PedCont Ransomware

What is PedCont Ransomware?

PedCont Ransomware has been developed by cyber criminals who want users’ money. It seems that this malicious infection is not that prevalent yet, but you might still encounter it, especially if you tend to download software from random P2P websites, open attachments in spam emails, or use weak Remote Desktop Protocol (RDP) credentials. It is not like other threats categorized as ransomware, and it seems to be more dangerous than an ordinary ransomware infection. Unlike typical crypto-malware, it does not encrypt any files on victims’ computers; it ruins the Windows OS instead. You will see this for yourself: it opens a window after it gets onto the computer and then, after some time, shuts the computer down. The same happens if the user closes the opened window. The next time the Windows OS loads up, there is only a black screen with a cursor, and no system utilities can be accessed either. In other words, users can no longer perform any activities using their computers. There is a possibility that other versions of the same threat working in a slightly different way are available or will be released in the future, so make sure you do not leave your computer unprotected. No matter what kind of ransomware infection finds a way to enter your system, make sure you do not give cyber criminals what they want most from you: your money.

What does PedCont Ransomware do?

PedCont Ransomware will not lock any files on your computer, but that does not mean it will do nothing at all. Once it slithers onto a computer successfully, it opens a window with a message for the user. The message claims that the ransomware infection has collected all of the user’s personal files and keeps them on its remote server, and that getting them back requires sending 50 USD worth of Bitcoin within 72 hours. It is very likely that this is a lie, i.e. your files have not been copied anywhere, so you should not rush to make a payment. To be frank, we see no reason why you should send money to the cyber criminals behind this ransomware infection. Since PedCont Ransomware has already ruined your Windows OS, these files are already lost too, and it is not likely at all that crooks will recover them for you. Paying will not remove the ransomware infection or fix your operating system either. There is also not much you can do to remove PedCont Ransomware from your system. Do not worry; this threat will not bother you anymore after you reinstall Windows. Theoretically, it may be possible to save the OS by deleting the malware within the first seconds after detecting it on the system, but we have to admit that it is a very challenging task. Because of this, we do not think ordinary users could accomplish it successfully.

Where does PedCont Ransomware come from?

It seems that PedCont Ransomware is distributed using well-known distribution methods. According to researchers, there is a strong possibility that this malicious application will also be distributed via spam emails. It is, without a doubt, not the only malicious application that can travel inside these emails, so you should not go anywhere near them. To avoid PedCont Ransomware, users should also not download applications from dubious websites, because, as researchers have observed, this threat might pretend to be a legitimate file. At the time of research, it was distributed as AliceRides.mp4_Unpack.WinRAR_SFX.scr. Last but not least, specialists say that this infection might easily enter computers if users’ Remote Desktop Protocol credentials are weak. You need to break your bad habits in order not to encounter malware. It is equally important to install a reputable antimalware tool on the system.

How to delete PedCont Ransomware

Theoretically, it is possible to remove PedCont Ransomware by erasing the malicious values from all the registry keys it affects (find them all listed below), but this must be done within seconds after its entrance: once the computer is restarted and the Windows OS is ruined, you can do nothing but reinstall your operating system. There is no point in deleting the ransomware infection in that case. It will be gone after you reinstall Windows.

Remove PedCont Ransomware

  1. Launch Run.
  2. Type regedit and click OK.
  3. Access the Run registry key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run).
  4. Locate and delete the SCRService Value.
  5. Remove the Debugger Value from all registry keys listed below:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Microsoft.Photos.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-container.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skype.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tor.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinRAR.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Microsoft.Photos.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdge.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-container.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skype.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tor.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinRAR.exe
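
The registry steps above can also be checked from PowerShell, which matters here because a Debugger value under Image File Execution Options makes Windows start the named program in place of the listed executable, and regedit.exe is itself on the list. The script below is an added example, not part of the original article: it scans every subkey under both Image File Execution Options paths (a generalization of the list above) plus the SCRService value in the Run key, and only deletes when run with the -Remove switch. The script layout and the -Remove switch name are assumptions of this example.

```powershell
# Added example, not from the original article.
# Lists Debugger values under Image File Execution Options (IFEO) and the
# SCRService Run value named in the steps above. Audit-only unless -Remove is given.
# Deleting values under HKLM requires an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# Step 5 of the guide: any subkey (avast.exe, regedit.exe, ...) carrying a Debugger value.
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $data = $sub.GetValue('Debugger', $null)
        if ($null -ne $data) {
            $findings += [pscustomobject]@{ Key = $sub.PSPath; Value = 'Debugger'; Data = $data }
        }
    }
}

# Steps 3-4 of the guide: the SCRService value in the current user's Run key.
$run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    $data = $run.GetValue('SCRService', $null)
    if ($null -ne $data) {
        $findings += [pscustomobject]@{ Key = $run.PSPath; Value = 'SCRService'; Data = $data }
    }
}

# Review the Data column first: legitimate tools can also set a Debugger value.
$findings | Format-List Key, Value, Data

if ($Remove) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess($f.Key, "Remove value '$($f.Value)'")) {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Value
        }
    }
}
```

Running it with -Remove -WhatIf shows which values would be deleted without changing the registry.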