Serpent ransomware / virus (Removal Guide) - Jul 2017 update

Serpent virus Removal Guide

What is Serpent ransomware virus?

Serpent ransomware virus resurfaces in 2017

Picture of Serpent ransomware virusSerpent ransomware virus infiltrates computers with a help of infected MS Office document.

Serpent virus is a malicious file-encoding virus that works as an virtual extortion tool. Once installed, it corrupts all victim's files in order to make a ransom demand. It is a new family member of the Hades Locker and Wildfire ransomware family, which was spotted attacking Danish computer users.

The ransomware encrypts files using AES-256 and RSA-2048 encryption algorithms, adding .serpent, .serp or .srpx file extensions to them. The virus creates a ransom note called HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars] in .html and .txt variants.

This file-encrypting malware variant uses a traditional infiltration method – malicious spam emails[1]. The infected email pretends to be an invoice and includes a download link to the MS Office document. If people agree to enable Macros[2] in this document, Serpent ransomware gets inside the system and locates itself in the newly created folder under %AppData% directory.

Then, the malware checks whether the victim is from the targeted country or not. If victim’s IP address reveals that he or she is from Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, or Tajikistan, malware simply exists and does not encrypt your files. Sadly, computer users from other countries will have to deal with unpleasant features of the ransomware.

After checking the PC, Serpent malware connects to its Command & Control server[3] and sends details about the victim: the IP address and country, unique hardware ID and campaign ID. Then, the Server generates RSA key to encrypt 876 file types (included in virus' target list). During data encryption, all files are secured by both RSA-2048 and AES-256 algorithms and get a .serpent file extension.

Unfortunately, data recovery without necessary decryption key is nearly impossible if a victim does not have data backups. Not only ransomware deletes Shadow Volume Copies[4] but also overwrite deleted data using Cipher.exe process.

Following successful data encryption, the virus drops two files on the desktop – HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html and HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt. These files are ransom notes where victims are informed that they need a specific Serpent Decrypter to restore their files. Hackers offer them a chance to use it in exchange of 0.75 Bitcoins. However, if victims won’t transfer the money in 7 days, the price will rise to 2.25 Bitcoins.

In the payment website, developers provide detailed instructions how the transaction has to be made. However, we want to discourage you from having business with cyber criminals. Nevertheless, you do not have data backups, remove Serpent from the PC. Paying the ransom may not bring back your files; hence you may lose lots of money[5].

You can always try additional data recovery methods and wait while malware researchers create a free decryption software. Take our advice and scan the computer with FortectIntego and start Serpent removal immediately.

Serpent ransomwareThe researcher shows three Serpent ransomware versions - the ones that append .serpent, .serp and .srpx file extensions to encrypted data.

The list of Serpent ransomware variants

.Serp file extension virus. It seems that developers of the new ransomware rushed to release an updated version of it, and at the beginning of April 2017 researchers spotted a brand new copy of it that adds different file extensions to encrypted files. This time, the malware appends .Serp file extensions to encrypted records. After a successful onslaught, the malware creates and saves README_TO_RESTORE_FILES(random characters).txt file, which carries the message from the cyber criminals.

The message contains links that point to a website created for a specific victim, and usually the only way to access it is to enter it via Tor browser. The new version still demands 0.75 BTC in exchange for the decrypter. Unfortunately, attempts to crack this virus and create a free decryption tool were unsuccessful, so files can be restored from a backup only.

.SRPX file extension ransomware. SRPX ransomware version emerged in July 2017. So far, it seems that the ransomware uses similar ransom notes as the previous version – README_TO_RESTORE_FILES_[3 characters].html, README_TO_RESTORE_FILES_[3 characters].txt. However, instead of using .serp file extensions, the malware now marks each encrypted file with .srpx file extension.

The ransom note contains a traditional explanation on how to access the darknet page with instructions on how to recover data. The victim has to install Tor browser first. The payment website presents Serpent Decrypter, which costs 0.25 Bitcoin within seven days from the day of the attack and triples after a week to 0.75 Bitcoin.

Currently, there aren't any antidotes to this ransomware variants, so we suggest you create data backups and increase the strength of your computer's security by installing an anti-malware software.

Ways to get infected with this ransom-demanding virus

We must say that this virus surprisingly reminds us of Cerber ransomware – the design of the payment page looks almost identical, and what is more, they are distributed using very similar methods. Serpent ransomware spreads via malicious spam emails and their attachments.

Danish computer users received an email which has a subject line “Sidste påmindelse for udestående faktura 1603750”, which informs about last remind for the outstanding invoice. As we already mentioned, the message includes a download link from where victims are asked to download the Word document. Malware is executed as soon as victim activate Macros by clicking “Enable content” button in the infected document.

In order to avoid Serpent or other ransomware viruses, you should be careful with received emails. Do not open provided links or download attached documents. As you can see, even safe looking files might include a dangerous virus.

Remove Serpent virus to continue using your PC safely

After ransomware attack, lots of computer users think about data recovery. However, it's just a second step. First, you need to remove Serpent virus. While malware is inside your device, all attempts to restore your files are the waist of time.

For Serpent removal, you need to use strong antivirus program. Install one of the tools listed below, update it and run a full system scan. If malware blocks access to the program or prevent from installing it, scroll down to the instructions below.

There you will find two methods that will help to access security tools and remove Serpent automatically. Sadly, virus elimination won't recover your files. However, our team has prepared few suggestions that may help to restore at least some of your files.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Serpent virus. Follow these steps

Manual removal using Safe Mode

If malware prevents from installing or scanning the system with antivirus or anti-malware software, please follow the instructions to reboot your device to the Safe Mode. Then, initiate automatic removal again.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Serpent using System Restore

If the previous method did not work, follow this method below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Serpent. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Serpent removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Serpent from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Nevertheless, there's no free decryption tool created at the moment, you should not pay the ransom! Cyber criminals may leave you with nothing!

If your files are encrypted by Serpent, you can use several methods to restore them:

Data Recovery Pro might help to restore files encrypted by Serpent virus

This professional tool may help to restore at least some of the damaged files. It was created to help people retrieve deleted, corrupted or encrypted files. Follow the steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Serpent ransomware;
  • Restore them.

Try to restore files encrypted by Serpent ransomware using Windows Previous Versions feature

If System Restore function has been enabled before ransomware attack, you can try to recover individual files by following these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Unfortunately, there's no tool that can decrypt files encrypted by Serpent ransomware virus

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Serpent and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

Removal guides in other languages