Remove RansomPlus Virus and Restore Files

How to Remove RansomPlus Ransomware?

As you figured out already, RansomPlus is a ransomware virus. It’s one of the newest members of the file-encrypting family. And it’s just as harmful and aggressive as all other ransomware infections. To say the least, you’ve been quite unlucky to get stuck with this program. Ransomware-type parasites are immensely dreaded for a couple of reasons. Furthermore, the Web is filled with them. Hackers constantly work on new, creative ways to cause PC users damage. When it comes to ransomware, crooks always succeed.

The RansomPlus virus follows the classic pattern. For starters, it scans your machine searching for personal files. What does “personal files” mean? It means the virus looks for every single bit of data stored on your machine. Ransomware is compatible with a huge variety of formats and, logically, creates a mess. After its thorough scan, RansomPlus finds your files. Pictures, music, MS Office documents, videos, presentations. The parasite goes after all your valuable files. As a result, the harm it causes is almost inevitable. The only way to prevent some serious trouble is by keeping a backup of your personal data. Ransomware targets your files. Thus, if you protect your files in the first place, there’s nothing RansomPlus could do.

The parasite starts encrypting your data immediately after its scan is complete. This is where it gets nasty. RansomPlus adds the .encrypted extension to your data. By using a strong (and still unknown) encrypting algorithm, this infection locks files. It then holds your data hostage and demands a ransom. That’s what every single ransomware parasite does. At the end of the day, ransomware is just a clever method for hackers to extort money from you. RansomPlus encrypts your information to trick you into paying.

While locking your files, the parasite also drops its ransom notes. You will find these texts in all folders which contain encrypted data. In addition, the virus adds ransom instructions to your desktop as well. Why is this pest so stubborn about forcing these messages on you? Because hackers want you to comply. RansomPlus bombards you with the YOUR FILES ARE ENCRYPTED!!!.txt files in hopes that you’d panic. However, don’t panic. Crooks aim straight at your bank account and they are shameless enough to lie to your face. According to their ransom notes, you need to pay 0.25 Bitcoins to receive a decryptor. Don’t even consider doing it.

How did I get infected?

Chances are, RansomPlus was disguised as a legitimate email. Next time you receive some suspicious-looking message or email, know it might be dangerous. This is the oldest virus infiltration technique. It is also the most popular one. Ransomware usually gets attached to some corrupted spam email and waits for you to open it. Once you do, you let the infection loose and, ultimately, compromise your PC. Delete what you don’t trust. Especially if you don’t personally know the sender. Another efficient trick involves Trojan horses. Ransomware often gets spread online with the help of a sneaky, secretive Trojan horse. Check your device for more potential intruders. You could have a Trojan on your computer as well. Also, in the future avoid illegitimate websites/programs and third-party pop-ups. Watch out for malicious torrents, fake software updates and exploit kits. Last but not least, ransomware travels the Web via freeware and shareware bundles. When installing bundled programs, always check what you’re giving the green light to beforehand. Otherwise, you might accidentally download malware.

Why is RansomPlus dangerous?

RansomPlus attempts to convince you that paying the ransom is essential. It is not. Even though hackers promise a decryption key, those aren’t the people to bargain with. Crooks are focusing on one thing only – stealing your money. Freeing your locked files was never really part of the picture. As mentioned already, RansomPlus renames your files. That is how you know that your personal (and probably precious) information has been encrypted. Supposedly, you have to contact hackers via an email address the ransom notes provide. That would be a great mistake and you know it. Why risk it, then? Stay away from the andresaha82@gmail.com email address and keep your bitcoins. 0.25 Bitcoins equals about 240 USD. Quite a hefty sum of money, don’t you think? Forget about the bogus decryptor hackers promise and delete their pesky creation ASAP. To do so manually, please follow our detailed removal guide down below.

RansomPlus Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover RansomPlus Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Have in mind that this is usually a randomly generated file.
  • Before you kill the process, type the name in a text document for later reference.

  • Locate any suspicious processes associated with RansomPlus encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate RansomPlus encryption Virus startup location

  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they might be generated randomly. That’s why you should run a professional scanner to identify malicious files.
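
An added example, not part of the original guide: a read-only PowerShell audit of the three Run keys listed in STEP 3. It shows which startup value launches an executable from the AppData tree, along with its signature status and SHA-256, before anything is deleted. The function name Get-RunKeyEntry and the extra check of %LOCALAPPDATA% are assumptions of this example.

```powershell
# Added example: read-only audit of the Run keys named in STEP 3. Nothing is deleted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # absent on x86
)

function Get-RunKeyEntry {   # hypothetical helper name
    param([string[]]$Path)
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Keep the stored string as-is for the report, expand %VARIABLES% for path checks.
            $raw = [string]$item.GetValue($name, '', $noExpand)
            $cmd = [Environment]::ExpandEnvironmentVariables($raw)
            # Pull the executable out of the command line (quoted, or unquoted with spaces).
            $exe = [string]($cmd.Trim() -split '\s+')[0]
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)') { $exe = $Matches[1] }
            # STEP 3 places the executable under %appdata%; Local AppData is checked as well.
            $inAppData = $false
            foreach ($root in $env:APPDATA, $env:LOCALAPPDATA) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inAppData = $true
                }
            }
            $onDisk = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $raw
                Executable = $exe
                InAppData  = $inAppData
                Signature  = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $exe).Status }
                SHA256     = if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
            }
        }
    }
}

# Entries that start from AppData are listed first.
Get-RunKeyEntry -Path $runKeys | Sort-Object InAppData -Descending | Format-List
```

An unsigned entry with a random-looking name that runs from AppData is the candidate to compare against the process name noted in STEP 1.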

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.
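
An added example, not part of the original guide: a read-only PowerShell inventory that counts the .encrypted files and ransom notes per folder and reports when the locked files were written, so you can choose a backup or shadow copy from before that time. The function name Get-EncryptedFileSummary is hypothetical, and the example assumes each file's last-write time reflects when the ransomware wrote it.

```powershell
# Added example: read-only inventory of what STEP 4 has to recover.
# The extension and note name are the ones this article reports for RansomPlus.
function Get-EncryptedFileSummary {   # hypothetical helper name
    param([string]$Root = $env:USERPROFILE)
    $noteName = 'YOUR FILES ARE ENCRYPTED!!!.txt'
    $all = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    $locked   = @($all | Where-Object { $_.Extension -eq '.encrypted' })
    $noteDirs = @($all | Where-Object { $_.Name -eq $noteName } |
                         ForEach-Object { $_.DirectoryName })

    $perFolder = $locked | Group-Object DirectoryName | ForEach-Object {
        [pscustomobject]@{
            Folder      = $_.Name
            LockedFiles = $_.Count
            RansomNote  = $noteDirs -contains $_.Name
            SizeMB      = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
        }
    }
    # Assumption: last-write time of a locked file is roughly when it was encrypted.
    $byTime = @($locked | Sort-Object LastWriteTime)
    [pscustomobject]@{
        TotalLocked = $locked.Count
        FirstWrite  = if ($byTime) { $byTime[0].LastWriteTime }
        LastWrite   = if ($byTime) { $byTime[-1].LastWriteTime }
        Folders     = $perFolder
    }
}

$summary = Get-EncryptedFileSummary
$summary.Folders | Sort-Object LockedFiles -Descending | Format-Table -AutoSize
"Locked files: $($summary.TotalLocked), written between $($summary.FirstWrite) and $($summary.LastWrite)"

# Shadow copies that exist on this machine (needs an elevated prompt); only those
# with an InstallDate earlier than FirstWrite can hold the unencrypted versions.
Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object InstallDate, VolumeName, DeviceObject
```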
