Ransomware Potato File Virus Removal (+Recover Files)

How to Remove Potato Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

    YOUR FILES WERE ENCRYPTED
    using military-grade encryption (AES-256). The encrypted files
    have the additional extention .potato. You won’t be able to retrieve your
    data unless you make a payment by following the steps below:
    1. Download the TOR browser
    2. Access the following adress through TOR Browser for further instructions
    http://tzakpakp6v5vwqqh.onion/
    3. Enter your ID (see below) and hit “GET KEY” for further instructions
    NOTICE: There’s a folder on your desktop named POTATO which
    contains the following files:
    ID_number.txt – an unique number that identifies your computer, which is mandatory for the payment process
    encrypted.txt – a list of files that were encrypted; if you decide to have them back,
    DO NOT DELETE IT
    decryptor.exe (including MSVCR100.dll) – the program you’ll use for decryption
    once the payment is made and the decryption key is transmitted to you


Yes, there is such a thing as Potato Ransomware. Its name doesn't sound devastating, but the program belongs to the most destructive family of infections there is: ransomware. PC users dread ransomware-type viruses for good reason, or rather for numerous reasons. Ransomware is secretive, stealthy and aggressive, and it is on the rise right now, so the Internet is full of dangerous file-encrypting infections that are more than capable of causing damage. The particular problem with Potato Ransomware, apart from the obvious, is that it is still under development; if its authors decide to improve it, the possibilities are endless.

The program starts wreaking havoc as soon as your computer is compromised, and you will quickly understand what makes ransomware so intimidating. Immediately after installation the virus performs a scan that locates the private files stored on your machine. All of them. Do you have important data on your PC? Most people do, and this is exactly what the hackers rely on in order to scam you. Potato Ransomware uses a complex encryption cipher: thanks to the AES-256 algorithm, all your files are effectively locked and your private information is no longer accessible. Pictures, videos, presentations, music, MS Office documents. Ransomware goes after every valuable file you have, your favourite data and your memories included. When the encryption completes, the files are renamed with the .potato extension.

Potato Ransomware also creates payment instructions because, after all, this is a scam: a clever attempt at cyber fraud and a nasty scheme that lets hackers blackmail gullible PC users. While locking your data it drops README.png and README.html files into every folder that contains locked information, and it goes without saying that those are quite a lot of folders. The crooks' goal is to put their ransom note in front of you as often as possible, because you might eventually follow its instructions if they get you to panic. According to the ransom messages you need a decryption key to free your locked files, and conveniently enough the decryptor doesn't come for free. Hackers offer you a deal, but there is absolutely no guarantee that they would keep their end of the bargain. Trust their empty promises and you fall straight into the trap.

How did I get infected?

You might come across a malicious potato.exe file in your inbox. The parasite pretends to be a legitimate email or message, but there is a ransomware virus hidden behind it, and one click is all it takes to compromise your PC: open the corrupted email and you let Potato Ransomware loose. We assume you wouldn't want to deal with this nuisance again, so pay attention to what you click open. We recommend deleting any message whose sender you don't know personally, and keeping an eye out for potential infections at all times; no parasite is to be underestimated. Also stay away from illegitimate websites and unverified freeware/shareware bundles. Other popular distribution methods involve exploit kits, fake torrents, bogus program updates and third-party ads. The virus could also have arrived with the help of a Trojan horse, so check your machine for additional malicious programs: Potato Ransomware might have company.


Why is Potato dangerous?

You're supposed to make a payment. The hackers even provide a highly questionable email address (potatoransom@sigaint.org). Do you think that contacting crooks is a good idea? Furthermore, do you think giving them money is a smart move? These are the people who locked your files in the first place, and freeing your information is their very last concern. Ransomware's only goal is to extort Bitcoins from you; the question is whether your goal is to become a sponsor of greedy cyber criminals. Unless you're actively trying to hand the hackers your money, take action now. Do not use the email address provided and do not download the TOR browser: you'd be playing a game you simply cannot win. Potato Ransomware is attempting to scam you, which means your panic and anxiety could cost you money. If you give in to despair, the hackers gain effortless profit at your expense. To prevent that, uninstall the ransomware on the spot. To do so manually, follow our detailed removal guide below.

Potato Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Potato Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open the Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Bear in mind that its file name is usually randomly generated.
  • Before you kill the process, write its name in a text document for later reference.


  • Locate any suspicious processes associated with Potato encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Potato encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously to open the Run dialog, and launch the Registry Editor (regedit).


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the entry with the random display name ([RANDOM])


  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the msconfig Windows program to double-check the execution point of the virus. Bear in mind that the names on your machine might differ because they are generated randomly, which is why you should run a professional scanner to identify the malicious files.
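Because the autostart value name is random, eyeballing the three Run keys is error-prone. The following PowerShell script is an added example, not part of the original guide: it lists every value in those keys and flags entries that start from %appdata%, %localappdata% or %temp%, whose target file no longer exists, or whose executable carries no valid Authenticode signature. It only reports; removal stays a manual step.

```powershell
# Added example (not from the original guide): audit the Run keys named above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds for the provider, not real registry values
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# User-writable folders malware commonly starts from (the guide names %appdata%)
$userDirs  = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Executable path = the quoted token, or the first whitespace-separated token
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $reasons = @()
            foreach ($d in $userDirs) {
                if ($exe -like "$d\*") { $reasons += 'starts from a user profile folder'; break }
            }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                $reasons += 'target file not found'
            } elseif ($exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
                if ($sig.Status -ne 'Valid') { $reasons += 'no valid Authenticode signature' }
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Flags   = $reasons -join '; '
            }
        }
    }
}

# Show everything, flagged entries first; note Name and Command before deleting anything
Get-RunKeyFindings | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
# To remove an entry you have confirmed as malicious:
#   Remove-ItemProperty -Path <Key> -Name <Name>
```

Run it from an elevated PowerShell so the HKLM keys are readable on all systems; a flag is a reason to look closer, not proof of infection, since some legitimate updaters also start from the profile folder.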

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file it first makes a copy of it, encrypts the copy and then deletes the original. Because of this you may be able to recover some of your original files with file recovery software.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files from Shadow Volume Copies. Open Shadow Explorer, choose the drive you want to recover, right-click any file you want to restore and click Export.
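Before trying any of the three methods it helps to know the scope of the damage. This PowerShell function is an added example, not from the original guide; it relies only on what the ransom note itself describes (the .potato extension, the README.png/README.html notes and the POTATO folder on the desktop) and assumes encrypted.txt holds one file path per line, which is an assumption, not something the guide states.

```powershell
# Added example (not from the original guide): inventory what Potato touched.
function Get-PotatoInventory {
    param([string[]]$Roots = @($env:USERPROFILE))

    $locked = Get-ChildItem -Path $Roots -Recurse -File -Filter '*.potato' -ErrorAction SilentlyContinue
    $notes  = Get-ChildItem -Path $Roots -Recurse -File -Include 'README.png', 'README.html' -ErrorAction SilentlyContinue

    # Folders ordered by number of encrypted files: restore these from backup first
    $byFolder = $locked | Group-Object DirectoryName | Sort-Object Count -Descending |
                Select-Object @{ n = 'Folder'; e = { $_.Name } }, Count

    # Cross-check the attacker's own list (assumed: one path per line) against the disk
    $potatoDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'POTATO'
    $listFile  = Join-Path $potatoDir 'encrypted.txt'
    $missing   = @()
    if (Test-Path -LiteralPath $listFile) {
        foreach ($line in Get-Content -LiteralPath $listFile) {
            $line = $line.Trim()
            if (-not $line) { continue }
            # Accept either the original name or the renamed .potato copy
            if (-not (Test-Path -LiteralPath $line) -and -not (Test-Path -LiteralPath "${line}.potato")) {
                $missing += $line
            }
        }
    }

    # Hash the dropped artifacts (decryptor.exe, MSVCR100.dll, ...) for reporting or blocking
    $artifacts = @()
    if (Test-Path -LiteralPath $potatoDir) {
        $artifacts = Get-ChildItem -LiteralPath $potatoDir -File |
                     Get-FileHash -Algorithm SHA256 |
                     Select-Object Path, Hash
    }

    [PSCustomObject]@{
        EncryptedFiles   = @($locked).Count
        FoldersHit       = $byFolder
        RansomNotes      = @($notes).Count
        ListedButMissing = $missing
        DesktopArtifacts = $artifacts
    }
}

$inv = Get-PotatoInventory
$inv | Format-List
$inv.FoldersHit | Select-Object -First 10 | Format-Table -AutoSize
```

Pass additional drive roots (for example `Get-PotatoInventory -Roots 'C:\', 'D:\'`) to cover mapped or secondary drives, and do not delete the POTATO folder until its hashes have been recorded.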
