Potato ransomware / virus (Free Guide) - Decryption Methods Included

Potato virus Removal Guide

What is Potato ransomware virus?

The characteristics of a brand new Potato ransomware virus

Potato virus may sound like a joke; however, it’s a serious cyber threat that encrypts files stored on the attacked computer. Once it managed to get inside the computer, it starts encrypting files using the AES-256[1] cipher, which is known as military grade encryption. Therefore, when data encryption is over users cannot access any of their files that have .potato file extension. Though, victims are not left in obscurity. Potato ransomware drops two files right after data encryption. README.png and README.html files are the ransom notes where victims are asked to pay the ransom if they do not want to lose their files. Hackers provide detailed instructions how the transaction has to be made. The scenario barely differs from other ransomware developers orders. People have to download TOR[2] browser and using it access the payment website where they have to enter their unique ID number, hit “GET KEY” button and follow further instructions. People who are willing to trust the words of cyber criminals have to contact them via email potatoransom@sigaint.org. However, we recommend neither messaging them nor paying the ransom. First of all, you might be fooled and do not get the chance to decrypt your files even though the payment has been made. Secondly, Potato malware does not delete Shadow Volume Copies[3] of the targeted files. Therefore, if you do not backup files, you still have a chance to restore your files from shadow copies.

Apart from the ransom note, Potato virus also creates the folder on the affected computer’s desktop that includes three files. The first one is called “ID_number.txt” that includes a unique number of the targeted computer. Previously we have mentioned that this ID is necessary for decryption process. The second file is called “encrypted.txt” and provides the full list of files that had been touched by the ransomware. The third one is called “decryptor.exe (including MSVCR100.dll) which is supposed to be a decryption software. After paying the ransom, victims are supposed to receive the decryption key to use it. As we already mentioned, you should not follow these instructions. Instead of risking your money[4] and redeeming your personal documents, remove Potato virus from the computer. When your PC is virus-free, you can try additional data recovery methods that we presented below this article. Bear in mind that hesitation does not lead to anything good. After the attack, your computer and your privacy are in danger because you can expect other malware attacks as well. Therefore, start automatic Potato removal with FortectIntego or other strong malware elimination software.

Potato ransomware virusThe picture shows a fragment of the ransom note delivered by the Potato ransomware virus and a screenshot of the payment website.

How does ransomware infiltrate the computer?

Potato ransomware is still under investigation; however, hackers are suspected of using DarkComet RAT to get remote access to the computers. Then they download malware executable “potato.exe” and execute it. Once the malicious file is executed, malware starts data encryption and drops ransom notes to the system. However, we want to remind that ransomware might be spreading in many different ways. For example, malicious spam emails stay the main ransomware distribution technique. Furthermore, exploit kits also helps to infiltrate a vulnerable computer, and misleading ads might trick to click and install malware executable. Therefore, if you want to avoid ransomware[5], you have to watch your behavior online and protect your PC with security software.

Instructions for automatic Potato removal

Even though data recovery seems the priority for the majority of ransomware victims, Potato removal is the more important task. While malware resides on the computer, all data encryption methods are just a waste of time because malware can encrypt restored files again. What is more, if you do not follow our advice and pay the ransom, you might waste your money as well. After receiving your money hackers may ask for more and do not provide a decryption software. Therefore, remove Potato ransomware from the computer by scanning the computer with FortectIntego or SpyHunter 5Combo Cleaner. If ransomware prevents from accessing security tools, follow the instructions below.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Potato virus. Follow these steps

Manual removal using Safe Mode

If Potato malware prevents from accessing security tools necessary for automatic removal, reboot your PC to the Safe Mode as shown below.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Potato using System Restore

If you cannot start automatic removal, follow the steps below.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Potato. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Potato removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Potato from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

At the moment there’s no free decryption tool created yet that can decrypt files encoded by Potato virus; however, you should try these additional data recovery methods.

If your files are encrypted by Potato, you can use several methods to restore them:

Data Recovery Pro – automatic data recovery option

Data Recovery Pro is a professional tool that helps to restore corrupted, lost or encrypted files. Follow these steps to use this tool:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Potato ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

If System Restore function was activated on the computer before Potato hijack, you could retrieve individual copies of the lost files by following these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – another way to restore files encrypted by the ransomware

Potato ransomware does not delete Shadow Volume Copies of the targeted files. Hence, ShadowExplorer can help you to restore encrypted files. Follow these steps:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Potato and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions