PornBlackmailer Ransomware

What is PornBlackmailer Ransomware?

A scareware infection named PornBlackmailer has made its headlines in January 2018 when an online forum user created a post about a malicious .scr file reportedly downloaded from the free pornography website Xvideos. The PornBlackmailer ransomware blackmails victims to pay a fee so that they are not reported to the police about the use of pornographic material involving children.

It is still not specified whether the name of the infection PornBlackmailer is the right name for the threat, because the string "HowSexWithDolls" found in the codes of different variants of the threat suggests that this could be another name to use.

The PornBlackmailer ransomware differs from conventional ransomware infections that encrypt files and show the victim a ransom note in full screen or a program window. The PornBlackmailer does not tamper with the victim’s files but uses other scare tactics to extort money from the unsuspecting user. The infection should be removed immediately after being spotted, and you should also keep in mind that the threat resides on the computer even if no ransom notification is displayed after restarting the computer. The threat does not create its point of execution, which means that it does not start at every system startup, but that does not change the fact that it is necessary to remove PornBlackmailer.testtesttest

How does the PornBlackmailer work?

The PornBlackmailer ransomware gets on the computer alongside a video file. Once launched, the malicious file, pretending to be a .scr file, creates a folder named server_logs in the %APPDATA%\Roaming\Robit directory.  The folder is used to store information about your computer and your browsing behavior. More specifically, the PornBlackmailer ransomware saves your IP address, browsing history, and some other technical information in the file your_information.txt alongside four screenshots of the desktop, which are created in a separate folder named desktop_screens. If the PornBlackmailer ransomware manages to set your location, a file containing your location depicted in Google Maps is also created in the same server_logs folder.

Browser cookies are also targeted by the threat, so the infection copies them to its browser-cookies folder. As for the four screenshots, they are made in the hope of catching you browsing pornographic websites, so that the screenshots can supposedly be used as proof of your illegal activities.

When researching the PornBlackmailer, it has been found that the infection has two versions. The major difference between them is that they create different folders for storing the supposedly compromising data. Another version of PornBlackmail creates the directory Cerber with the folder server_log.

Like the vast majority of ransomware infections, the PornBlackmailer makes its own copy so that it can continue running on the PC in the event of the deletion of the original file. The copy is named temps.exe and added to the %APPDATA% directory. Furthermore, the file bg_robin.jpg, which is used to replace the desktop background is created in the same directory.

How does the PornBlackmailer ransomware look like?

The file bg_robin.jpg is put into use after all the malicious directories are created. The PornBlackmailer ransomare changes the desktop background to a black image containing a warning saying that the user is caught using pornographic content. Additionally, the IP address and instructions to find a .txt file named READ-ME are given in the warning. The victim is also given a 24-hour deadline for submitting the payment requested in the warning.

The READ-ME.txt file contains threatening demand that the user has to pay a fee of 0.01 BTC to prevent allegations of using child pornography. If the user does not pay the money demanded, the user is said to be denounced to the police, FBI, and other institutions. As proofs of the fact, the screenshots made are said to be sent to the law enforcement institutions. According to the scare notice, the data supposedly proving that the user has committed a crime is sent to a remote server. However, the analysis of PornBlackmailer has denied the deceptive statement.

How to remove the PornBlackmailer ransomware?

The PornBlackmailer ransomware can be removed manually, and our removal guide available below can help you delete the malicious components of the threat. However, we want to draw your attention to the fact that malware, including ransomware and scareware, is delivered to the computer in multiple ways. Paying attention to emails and avoiding infectious websites, such as adult and online gaming websites, is as important as updating software and the OS whenever updates are available. Nevertheless, all these preventative measures are insufficient without a reputable security tool. If you want to be keep your PC malware-free and be sure that your data is not being copied or damaged, consider implementing a reputable anti-malware tool.

How to remove PornBlackmailer ransomware

  1. Delete recently downloaded files from the desktop.
  2. Check the Downloads folder if you ever save files to that directory and delete questionable files.
  3. Delete nine copies of the READ-ME.txt file containing the threatening warning.
  4. Access the %APPDATA% directory, and delete the files temps.exe and bg_robing.jpg, or bg_cerber.jpg.
  5. Acccess the %APPDATA% directory, and delete the folder server_logs from the Robin, or Cerber, folder. 100% FREE spyware scan and
    tested removal of PornBlackmailer Ransomware*

Leave a Comment

Enter the numbers in the box to the right *