Severity scale:  
  (95/100) ransomware. How to remove? (Uninstall guide)

removal by Lucia Danes - - | Type: Ransomware is a crypto-malware closely related to Arrow ransomware ransomware renders personal files unreadable is classified as a crypto-ransomware virus.[1] It stems from a relatively old and infamous family of ransomware, dubbed as Dharma. It shares the same behavioral traits and design with Arrow ransomware, so experts consider it to be a direct variation of Arrow ransomware. The activity of this infection has been spotted at the end of March 2018 when victims reported their files locked by file extension.

Type Ransomware
Danger level High. Locks personal files and can damage them permanently
Family Dharma ransomware, Arrow ransomware
File extensions, but can sometimes replace with .arrow, or
Symptoms The most popular file types inaccessible, ransom note generated on the desktop, antivirus blocked, random crashes
Decryptable Not confirmed yet
Removal Install Reimage security tool and set it run a deep system scan. Manual removal not possible

Ransomware researchers claim that the virus exploits AES-256[2] cipher to render the most popular file types unreadable. An example of a file encrypted by virus looks like

Before getting the chance to start data corruption, this ransomware virus has to hijack the system (compatible with 32-bit and 64-bit systems). Usually, it finds its way into the system via malspam campaigns, but the payload can also be spread via drive-by-download attacks and exploit kits.

Once installed, it launches Command Prompt with Administrative privileges, so the victim can see a black window popping up on the screen for a couple of seconds. Ransomware runs multiple scrips, one of which commands to remove Windows Volume Shadow Copies. Besides, it installs multiple files in %APPDATA%, C:\Windows\System32, C:\Windows\System64, C:\Windows\System Files.

Unauthorized system's changes are followed by data encryption. ransomware uses a complicated AES cipher, which appends the file extension to the following file formats:

.gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp (the list is not definite).

The virus can alter the extension and, instead of the mentioned, append one of the following:


The victim is expected to notice locked files in the first place. However, a ransom note is yet another clear symptom of an attack. The note is typically disclosed in the form of a text file on the desktop or each folder that contains encoded data.
The ransom note demands a victim to pay the ransom in Bitcoin crypto coins and initiate a transaction via Bitcoin wallet via Tor browser. Before that, he or she has to email the developers via or to get personalized instruction.

If your PC has already been attacked by this crypto-extortionist, we are sorry for you. However, we alwong with partners from[3] do not recommend you to pay the ransom. Instead of that, initiate an in-depth system's scan with Reimage or Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus to remove malware with the whole pack of malicious files. removal is the only smart move that you can take in this kind of situation. Paying the ransom does not give a guarantee that cybercriminals will unlock your files. They can either vanish entirely after receiving your payment or sent you a fake decryptor that is not capable of decrypting a single file.

Therefore, to protect yourself from losing money, remove as soon as possible and decrypt data using one of the alternative data decryption methods listed at the end of this post.

NOTE: you can try to launch Dharma Decryptor right after removal. This ransomware is an offspring of Dharma so that the decryptor might work. However, note that this ransomware more than ten different versions, some of which give up for deciphering and the others don't.

Crypto-malware spreads in many tricky ways: beware of a few

Ransomware is a type of infection that can damage most if not all personal files on the targeted PC. It is capable of doing so due to complex cryptography methods employed, and multiple system's changes initiated.
However, complex performance would be a zero threat if cybersecurity experts would find a wall to stop ransomware dissemination. Currently, crooks manage to foist thousands of ransomware payloads worldwide via the following mediums:

  • Malicious email attachments;
  • Illegal websites;
  • Fake software updates;
  • Infected advertising platforms;
  • Exploit kits.

One of the precautionary measures that have to be taken to protect the system from ransomware attack is a right choice of anti-malware. Read license terms and analyze what features the tool has to ensure as strong protection as possible. Real-time protection is a must.

Besides, avoid visiting adult content, gambling, and other potentially dangerous domains. Besides, restrain from clicking on ads and links provided on web domains that you are not familiar with.

Learn how to get rid of ransomware virus

Do not try to remove manually. Not because you can lose the encrypted data permanently, but because you will not succeed no matter how you try. It's practically impossible to initiate removal since it scatters malicious files all around the system.

To get rid of this cyber infection, you will be able to decrypt files using alternative methods. As we have pointed out, is a version of Arrow and Dharma, so try a free Dharma decryptor in the first place. You can find a download link down below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove ransomware you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove virus, follow these steps:

Remove using Safe Mode with Networking

Ransomware viruses are often programmed to block anti-virus. To bypass the wall, boot the system into Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove using System Restore

If the previous method did not work and you cannot run a security tool anyway, try these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

None of the methods listed below give hundred percent guarantee of getting the files unlocked. However, each of them helped to retrieve millions of entries encrypted by various ransomware type infections. 

If your files are encrypted by, you can use several methods to restore them:

Data Recovery Pro

As soon as you get rid of virus, you can try to recover your data. One of the solutions is to install Data Recovery Pro – a professional tool for data recovery after accidental file deletion or system's crash, and launch it. 

Try previous Windows Versions

Those who are regularly setting a System Restore Point, should take advantage of the previous Windows versions. You may be able to recover separate files by following this guide:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Check for Volume Shadow Copies

There's only one way to check whether ransomware deletes Volume Shadow Copies. Install ShadowExplorer and launch it to start the scan:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try a free Dharma decrytor:

Download a free Dharma decryptor here and launch the tool to check if it's capable of cracking the code of the ransomware variant. 

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions


Removal guides in other languages