In-Depth Analysis of Rensenware Ransomware
Rensenware Ransomware is a noxious file-encrypting virus that was uploaded to a platform reported to be Github.com. The developers of this malware use the alias “0x00000FF” and claim to have created the threat as a joke for players of “Touhou 12 – Undefined Fantastic Object”, produced by Team Shanghai Alice. It is not a typical ransomware virus, because it does not ask victims to pay a ransom in Bitcoin or any other digital crypto-currency. Instead of demanding a ransom fee, the cyber criminals encode the user's data with AES-128 ciphers and then invite the victims of Rensenware Ransomware to play the “Touhou 12” game and score 12 billion points. This is not an easy task, and most affected PC users may fail to meet the malware's demand.
Rensenware Ransomware is not a Joke
Cyber security experts reported that the malware uses the “rensenware.exe” file to run on the affected machine. It also uses a unique 256-bit key to encipher the data stored on the system. After successfully invading your PC, Rensenware Ransomware may encode audio, images, presentations, videos, media projects, spreadsheets and other types of important files. According to malware researchers, the threat adds the “.rensenware” file extension to every file it enciphers, so the affected files can be easily recognized. Once it has encrypted the computer's files, it displays a program window named “Rensenware WARNING!” on your screen. This program window has no close or minimize buttons.
Rensenware Ransomware Provides a Decryption Tool
Most importantly, computer users infected with this malware are advised not to close the program window and to download a free decryptor known as “rensenWare_forcer.csproj” from “github.com/0x00000FF/rensenware_force”, which is provided by its developers. This decryptor can be exported as “decryptor.exe” by loading it into MS Visual Studio 2008 or a later version. The decryptor displays an apology note for encoding your files and developing Rensenware Ransomware. However, it is very important to leave the program window open, because if the app is closed the decryption tool will not be able to decode the files, as it is saved in memory. This ransomware is also detected as:
- W32/Trojan.ORYW-8764
- Win32/Trojan.Ransom.786
- Gen:Heur.Ransom.HiddenTears.1
- MSIL/Filecoder_RensenWare.A!tr
- Trojan ( 0050ad671 )
- Trojan.Ransom.RensenWare
Remove Rensenware Ransomware From Your PC
Step 1: Remove Rensenware Ransomware in Safe Mode with Command Prompt
- First of all, disconnect your PC from the network.
- Click the restart button and keep pressing the F8 key repeatedly while the system restarts.
- You will see “Windows Advanced Options Menu” on your computer screen.
- Select “Safe Mode with Command Prompt” and press Enter key.
- You must log in to your computer with an Administrator account for full privileges.
- Once the Command Prompt appears, type rstrui.exe and press Enter.
- Now follow the prompts on your screen to complete the system restore.
Step 2: Remove Rensenware Ransomware using MSConfig in Safe Mode:
- Power off your computer and start it again.
- While booting, press the “F8” key continuously to open the “Windows Advanced Options Menu”.
- Use the arrow keys to select the “Safe Mode” option and press the Enter key.
- Once the system has started, go to the Start menu. Type “msconfig” in the search box and launch the application.
- Go to the Startup tab and look for files from %AppData% or %Temp% folders using rundll32.exe. See an example below:
C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1
- Disable all the malicious entries and save the changes.
- Now restart your computer normally.
Step 3: Kill Malicious Process Related To Rensenware Ransomware
- Press the Alt+Ctrl+Del keys together.
- This opens the Task Manager on your screen.
- Go to the Process tab and find the process related to Rensenware Ransomware.
- Click the End Process Now button to stop the running process.
Step 4: Remove Rensenware Ransomware Virus From Registry Entries
- Press the “Windows + R” keys together to open the Run box.
- Type “regedit” and click the OK button.
- Find and remove entries related to Rensenware Ransomware under the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
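The startup check from Step 2 and the key list from Step 4 can be combined into one read-only audit. This PowerShell script is an added example, not part of the original guide; the function name Get-AutorunFinding and the path pattern it matches are assumptions chosen for illustration.

```powershell
# Added example: read-only audit of the autorun keys listed in Step 4 for the
# launch pattern described in Step 2 (a command running from AppData or Temp,
# possibly through rundll32.exe). Nothing is modified or deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Runonce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutorunFinding {
    foreach ($key in $runKeys) {
        # Several of these keys do not exist on current Windows versions.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Expand %TEMP%, %APPDATA% etc. so the path test sees the real location.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            [pscustomobject]@{
                Key                 = $key
                Name                = $name
                Command             = $cmd
                # Assumed pattern: any path segment named AppData or Temp.
                FromUserWritableDir = $cmd -match '\\(AppData|Temp)\\'
                ViaRundll32         = $cmd -match '\brundll32(\.exe)?\b'
            }
        }
    }
}

# Show only entries launching from AppData/Temp, rundll32-based ones first.
Get-AutorunFinding |
    Where-Object { $_.FromUserWritableDir } |
    Sort-Object ViaRundll32 -Descending |
    Format-List Key, Name, Command, ViaRundll32
```

Legitimate software also starts from %AppData%, so treat the output as a list to review against what you installed, not a list to delete.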
Hopefully you have now completely removed the Rensenware Ransomware virus from your computer. If you still get the ransom message from the threat or are unable to access your files, it means the virus still remains on your computer. In that situation you have no option other than removing the virus with a powerful malware removal tool.
If you have a backup of your infected or encrypted files, you can also reinstall your Windows OS. This will erase all your files and data along with the Rensenware Ransomware infection, leaving you with a completely empty computer system with no files. You can then use your backup to restore your files. If you don’t have a backup, using a malware removal tool is the better option for you.
If you have any query or question regarding your computer, you can put your problem to our experts. Go to the Ask Any Question page and get the answer to your query directly from our experts.