Remove Alma Ransomware

How to Remove Alma Ransomware?

Reader recently start to report the following message being displayed when they boot their computer:

Your files are encrypted!

Your ID: ……..
You can unlock .98lVq files using these instructions:
1) Download decrypter:
[links to executables on the TOR Network using the services of]
2) Read decryption instructions on our website:
[links to executables on the TOR Network using the services of]
3) If you can’t access these websites from your browser, you have to download TOR Browser:
[link to the download page of the TOR Browser Bundle]
4) Follow this link via TOR Browser:
[link to the payment portal for the Alma Locker Ransomware]

Ransomware is… well, ransomware. This program utilizes the AES-128 encrypting cipher to lock your private files. Once the virus encrypts your data, consider it gone. Alma Ransomware is a relatively new infection; we stumbled across it just a couple of days ago. However, it’s already managed to establish itself as a destructive threat. Being a typical ransomware-type parasite, this program renames your data. It replaces the original file extension with a random combination of 6 symbols. Your computer can’t recognize this brand new file format. As a result, your files are now inaccessible. The ransomware holds it hostage until you pay a certain sum of money. A ransom. In this particular case the sum demanded is 1 Bitcoin (approximately 575 USD). While encrypting your information, Alma Ransomware drops “Unlock_files_(6 random characters).html” and “Unlock_files_(6 random characters).txt” files. They provide payment instructions. The virus adds these ransom messages to your desktop. You will also find them in all folders that contain encrypted data. As you could imagine, that’s a lot of folders. Alma Ransomware isn’t subtle. Quite the opposite, hackers are directly asking you for money. You’re supposed to receive some decryption key in exchange for your Bitcoin. However, making a deal with crooks is, to put it mildly, not a great idea. Ransomware gets developed to serve one purpose only – to blackmail you. This is why it encrypts your files and this is why it displays a ransom message. The parasite modifies a great variety of file formats – .mp3, .mp4, .txt, .doc, .docx, pdf, .jpg, jpeg, .png, .tif, etc. Pictures, documents, music, videos, presentations. Anything you could think of falls victim to this nuisance. We assume that it’s clear why ransomware is so immensely dreaded. Alma Ransomware locks all your files. You’ve probably stored some important data on board; it gets encrypted as well. This way the virus could end up causing you a serious headache. Unfortunately, the encrypting algorithm it uses is very complicated. This infection shares many traits with Cerber, Bart, the Juicy Lemon Ransomware, etc. Crooks make sure to inform you that the payment must be made within 120 hours. That’s only 5 days. Hackers give you a rather short deadline because they mostly rely on your panic. Of course, paying the money guarantees you nothing. More often than not, crooks simply ignore victims’ attempts to negotiate. Yes, you could pay 575 USD and still be unable to access your files.

How did I get infected with?

Don’t be too harsh on yourself. Your machine did in fact get compromised but hackers are masters in the art of deceit. Next time you surf the Web, be careful. For example, avoid suspicious-looking emails or messages. Those are among the most popular infiltration techniques out there. They are still very effective so keep that in mind. Spam email-attachments might bring to you all kinds of cyber infections. Also, ransomware travels the Web via Trojans, corrupted links, malicious websites, illegitimate torrents. There is a rich variety of distribution methods online. You need to protect yourself from all of them. In addition, the virus might have been bundled with unverified programs. Ransomware also gets spread via fake software updates. Long story short, you have to be extremely cautious when browsing the Internet. Preventing installation is a much easier option than having to delete a virus.

remove Alma

Why is Alma dangerous?

Ransomware is made to deny you access to your own data. It then displays a highly aggravating ransom note because hackers are aiming for profit. As mentioned, Alma Ransomware  encrypts all personal files it locates on your PC system. Crooks are trying to play mind games with you; that is why the virus holds you files hostage. What needs to be done is an immediate deletion of the parasite. Alma Ransomware is a nasty attempt for a cyber fraud. If you pay the ransom demanded, you fall right into hackers’ trap. Do not let crooks scam you. Furthermore, do not become a sponsor of their malicious business. Giving your money away is not going to solve the problem. Hackers aren’t particularly honorable people so they have no reason to keep their end of the bargain. Keep your Bitcoin and don’t be gullible. To delete Alma Ransomware manually, please follow our comprehensive removal guide. You’ll find it down below.

Alma Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Alma Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Alma encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Alma encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment