RansomAES ransomware (Virus Removal Instructions) - Decryption Steps Included

RansomAES virus Removal Guide

What is RansomAES ransomware?

RansomAES – ransomware targeting Korean PC users

RansomAES virus

RansomAES is a ransomware[1] virus that has been developed to encrypt people's files and then urge them to pay a ransom. It uses AES cryptography algorithm and targets Korean PC users. The data encrypted by RansomAES can be easily recognized by a .RansomAES file extension, as well as READ ME.txt ransom note. The victims are supposed to email hackers to fbgwls245@naver.com or powerhacker03@hotmail.com for payment instructions. At the moment of writing, victims are expected to transfer 100,000 KRW in Bitcoins.

Classification Ransomware
Related files RansomAES.exe, READ ME.txt
File extension .RansomAES
Email address fbgwls245@naver.com or powerhacker03@hotmail.com
Decryption method AES cipher
Main dangers It locks files and renders them useless unless the victim pays the ransom. Thus, the two main dangers are the loss of data and money. Besides, it may open backdoor to other malicious programs.
Elimination process Manual removal is not possible. Download FortectIntego and run a full system scan with it to get rid of ransomware infection.

The crooks behind RansomAES virus rely on diverse ransomware distribution strategies, including but not limited to malicious spam email attachments and rogue software downloads. If the victim executes the payload (RansomAES.exe), the virus unravels and targets Windows GUI with Intel 386 or later chipset.[2] Earlier version won't be attacked.

It uses AES cipher to render people's files useless. It locks them with a hard code and generates a unique victim's identifier and corresponding file decryptor. In the meantime, the user of the compromised PC is presented with files locked with .RansomAES file extension and the READ ME.txt ransom note, which is written in the Korean language.

The note does not contain much information, except that it informs the victim about an attack and provides contact information. Currently, RansomAES ransomware virus developers can be intercommunicated via the following email addresses:

  • fbgwls245@naver.com
  • powerhacker03@hotmail.com

According to ransomware researchers, it demands a ransom in Bitcoins. At the moment of writing, the sum ranges from 100,000 to 500,000 KRW, which is equal to 0.010 to 0.051 Bitcoin.

Despite the size of the redemption, we would not recommend you to pay it. Supporting hackers is not a good idea, is it? Besides, transferring your money to crooks does not prove to ensure that you'll be provided with a RansomAES decryptor so that you can be left without both data and money.

In case of attack, we would strongly recommend you to download FortectIntego, SpyHunter 5Combo Cleaner, Malwarebytes or another reputable anti-virus, run a full system scan with it, and perform a complete RansomAES removal.

It's very likely that you won't be allowed to remove RansomAES virus easily. The malicious software can use malicious processes to block anti-virus and evade easy removal. Therefore, you may need to restart your PC into Safe Mode with Networking.

As soon as you get rid of the malware, try to retrieve your files using alternative methods. Most of them require the installation of third-party data recovery programs. Our top selections are provided at the end of this article.

RansomAES virus target Korean PC usersRansomAES uses AES cipher to lock people's files. It asks to pay a ransom and transfer them in Bitcoin.

Computers get infected after opening malicious spam email attachments

Malicious spam email messages with ransomware-infected attachments are the most popular virus distribution technique for more than a decade. Less tech-savvy people lack knowledge about cyber security and quickly fall for opening emails that camouflage IRS, Amazon, Microsoft, and other well-known companies.

The ransomware is executed as soon as the potential victim opens a Word, PDF or Zip file. However, NoVirus.uk[3] specialists indicate the following techniques that are commonly used to spread ransomware as well:

  • Exploit Kits;
  • Fake software updates;
  • Illegal or obfuscated program in file-sharing sites or networks;
  • Malicious advertisements;
  • Hacked Remote Desktop Services (RDS).

Therefore, you should be careful with content you click or download online. Besides, make sure to keep your anti-virus and OS up-to-date.

RansomAES removal options

Manual ransomware removal is practically impossible. Any attempt to restart your PC, change registry entries or rename encrypted files can lead to permanent data loss. Therefore, we would strongly recommend you to perform automatic RansomAES removal with FortectIntego or another robust security tool.

The guide given below will explain you in details how to remove RansomAES if malicious processes keep your anti-virus disabled. Besides, you will find a list of data recovery possibilities down below. However, make sure that the ransomware is entirely deleted before any attempts to decrypt your files.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of RansomAES virus. Follow these steps

Manual removal using Safe Mode

The following instructions explain how to bypass restrictions to launch anti-virus scanner:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove RansomAES using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of RansomAES. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that RansomAES removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove RansomAES from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by RansomAES, you can use several methods to restore them:

We highly recommend using Data Recovery Pro

Data Recovery Pro is a powerful tool for retrieving data lost due to various circumstances, so it's worth given a try. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by RansomAES ransomware;
  • Restore them.

Recover individual files from Previous Windows Version

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer

Windows creates Volume Shadow Copies by default. If RansomAES did not remove them, you will get each of your files back by following these steps:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No RansomAES decryptor developed yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from RansomAES and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions