What is Viiperware?

Viiperware, which malware researchers also call Viiperware Ransomware, is a new malicious threat that seems to be in its test phase only, but it can already cause some headaches. This ransomware program is based on the well-known Hidden Tear Ransomware, an open-source program that was originally designed for security specialists as an educational project. However, hackers and wannabes started to use it as a base for ransomware infections. Although this particular version cannot yet cause total devastation on your computer, it could certainly do so in the near future once it is finished. Right now it only encrypts your files in one test directory and it only asks for a small ransom fee in exchange for the decryption key, which is in fact saved on your system and can be used to recover any files that may have been encrypted. Fortunately, it is not too complicated to remove Viiperware from your system, but before you do so, let us tell you more about this threat, as it can soon turn into a real beast.

Where does Viiperware come from?

Our malware experts say that right now you are most likely to get infected with this ransomware via spam e-mails. The cyber crooks behind this threat may use deceptive techniques to get through to you and to make you want to open the mail and view its file attachment. This attachment is the key to the attack: it is the malicious executable posing as an image or text document that supposedly contains essential information or proof of an urgent matter. This matter can be anything that would make anyone want to open the mail right away, even if it has ended up in the spam folder. It is really hard to resist a mail that seems to come from the local authorities, for instance, or from a well-known company claiming that you have not settled an invoice yet or that you have given the wrong personal or banking details while booking online. Please remember that viewing the attached file practically means activating this potentially dangerous threat on your system. For the time being, you can delete Viiperware without losing your files, but this may not be the case for too long. It can, however, give you just enough time to start making regular backups to protect your files.

It is also possible that in the future this ransomware will spread via Exploit Kits. Therefore, it is important that you always keep your browsers, Java, and Flash updated from official sources. Such kits take advantage of older software versions, namely, their older security bugs. Cyber criminals can set up traps, i.e., malicious pages using Exploit Kits. If you get redirected to such a page, once your browser loads it, a malicious Java or Flash script is triggered to drop this infection and you will never even see it coming. If you do not want to have to remove Viiperware or suffer other consequences, you should be more cautious while browsing the web.

How does Viiperware work?

This test version of the ransomware seems to target only the "%USERPROFILE%\Desktop\test" folder, which may not even exist on most users' computers. It can encrypt these file extensions: ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".mp3", ".dll", ".cat", ".inf". This means that you could lose your documents, your photos, your databases, and even third-party program files if this infection succeeds. The affected files are supposed to get a ".viiper" extension, which clearly shows what just hit you. This malware infection drops a ransom note text file called "READ_IT.txt" in all folders where files have been encrypted.

Once it has finished its mission, this threat displays its ransom note in an application window that has a viper clipart image on its left to emphasize its name and how "poisonous," i.e., dangerous it is. You can choose from five languages at the top, including "German," "English," "France," "Español," and "Russia." The whole ransom note is written in broken English with a number of spelling mistakes. These can, of course, be deliberate in order to pretend that these crooks are not native speakers. You have to pay 20 EUR to get the decryption key, without which you are not supposed to be able to recover your files. However, it is quite likely that your files are all untouched by this version. But even if any of your files have been encrypted, we can tell you how you can restore them and remove Viiperware as well.

How can I delete Viiperware?

As a matter of fact, this ransomware drops a file called "decrpt.dll" in your "%USERPROFILE%/Documents/" directory, which contains your decryption key. Such a key is usually stored on a secret remote server, and this may also change once this malware is finished. You can open this file in Notepad and copy the string to insert it in the dedicated field in the ransom note window. Once you have decrypted the supposedly encrypted files, you can kill the malicious process and delete all related files. Please follow our instructions below if you can do this manually. If you want a more comfortable and more effective solution, we advise you to install a reliable anti-malware program, such as SpyHunter, which can also take care of all possible threats in the future.

Remove Viiperware from Windows

  1. Press Win+E to open File Explorer.
  2. Locate and open "%USERPROFILE%/Documents/decrpt.dll" in a text editor (Notepad).
  3. Copy the string from the file and paste it as your decryption key in the designated field in the ransom note window.
  4. Click on the "Decrypt my Files" button.
  5. Once done, press Ctrl+Shift+Esc to open Task Manager.
  6. Locate the malicious process and press End task.
  7. Exit the Task Manager.
  8. Press Win+E or change your active window to the File Explorer if still open.
  9. Find and delete all recently downloaded suspicious files.
  10. Bin all ransom note files.
  11. Empty your Recycle Bin and reboot your PC.
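
Before working through the manual steps, it helps to know which of the artifacts named in this article are actually present. The following triage script is an added example, not part of the original article and not any vendor's tool; it relies only on the ".viiper" extension, the "READ_IT.txt" note and the "Documents/decrpt.dll" key file described above, and the function names and the "preserve" outcome are assumptions of this example.

```python
import os
from pathlib import Path

# Indicators taken from the article; nothing else is assumed about the sample.
ENCRYPTED_SUFFIX = ".viiper"
RANSOM_NOTE = "READ_IT.txt"
KEY_FILE = Path("Documents") / "decrpt.dll"


def triage_profile(profile_dir):
    """Walk a user profile and collect the artifacts the article names."""
    profile = Path(profile_dir)
    report = {"encrypted": [], "ransom_notes": [], "key_file": None,
              "key_present": False, "unreadable": []}

    def on_error(err):
        # Record folders that could not be read instead of skipping silently.
        report["unreadable"].append(err.filename)

    for root, _dirs, files in os.walk(profile, onerror=on_error):
        for name in files:
            # Windows file names are case-insensitive, so compare lowercased.
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(Path(root) / name)
            elif lowered == RANSOM_NOTE.lower():
                report["ransom_notes"].append(Path(root) / name)

    key_path = profile / KEY_FILE
    if key_path.is_file():
        report["key_file"] = key_path
        # An empty key file gives nothing to paste into the decryption field.
        report["key_present"] = key_path.stat().st_size > 0
    return report


def next_step(report):
    """Order the cleanup as the article does: decrypt first, delete afterwards."""
    if not report["encrypted"]:
        return "clean"            # nothing encrypted, artifacts can be removed
    if report["key_present"]:
        return "decrypt_first"    # use the key from decrpt.dll before deleting
    return "preserve"             # case not covered by the article: keep everything


if __name__ == "__main__":
    result = triage_profile(os.environ.get("USERPROFILE", str(Path.home())))
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes   : {len(result['ransom_notes'])}")
    print(f"key file       : {result['key_file'] or 'not found'}")
    print(f"next step      : {next_step(result)}")
```

A result of "decrypt_first" means the key file should stay in place until the files have been decrypted in the ransom note window.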
