What is PornBlackmailer ransomware? And how does it execute its attack?
PornBlackmailer ransomware is a fake file-encrypting Trojan: it threatens to encrypt files but never actually does. It reaches a computer when the user downloads pornographic video clips from the pornographic website xvideos. What bothers many security experts about it is that it appears to slip past many of the antivirus programs in common use today.
The first attacks were reported by computer users on Reddit who were asking for advice on how to get rid of it. Its attack is simple: as soon as it infects a system it behaves like typical police ransomware and threatens to report the victim to the police. The ransom note imitates a message from law enforcement and reads:
“You looked through forbidden children’s porn!
Also, you are involved in its spread.
This is very very very bad!
So information about your location (ip, mac, real address) and other needed data (browser cookies, social network links, desktop screens, browser history, passwords) was collected and sent to our server.
You can see part of data was collected in “C:\Users\User\Robin\server_logs” in the files “your_information.txt” and your location on a map in “your_location.jpg”. Also, you can see more other information about you in near folders and cookies files.
All these data sent to our server on the internet and can not be deleted by you. All these data and complaints will be automatically forwarded to the special police departments (FBI, CIA, INTERPOL, MVD, FSB) exactly 24 hours after the current moment (this is not joking, automatically process). This will be enough to put you in jail for at least 1 year. Believe me, you are not the first.
HOWEVER, if you send “0.01 BTC” to the address specially generated for you, all your data will also be automatically deleted from our server and you will live peacefully, having received a lesson.
REPEAT: To forget about this incident, you need to send “0.01 BTC” to the bitcoin address (especially generated for you) below. Then all your data will also be automatically deleted from our server.”
Quick removal summary (the full removal guide follows below):
- Delete all questionable recently downloaded files from the desktop and/or the Downloads folder.
- Access the directories %Userprofile%\Robin and %Userprofile%\Cerber to find and delete the folder server_logs.
- Remove the files temps.exe and bg_robin.jpg located in the %APPDATA% directory.
- Delete the 9 copies of the file READ_ME.txt created on the desktop.
Based on the content of its ransom note, victims are threatened with being reported to the police together with "evidence" that they watched and distributed child pornography. If you are infected with this ransomware you have almost certainly downloaded pornographic video clips, which makes parts of the note ring true; a user who does not know better may feel trapped, like a deer caught in headlights, and be coaxed into paying. Note that this ransomware has no capability of encrypting files: it is all bark and no bite.
The authors are clearly bent on intimidating victims. The malware takes screenshots of the victim's desktop and copies the browsing history, storing them in folders named browser-cookies and desktop-screens. It may also drop a file called your_information.txt containing information about the infected computer, including the user's IP address.
How does PornBlackmailer ransomware proliferate?
As already mentioned, PornBlackmailer ransomware spreads through a particular pornographic website: download a video clip from it and your computer is quickly infected. Once again, this ransomware is all bark, so there is no reason to worry or to pay the ransom.
Obliterate PornBlackmailer ransomware by following the removal guide below as well as the advanced steps that follow.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for PornBlackmailer Ransomware or temps.exe and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for PornBlackmailer Ransomware or temps.exe and then uninstall it.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations, look for PornBlackmailer ransomware's components (the folder server_logs, the executable temps.exe, the image bg_robin.jpg, READ_ME.txt and any related files) and delete them all.
- %TEMP%
- %APPDATA%
- %Userprofile%\Robin
- %Userprofile%\Cerber
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Before you proceed to the next steps, make sure that you are comfortable navigating and editing the Windows Registry. Keep in mind that any change you make there can seriously affect your computer. To save yourself the trouble you can use PC Cleaner Pro instead, but if you can manage the Windows Registry, go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by PornBlackmailer ransomware.
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 14: Delete the registry keys and sub-keys created by PornBlackmailer ransomware.
Step 15: Close the Registry Editor and empty your Recycle Bin.
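Steps 6, 10 and 13 above can be checked in a single pass with the following PowerShell triage script. This is an added example written for this guide, not code from the original page or from any vendor tool. It looks only in the locations and for the file, folder and process names the guide lists, records the SHA-256 of any executable before it is deleted so the sample can still be identified or submitted to an antivirus vendor, and deletes nothing unless run with -Remove. The guide does not give the name of the Run-key value the malware creates, so flagging any Run value whose command line references temps.exe or the Robin/Cerber folders is an assumption.

```powershell
<#
  Added triage script for the artifacts named in this guide (not the page's own
  code). Run it from a PowerShell 5+ prompt in the affected user's session, in
  normal or Safe Mode. Without -Remove it only reports what it finds.
#>
[CmdletBinding()]
param(
    [switch]$Remove
)

# Artifact names taken from the removal guide.
$fileNames   = @('temps.exe', 'bg_robin.jpg', 'READ_ME.txt')
$folderNames = @('server_logs')
$profileDirs = @("$env:USERPROFILE\Robin", "$env:USERPROFILE\Cerber")

# Locations the guide says to inspect (Step 10). Missing ones are skipped.
$searchRoots = @(
    $env:TEMP,
    $env:APPDATA,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
) + $profileDirs | Where-Object { Test-Path -LiteralPath $_ }

$findings = New-Object System.Collections.Generic.List[string]

# Step 6: the running process. Match on the image name, not a window title.
foreach ($p in (Get-Process -Name 'temps' -ErrorAction SilentlyContinue)) {
    $findings.Add("process: $($p.Name) pid=$($p.Id) path=$($p.Path)")
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 10: dropped files and folders. -Depth 1 keeps this out of deep trees
# such as Downloads while still catching the READ_ME.txt copies on the desktop.
foreach ($root in $searchRoots) {
    $items = Get-ChildItem -LiteralPath $root -Force -Depth 1 -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $isFolder = $item.PSIsContainer
        if (($isFolder -and $folderNames -contains $item.Name) -or
            (-not $isFolder -and $fileNames -contains $item.Name)) {
            $line = "$(if ($isFolder) { 'folder' } else { 'file' }): $($item.FullName)"
            # Hash any executable before deletion so the sample can still be
            # identified or submitted to an antivirus vendor afterwards.
            if (-not $isFolder -and $item.Extension -eq '.exe') {
                $sha = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
                $line += " sha256=$sha"
            }
            $findings.Add($line)
            if ($Remove) { Remove-Item -LiteralPath $item.FullName -Recurse -Force }
        }
    }
}

# The Robin and Cerber folders the malware creates under the user profile.
foreach ($dir in $profileDirs) {
    if (Test-Path -LiteralPath $dir) {
        $findings.Add("folder: $dir")
        if ($Remove) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
}

# Step 13: the per-user Run key. The value name is not documented in this guide,
# so (assumption) any command line referencing the known artifacts is flagged.
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$pattern = 'temps\.exe|\\Robin\\|\\Cerber\\'
if (Test-Path -LiteralPath $runKey) {
    $values = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($prop.Value)" -match $pattern) {
            $findings.Add("run-key: $($prop.Name) = $($prop.Value)")
            if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name $prop.Name }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PornBlackmailer artifacts found in the listed locations.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete the items above.' }
}
```

Run it once without -Remove and read the report before deleting anything: a Run value that merely happens to match the pattern, or a file you downloaded yourself, should be inspected by hand rather than removed blindly. The script does not touch the other registry paths listed in Step 13 (HKCU\SOFTWARE and HKCU\SOFTWARE\WOW6432Node), because the guide gives no key name to look for under them.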
To make sure that PornBlackmailer ransomware is completely removed and that nothing is left behind, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- As soon as the BIOS or manufacturer splash screen appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts instead, reboot and try again. (On Windows 8 and later the F8 menu is disabled by default; use Steps 1 to 4 above to reach Safe Mode with Networking instead.)
- Use the arrow keys to select Safe Mode with Networking and then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and tap the R key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
There must be a single space between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.