Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Oct 2021

How to remove Poison ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Jake Doevan · Computer technology expert

Poison ransomware is a type of malware designed to extort money from you

Poison ransomware

Locking personal files on the computer is bad enough, but asking for money to unlock them became a familiar phenomenon all over the world. Poison ransomware is another addition to an ever-expanding list of new cryptomalware strains which first showed up in the middle of October of 2021.

After the virus manages to break into a Windows machine, it immediately begins its malicious activities, infecting the whole system or even network, if the PC is connected to one, immediately. These modifications are required in order for malware to fulfill its main goal – to lock all pictures, documents, videos, and other types of files. This process can be a bit longer than the infection one, as it highly depends on the size of the files susceptible to encryption.

At this time, malware renders all files useless, stripping them off their original icons and locking them with a secure algorithm. While data can no longer be accessed or modified, it does not mean that it is corrupted. Poison ransomware creates a complex, unique key that is sent to the attackers' servers immediately. This key is then used to blackmail users into paying money for file retrieval.

To make victims aware of what just happened, malware authors leave a ransom note ___RECOVER__FILES__.poison.txt, which is placed on the desktop and any other folders where locked files are located. The ransom note is brief but informative; it claims that users need to process payment of 0.01 BTC into the 1EHXj2AvyeCAKTzBdqbDmmceswJEciE7kj Bitcoin wallet and then an email with the transaction ID sent to ankinter.promo@protonmail.com.

Name Poison ransomware
Type Ransomware, file-locking malware, cryptovirus
File extension .poison is appended at the end of each file name
Ransom note ___RECOVER__FILES__.poison.txt and a pop-up window titled “!Ups”
Contact bankinter.promo@protonmail.com
Ransom size 0.01 BTC, to be transferred to 1EHXj2AvyeCAKTzBdqbDmmceswJEciE7kj Bitcoin wallet
File Recovery If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below
Malware elimination Manual virus removal is not recommended, as it might be difficult for regular users. Instead, SpyHunterCombo Cleaner or other anti-malware tools should be used
System fix Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the system and avoid its complete corruption, we recommend scanning it with the FortectIntego repair tool

Poison virus is a new ransomware strain, and no connections have been found with other ransomware families. Nonetheless, man new and experimental ransomware shows up after some members leave a larger cybercriminals group to increase profits from the illegal activities. Likewise, new people within the cybercriminal world can also be starting their own businesses.

In the case of the latter, there are no established principles that the group works by, hence there could be bugs within the ransomware encryption codes or the returned decrytpion tools might fail to work. This is why it is not advised by experts[1] to trust hackers behind ransomware and send them the money they require. The full ransom note reads:

!Your files have been encrypted.

To get back all them, send0.01 bitcoin(s) to BTC address: 1EHXj2AvyeCAKTzBdqbDmmceswJEciE7kj
So, email your transaction ID to: bankinter.promo@protonmail.com

Thanks for cooperate and good luck next time!

Encryption Log:

Looking at it, it seems like crooks are trying to be approachable and “nice” within the last sentence. This is one of the tactics employed by ransomware authors; as we observed in other malware strains, ransom notes are threatening and even put up a timer before the decryption key is allegedly deleted from the crooks' server.

In any case, it is up to you whether you want to risk your money and pay the required Bitcoin, although be warned – you might lose your files and money. While it is true that there is no working decryption tool that would guarantee a file recovery, you could try several alternative methods we list below. But before that, you need to remove Poison ransomware from your device.

Delete malware from your system

After the ransomware is done with encrypting all files, its main job is done. Hence, some infections simply self-delete as soon as the data-locking process is complete, although this is not a rule, and some malware continues running in the background due to various reasons. For example, it might continue locking all the incoming data (if such is placed on the infected PC), or stealing personal information in the background. Besides, malware is commonly spread in bulks, so there might be a dangerous virus installed as well.

Poison ransomware virus

Thus, it is vital to use security software to remove the Poison virus from your system, along with any other additional threats. Download SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another reputable anti-malware and perform a full system scan to eliminate all the malicious components at once. In fact, security software is your number one weapon against ransomware infections, as it can stop it before it manages to encrypt files. According to Virus Total, this virus can be detected under the following names:[2]

  • Gen:Heur.Ransom.REntS.Gen.1
  • Trojan.Ransom.Filecoder
  • A Variant Of MSIL/Filecoder.AEN
  • Ransom:MSIL/Cryptolocker.PDH!MTB
  • Msil.Trojan.Gen.Ejex
  • Ransom.FileCryptor, etc.

Note: ransomware might tamper with security software and prevent it from working. If that happens, ever to the instructions at the bottom of this post to access Safe Mode and scan the system from there to bypass malware's malicious features.

Attempt to recover .poison files with these methods

As previously mentioned, sending money to ransomware creators can be risky. It also motivates them to infect more victims to acquire more money, hence the illegal business prospers. Instead of doing that, you should try using the following methods to recover the locked files. There are two things you should make sure of before proceeding:

  1. You scanned your PC with security software and malware is no longer present on it
  2. You made backups of locked files.

During the recovery process listed below, encrypted files might get corrupted permanently, so it is vital to keep them on a separate medium. You can use a USB flash drive or similar external storage device; also, using remote cloud services can also be very convenient – we provide instructions on how to backup files on OneDrive and Google Drive below.

Use recovery software

  • Download Data Recovery Pro.
  • Double-click the installer to launch it.
  • Follow on-screen instructions to install the software.
  • As soon as you press Finish, you can use the app.
  • Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  • Press Next.
  • At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  • Press Scan and wait till it is complete.Scan
  • You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  • Press Recover to retrieve your files.

Wait for a decryptor

Most fully-working ransomware use encryption algorithms such as AES or RSA to lock up data securely. This means that the decryption key can only be retrieved from cybercriminals' servers, although, obviously, they are not willing to give it up for free and ask for money in exchange for it.

Luckily, some ransomware is far from perfect and has bugs[3] within their encryption process, which allows security experts to create a working decryption tool, providing it for victims for free. Alternatively, law enforcement has previously seized the servers of malware authors, which allowed them to release keys to the public. Thus, use the following links to find a decryption tool, although you should keep in mind that it might take time before a working one is available, if at all.

No More Ransom Project

Take care of your system health

Regardless of whether the above methods helped you to restore files or not, you should not neglect your Windows system. After malware infection, it might start malfunctioning – crashing, lagging, fail to launch applications, returning errors, and much more. Thus, we strongly recommend you follow the below instructions to repair your system instead of reinstalling it altogether.

  • Download FortectIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

By employing this tool, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.