RansomAES – ransomware targeting Korean PC users
RansomAES is a ransomware virus that has been developed to encrypt people's files and then urge them to pay a ransom. It uses AES cryptography algorithm and targets Korean PC users. The data encrypted by RansomAES can be easily recognized by a .RansomAES file extension, as well as READ ME.txt ransom note. The victims are supposed to email hackers to firstname.lastname@example.org or email@example.com for payment instructions. At the moment of writing, victims are expected to transfer 100,000 KRW in Bitcoins.
|Related files||RansomAES.exe, READ ME.txt|
|Email firstname.lastname@example.org or email@example.com|
|Decryption method||AES cipher|
|Main dangers||It locks files and renders them useless unless the victim pays the ransom. Thus, the two main dangers are the loss of data and money. Besides, it may open backdoor to other malicious programs.|
|Elimination process||Manual removal is not possible. Download ReimageIntego and run a full system scan with it to get rid of ransomware infection.|
The crooks behind RansomAES virus rely on diverse ransomware distribution strategies, including but not limited to malicious spam email attachments and rogue software downloads. If the victim executes the payload (RansomAES.exe), the virus unravels and targets Windows GUI with Intel 386 or later chipset. Earlier version won't be attacked.
It uses AES cipher to render people's files useless. It locks them with a hard code and generates a unique victim's identifier and corresponding file decryptor. In the meantime, the user of the compromised PC is presented with files locked with .RansomAES file extension and the READ ME.txt ransom note, which is written in the Korean language.
The note does not contain much information, except that it informs the victim about an attack and provides contact information. Currently, RansomAES ransomware virus developers can be intercommunicated via the following email addresses:
According to ransomware researchers, it demands a ransom in Bitcoins. At the moment of writing, the sum ranges from 100,000 to 500,000 KRW, which is equal to 0.010 to 0.051 Bitcoin.
Despite the size of the redemption, we would not recommend you to pay it. Supporting hackers is not a good idea, is it? Besides, transferring your money to crooks does not prove to ensure that you'll be provided with a RansomAES decryptor so that you can be left without both data and money.
In case of attack, we would strongly recommend you to download ReimageIntego, SpyHunter 5Combo Cleaner, Malwarebytes or another reputable anti-virus, run a full system scan with it, and perform a complete RansomAES removal.
It's very likely that you won't be allowed to remove RansomAES virus easily. The malicious software can use malicious processes to block anti-virus and evade easy removal. Therefore, you may need to restart your PC into Safe Mode with Networking.
As soon as you get rid of the malware, try to retrieve your files using alternative methods. Most of them require the installation of third-party data recovery programs. Our top selections are provided at the end of this article.
RansomAES uses AES cipher to lock people's files. It asks to pay a ransom and transfer them in Bitcoin.
Computers get infected after opening malicious spam email attachments
Malicious spam email messages with ransomware-infected attachments are the most popular virus distribution technique for more than a decade. Less tech-savvy people lack knowledge about cyber security and quickly fall for opening emails that camouflage IRS, Amazon, Microsoft, and other well-known companies.
The ransomware is executed as soon as the potential victim opens a Word, PDF or Zip file. However, NoVirus.uk specialists indicate the following techniques that are commonly used to spread ransomware as well:
- Exploit Kits;
- Fake software updates;
- Illegal or obfuscated program in file-sharing sites or networks;
- Malicious advertisements;
- Hacked Remote Desktop Services (RDS).
Therefore, you should be careful with content you click or download online. Besides, make sure to keep your anti-virus and OS up-to-date.
RansomAES removal options
Manual ransomware removal is practically impossible. Any attempt to restart your PC, change registry entries or rename encrypted files can lead to permanent data loss. Therefore, we would strongly recommend you to perform automatic RansomAES removal with ReimageIntego or another robust security tool.
The guide given below will explain you in details how to remove RansomAES if malicious processes keep your anti-virus disabled. Besides, you will find a list of data recovery possibilities down below. However, make sure that the ransomware is entirely deleted before any attempts to decrypt your files.
To remove RansomAES virus, follow these steps:
Manual RansomAES removal using Safe Mode
The following instructions explain how to bypass restrictions to launch anti-virus scanner:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove RansomAES using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of RansomAES. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove RansomAES from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by RansomAES, you can use several methods to restore them:
We highly recommend using Data Recovery Pro
Data Recovery Pro is a powerful tool for retrieving data lost due to various circumstances, so it's worth given a try.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by RansomAES ransomware;
- Restore them.
Recover individual files from Previous Windows Version
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Windows creates Volume Shadow Copies by default. If RansomAES did not remove them, you will get each of your files back by following these steps:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No RansomAES decryptor developed yet.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from RansomAES and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.