Ranion 1.08 Ransomware

What is Ranion 1.08 Ransomware?

Ranion 1.08 Ransomware, according to our Anti-Spyware-101.com research team, is an upgrade from the previously reported Ranion 1.07 Ransomware. Both infections were created using a builder that is available to anyone who is willing to pay some money. The previous version, however, was incapable of encrypting files, and the 1.08 version can do that. When it corrupts the files, it also creates a ransom note to introduce the victim to a ransom demand. Without a doubt, this infection was built for financial gain only, and, unfortunately, the cyber criminals behind it do not have any reservations when it comes to reaching their goal. If you have let this dangerous malware in, the first thing you want to do is check which files were corrupted. It is easy to identify them by the “.ransom” extension that is added to their names. Unfortunately, this malicious threat is likely to corrupt documents, personal photos, and other sensitive data. Hopefully, you have backup copies of these files because restoring the originals is likely to be impossible. What is not impossible is removing Ranion 1.08 Ransomware, and we have created a guide that shows how to do it successfully.

How does Ranion 1.08 Ransomware work?

When the malicious Ranion 1.08 Ransomware slithers in – which it is likely to do via spam emails – it creates a copy in the %PUBLIC% directory. Although the infection works using the original launcher .exe file, the copy can be employed in case the original file is deleted. The copy’s name is unique in every case because it includes the time and date of the creation (e.g., “r44s_2018-03-12 0205.exe”). The threat also creates a point of execution in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The name of the registry entry should be “Backup-2018.” There are two other points of execution – both named “Message-2018” – representing the ransom notes. The two ransom note files are called “README_TO_DECRYPT_FILES.html,” and you can find them on the Desktop and in the %PUBLIC% directory. It is perfectly safe for you to open these files, but you need to be careful about how you use the information that is presented to you via them. The creator of Ranion 1.08 Ransomware states that your files will be deleted in 7 days if you do not comply with the demands that are delivered via these files, but that is unlikely to happen. All in all, decrypting files is not possible, and so it does not really matter whether or not they are removed.

According to the ransom note representing Ranion 1.08 Ransomware, you need to pay a ransom of 999 USD in Bitcoins to the 13xVHparL62HuG8mRm42CBTZT6MtnrSytC Bitcoin wallet within 7 days to get an alleged decryption key. It is suggested that after you pay the ransom, you need to send your personal ID to 0dayservices0@gmail.com, and the key will be provided to you. It is highly unlikely that this would happen. Our research team has reviewed hundreds of file-encrypting ransomware infections, including Korean AdamLocker Ransomware, BaYuCheng@yeah.net Ransomware, or TBlocker Ransomware, and the victims of these threats never get their files back after invasion. Needless to say, following the instructions of cyber criminals is not something we could ever recommend doing. Instead of wasting your time and money, you should turn your focus to the removal of this malicious threat.

How to remove Ranion 1.08 Ransomware

It is important for you to know where the launcher of Ranion 1.08 Ransomware is. We cannot say where it could be or what its name could be because that is unknown. Hopefully, you can identify and delete the file, after which, you need to erase the copy, the registry entries, and the ransom note files. If you cannot remove Ranion 1.08 Ransomware manually, you can install an anti-malware program. That is the better option because you want to think about your future in the virtual realm as well. Clearly, your system lacks reliable protection, and a reliable anti-malware program can take care of that. Of course, you have to pick the right program; otherwise, you could get yourself into more trouble. Now, if you choose not to install anti-malware software, at least use a legitimate malware scanner to check your manual removal progress.

Removal Instructions

  1. Simultaneously tap keys Ctrl+Alt+Delete and select Start Task Manager.
  2. Click the Processes tab and look for a malicious {unknown name} process representing the ransomware.
  3. Right-click the process and choose Open file location, then go back, select it, and click End process.
  4. Go to the location of the malicious {unknown name}.exe file representing the ransomware.
  5. Right-click the file and choose Delete.
  6. Enter %PUBLIC% into the bar at the top to access the directory.
  7. Right-click and Delete the copy of the .exe file (name example: “r44s_2018-03-12 0205.exe”).
  8. Also, Delete the ransom note file named README_TO_DECRYPT_FILES.html.
  9. Move to the Desktop and Delete the ransom file named README_TO_DECRYPT_FILES.html.
  10. Simultaneously tap Win+R to launch RUN.
  11. Enter regedit.exe and click OK to launch Registry Editor.
  12. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  13. Delete the values named Backup-2018 and Message-2018.
  14. Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  15. Delete the value named Message-2018.
  16. Empty Recycle Bin and then perform a full system scan using a legitimate malware scanner.

Stop these Ranion 1.08 Ransomware Processes:

r44s_2018-03-07 0205.exe
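
To confirm that the manual removal above is complete, the following read-only PowerShell check looks for each artifact this article names. It is an added example, not code from the article or from any anti-malware product. The file-name pattern is an assumption generalized from the example names on this page, and the search for “.ransom” files is limited to the current user's profile.

```powershell
# Read-only audit for the Ranion 1.08 artifacts named in this article.
# Nothing is deleted or modified; the script only reports what is still present.
$findings = @()
function Add-Finding($Type, $Location, $Item) {
    $script:findings += [pscustomobject]@{ Type = $Type; Location = $Location; Item = $Item }
}

# Autorun values from steps 12-15.
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('Backup-2018', 'Message-2018')
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('Message-2018')
}
foreach ($key in $runValues.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $runValues[$key]) {
        if ($props.PSObject.Properties.Name -contains $name) {
            Add-Finding 'RunValue' $key "$name = $($props.$name)"
        }
    }
}

# Ransom notes from steps 8-9: one in %PUBLIC%, one on the Desktop.
$note = 'README_TO_DECRYPT_FILES.html'
foreach ($dir in @($env:PUBLIC, [Environment]::GetFolderPath('Desktop'))) {
    if (Test-Path -LiteralPath (Join-Path $dir $note)) { Add-Finding 'RansomNote' $dir $note }
}

# Timestamped launcher copy in %PUBLIC% (step 7) and a matching running process.
# ASSUMPTION: the pattern generalizes the article's example name "r44s_2018-03-12 0205.exe".
$stamp = '^.+_\d{4}-\d{2}-\d{2} \d{4}$'
$copies = Get-ChildItem -LiteralPath $env:PUBLIC -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $stamp }
foreach ($f in $copies) { Add-Finding 'ExeCopy' $f.DirectoryName $f.Name }
foreach ($p in (Get-Process | Where-Object { $_.ProcessName -match $stamp })) {
    Add-Finding 'Process' "PID $($p.Id)" $p.ProcessName
}

# Files still carrying the ".ransom" extension.
# ASSUMPTION: only the current user's profile is searched; add other data locations as needed.
$locked = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.ransom' -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.ransom' })
if ($locked.Count -gt 0) { Add-Finding 'EncryptedFiles' $env:USERPROFILE "$($locked.Count) file(s)" }

if ($findings.Count -eq 0) {
    'No Ranion 1.08 artifacts from the article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result covers only the artifacts listed here; the original launcher has an unknown name and location, so the full system scan in step 16 is still needed.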
