What is Ramsey Ransomware?
Ramsey Ransomware is a variant and a Turkish version of the well-known Jigsaw Ransomware which is a Trojan ransomware that is defined by its pop culture references in the ransom note. This file-encrypting virus uses RSA 2048 and RSA 256 algorithms to encrypt its victim’s files. It aims at various audios, videos, images, document, text files and other kinds of files in your computer. After looking for these files, the Ramsey Ransomware appends the .ram file extension to each of the encrypted files. After it completes the encryption process, it displays a ransom note written in Turkish language as you can see below.
The Ramsey Ransomware gets in your computer as an obfuscated executable file, Ramsey_Ransomware.exe. Once it infiltrates your system, it starts to complete its task which is to look for your important files and then encrypt them. This ransomware can also make modifications in your system to run on your system startup like installing other malicious files and making Registry entries to make it difficult for you to remove it. As you can tell, this ransomware does not only damage your files but it also makes your system vulnerable to other threats because of these modifications on your system. That’s why as soon as you notice the threat, have it removed immediately to prevent further distraction.
In the ransom note, you can see several information about data encryption, the data encryption conditions and instructions, provides the Bitcoin wallet address as well as the contact email address, [email protected] and has the “View encrypted files” button together with a timer that counts the time left for you to pay the demanded ransom until the files are deleted. The Ramsey Ransomware demands you to pay a 100 Turkish Lira or at least $25. And if you fail to pay the ransom on the given time, your files will be deleted. And even though the demanded ransom is not huge, that does not mean that you can go ahead and pay it thinking it would be the easiest way to retrieve your. That’s where you are wrong. Paying the ransom does not mean you can get your files back at all. These cyber criminals keep on making this kind of malware for a reason. So no, it won’t help your case at all even if you pay them since there is no guarantee that they will decrypt your files once the payment has been made. That’s why instead of doing that, you can look for solutions to get rid of this ransomware and decrypt your files without spending a cent.
Like all ransomware, Ramsey Ransomware is either distributed through malicious spam emails and their corrupted attachment, malvertising, exploit kits, fake software updates and error messages, software bundles and downloads. Cyber criminals are getting creative when it comes to spreading this threat through spam emails. They disguise it as an email from a well-known company or organization and other ways to make it look like an important email to trick users into opening it and downloading the infected attachment, namely, Ramsey_Ransomware.exe.
We’ve provided several methods you can try to remove Ramsey Ransomware. Follow them religiously for you to get rid of this pesky ransomware fast.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for the any suspicious processes that can be related to the Ramseyr Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Locate Ramsey ransomware or any suspicious program and then Uninstall.
Step 3: Open System Configuration by clicking the Windows button and typing in msconfig and pressing Enter. Go to Startup and unmark items with unknown manufacturer.
Step 4: Open the File Explorer by pressing the Windows key + E.
Step 5: Go to the directories listed below and delete everything in it. Or other directories you might have saved the file related to the Ramsey ransomware.
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
- %TEMP%
Step 6: Look for the malicious executable file (Ramsey_Ransomware.exe)
Step 7: Right-click on it and click Delete.
Step 8: Empty the Recycle bin.
Step 9: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 10: After loading the Command Prompt type cd restore and hit Enter.
Step 11: After cd restore, type in rstrui.exe and hit Enter.
Step 12: A new window will appear, and then click Next.
Step 13: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the Ramsey Ransomware.
Step 14: A dialog box will appear, and then click Next.
Step 15: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the Ramsey Ransomware.
Restoring your encrypted files:
You can restore the encrypted files without resorting to paying the ransom with the help of Window Previous Versions feature. Keep in mind that this method is only effective if the System Restore function was enabled in your computer’s operating system and that using this method of file recovery may not work for everyone because some variants of the Ramsey Ransomware removes the shadow volume copies of the files. Nevertheless, it is still very much worth the try one of the best methods available.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.