How to Remove Ramsey Ransomware

How to Remove Ramsey Ransomware?

The Internet is bursting with dangerous parasites. Ransomware type of infections are undoubtedly the most dangerous type. The newest member of the ransomware family is a variant of the infamous Jigsaw Ransomware named Ramsey Ransomware. Ramsey is a typical parasite. It uses advanced encryption algorithms to lock your files. Security experts believe that the virus is based in Turkey. Yet, the Internet has no boundaries. Infections caused by Ramsey Ransomware can occur all around the world. You can recognize the virus by its ransom note which is in Turkish, or by its executable file: Ramsey_Ransomware.exe. The ransomware also adds the .ram suffix at the end of all encrypted files. This virus is not very imaginative, yet, it is deadly. Unlike many other similar infections, Ramsey deletes all System Shadow Copies and Restore Points. This, basically, makes the file decryption impossible without the crooks’ key. This virus is quite typical. It sneaks into your computer. It is working behind your back. You will not notice it. Not until it is too late. The ransomware scans your HDD for target files. Your documents, videos, and pictures will be encrypted first. Such data is considered most “precious” to the user, hence, it is of first importance to the virus. Users are much more likely to pay for their memories than for anything else. Of course, the virus demands a ransom paid in Bitcoin. The demanded sum is only 88 Turkish Lira (about 25USD) which is less than the usual ransom in such cases. This makes us believe that Ramsey hopes to get more people pay the ransom. We recommend against such actions. It is never a good idea to negotiate with criminals. And the people behind this ransomware are exactly criminals. Interesting fact about the ransomware is that it only gives its victims 72 hours to pay the ransom. This is a physiological trick meant to make you act impulsively. Don’t fall for it. Be rational and make an informed choice.

How did I get infected with?

Ramsey Ransomware is using not one but several methods to spread itself. It may have arrived via spam message, fake software update or malvertising. All these techniques rely on one same thing – your negligence. If you receive a message or email from a stranger, check the sender’s contacts before you even open it. Scammers tend to write on behalf of well-known organizations. If you receive such a letter, go to the organization’s official website. You can find their authorized email addresses there. Compare them with the one you have received a message from. If they don’t match, delete the imposter immediately. Hackers not only will attach corrupted files to emails, they can also embed malicious code in the body of the message. Therefore, it is important not to open questionable emails. Be vigilant. Only you can prevent infections. If you see a pop-up message stating that some program of yours needs to be updated, don’t immediately follow the alert. Such messages are often frauds. They lead to shady websites. If you need to update some program, use the tool’s built-in update system or go to its vendor’s official website and download the newest version from there. It is also essential to keep your anti-virus up to date. It is, after all, your last defense wall.

remove Ramsey

Why is Ramsey dangerous?

Ramsey Ransomware has entered your machine and locked your files. You can see the icons of your pictures and documents but you can’t open or use them. This invasion is unforgivable. We know that the demanded ransom is somewhat affordable. Yet, the cost is greater than you think. The crooks will use your money to further develop their malicious programs. Don’t sponsor them. Besides, no one can guarantee you that they will contact you back. Practice shows that crooks often ignore their victims. You may lose your money and time. Even if you receive a key, it may not function properly. Don’t negotiate with criminals. When you use your computer to pay the ransom, the virus can record your credit card details. The hackers can use this information to steal more money from you. Furthermore, the decryption process does not remove the virus itself. Whatever you decide to do, you must delete the virus. Otherwise, your newly restored files will be re-encrypted. Use a trustworthy anti-virus program to track Ramsey Ransomware down. You can do it manually, of course, but, we recommend you to use an automated solution. This parasite is quite complicated. It has infected your entire system. To delete it completely, you need to remove each and every component of the virus. If you miss one, the ransomware will restore itself.

Ramsey Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Ramsey Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.

end-malicious-process

  • Locate any suspicious processes associated with Ramsey encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Ramsey encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.

win-plus-r

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment