What is DECRYPT_INSTRUCTIONS.html? Should I remove it?

Extension: html

What does the DECRYPT_INSTRUCTIONS.html file suggest?

Encountering a DECRYPT_INSTRUCTIONS.html file is certainly not good news. It signals that your computer and personal files have fallen victim to CryptoWall, alternatively known as CryptoLocker, a file-encrypting threat. This threat emerged in 2013. Along with threats such as Locky and Cerber, which appeared in later years, it has managed to spread terror globally. By combining elaborate symmetric and asymmetric encryption, specifically AES-256 and RSA-2048, it managed to encrypt the personal files of natural and legal persons. Throughout its existence, it has made over $325 million in profit. Luckily, its activity fell in the past months, which triggered speculation that the authors had decided to end the project. However, such naive thoughts should not persuade you that CryptoWall is no longer in cyberspace. Unfortunately, it has inspired other hackers. So is it possible to terminate CryptoWall simply by deleting the DECRYPT_INSTRUCTIONS.html file?

The malware's code is complex, and it issues commands that modify registry entries. While the malware is present on the system, it also runs a command to delete shadow volume copies, which makes matters much worse because those copies could otherwise be used to restore earlier versions of files. Since there are multiple versions of CryptoWall, you might notice different file extensions on your data: Crypt0L0cker appends the .enc file extension, while the original version attached the .locked file extension. After completing the encryption process, it directs users to the DECRYPT_INSTRUCTIONS.html web page. To terrify victims even more, an analogous file, DECRYPT_INSTRUCTIONS.txt, is placed on the desktop to remind them of the hopeless situation they are in. In these instructions, the authors provide a brief FAQ guide for users who have been struck by crypto-malware for the first time. The guide also explains how to purchase bitcoins and transfer them to an address controlled by the racketeers. The file also contains an embedded clock that counts down to the expiration time. After the indicated time period ends, the files are said to be deleted. Since CryptoWall has shape-shifted into multiple versions throughout its existence, Crypt0L0cker and TorrentLocker have also been using the same file to instruct victims.
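A read-only triage sketch for the indicators described above, added here as an example and not taken from the original article: it walks a directory tree, groups the ransom notes and the .enc/.locked files by folder, and returns the earliest note modification time. Treating that timestamp as a rough marker of when encryption began is an assumption, and the function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators named in the article: ransom note file names and appended extensions.
NOTE_NAMES = {"decrypt_instructions.html", "decrypt_instructions.txt"}
LOCKED_EXTS = {".enc", ".locked"}


def triage(root):
    """Walk root (read-only) and summarise notes and renamed files per folder."""
    hits = defaultdict(lambda: {"notes": [], "locked": []})
    earliest = None  # oldest note mtime; assumed to approximate encryption start
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in NOTE_NAMES:
                hits[dirpath]["notes"].append(name)
                try:
                    mtime = path.stat().st_mtime
                except OSError:  # file vanished or is unreadable; keep scanning
                    continue
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif path.suffix.lower() in LOCKED_EXTS:
                hits[dirpath]["locked"].append(name)
    return dict(hits), earliest


def build_sample(base):
    """Constructed sample tree: one affected folder and one clean folder."""
    docs = Path(base) / "Documents"
    clean = Path(base) / "Music"
    docs.mkdir()
    clean.mkdir()
    for n in ("report.docx.enc", "photo.jpg.locked", "DECRYPT_INSTRUCTIONS.html"):
        (docs / n).write_text("constructed sample")
    (clean / "song.mp3").write_text("constructed sample")
    return str(docs), str(clean)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found, first_note = triage(tmp)
        for folder, info in found.items():
            print(folder, len(info["notes"]), "note(s),", len(info["locked"]), "renamed file(s)")
```

Run it against a mounted copy or image of the affected disk rather than the live system, so the scan itself does not alter timestamps that matter for scoping.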

Distributing CryptoWall and DECRYPT_INSTRUCTIONS.html

All versions up to CryptoWall 5.1 have been using similar hijack techniques. Unfortunately, the most profitable of them remains the transmission of the infection via spam emails. The malware is disguised as a .doc file in a .zip folder. Specifically, the virus asks a victim to enable macro settings. This functionality appears in the .doc file as a set of codes and ciphers. If a user accidentally grants the permission, he or she activates CryptoWall. Then, the virus starts its data hunt. Within a couple of minutes, the mentioned DECRYPT_INSTRUCTIONS.txt and DECRYPT_INSTRUCTIONS.html files will appear on the device. In addition, the later versions of CryptoLocker might have been relying on trojans and exploit kits to multiply the range of the attack. In that case, you will need to arm yourself with proper cyber security programs.


If you remove only the DECRYPT_INSTRUCTIONS.html file, the malware will keep rampaging on your computer. Banish the malware and all its components with a reliable anti-spyware application, e.g. Reimage or Malwarebytes Anti Malware. Do not forget to update the program so that it can fully complete DECRYPT_INSTRUCTIONS.html removal and the elimination of the file-encrypting threat. After eliminating the infection, you can consider alternative methods to recover your data.

Verdict - status of the file:

dangerous file
2-spyware.com research center gathers and checks all information related to DECRYPT_INSTRUCTIONS.html. We ask ourselves questions like: Does this file pose a threat? Is the filename exploited by malware? and others. The final status of the file is purely our opinion.
DANGEROUS FILE status means that this file poses a threat to your system. Use the Advice below:


If your computer seems sluggish, or you see unwanted advertisements or redirects to strange websites, we recommend that you scan the system with a reputable anti-spyware program. Run some free scan tests and you will see whether there are unwanted applications which might be responsible for the instability of the system.