What is Pennywise ransomware? And how does it carry out its attack?

Pennywise ransomware is a new and modified version of Jigsaw ransomware even when its ransom note says otherwise. It has similarities with the other Jigsaw variant, also called Pennywise, which uses the .beep extension. This time, this new variant uses .pennywise extension.

Pennywise Ransomware

Like other Jigsaw variants, Pennywise ransomware still features the same behavior when it comes to its attack. It starts by dropping its malicious payload in the system which is the one that establishes a connection to a remote server. This remote server is controlled by the crooks behind Pennywise ransomware. It is where the other components of the crypto-virus are downloaded.
Following its infiltration, Pennywise ransomware will employ a data harvesting module.

This module scans the local drive for any information that could be useful for the attackers which mostly includes machine identification metrics used to create a unique ID. It also employs another module called stealth protection which scans the computer for any presence of applications like antivirus, a sandbox environment, and other security programs that might interfere with the attack.

In addition, this Jigsaw variant also messes with the Windows Registry in order to automatically execute its attack each time the infected computer is turned on. Once these modifications are completed, it scans the computer for files with the following extensions:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip

After it finds its targeted files, Pennywise ransomware locks the infected computer with an image of Pennywise the clown, along with the following message:

“Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently, therefore I won’t be able to access them, either.
If you turn off your computer or try to close me when I start next time you will get 1000 files deleted as of punishment.
Yes, you will want me to start next time since I am the only one that is capable to decrypt your personal data for you.
And remember my dear researchers…. I’M NOT A JIGSAW VARIANT!!!!!!!!!
Meanwhile….. Do you want a balloon? Hahahahaha_”

How is the payload file of Pennywise ransomware distributed over the web?

The payload file of Pennywise ransomware could be distributed using fake software updates, exploit kits, deceptive downloads, or freeware and shareware. Moreover, crooks behind this ransomware threat could also use spam emails as a means to distribute this threat to potential victims.

To effectively kill Pennywise ransomware from your PC, make sure to follow the removal instructions below.

Step_1: Type in the code PsTqQNhR77oKJXvBWE3YZc in the field and unlock your computer.

Step_2: Pull up the Task Manager by tapping Ctrl + Shift + Esc keys on your keyboard.

Step_3: Go to the Processes tab and look for any suspicious-looking processes that could be related to Pennywise ransomware. Note that these kinds of processes usually take up most of the CPU resources.

Step_4: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step_5: Look for any dubious programs that might be related to Pennywise Ransomware and then uninstall it.

Step_6: Close the Control Panel and tap Win + E keys to open File Explorer.

Step_7: Navigate to the following locations and look for Pennywise ransomware’s installer and malicious components like WindowsApp22.exe and other related files and delete them all.

  • %TEMP%
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step_8: Close the File Explorer.

Before you proceed to the next steps below, make sure that you are tech-savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you trouble and time, you can just use Restoro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.

Step_9: Tap Win + R to open Run and then type in Regedit in the field and tap enter to pull up Windows Registry.

Step_10: Navigate to the listed paths below and look for the registry keys and sub-keys created by Pennywise ransomware.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
  • HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
  • HKEY_CURRENT_USER\Control Panel\Desktop

Step_11: Delete the registry keys and sub-keys created by Pennywise ransomware.

Step_12: Close the Registry Editor.

Step_13: Empty your Recycle Bin.

Try to recover your encrypted files using the Shadow Volume copies

Restoring your encrypted files using Windows Previous Versions feature will only be effective if Pennywise ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.

To restore the encrypted file, right-click on it and select Properties, a new window will pop up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Congratulations, you have just removed Pennywise Ransomware in Windows 10 all by yourself. If you would like to read more helpful articles and tips about various software and hardware visit daily.

Now that’s how you remove Pennywise Ransomware in Windows 10 on a computer. On the other hand, if your computer is going through some system-related issues that have to get fixed, there is a one-click solution known as Restoro you could check out to resolve them.

This program is a useful tool that could repair corrupted registries and optimize your PC’s overall performance. Aside from that, it also cleans out your computer for any junk or corrupted files that help you eliminate any unwanted files from your system. This is basically a solution that’s within your grasp with just a click. It’s easy to use as it is user-friendly. For a complete set of instructions in downloading and using it, refer to the steps below

Perform a full system scan using Restoro. To do so, follow the instructions below.

  1. Download and install Restoro from the official site.
  2. Once the installation process is completed, run Restoro to perform a full system scan.
    restoro laptop1
  3. After the scan is completed click the “Start Repair” button.
    restoro laptop2
logo main menu

Copyright © 2023, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only. Protection Status

Log in with your credentials

Forgot your details?