Radamant Ransomware

What is Radamant Ransomware?

Radamant Ransomware is a very malicious program. It is a kind of Trojan that belongs to the subcategory of ransomware. Therefore, removing this infection is crucial for the security of your system. Like most ransomware-type infections, this particular program has the ability to encrypt various file types and demand that you pay a ransom fee in return for the necessary decryption tool. However we urge you not to fall into the trap of cyber criminals and do not pay the ransom fee, since not can your files get irreversibly damaged, but you might also experience a financial loss. Nevertheless, the good news is that you can remove this ransomware and possibly decrypt the encrypted files using a third-party tool. In this article, however, we are going to provide you with information on how this application works and discuss various methods of getting rid of it.

What does Radamant Ransomware do?

Our malware researchers at Anti-spyware-101.com have analyzed and tested this infection and here is what they have found. Currently, there are two versions of this infection but both of them do the same thing — encrypt various file types (eg. doc, docm, docx, docxml). This ransomware is capable of encryption approximately 950 file types. The first version of Radamant Ransomware used the AES-256 algorithm encryption key RSA-2048 that encrypted files with a RDM extension, while he second version uses the RRK extension. However, it is only a matter of time before a new version will appear that will yet again use a different file extension of an entirely encryption algorithm altogether. The good news is that you can decrypt and thus restore your files to their prior state using a third-party tool. Nevertheless, we have found that some file types, such as .TXT files cannot be decrypted.

Radamant Ransomware’s developers take advantage of incautious users who do not protect their systems with real-time antimalware programs. To date it is not yet clear exactly how this infection is distributed, but our researchers have found that it is first installed in the system’s %Temp% folder. Once on your computer, the infection will copy itself to C:\Windows\directx.exe and also create several autorun registry keys that will launch this ransomware once your system boots up.

While testing Radamant Ransomware, our malware researchers have found that this infection creates two registry values. One registry value will be created in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run that will contain a file named svchost. This file is of the REG_SZ type registry value and its data line contains the value data C:\Windows\directx.exe. The same file and value data will be created in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you choose to delete this ransomware manually, then you should go the extra mile and delete these registry values as well.

However, these changes to your system are obviously not apparent as after your computer has become infected with Radamant Ransomware you will only see a message in your browser which states that “All your files and hard drives, removable media and network shares have been cryptographically encrypted AES-256 algorithm encryption key RSA-2048.” Also, the message will tell what to do next and this involves getting some cryptocurrency Bitcoin, and send 0.5 BTC (an equivalent of $230.88 USD) to the provided address. However, doing so is a terrible idea, since there is no guarantee that the cyber criminals will give you the decryption tool. Therefore, the only solution is to try to decrypt your files using a third-party decryption tool.

How do I remove Radamant Ransomware?

It is also crucial that you remove Radamant Ransomware before you attempt to decrypt your encrypted files. You can either do it manually or use a dedicated antimalware program, such as our recommended one called SpyHunter. The benefit of using this particular antimalware scanner is that it will delete all of Radamant Ransomware’s files and registry values and protect your system against future cyber attacks. However, you can try removing it manually using our instructions provided below.

Boot up your computer in Safe Mode

Windows XP

1. Click the Start button and then click Restart.
2. Press and hold the F8 key as your computer restarts.
3. On the Advanced Boot Options screen, select Safe Mode with Networking and press Enter.

Windows 7 and Vista

1. Open the Start menu and click Restart.
2. Press and hold the F8 key as your computer restarts.
3. On the Advanced Boot Options screen, select Safe Mode with Networking and press Enter.

Windows 8 and 8.1

1. Press the Windows Key+C, and then click Settings.
2. Click Power, hold down Shift on your keyboard and click Restart.
3. Click Troubleshoot, click Advanced options, and select Startup Settings.
4. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 10

1. Press the Start button, and then the Power button.
2. Hold down the Shift key and select Restart.
3. In the resulting, full-screen menu, select Troubleshoot.
4. Then, go to Advanced options and select Startup Settings.
5. In the Startup Settings screen, press Restart.
6. The PC will reboot, and bring you to a Startup Settings screen.
7. Use the arrow keys on your keyboard to select Enable Safe Mode with Networking.

Delete Radamant Ransomware files

1. Press Windows Key+E.
2. Enter C:\Windows\ in the address bar and press Enter.
3. Locate the file named directx.exe.
4. Right-click on it and then click Delete.

Delete Radamant Ransomware’s Windows registry values

1. Press Windows Key+R.
2. Enter regedit in the dialog box and click OK.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
4. Locate a string called svchost.
5. Right-click on it and then click Delete.
6. Then go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
7. Locate a string called svchost.
8. Right-click on it and then click Delete.
9. Done.

Download Removal Tool100% FREE spyware scan and
tested removal of Radamant Ransomware*