ReadMe ransomware (Easy Removal Guide) - Decryption Methods Included

ReadMe virus Removal Guide

What is ReadMe ransomware?

ReadMe ransomware is a type of malware that locks personal files

ReadMe ransomware is an infection that encrypts all personal files in order to get money from its victims.

ReadMe ransomware is yet another cryptovirus that encrypts data in order to demand money from its victim. In exchange for a unique decryption key, the cybercriminals behind the attack ask the user to pay a particular amount in cryptocurrency and contact them afterward. The name can be associated with variants of malicious software called BitRansomware or LolKek virus, because these two threats use the .ReadMe extension to mark files after encryption.

ReadMe file virus encrypts all personal files with the help of a powerful encryption algorithm and appends the .readme extension to each of them. For example, a picture “one.jpg” is turned into “one.jpg.readme”, which makes the data unusable. It can affect images, video, audio files, documents, archives, and databases, which is what gives the money demands their leverage. Once encryption is done, the malware drops a ransom note, Read_Me.txt, on the desktop and in all affected folders. The file contains further instructions for the victim, but paying shouldn't be considered the best solution.
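An added example, not part of the original guide: a read-only inventory that uses the two markers described above (the .readme extension and the Read_Me.txt note) to list affected folders and the original file names to pull back from backups. The function names, the sample tree, and the rule that flags a bare "name.readme" as ambiguous are assumptions made for illustration.

```python
import os
from collections import defaultdict

ENCRYPTED_SUFFIX = ".readme"  # extension named in this guide (matched case-insensitively)
RANSOM_NOTE = "read_me.txt"   # ransom note name from this guide, lowercased


def inventory(root):
    """Walk root (read-only) and summarise ReadMe artefacts per folder."""
    report = defaultdict(lambda: {"note": False, "encrypted": [], "ambiguous": []})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report[folder]["note"] = True
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                # "one.jpg.readme" still carries its first extension. A bare
                # "project.readme" may be a legitimate file (assumed heuristic),
                # so it is listed for manual review instead.
                if os.path.splitext(original)[1]:
                    report[folder]["encrypted"].append(original)
                else:
                    report[folder]["ambiguous"].append(name)
    return dict(report)


def restore_list(report):
    """Original paths to request from backups, sorted for stable output."""
    return sorted(os.path.join(folder, original)
                  for folder, entry in report.items()
                  for original in entry["encrypted"])


def build_sample_tree(base):
    """Constructed sample data: a small tree that mimics an affected profile."""
    layout = {
        "Desktop": ["Read_Me.txt", "one.jpg.readme", "budget.xlsx.ReadMe"],
        "Docs": ["Read_Me.txt", "thesis.docx.readme", "project.readme"],
        "Clean": ["holiday.png"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"\x00")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(restore_list(inventory(tmp))))
```

Folders that contain a note but no encrypted files are still reported, which helps show how far the malware got before it was stopped.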

Name: ReadMe ransomware
Type: Cryptovirus, ransomware, files locker
Ransom note: Read_Me.txt
File extension: All encrypted files get the .readme extension, hence the name of this threat family
Contact email address: filessupport@cock.li
Symptoms: After the encryption is done, the victim can't open locked files with the .readme extension. The user gets a ransom message on the desktop and in affected folders that urges them to pay up
Distribution methods: Ransomware spreads through infected email attachments that contain macro viruses, malicious sites, unsafe torrent websites, pirated programs, and files
Elimination: Get rid of ReadMe virus by running a full system scan with reputable anti-malware software that detects[1] the infection
System fix: If you find the OS is not working properly after malware removal, scan it with Fortect or Intego to fix system file damage

In some cases, victims get a very short ransom note from the ReadMe ransomware developers. In that text file, the cybercriminals only give a link to create a ticket and an email address – filessupport@cock.li – for users who want to recover files by paying them.

A longer ransom note informs users about the encryption and demands money. Cybercriminals try to scare their victim by saying that the only way to recover data is to pay them with Bitcoins or another cryptocurrency.[2] They provide a URL that the victim should open in the TOR browser. According to hackers, the user will see further instructions in that link.

The full ReadMe file virus ransom note looks like this:

Attention!

All your files, documents, photos, databases and other important files are encrypted

The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.

The server with your decryptor is in a closed network TOR. You can get there by the following ways:

——————————-

1. Download Tor browser – hxxps://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: hxxp://54fjmcwsszltlixn.onion/?VHIKWYZL
5. Follow the instructions on this page

——————————-

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

Alternate communication channel here: hxxp://helpqvrg3cc5mvb3.onion/

According to the information provided by the developers of ReadMe ransomware, the price of the decryption tool is 0.085 BTC. It means that the victim should pay about 1000 USD in two days. If the user fails to send money in two days, the ransom will increase to 0.17 BTC – about 2000 USD according to the current exchange rate.

ReadMe file virus is a serious infection that belongs to BitRansomware.

Of course, you shouldn't listen to cybercriminals. Even though they are right about the unique encryption key, paying the ransom is not the best option. You should remove ReadMe ransomware from the system and rely on backups if you want to recover important data. The easiest way to get rid of this threat is by using SpyHunter 5, Combo Cleaner, Malwarebytes, or any other powerful AV tool.

Moreover, even after successful ReadMe ransomware removal, you should fix system issues with a repair tool, because the anti-malware program only removes the threat. We recommend using Fortect or Intego as one of the solutions for virus damage. After that, try different methods to recover your files. We listed a few of them at the bottom.

Ways to recover .readme files after encryption

Unfortunately, files encrypted by ReadMe file virus can't be decrypted while no official tool has been released. In some cases, you can try to recover some of the data with third-party tools. This is only possible after a successful ransomware[3] removal process.

That's why many people start to search for .readme file recovery solutions. Some of them even decide to pay the ransom, but cybersecurity experts[4] say that you shouldn't cooperate with malicious actors. Hackers can deceive you and demand more money or run away without giving the decryption key for those .ReadMe files.

Remove ReadMe ransomware from your system and try several methods to recover your files.

You should remove the .readme file virus from your computer and try alternative ways to recover data. The easiest way to retrieve important files is by relying on file backups. But even if you don't have backups, there are other solutions too. We explained all the possible methods at the bottom of this article.

If you want to avoid any viruses in the future, you should act more carefully on the internet. Ransomware is spreading through infected email attachments, malicious advertisements, torrent websites, or other unsafe sources, so you might catch ReadMe ransomware virus without even noticing.

ReadMe ransomware removal and .readme file recovery

As we already mentioned, you should remove ReadMe ransomware as soon as possible and only then try to recover your personal data. The only way to properly get rid of this infection is by using a professional security program that has a powerful scanner, virus removal capabilities, and the latest virus database. We recommend using SpyHunter 5, Combo Cleaner, or Malwarebytes.

If ReadMe ransomware removal looks impossible because the malware interferes with the antivirus program and keeps it disabled, you should restart Windows and boot it in Safe Mode with Networking. We provided useful instructions below.

Only after the ReadMe ransomware virus is removed can you try several methods to recover .readme files. Unfortunately, there is no free decryption tool for this infection. But you can recover data by using backups. Even if you don't have proper copies of your files, there are other ways to retrieve at least some of them. We listed alternative data recovery methods at the bottom of this article. Remember to check for additional issues and virus damage with tools like Fortect or Intego.


Getting rid of ReadMe virus. Follow these steps

Manual removal using Safe Mode

Reboot the computer in Safe Mode with Networking and remove ReadMe file virus using anti-malware software

Important!
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to the Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove ReadMe using System Restore

System Restore might also be useful when trying to eliminate ransomware

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of ReadMe. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Fortect or Intego, scan your computer with it, and make sure that ReadMe removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove ReadMe from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by ReadMe, you can use several methods to restore them:

Data Recovery Pro may help to retrieve files

You can try to recover files that were accidentally deleted or encoded by ReadMe ransomware with Data Recovery Pro.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ReadMe ransomware;
  • Restore them.

Windows Previous Versions feature might be useful too

The Windows Previous Versions feature allows users to restore the settings of the system to a particular date if the feature was enabled before the infection.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

You should try ShadowExplorer

Sometimes ransomware fails to delete Shadow Volume Copies. In that case, the Shadow Explorer can help to retrieve files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Unfortunately, there is no free ReadMe decryptor available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from ReadMe and other ransomware, use reputable anti-spyware, such as Fortect, Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes.

How to prevent getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic ways to add a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN, which can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

 

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attacks, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Olivia Morelli - Ransomware analyst
