StrawHat ransomware / virus (Removal Guide) - Improved Guide

StrawHat virus Removal Guide

What is StrawHat ransomware virus?

StrawHat malware imitates ransomware

The screenshot of StrawHat ransomware

StrawHat virus reveals its true origin – the malware tries to pretend to be ransomware[1]. It simply renames the files rather than actually encodes them and attaches a random file extension. It functions via StrawHat PDF.exe file which already foreshadows the content.

The alternative trojan names – Generic.Ransom.Hiddentear.A.64B049AA, Trojan.Ransom.StrawHat, Ransom.HiddenTear, Generic.Ransom.Hiddentear.A.64B049AA – suggest that the malware is created on the basis of HiddenTear malware. Even if the virus indeed encoded data, you may have tried using either of free HiddenTear decrypter.

Regardless of the technical specifications, the ransom message does a good job alarming the virtual community:


The files on your computer have been encrypted with a military-grade encryption algorithm. There is no way to restore your data without a special decryption program.

Now you should send us an email with your personal identifier.

This email will be as confirmation you are ready to pay for the decryption key. You have to pay for the decryption in Bitcoins.

The ransom message does not indicate any specific requirements except the Bitcoin address. It does not mention how many bitcoins victims should purchase. Fortunately, the malware will not function on most of the systems unless they have installed Visual Basic Power Packs. The latter is a legitimate product of Microsoft.

If you noticed running StrawHat PDF.exe command in your Task Manager, make a rush to remove StrawHat PDF.exe virus. You can do so with the assistance of malware elimination tool, such as FortectIntego or Malwarebytes.

Ways to evade ransomware hijack

Ransomware developers often prefer using trojans and exploit kits to expand the range of their ransomware. Spam email attachments are popular among certain ransomware authors, such as Locky or Cerber.

Alternatively, there is a high possibility to encounter ransomware by launching a fake Flash Player[2] installer. StrawHat hijack is likely to have taken place after a user downloaded a corrupted torrent file.

In order to limit the chances of ransomware encounter, keep your security and system apps updates. Pay attention to the installation wizards of new apps. Download them only from trusted and official sites. Now let us look through StrawHat removal options. The image displaying StrawHat alternative namesLuckily, StrawHat virus fails to inflict any serious damage on a victims' PC.

Eradicate StrawHat malware completely

Hopefully, StrawHat removal should not pose any problems. Close its ransom message, run malware elimination tool, update and scan it. If the malware interferes with this process, reboot the computer and run the scan again. Likewise, you should be able to remove StrawHat virus completely.

You might also scan the device after again to make sure the malware is fully deleted. It is unlikely that this single-use malware will evolve into a serious threat. On the final note, not only English but Portuguese[3] and Danish users should be cautious of the malware.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of StrawHat virus. Follow these steps

Manual removal using Safe Mode

Reboot the system in Safe Mode. Then, you should be able to fully eradicate StrawHat malware.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove StrawHat using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of StrawHat. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that StrawHat removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove StrawHat from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by StrawHat, you can use several methods to restore them:

Data Recovery Pro solution

This program might come in handy recovering damaged files. It might be the last straw option if you have not backed up your data in advance. Though this malware does not encode anything, the program might still prove to be useful if you encounter a real file-encrypting threat.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by StrawHat ransomware;
  • Restore them.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from StrawHat and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions