Sherminator Ransomware

What is Sherminator Ransomware?

Sherminator Ransomware appears to be a new variation of Mr.Dec Ransomware. Same as its early version, it encrypts files and shows a ransom note. The note does not ask for a ransom as it only claims a user needs to email the malware’s developers. However, based on our experience with such threats, we believe the demands for payment could be delivered later on via email. It is vital to understand that the hackers may promise anything to convince their victims to put up with their demands, but there are no guarantees they will hold on to their promises. Meaning, even if you do as told, you might not get your files decrypted. Thus, we advise thinking twice before putting up with any demands. If you decide it is not an option, we recommend removing Sherminator Ransomware with no hesitation. To learn more about it and its deletion, we invite you to read our full article and check the instructions available below.

Where does Sherminator Ransomware come from?

There are a couple of ways how Sherminator Ransomware might sneak onto your system. For starters, the victims could be tricked into opening the malware’s launcher by sending them disguised email attachments. Always remember that even a file that appears to be a text document can, in reality, be malicious. There are cases when hackers pretend to be from reputable companies and send emails in their names, asking to open an attachment. In such cases, the message in the email rushes users into opening the attached data. No matter how much the email might urge you to open the file, we recommend scanning it with a robust antimalware tool first to be safe. Also, you should know that such malicious applications might be able to enter a system due to its vulnerabilities, such as unsecured RDP connections, weak passwords, outdated software, and so on. Thus, to protect your device, you should not only watch out for questionable files but also eliminate all vulnerabilities that your computer might have.

How does Sherminator Ransomware work?

The malicious application should start with creating files listed in the removal instructions placed at the end of this article. According to our specialists at Anti-spyware-101.com, the threat needs such data to make the infected computers launch it automatically with Windows. Once it settles in, Sherminator Ransomware should start encrypting pictures, video/audio files, archives, text files, and data alike. Each file ought to be locked with a robust encryption algorithm, and it should get an additional extension. Our researchers say that the malicious application might generate a unique extension for each infected device, for example, in our case, the extension looked like this: .[ID]Jen3mgh3AA1p2PERK[ID].

As soon as all targeted files become locked, the malware should drop and launch a file called Decoder.hta. As a result, victims ought to see a red window with a message saying: “You are unlucky! The terrible virus has captured your files! For decoding please contact by email you.help5@protonmail.com.” The rest of it should explain that only the malware’s creators can help decrypt encrypted data and that victims should contact them and send them a couple of small encrypted files. Usually, cybercriminals promise to decrypt a few files free of charge as a guarantee. Nonetheless, as said earlier, there are no reassurances when dealing with hackers. The safest way to get your data back is to replace encrypted files with backup copies.

How to eliminate Sherminator Ransomware?

It is advisable to delete Sherminator Ransomware to ensure it does not encrypt your backup data or any newly created files. There is a possibility it could happen since the threat can relaunch with Windows after a restart. To prevent it, we advise deleting Sherminator Ransomware manually or with a legitimate antimalware tool of your choice. If you pick the first option, we can offer our removal instructions available below.

Reboot your computer in Safe Mode with Networking

Windows 8/Windows 10

1. Tap Windows key+I and press the Power button.
2. Click and hold the Shift key, pick Restart.
3. Pick Troubleshoot from the Advanced Options menu.
4. Select Startup Settings, pick Restart, then click the F5 key and restart the computer.

Windows XP/Windows Vista/Windows 7

1. Go to Start and select the Shutdown options.
2. Select Restart, then click and hold the F8 key as soon as the computer begins restarting.
3. Choose from Safe Mode or Safe Mode with Networking in the Advanced Boot Options window.
4. Press Enter and log on.

Erase Sherminator Ransomware

1. Click Windows key+E.
2. Locate these paths:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
3. Locate the malicious application’s launcher.
4. Right-click it and select Delete.
5. Navigate to this path: %WINDIR%
6. Find a malicious executable file (e.g., svhost.exe), right-click it, and select Delete.
7. Go to: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
8. Right-click a file called Decoder.hta and choose Delete.
9. Exit File Explorer.
10. Press Windows key+R.
11. Insert Regedit and click Enter.
12. Locate the given directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
13. Find a malicious value name created by the threat (e.g., Autorun.SQL), right-click it, and press Delete.
14. Exit Registry Editor.
15. Empty your Recycle Bin.
16. Restart the computer. Download Removal Tool100% FREE spyware scan and
    tested removal of Sherminator Ransomware*