose producing a decryption tool if the victim agrees to obey certain demands. These include initiating a conversation via mrromber@cock.li or mrromber@tutanota.com and then paying a ransom. Whether it is too big for you to pay or too small for you to even care, our research team does not recommend wasting your savings on cybercriminals. Unfortunately, if you agree to pay the ransom, you are unlikely to get anything in return for it. The ransom note suggests that the attackers can guarantee full decryption by decrypting one file for free. They usually can decrypt one file, but that demonstrates capability, not intent, and it is bait to make you want to pay the full ransom. The Decrypme Ransomware ransom note also warns that attempts to change files manually would result in a complete loss of all data. That is just another scare tactic to make you act the way the attackers want you to act. Hopefully, you have external/online backups, and cybercriminals cannot intimidate you into doing anything risky.

How to delete Decrypme Ransomware

You must remove Decrypme Ransomware because it is a tool that can help cybercriminals hijack your personal files, terminate processes, delete backups, and do other damage. In the best case scenario, you will find and delete Decrypme Ransomware right away, but even if you discover this infection after all of your personal files are corrupted, you still need to perform removal. After you take care of that, you can use backups to replace the files, if that is an option, and, of course, secure your operating system. So, how can you remove the infection? There are several options, but we want to talk about the two main ones that victims of ransomware usually choose from. The first one is to get rid of the infection manually. The guide below might be able to assist you, but only if you can follow the steps. Another option, and the one we recommend, is to install anti-malware software. We recommend it because this software can both clean and protect the system at the same time, and further protection is crucial.

Removal Instructions

  1. If you can locate the malicious file that launched the threat, delete it.
  2. Find the ransom note file named HOW_TO_OPEN_FILES.html and delete it.
  3. Access Explorer (tap Win+E keys at the same time) and enter %APPDATA% into the field at the top.
  4. Delete the malicious file called svchostt.exe (note the double "t"; the legitimate Windows svchost.exe lives in \Windows\System32, not in %APPDATA%, and must not be deleted).
  5. Access Run (tap Win+R keys at the same time) and enter regedit into the Open box.
  6. In Registry Editor, move to HKEY_CURRENT_USER\Software\.
  7. Find the key named Medusa and delete it.
  8. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  9. Find the value named svchostt and delete it.
  10. Empty Recycle Bin and then use a malware scanner to examine the system for leftovers.
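Steps 2 through 10 can be scripted so that the artifacts are first listed, and only deleted once you have confirmed the findings. The PowerShell below is an added example, not code from the article: it hunts for the indicators named in the steps above (the svchostt.exe file in %APPDATA%, the HKCU\Software\Medusa key, the svchostt Run value, the ransom note, and .decrypme files) and removes the first four only when run with -Remove. It assumes the dropped binary runs as a process also named svchostt and that the ransom note may exist in more than one folder; both are assumptions, not facts from the page. The launcher from step 1 has no fixed name or location and still has to be found by hand.

```powershell
# Added example (not from the original article): list, and optionally remove, the
# Decrypme Ransomware artifacts named in the removal steps. Read-only unless -Remove
# is passed. Assumption: the dropped binary's process is also named "svchostt".
param([switch]$Remove)

$Findings = New-Object System.Collections.Generic.List[string]

# Step 4: dropped binary in %APPDATA%, and any process started from it.
$Dropper = Join-Path $env:APPDATA 'svchostt.exe'
if (Test-Path -LiteralPath $Dropper) {
    $Findings.Add("Dropper present: $Dropper")
    if ($Remove) {
        Get-Process -Name 'svchostt' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -LiteralPath $Dropper -Force
    }
}

# Steps 8-9: Run-key persistence.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunVal = Get-ItemProperty -Path $RunKey -Name 'svchostt' -ErrorAction SilentlyContinue
if ($RunVal) {
    $Findings.Add("Run value: svchostt = $($RunVal.svchostt)")
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name 'svchostt' -Force }
}

# Steps 6-7: the family's own registry key.
$MedusaKey = 'HKCU:\Software\Medusa'
if (Test-Path -LiteralPath $MedusaKey) {
    $Findings.Add("Registry key: $MedusaKey")
    if ($Remove) { Remove-Item -LiteralPath $MedusaKey -Recurse -Force }
}

# Step 2: ransom notes, which the malware may drop in several folders (assumption).
$Notes = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue `
                       -Filter 'HOW_TO_OPEN_FILES.html'
foreach ($n in $Notes) {
    $Findings.Add("Ransom note: $($n.FullName)")
    if ($Remove) { Remove-Item -LiteralPath $n.FullName -Force }
}

# Scoping only: encrypted files are counted, never deleted. Without a backup they are
# the only copy of the data, and a future decryptor would need them intact.
$Encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue `
                           -Filter '*.decrypme'
$Findings.Add("Encrypted files (.decrypme) found: $($Encrypted.Count)")

$Findings | ForEach-Object { Write-Output $_ }
if (-not $Remove) {
    Write-Output 'Read-only run; re-run with -Remove to delete the artifacts listed above.'
}
```

Run it first without -Remove from a normal user session (the artifacts live under HKCU and the user profile, so no elevation is needed for the hunt), review the output, then run it again with -Remove. Step 10 still applies afterwards: a full scan with a reputable anti-malware tool catches anything the manual indicators miss, such as a launcher dropped under a different name.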