Erica Encoder ransomware (Decryption Steps Included) - Free Guide

Erica Encoder virus Removal Guide

What is Erica Encoder ransomware?

Erica Encoder ransomware – the self-named cryptovirus that requires ransom in Bitcoin after the file encryption

Erica Encoder ransomwareErica Encoder ransomware is the malware that focuses on altering files, so money can be demanded from victims directly. Erica Encoder ransomware is a threat that encodes files using the AES encryption algorithm and marks all the affected data, renames files using random characters and numbers. The appendix from random characters placed at the end of every file is needed to show the user which files got affected during the encryption. Since the main goal of criminals behind the threat is money, the ransom note HOW TO RESTORE ENCRYPTED FILES.txt is placed on the system immediately after the encryption with a message demanding for payment. That is written in Russian but also has a phrase in Ukranian. According to some researchers, it is believed that Erica Encoder is made by Ukranian hackers.

Ransom-demanding message insults users because of the short phrases placed through the text file, all state about the importance of backups, and calls the victim loser. This is a new threat, and Erica Encoder ransomware virus also gets called Erica2020 or Erica Encoder 2.0.1 ransomware because of the mentions in the same text file. Victims are encouraged to pay for virus creators because it is the only way to get back affected files, but contacting these criminals via provided, emails is not recommended.[1] You may get exposed to dangerous content and get additional malware instead of those decryption keys that hackers promise.

Name Erica Encoder ransomware
Danger The threat infects the targeted machine and makes common files useless by encrypting them. Criminals claim that the only way to bet files recovered is to pay the demanded amount in the ransom note. Additional processes running int he background affect the performance, and victims suffer from speed issues. Since many programs get disabled or differently affected, the computer may end up permanently damaged
Ransom note HOW TO RESTORE ENCRYPTED FILES.txt – a file that appears placed in various folders and on the desktop that criminals form for each victim with the unique ID that is needed for later decryption and victim identification
Email addresses,
File appendix Files affected by the threat get renamed with a long random name formed from numbers and letters and then appended with 4 or 6 character marker
Distribution Malicious advertisements, websites containing malware, and other online content can trigger payload droppers, but the main technique used for spreading such malware – file attachments injected with macro viruses. Such documents get added on various misleading emails and notifications posing as legitimate invoices or messages from companies and services
Elimination To remove Erica Encoder ransomware completely without affecting the machine further, you should employ anti-malware software with the malicious behavior-based detection[2] engine. Such tools can find and terminate crypto-malware for you
Optimization Unfortunately, all the changes made by this threat can interfere with the performance of the computer and damage the device significantly besides affecting the crucial functions. Get a PC repair tool or a cleaner like FortectIntego and make sure to run through system folders and preferences like startup or Windows registry

Erica Encoder ransomware is targeting Russian-speaking countries because the ransom message is initially written in this language with a few mentions in Ukranian. The sample of the threat got out there early January 2020 and is believed to be developed by Ukrainians because of the text note, including the traces of test encryption and some more Ukranian text. However, this threat can appear in any computer despite the country because distribution mainly involves random online content.

Erica Encoder ransomware demands money from victims in the ransom note file HOW TO RESTORE ENCRYPTED FILES.txt that displays this(translated from the original – Russian):

Erica Encoder 2.0.1

Hello again :*
I greet you again

We know that you miss Us very much and decided to give you a present

We do not work in Russia, Ukraine and Kazakhstan


If you want to restore your worthless files, then write to Our mail and we will answer you

ZXJpY2FfZmlsZXNAcHJvdG9ubWFpbC5jb20 = (Base64)

We give greetings to Fabian Sosar 1: 0 and the rest mentally retarded: *

Commonly, Russian-speakers get targeted by such malware due to political conflicts and general hate, but that doesn't mean Erica Encoder ransomware is not going to affect your machine if you are in another country of Europe or in the U.S. Cryptocurrency extortion-based threats are focusing on wide-spreading techniques and can end up on devices all over the world. You need to be cautious to avoid any infection no matter what.

The infiltration happens without any notice because the payload of the virus gets dropped directly on the system. You may notice some speed issues or affected performance of the machine, but encryption is not the process that you can spot. Also, it happens quickly since Erica Encoder ransomware developers mainly focus on this. Erica Encoder ransomware virusErica Encoder is a dangerous cryptovirus because it is developed by criminals who only care about blackmail. The scary and insulting message from developers and the initial encryption process makes Erica Encoder ransomware victims confused and concerned. That is understandable, but we cannot stress this enough – paying is not the best option. If you try to connect with threat actors and ask for more information or a straight-up decryption tool, they can provide you with a certain ransom amount that you need to pay or deliver you the malicious file that damages the computer further.

Other experts[3] all over the world and we note that it is better to remove Erica Encoder ransomware without keeping the contact with criminals. It is not an easy process, and it involves security software help, but you can clean the machine and recover your files without the intervention from malicious people. If you have file backups up to date, you should do that as soon as possible.

If not – make sure to collect those encrypted files with the hope of recovering them with a later-developed decryption tool before you terminate the malware using AV tools. When ransomware gets deleted, most of the files needed for decryption get also deleted, so keep that in mind.

The particular Erica Encoder ransomware encrypts files using the AES encryption algorithm that allows the threat actors to change the original code of the image, document, video, audio file, database, or archive. There are no tools developed for the decryption, so the best way to recover those files is to restore them using safe copies stored on your external devices – backup.

Also, if you don't have backups that could help you with these encrypted files, rely on third-party software that can restore such affected data. Only do that after the proper Erica Encoder termination because any program or file related to malicious threat can lead to repeated encryption.

Once Erica Encoder virus is eliminated, and all the programs get disabled, removed from the machine, it is time to tackle virus damage on the machine. To do that properly without causing any damage to your machine, you should use a PC optimization tool or a repair software like FortectIntego. Programs like this can be helpful because Windows registry entries or system files affected by the malware may get repaired, and virus damage eliminated without any danger. If you try to alter startup preferences or registry entries, you can cause problems with essential PC functions. Erica Encoder 2.0.1Erica Encoder ransomware - malware that alters common files and asks for payments. Do not consider paying and remove the threat as soon as you can instead.

Protecting yourself and your valuable data from crypto-extortion malware

Since there are tons of different malware types, distribution methods also go all over the place and depend on a particular virus, malicious campaigns, and malware developers. Ransomware is a category also has many ways that are commonly used to deliver the payload of such intruders.

One of the more common ones- spam email campaigns when legitimate-looking emails are received and include attachments injected with malicious scripts directly or macro malware that is designed to trigger the drop on the machine with a few clicks. You need to note that any email that is not expected can deliver malware and delete suspicious notifications as you get them.

Also, a few red flags to look out for:

  • grammar mistakes in emails;
  • shortened links in the notification itself;
  • typos or slightly altered names of well-known companies;
  • invoices, receipts, order details got from services you don't use.

Terminate Erica Encoder ransomware and clean virus damage with professional tools to avoid infection repetition

Erica Encoder ransomware virus is not a simple threat because it involves encryption, file altering functions, and blackmailing victims directly. Additionally to the primary encoding function, this threat interferes with crucial settings, disable functions helpful for virus termination, and file recovery, so the victim has fewer solutions.

These symptoms can make people frustrated and desperate to find the best way to remove Erica Encoder ransomware. Unfortunately, since security tools get blocked or disabled and programs designed to fight against malware cannot work correctly there are some steps you need to take additionally.

We have listed a few methods below, like Safe Mode and System Restore, that can help to achieve better results of Erica Encoder ransomware removal. An additional recommendation is to choose a trustworthy anti-malware tool for system scanning. FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes can also help to tackle virus damage and repair affected system parts.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Erica Encoder virus. Follow these steps

Manual removal using Safe Mode

Reboot the machine in Safe Mode with Networking and then remove Erica Encoder ransomware from the machine using AV tools

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Erica Encoder using System Restore

Rely on System Restore feature that allows recovering the machine in a previous state to terminate the threat

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Erica Encoder. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Erica Encoder removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Erica Encoder from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Erica Encoder, you can use several methods to restore them:

Data Recovery Pro is the program that can make your files useful again

To restore encrypted data or accidentally deleted files, you should get a tool that is capable to do so

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Erica Encoder ransomware;
  • Restore them.

Windows Previous Versions can help with files affected by Erica Encoder ransomware

When System Restore gets enabled, Windows Previous Versions can be used for file recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer method for encrypted data

When malware like Erica Encoder ransomware is leaving Shadow Volume Copies untouched, you can rely on ShadowExplorer

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool for Erica Encoder ransomware is not developed yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Erica Encoder and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions