What is Ransomware?

Ransomware is a dangerous threat that appeared on the web only recently, but that does not mean it has no roots. Like another recently emerged ransomware program called Ransomware, this threat is built on the well-known CrySIS Ransomware engine. If it slips onto your computer, there is a good chance that you will lose access to most of your files, because they get encrypted with an algorithm that is practically impossible to crack. It may seem that your only chance to use your files again is to contact the criminals behind the attack and pay the ransom they demand, but we advise against it because there is no guarantee that you will get anything in return. You should also know that, at present, there is no free tool that can decipher the files, so apart from a clean backup you have no other way to recover them. Still, we believe the most important thing is to remove Ransomware the moment you notice its vicious work on your computer.

Where does Ransomware come from?

Our malware researchers report that this infection is mostly distributed in spam campaigns. In other words, you most likely opened a fake e-mail with a malicious attachment that convinced you of its urgency and legitimacy. The criminals use believable sender addresses to fool spam filters and users alike, impersonating Internet providers, parcel delivery services, airlines, hotels, and so on, and they pair them with convincing subject lines that suggest an important issue you need to settle right away: an unpaid invoice, a wrongly made booking, a mis-delivered parcel, and the like. The attachment looks like an image or text document, but it is in fact an executable that downloads this ransomware in the background and activates it without your knowledge. Check the real type of an attachment before opening it: Windows hides known file extensions by default, so a file shown as "invoice.txt" may really be "invoice.txt.exe". So if you have always assumed that spam filters would save you from such dangers, think again.

The truth is that removing Ransomware does not undo the damage: by the time you notice its presence, the encryption is already finished. Removal is still the only way to secure your computer, even if it means your files stay encrypted. This sounds disappointing, and the decision is yours, but you do have a chance in fact. If you regularly save your files to an external HDD, you can copy the clean files back to your computer. Two caveats: a drive that was connected during the attack may have been encrypted as well, so keep backup drives disconnected when not in use, and delete Ransomware before you plug the backup in, or the restored files will be encrypted again.

What does Ransomware do?

This infection appears to belong to the same family that gave birth to Redshitline Ransomware and Ransomware, among others. It uses the RSA-2048 algorithm to encrypt your files the moment it is activated. It targets the usual file types: documents, photos, videos, databases, and program files. When it finishes with a file, it keeps the original name and appends an ".id-B4500913.{}.xtbl" extension, where "B4500913" is a unique ID; the original name in front of the suffix is what tells you which file to restore from backup. The threat also drops a file called "Decryption instructions.txt" in every affected folder, containing the same information that appears on your desktop once its wallpaper is replaced.

This is the moment you realize what has happened. You are told to send an e-mail to "" and, if you get no reply within 24 hours, to try "" as well. After contacting the crooks you should get the ransom amount and payment details, most likely a Bitcoin wallet address together with instructions on how and where to buy Bitcoins. The usual fee for ransomware programs ranges from 0.1 BTC up to 1 BTC, and in some cases more. Before rushing to pay, consider whether the data on your computer is worth the demanded fee at all, and remember that the private key needed for decryption is held by the criminals alone: if they never send it, or their infrastructure disappears, no payment will bring it back. We believe the only right choice is to remove Ransomware as soon as possible.
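To make the file pattern described above concrete, here is an added Python triage script (example code written for this article, not code from the original page or from any vendor tool). It walks a folder tree, recognises names in the ".id-<ID>.{...}.xtbl" form, counts victim IDs and the strings inside the braces, lists the note files, and maps each encrypted file back to the original name you would restore from backup. The sample directory it builds is constructed data; "contact@example.invalid" is a placeholder for the blanked-out contact string, and the regular expression assumes the ID is eight hex digits like "B4500913".

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted names follow <original name>.id-<victim ID>.{<contact>}.xtbl, e.g.
# "report.docx.id-B4500913.{contact@example.invalid}.xtbl". Assumptions: the ID is
# eight hex digits like the "B4500913" in the article, and the braces hold a contact
# string (blanked out in the article; contact@example.invalid is a placeholder).
XTBL_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\{(?P<contact>[^{}]*)\}\.xtbl$"
)
NOTE_NAME = "Decryption instructions.txt"


def parse_encrypted_name(name):
    """Return (original_name, victim_id, contact) or None if the name is not in the pattern."""
    m = XTBL_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("vid").upper(), m.group("contact")


def original_name(name):
    """Strip the ransomware suffix; names that do not carry it are returned unchanged."""
    parsed = parse_encrypted_name(name)
    return parsed[0] if parsed else name


def triage(root):
    """Walk root and inventory encrypted files, ransom notes, victim IDs and contacts."""
    report = {"encrypted": [], "notes": [], "ids": Counter(),
              "contacts": Counter(), "by_type": Counter()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            report["notes"].append(str(path))
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed:
            orig, vid, contact = parsed
            report["encrypted"].append((str(path), orig))
            report["ids"][vid] += 1
            report["contacts"][contact] += 1
            # The original extension shows which kinds of data were hit
            report["by_type"][Path(orig).suffix.lower() or "(none)"] += 1
    return report


def restore_plan(report):
    """Map each encrypted path to the original path to restore from a clean backup."""
    return {enc: str(Path(enc).with_name(orig)) for enc, orig in report["encrypted"]}


def build_sample():
    """Create a throw-away directory imitating an infected profile (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="xtbl_triage_"))
    contact = "contact@example.invalid"
    for rel in [
        f"Documents/report.docx.id-B4500913.{{{contact}}}.xtbl",
        f"Documents/{NOTE_NAME}",
        f"Pictures/holiday.jpg.id-B4500913.{{{contact}}}.xtbl",
        f"Pictures/{NOTE_NAME}",
        "Pictures/untouched.png",
        f"Work/db.sqlite.id-b4500913.{{{contact}}}.xtbl",  # lower-case ID, same victim
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    report = triage(build_sample())
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    print("victim IDs:", dict(report["ids"]), "contacts:", dict(report["contacts"]))
    if len(report["ids"]) > 1:
        print("WARNING: more than one ID, files may come from more than one infection")
    for enc, orig in restore_plan(report).items():
        print(f"restore {orig}  (encrypted copy: {enc})")
```

Run it against the root of a user profile or a mapped share with triage(path). More than one victim ID in the report means the machine, or a share it can reach, was hit more than once, so do not assume a single payment or a single decryptor would cover everything; the restore plan is what you hand to whoever holds the offline backup.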

How can I delete Ransomware?

Since this is a major hit to your computer, you may think it is impossible to remove Ransomware. Here is the only good news you will hear about this malware program: cleaning your computer of it is actually quite easy. Follow the instructions below this article carefully. If you do not feel confident, use a trustworthy anti-malware program instead to be on the safe side; a proper security tool will also keep your system protected against other kinds of malware. If you need any help with the removal of this ransomware, please leave us a comment below.

Remove Ransomware from Windows

  1. Press Win+E to open File Explorer.
  2. Find and delete the randomly named .exe file (it might be "Payload1.exe" or "Payload_c.exe") in these likely locations. Delete only the malicious file you have identified, never every .exe in these folders; the Windows system directories in particular contain legitimate programs:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup\*.exe
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
    %WINDIR%\Syswow64\*.exe (64-bit Windows only)
  3. Delete the ransom note image ("C:\Users\user\how to decrypt your files.jpg", where "user" stands for your account name).
  4. Delete every copy of "Decryption instructions.txt" from the affected folders.
  5. Press Win+R, type regedit, and press OK.
  6. Overwrite the following registry values, which now point at the ransom note image, so that your desktop wallpaper is restored:
    HKCU\Control Panel\Desktop\Wallpaper (value data: "C:\Users\user\how to decrypt your files.jpg")
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\BackgroundHistoryPath0 (value data: "C:\Users\user\how to decrypt your files.jpg")
  7. Delete the randomly named value under the Run key whose data points at the malicious executable (leave the other Run values alone):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: "%WINDIR%\Syswow64\*.exe") (64-bit Windows only)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\* (value data: "%WINDIR%\System32\*.exe")
  8. Exit the editor.
  9. Empty your Recycle Bin.
  10. Restart your system.
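The manual steps above, expressed as an added Python dry-run audit (example code written for this article, not the page's own tool): it expands the same Startup and system locations, lists .exe files sitting in a Startup folder, Run values whose command points at an executable directly inside SysWOW64 or System32, and a Wallpaper value that still points at the ransom image, and it deletes nothing. It reports for review only, because legitimate Windows components are also started from System32 by Run values (SecurityHealthSystray.exe on Windows 10, for instance), so verify a flagged file's signature, size and location before removing it. The collect_live() helper reads the live registry and folders on Windows; audit() takes plain Python data, so it can also be run against values copied from another machine. The inputs used in the test are constructed.

```python
import glob
import os
import re
import sys
from pathlib import PureWindowsPath

# Locations from the removal steps. "user" in the article's paths stands for the
# account name, which is why %USERPROFILE% and friends are expanded from an env map.
STARTUP_TEMPLATES = [
    r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
]
SYSTEM_DIRS = [r"%WINDIR%\SysWOW64", r"%WINDIR%\System32"]
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTE_IMAGE = "how to decrypt your files.jpg"


def expand(template, env):
    """Expand %VAR% placeholders (case-insensitive) from a supplied mapping, so it runs off-box too."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), template)


def command_exe(data):
    """Extract the executable path from a Run value: honour quotes, else cut after '.exe'."""
    data = data.strip()
    if data.startswith('"') and data.find('"', 1) > 0:
        return data[1:data.find('"', 1)]
    i = data.lower().find(".exe")
    return data[: i + 4] if i != -1 else data


def in_dir(path, directory):
    """True when path sits directly inside directory (case-insensitive, Windows path rules)."""
    return str(PureWindowsPath(path).parent).lower() == str(PureWindowsPath(directory)).lower()


def audit(startup_files, run_values, wallpaper, env):
    """Dry run: list what the manual steps would remove. Nothing is deleted here."""
    findings = []
    startup_dirs = [expand(t, env) for t in STARTUP_TEMPLATES]
    system_dirs = [expand(t, env) for t in SYSTEM_DIRS]
    for f in startup_files:                    # step 2: an .exe inside a Startup folder
        if f.lower().endswith(".exe") and any(in_dir(f, d) for d in startup_dirs):
            findings.append(("startup-exe", f))
    for name, data in run_values.items():      # step 7: Run value -> bare exe in SysWOW64/System32
        exe = expand(command_exe(data), env)
        if exe.lower().endswith(".exe") and any(in_dir(exe, d) for d in system_dirs):
            findings.append(("run-value", f"HKLM\\{RUN_SUBKEY}\\{name} -> {exe}"))
    if wallpaper and PureWindowsPath(wallpaper).name.lower() == NOTE_IMAGE:
        findings.append(("wallpaper", wallpaper))  # step 6: Wallpaper still points at the note
    return findings


def collect_live():
    """Read-only collection of audit() inputs from the live machine (Windows only)."""
    import winreg
    env = {k: os.environ.get(k, "") for k in ("ALLUSERSPROFILE", "APPDATA", "USERPROFILE", "WINDIR")}
    startup_files = [f for t in STARTUP_TEMPLATES
                     for f in glob.glob(os.path.join(expand(t, env), "*.exe"))]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:           # no more values
                break
            run_values[name] = str(data)
            i += 1
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop") as key:
        wallpaper = winreg.QueryValueEx(key, "Wallpaper")[0]
    return startup_files, run_values, wallpaper, env


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows system")
    for kind, detail in audit(*collect_live()):
        print(f"[{kind}] {detail}")
```

Treat each line of output as a candidate for the corresponding manual step, not as a verdict: a "startup-exe" finding is almost always worth removing, a "run-value" finding needs a look at the file it names first, and the "wallpaper" finding simply tells you step 6 is still pending.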