What is shaofao.exe? Should I remove it?

Shaofao.exe — a malicious executable related to Dharma ransomware

Shaofao.exe is a process that shows up in the Task Manager on a Windows computer. Typically, Windows uses files with the .exe extension to execute various commands on the device, for example, launching an application. In late August 2018, researchers discovered a new variant of Dharma ransomware that runs this file after infiltration. File-locking viruses are extremely dangerous, as data loss is highly likely. Even after paying the ransom to cybercriminals, users might not receive the decryptor they need to recover their personal files.

Name: shaofao.exe
Type: Ransomware executable
Main dangers: Encrypts files and demands ransom for their release
File extension: .id-XXXXXXXX[demassagaddison@aol.com].combo
Distribution: Spam email attachments
Elimination: Clean your system thoroughly with FortectIntego

Dharma ransomware is a file-locking virus that first showed up in November 2016. It uses the AES encryption algorithm[1] to encrypt data, appends the [email].dharma file extension, and drops a ransom note. The contact address and ransom note vary depending on the malware variant. The Shaofao.exe virus is one of the latest versions, which showed up in late August 2018. It appends the .combo file extension to the affected data.

The malicious Shaofao.exe performs the following on the infected machine:

  • reads the active computer name;
  • spawns many processes;
  • deletes volume snapshots/shadow volume copies;
  • modifies Windows registry.

Shaofao.exe removal can be crucial for your system because the ransomware encrypts your files and keeps them locked until you pay a certain amount in Bitcoin or another cryptocurrency. This is very dangerous, and you shouldn't pay cybercriminals. However, there is a possibility that your files cannot be recovered after this attack unless you have your data backed up on an external device.

In addition to shaofao.exe, you may also see a .txt file that serves as the ransom note for the particular ransomware. In this case, if your device is affected by Dharma, you may find Info.hta and FILES ENCRYPTED.txt placed in every folder that contains encrypted files. The text file contains more details about the ransomware attack.

Ransom note reads as follows:

At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:

The Shaofao.exe virus needs to be eliminated as soon as possible if you find it running on your system, not least because you will not be able to open any of your personal files. Therefore, remove the ransomware using a reputable anti-malware tool and then use FortectIntego to make sure the Windows Registry is clean.
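
To scope the damage before restoring from backup, the file-naming pattern and ransom note names described above can be turned into a read-only inventory. This is an added example, not code from the article or from any tool it mentions; it assumes the XXXXXXXX placeholder stands for eight alphanumeric characters and accepts the pattern with or without a dot before the bracket.

```python
import re
from collections import defaultdict
from pathlib import Path

# Assumption: "XXXXXXXX" is eight alphanumeric characters, and the dot before
# "[" is optional (the article prints the pattern without it).
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]{8})\.?"
    r"\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}  # names given in the article


def classify(filename):
    """Return ('note', None), ('encrypted', fields) or ('clean', None)."""
    if filename.lower() in RANSOM_NOTES:
        return "note", None
    m = ENCRYPTED_RE.match(filename)
    return ("encrypted", m.groupdict()) if m else ("clean", None)


def triage(root):
    """Walk root without opening or changing files and summarise the damage."""
    report = {"encrypted": [], "notes": [], "clean": 0,
              "victim_ids": set(), "contacts": set(),
              "by_dir": defaultdict(int)}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind, fields = classify(path.name)
        if kind == "note":
            report["notes"].append(path)
        elif kind == "encrypted":
            # Keep the pre-encryption name so it can be matched to backups.
            report["encrypted"].append((path, fields["original"]))
            report["victim_ids"].add(fields["victim_id"].upper())
            report["contacts"].add(fields["contact"].lower())
            report["by_dir"][path.parent] += 1
        else:
            report["clean"] += 1
    return report


if __name__ == "__main__":
    import sys
    r = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(r['encrypted'])} encrypted, {len(r['notes'])} notes, "
          f"{r['clean']} untouched; IDs={sorted(r['victim_ids'])}")
```

The recovered original names give a checklist to compare against backups, and more than one victim ID or contact address in the report suggests the machine was hit by more than one variant.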


Ransomware executes via insecure spam email attachments 

Researchers[2] note that many malicious actors use spam email campaigns to spread malware. Phishing emails can look fake in some cases, but more often than not ransomware developers put in some effort to make messages more believable. Thus, it is crucial to spot signs of a fraudulent email before opening any attachments or clicking on links. 

A phishing email often comes from an unknown email address, but hackers mostly use one that looks almost identical to those of well-known retailers, such as Amazon or Airbnb.[3] Additionally, users can be redirected to spoofing sites where personal details can be obtained.

If you open a malicious attachment and allow the Macro function to run, the virus's code will be executed immediately, and, before you know it, all your files will be locked. Nevertheless, those who use anti-malware solutions are at much lower risk of infection, as most security software is capable of stopping the virus from executing.

Terminate shaofao.exe and other related files with anti-malware software

To remove the shaofao.exe virus, you need to scan your entire system using anti-malware tools like FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes. These programs perform a thorough system scan and eliminate the detected cyber threats.

You cannot perform shaofao.exe removal manually because a ransomware infection is complicated, and performing the action would require extensive IT knowledge, which most regular users do not have. Thus, it is better to leave the hard work to automatic solutions.

About the author
Julie Splinters - Anti-malware specialist