The characteristics of a brand new Potato ransomware virus
Potato virus may sound like a joke; however, it’s a serious cyber threat that encrypts files stored on the attacked computer. Once it managed to get inside the computer, it starts encrypting files using the AES-256[1] cipher, which is known as military grade encryption. Therefore, when data encryption is over users cannot access any of their files that have .potato file extension. Though, victims are not left in obscurity. Potato ransomware drops two files right after data encryption. README.png and README.html files are the ransom notes where victims are asked to pay the ransom if they do not want to lose their files. Hackers provide detailed instructions how the transaction has to be made. The scenario barely differs from other ransomware developers orders. People have to download TOR[2] browser and using it access the payment website where they have to enter their unique ID number, hit “GET KEY” button and follow further instructions. People who are willing to trust the words of cyber criminals have to contact them via email potatoransom@sigaint.org. However, we recommend neither messaging them nor paying the ransom. First of all, you might be fooled and do not get the chance to decrypt your files even though the payment has been made. Secondly, Potato malware does not delete Shadow Volume Copies[3] of the targeted files. Therefore, if you do not backup files, you still have a chance to restore your files from shadow copies.
Apart from the ransom note, Potato virus also creates the folder on the affected computer’s desktop that includes three files. The first one is called “ID_number.txt” that includes a unique number of the targeted computer. Previously we have mentioned that this ID is necessary for decryption process. The second file is called “encrypted.txt” and provides the full list of files that had been touched by the ransomware. The third one is called “decryptor.exe (including MSVCR100.dll) which is supposed to be a decryption software. After paying the ransom, victims are supposed to receive the decryption key to use it. As we already mentioned, you should not follow these instructions. Instead of risking your money[4] and redeeming your personal documents, remove Potato virus from the computer. When your PC is virus-free, you can try additional data recovery methods that we presented below this article. Bear in mind that hesitation does not lead to anything good. After the attack, your computer and your privacy are in danger because you can expect other malware attacks as well. Therefore, start automatic Potato removal with FortectIntego or other strong malware elimination software.

How does ransomware infiltrate the computer?
Potato ransomware is still under investigation; however, hackers are suspected of using DarkComet RAT to get remote access to the computers. Then they download malware executable “potato.exe” and execute it. Once the malicious file is executed, malware starts data encryption and drops ransom notes to the system. However, we want to remind that ransomware might be spreading in many different ways. For example, malicious spam emails stay the main ransomware distribution technique. Furthermore, exploit kits also helps to infiltrate a vulnerable computer, and misleading ads might trick to click and install malware executable. Therefore, if you want to avoid ransomware[5], you have to watch your behavior online and protect your PC with security software.
Instructions for automatic Potato removal
Even though data recovery seems the priority for the majority of ransomware victims, Potato removal is the more important task. While malware resides on the computer, all data encryption methods are just a waste of time because malware can encrypt restored files again. What is more, if you do not follow our advice and pay the ransom, you might waste your money as well. After receiving your money hackers may ask for more and do not provide a decryption software. Therefore, remove Potato ransomware from the computer by scanning the computer with FortectIntego or SpyHunterCombo Cleaner. If ransomware prevents from accessing security tools, follow the instructions below.
Was this guide helpful?
3 comments