Usam ransomware (Virus Removal Instructions) - Decryption Methods Included

Usam virus Removal Guide

What is Usam ransomware?

Usam ransomware is a cryptovirus that belongs to the STOP / Djvu ransomware family

Usam is the latest version of the Djvu ransomware, which encrypts files, compromises the system, and blackmails victims for money

Usam ransomware is highly malicious malware that locks the data on a Windows machine and blackmails victims to extort money. The criminals behind this file-encrypting virus[1] are infamous hackers who launched STOP / Djvu ransomware a couple of years back and have managed to release 233 new versions of the same virus.

The Usam virus is the latest Djvu version, which stands at number 233 on the list. First spotted in the middle of June 2020, the malware is actively distributed via software cracks, keygens, and unprotected RDPs. If the unsuspecting victim launches the ransomware payload, the virus immediately encrypts most of the personal files (music, videos, photos, documents, etc.) and appends the .usam extension to them, thus completely restricting the user’s access to them.

Unfortunately, .usam files cannot be decrypted for free. Even though there’s an official STOPdecryptor available for anyone, it is fully functional only with the old Djvu versions that were launched before the autumn of 2019. Based on the information provided in the _readme.txt file, the victims of this virus are supposed to transfer $490 in Bitcoins within 72 hours after having a conversation with the criminals via the gorentos@bitmessage.ch or gorentos@firemail.cc email address.

Name: Usam
Lineage: STOP / Djvu
Classification: Ransomware
Extension: The .usam file extension is a distinctive feature of this new Djvu strain
Emails: Victims have to contact the hackers via the gorentos@bitmessage.ch or gorentos@firemail.cc email address, or the @datarestore Telegram account
Encryption/decryption: The virus uses an RSA encryption algorithm that generates unique online IDs that cannot be extracted. Cybersecurity experts keep looking for flaws that would allow them to crack and leak IDs to help people decrypt .usam files. Note that the only reliable way to retrieve the locked files is to use backups.
Ransom: Criminals demand that people pay a $490 or $980 ransom in Bitcoin cryptocurrency
Effect on the OS: Ransomware-type viruses cause harm not only to personal files. This type of threat is programmed to make multiple changes to Windows registries, bootup processes, and other system components. Consequently, the system may start crashing, displaying errors, running into BSODs, etc. To prevent this from happening, take advantage of the FortectIntego repair utility
Elimination: Ransomware files cannot be eliminated manually since it’s not possible to understand which of the running files are malicious. This process can be initiated with a robust anti-virus program only

Usam ransomware virus belongs to the Djvu family, and this fact tells almost everything about the virus to users who are interested in cybersecurity. In fact, all the variants of this family released after August 2019 are identical. Thus, its siblings, such as .kkll, .nlah, .pezi, .covm, .zwer, and many others, are more or less the same, except that the file extensions and (in some cases) the email addresses of the criminals differ.

If the Usam ransomware gets installed on the machine, it first makes various changes to the Windows system with the intention to evade detection, ensure the successful launch of the encryption software, and gain persistence. For that, it may create malicious entries within the %AppData%, %User% or %Temp% directories, run PowerShell commands under administrative privileges to remove Shadow Volume Copies, disable the AV program, and download the data-stealing Trojan Azorult as a secondary payload. These changes are not definite, but dealing with ransomware means many problems with the system’s performance if Usam ransomware removal is not performed immediately.

The successful Usam ransomware infiltration is followed by a complete lockdown of personal files and the appearance of an informational note dubbed _readme.txt on the desktop and in other system folders. The note says:

ATTENTION!

Don’t worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-WJa63R98Ku
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Seeing .usam files on the machine and having no access to personal files is a frustrating experience. However, paying the ransom is strongly discouraged, as you can unknowingly disclose personal details to the criminals or be scammed a second time if they decide not to provide you with a functional Usam ransomware decryptor.

If you have file backups, there’s no reason for you to worry. Remove Usam virus from the system using updated anti-virus software. Do not try to eliminate malicious entries manually as you can accidentally delete some core Windows entries and, subsequently, trigger more Windows malfunctions.

Usam ransomware removal is a process that can only be performed with professional security software with an updated virus database. You can attempt to recover your encrypted files only after a full elimination of file-encrypting viruses. Our team has submitted a tutorial on how to decrypt .usam files without paying the ransom (at the end of the article).

Usam is the name of the file-encrypting ransomware, which is the 233rd variant of the STOP/Djvu gang

Alternative methods to unlock inaccessible .usam files

The main trait that makes the Usam ransomware virus stand out from the crowd is its distinctive file extension. Thus, if you have noticed that the icons of your files have all become the same (a plain white icon) with a unified .usam extension appended, there’s no doubt that the file-encrypting Djvu family member has hacked your machine.

Unfortunately, .usam file decryption is not possible without paying the ransom or using original file backups. If you have no backups or money to pay the criminals, there are very few chances that important work, documents, or family photos will be recovered.

As we have pointed out, one of the ways to decrypt Djvu files, including .usam encrypted files, is to use Emsisoft’s free decryption software. However, don’t put too much faith in this software, as it can only unlock files for the versions using offline IDs. If you don’t want to be disappointed by an unsuccessful decryption process, you can check whether your files have been encrypted using offline or online IDs by opening C: drive and accessing SystemID.txt. This directory contains all encrypted data. If you see some entries with the names ending with “t1,” then the free Emsisoft’s decryptor might work.
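The offline/online ID check described above can be done as a read-only triage script; this is an added example, not part of the original guide or of Emsisoft's tool. It assumes the personal ID follows the "Your personal ID:" line of _readme.txt and that the text of the ID file is passed in by the caller; the sample IDs are constructed.

```python
import re
from pathlib import Path

NOTE_NAME = "_readme.txt"     # ransom note file name, from the article
ENCRYPTED_EXT = ".usam"       # extension appended to locked files, from the article
OFFLINE_SUFFIX = "t1"         # article: IDs ending in "t1" are offline IDs

# The ID follows the "Your personal ID:" line of the note. The 10-character
# floor is an assumption that keeps stray short words from matching.
NOTE_ID_RE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]{10,})")


def classify_id(victim_id):
    """'offline' if the ID ends in t1 (free decryptor might work), else 'online'."""
    return "offline" if victim_id.strip().endswith(OFFLINE_SUFFIX) else "online"


def id_from_note(note_text):
    """Return the personal ID printed in a ransom note, or None if it is absent."""
    match = NOTE_ID_RE.search(note_text)
    return match.group(1) if match else None


def ids_from_id_file(text):
    """Return the unique IDs listed one per line in the ID file, in file order."""
    return list(dict.fromkeys(s.strip() for s in text.splitlines() if s.strip()))


def triage(root, id_file_text=""):
    """Read-only walk of `root`: count locked files and classify every ID found."""
    locked, ids = 0, {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower().endswith(ENCRYPTED_EXT):
            locked += 1
        elif path.name == NOTE_NAME:
            found = id_from_note(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                ids[found] = classify_id(found)
    for victim_id in ids_from_id_file(id_file_text):
        ids[victim_id] = classify_id(victim_id)
    kinds = set(ids.values())
    if not kinds:
        verdict = "no ID found"
    elif kinds == {"offline"}:
        verdict = "offline ID only: the free decryptor might work"
    elif kinds == {"online"}:
        verdict = "online ID only: restore from backups"
    else:
        verdict = "mixed IDs: the free decryptor might work for part of the files"
    return {"locked_files": locked, "ids": ids, "verdict": verdict}


# Constructed sample data (not real victim IDs).
SAMPLE_NOTE = "ATTENTION!\n...\nYour personal ID:\n0233EXAMPLEonlineID000000000000000000AbCd\n"
SAMPLE_ID_FILE = "0233EXAMPLEofflineID0000000000000000000t1\n"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "photo.jpg.usam").write_bytes(b"\x00")
        (Path(tmp) / NOTE_NAME).write_text(SAMPLE_NOTE, encoding="utf-8")
        print(triage(tmp, SAMPLE_ID_FILE))
```

Run it against a cold copy of the affected folders rather than the live system, so the check itself changes nothing on the infected machine.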

Otherwise, .usam files may be recovered using third-party data recovery tools like Data Recovery Pro, Shadow Volume Copies, or the System Restore feature. You can find a full guide for the decryption methods at the end of this article.

IMPORTANT: criminals have launched a fake DJVU decryptor which may be found on various discussion forums, torrenting sites, or other sites. This decryptor not only fails to unlock files; it is in fact another ransomware that drops a malicious crab.exe file, which downloads the new Zorab ransomware[2] and encrypts the already encrypted files with the .ZRB file extension.

The most common ransomware distribution methods listed

Hackers are using sophisticated methods to trick people into downloading malicious ransomware viruses. That’s a commonly known fact. However, millions of less tech-savvy people are still paying no attention to the websites they land on, to the content they download, to the ads they click, to the updates they download, and so on.

Therefore, we keep trying to increase people’s consciousness and grow their perception of cybersecurity by publishing the news on how hackers spread their newborn viruses or what new means have been invented to distribute good-old cyber infections. The team of cybersecurity experts from Dieviren.de[3] has provided us with a list of most widely used Djvu ransomware distribution techniques, which is the following:

  • Djvu ransomware family is most frequently distributed via cracks, keygens, loaders, and similar tools. If you are about to download a software crack to hack the license of Windows, Adobe Acrobat, Adobe Photoshop, game keygens, etc.
  • Fake software updates. If the machine is infected by a rather aggressive adware-type malware, web browsers can redirect to sites infected with malicious scripts or display infected ads that, once clicked, download the ransomware payload.
  • Malicious spam email attachments. People can receive catchy email messages that contain ZIP, PDF, Microsoft Word attachments that ask people to enable Macros to view the content. DO NOT enable the supposed macros to open questionable attachments sent by unreliable senders. That’s a scheme used by hackers to spread ransomware, trojans, spyware, and other cyber threats.

To protect yourself from ransomware attacks, you should rely on a reputable AV security suite, which has in-built real-time protection, email filter, and other additional features.

Usam virus files can be detected by some AV tools, while others do not recognize them as malicious

Usam ransomware removal options: no manual removal possibilities

There is no option to remove Usam ransomware virus manually. Victims should understand that the virus initiates too many changes on the system and runs too many malicious processes to be detected and eliminated without the help of professionals.

Although you can find some malicious entries as they may suck up CPU resources or display errors, there are very few chances that you will be allowed to disable any of them manually. Usam virus grants itself administrative privileges and, therefore, all related files are run “legally.”

Having this in mind, we strongly recommend you make a cold copy of the .usam files using a USB stick, external hard drive, or cloud and then perform a full Usam removal using an automated anti-virus program. For this purpose, you should use Malwarebytes, SpyHunter 5, Combo Cleaner, or another reputable anti-malware suite.

Upon ransomware elimination, try to recover the Windows system to the previous state by restoring Windows registry entries, startup files, and core processes. For that, take advantage of the FortectIntego recovery tool. Finally, you can try to retrieve the locked files using alternative methods listed below.


Getting rid of Usam virus. Follow these steps

Manual removal using Safe Mode

If Usam virus prevents your AV engine from being launched, access Safe Mode with Networking to disable malicious executables:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Usam using System Restore

If the previous method failed to work, try eliminating the ransomware using a System Restore point.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Usam. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Usam removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Usam from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

The methods listed below can be safely tried, though there’s no guarantee that any of them will work. Nevertheless, if you don’t have backups and have no intention of paying the criminals for Usam decryption software, the following tips may help you get back at least some of your files.

If your files are encrypted by Usam, you can use several methods to restore them:

Download Data Recovery Pro and run a scan to see if the software is capable of recovering any of the .usam file virus entries

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Usam ransomware;
  • Restore them.

If you have enabled System Restore prior to the ransomware attack, try to get your files back with the help of the Windows Previous Versions feature

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Volume Copies are not likely to help in this case since Djvu family is programmed to command Windows to delete these copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No free Usam decryptor available

The latest versions of STOP/Djvu cannot be decrypted using Emsisoft’s decryptor, as it works with offline keys only. If, however, you want to give this tool a try, you can download it from the official website.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Usam and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5, Combo Cleaner, or Malwarebytes.

How to prevent getting ransomware


Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media
