Severity scale:  

Remove Exotic ransomware / virus (Nov 2016 update) - Improved Instructions

removal by Olivia Morelli - - | Type: Ransomware

Exotic ransomware wants $50 from you

Questions about Exotic ransomware virus

Exotic virus, which is developed by German coder EvilTwin, is actually a ransomware-type computer infection that encrypts files and demands payment in exchange for the decryption software. Its authors have released even three different versions of this ransomware. Once installed, it terminates cmd, taskmgr, procexp, procexp64, regedit, msconfig, and CCleaner64 processes, and then checks Desktop, My Music, My Videos, Personal, Contacts, Downloads, My Pictures folders, which are located in %USERPROFILE%. The virus then encrypts all files, including .exe files, with an undefeatable encryption (it uses AES-128 cipher), and adds .exotic file extension to every file it touches. It is worth noting that malware double-checks these folders for new files, and encrypts them as well. Then it displays a pop-up message called “Crypto,” which says:

Windows are infected, by the EXOTIC virus!
Try to Kill or Delete me I will kill your PC!
Have a nice day =)

The pop-up message provides the OK button, and once the victim clicks on it, the ransom note appears on the screen. It seems that authors of this filthy ransomware really do not watch their mouths because they include many vulgar words in this note. The ransom note launches in a new window which is called “You got fu*ked by EXOTIC SQUAD!,” and displays the following information:

All your files have been encrypted!
Hello, all your Computer files have been encrypted. But, don’t worry! I haven’t deleted them all. So you have 7 2 hours to pay 50 USD in Bitcoins to my Bitcoin Address to get your files back! Every 5 hours files will be deleted. After 72 hours all that are left will be deleted! We will format your hard-drive when you restart your computer! The Timer starts now! Don’t fu*k with EXOTIC SQUAD!

As you can see, the ransomware virus demands 50 USD within 72 hours, otherwise, the decryption key needed for data restoration will be deleted. Besides, just like the infamous JigSaw ransomware, Exotic Squad virus promises to remove some files every 5 hours of non-payment, and in case the victim does not pay the ransom within 72 hours, the rest of the encrypted data gets erased all at once. When the counter reaches 0, the ransomware reboots the computer automatically, but here’s where the ransomware author failed. Ransomware copies itself to Startup directory to start itself automatically as soon as the computer prepares itself to function, but “unfortunately” this virus is designed to encrypt .exe files, so it encrypts the ransomware’s executive file as well and it becomes useless. 

If you have been infected with this nasty ransomware, we recommend you to remove Exotic virus with the anti-malware tool like Reimage Reimage Cleaner Intego, and not pay the ransom for the criminals. Speaking from experience, we can say that viruses which look scary and display frightening messages usually are not that dangerous, because their authors typically lack professional coding skills, because it is much easier to write some text in a pop-up window than to code a program that can strongly encrypt files. This virus looks like one of those who are likely to be cracked soon, so we suggest you backup the encrypted data and be patient. For Exotic removal, use instructions presented below. Delete the virus as soon as you can to prevent it from deleting your files.

Ransom note by Exotic Squad virus

The developer of this ransomware attempts to reach out to malware researchers

This case of ransomware is rather interesting because while typical ransomware authors tend to stay as anonymous as possible, the developer of this one, known as EvilTwin, wants to communicate with malware researchers and has even provided them with an example of Exotic 2.0 ransomware virus and possibly with Exotic 3.0 ransomware virus. The e-mail of the author is According to the EvilTwin, malware researchers got his “test ransomware” and his final is a “bada*s.” This is clearly a threat, and it is likely that another example of this virus is going to show up shortly. Therefore, we advise computer users to stay alerted and protect their computers from ransomware by installing an anti-malware program and creating a data backup.

Exotic versions released by EvilTwin

So far two different versions have been discovered, although there might be more shortly. At the moment, known Exotic malware versions are these:

Exotic 2.0 ransomware. The second version of this ransomware project asks for $50 as a ransom and is based on traditional pay-the-ransom-get-files-back strategy. It encrypts files with a tricky algorithm, supplements them with .exotic file extensions, leaves How-to-restore.txt ransom note on the desktop, and launches a program entitled “You got fu*cked by EVILTWIN!,” which types the ransom note on the screen and showcases a countdown clock. It threatens the victim to delete some files every 5 hours of non-payment and finally erase the rest of them after 72 hours. The ransomware should be erased with anti-malware tool since it has no uninstaller. Inexperienced computer users should not attempt to remove the virus manually because in order to entirely delete the virus, victims should delete numerous files that are entitled with trustworthy filenames and also alter Windows Registry, which is a difficult thing to do.

Exotic 3.0 ransomware. The third version no longer threatens the victim to erase the files, but demands for the same $50 ransom, which should be paid in Bitcoins to the same Bitcoin address. Exotic 3.0 virus appends .exotic extensions to encrypted files to make them recognizable, and sadly it seems that encryption that this virus applies to target files is nearly impossible to crack. It means that files cannot be decrypted without a special decryption key, but we do not recommend you to pass your money to victims because according to recent researchers, even 20% of victims who paid the ransom never got the decryption software. We believe that it is a reasonable basis not to pay the ransom.

Distribution techniques

Malware can infect your PC using various techniques. Probably the most popular ways are these:

  • Sending malicious email attachments to victims or including infectious links in email messages;
  • Using exploit kits placed on harmful websites;
  • Pushing fake software updates;
  • Malvertising.

Although ransomware authors try to apply new methods of malware distribution, the most efficient one remains the same. Victims still open malicious emails without even inspecting who the sender is. Criminals are so advanced that they can insert a malicious script into a safe-looking Word or JS file, while in the past the only way to infect computers was to make the victim open a .exe file.

Remove Exotic virus entirely

Please do not listen what this malicious Exotic virus says. It attempts to frighten you and make you believe that restarting the computer will “kill it.” You have to start your computer in a Safe Mode with Networking, so please carefully read the instructions presented below or ask someone else to start your PC in a Safe Mode with Networking if you do not know how to do it. Then, you will be able to install an anti-malware tool and complete Exotic removal then. We highly recommend you to employ an automatic virus removal software and not to remove Exotic virus manually as this can result in failure, and then the virus might actually delete all files by formatting the hard drive. Be careful!

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Exotic ransomware virus snapshot
Ransom note by Exotic 2.0 ransomware virusRansom note by Exotic 3.0 ransomware virus
Ransom note by Exotic 2.0 ransomware virus

To remove Exotic virus, follow these steps:

Remove Exotic using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Exotic

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Exotic removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Exotic using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Exotic. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Exotic removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Exotic from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Exotic, you can use several methods to restore them:

Recover .exotic files with Data Recovery Pro

Although this is not the official decryption tool, you can try to run Data Recovery Pro and give it a chance to fix your files. We strongly recommend you to create a data backup before applying this technique.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Exotic ransomware;
  • Restore them.

Explore Volume Shadow Copies with ShadowExplorer

If Exotic Squad virus authors were not attentive enough, they could miss one important step when creating this ransomware. Sometimes, ransomware authors forget to insert a function that deletes Volume Shadow Copies, which can be used to restore encrypted data.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Exotic and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

  1. Tod says:
    October 14th, 2016 at 5:21 am

    Theres a version 2 already

  2. Rizzle says:
    October 14th, 2016 at 5:21 am

    Ridiculous virus. Are the developers of it trying to sound gangsta or what? Just funny. Not gonna pay.

  3. mandy says:
    October 14th, 2016 at 5:22 am

    Recovered my files from backup…. stupid virus if i met its authors I would laugh at his/hers face.

  4. Eliiott says:
    October 14th, 2016 at 5:23 am

    i KNOW RIGHT! I have also been attacked but removed the Exotic virus with antivirus program quickly. I dont care about files – didnt keep anything important in my computer

Your opinion regarding Exotic ransomware virus