Defender Ransomware

What is Defender Ransomware?

Whoever created Defender Ransomware truly has no regard for virtual privacy. This infection corrupts files found on the infected operating system by encrypting data within them. Most other threats of this kind demand a ransom in return of a file decryptor or a decryption key (e.g., LockMe Ransomware or Xorist-Frozen Ransomware). Of course, in most cases, the cyber crooks behind these threats have no intention of keeping their promises and providing the victims with the decryption tools. In reality, decrypting files corrupted by ransomware is usually impossible. The surprising thing is that the threat we are discussing in this report does not even make a request to pay the ransom. On the contrary, the notification represented via a file (“Defender_Ransomware.txt”) created by the infection informs that “THIS RANSOMWARE IS NOT DECRYPTABLE.” Needless to say, the only thing that anyone can do is delete Defender Ransomware. You can scroll to the bottom to find a guide that explains how to remove this malicious infection, but we suggest reading the report first to learn more.test

How does Defender Ransomware work? malware research team does not have a lot of information about the suspicious Defender Ransomware, and that is because this threat appears to be a testing toy in the hands of cyber criminals. It is possible that the current version of this malicious infection will evolve into something much bigger and more aggressive in the future, but, at this point, we cannot even know if this threat is spread at all. If it was spread, it possible that it would be distributed with the help of misleading spam emails, but other methods of distribution could be employed as well to disperse the infection even more. From what we have gathered, when the infection’s .exe file is executed on the system, Defender Ransomware can create a copy in the %Temp%\Cache\ folder. In the sample we tested, the copy file was named “MpCmdRun.exe,” and the folder was hidden to ensure that the victims would not remove it. The only other file created by the threat is the TXT file, “Defender_Ransomware.txt.” According to our research, it is downloaded from, and then it is placed in four different folders.

Desktop, Documents, Music, and Videos folders in the %USERPROFILE% directory are where you will find the “Defender_Ransomware.txt” file. These folders are not chosen randomly. It was found that the devious Defender Ransomware encrypts files found in them and their subfolders. The AES encryption is employed for the process, and, once it is finished, the word “.defender” should be appended to the names of all corrupted files. If you discover this, there is no doubt that malicious files of the devious ransomware can be found on your operating system. You need to remove them as soon as possible because they could be used to download files – which is exactly how the TXT file is downloaded – and perform other malicious actions. If you were exposed to a different version of this malware, and a ransom was demanded, paying it is not recommended. All in all, at the moment, this is not a demand at all, and there is nothing that should make you postpone the removal of Defender Ransomware.

How to delete Defender Ransomware

It is possible that Defender Ransomware is not the only threat that exists on your Windows operating system. You can install a malware scanner to help you inspect your system and determine what is truly going on. What should you do if several threats were found? Regardless of the situation, installing anti-malware software is always the best option because it simultaneously erases malware and reinforces Windows protection to keep malicious threats away in the future. However, if you decide that you can protect your system yourself and that you want to remove Defender Ransomware manually, we have created a guide that shows how to eliminate this malicious file-encrypting threat from your own Windows operating system. Note that the original .exe file that is responsible for launching the threat has a unique name, and its location is unknown. If you cannot find and delete this file, you might have no other option but to employ automated anti-malware software.

Removal Guide

  1. Delete the {unknown launcher name}.exe file that launched the ransomware.
  2. Simultaneously tap keys Win+E to access Explorer.
  3. Enter %TEMP% into the bar at the top and then click the Organize button (at the top).
  4. Click Folder and Search options and then click the View tab.
  5. Select Show hidden files, folders, or drives and then click Apply.
  6. Go back to the %TEMP% directory, open the Cache folder, and then Delete the copy file, MpCmdRun.exe.
  7. Enter %USERPROFILE% into the bar at the top.
  8. Go to Desktop, Documents, Music, and Videos folders and Delete the Defender_Ransomware.txt file.
  9. Simultaneously tap Win+R keys to launch RUN and then enter regedit.exe into the dialog box.
  10. In Registry Editor move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  11. Delete the value named MpCmdRun.
  12. Empty Recycle Bin to get rid of all malicious ransomware components.
  13. Install a legitimate malware scanner to scan your system and check if you need to remove anything else. 100% FREE spyware scan and
    tested removal of Defender Ransomware*

Stop these Defender Ransomware Processes:


Leave a Comment

Enter the numbers in the box to the right *