Worm ransomware (Removal Guide) - Free Instructions

Worm virus Removal Guide

What is Worm ransomware?

Worm ransomware is a file locking virus that uses extortion tactics after locking all the data on the host machine

Worm ransomwareWorm ransomware is a file locking virus that belongs to one of the most prominent families - Paradise

Worm ransomware is a new variant of Paradise virus – a relatively old strain that is also used as a Ransomware-as-a-Service (RaaS). This version was analyzed by a security researcher Michael Gillespie at the end of October 2019.[1] Just like its predecessors, malware is designed for money extortion after locking all personal files on the infected machine.

Worm ransomware enters computers by using one of the multiple distribution methods (such as spam email attachments, software vulnerabilities,[2] fake updates, software cracks, etc.) and starts a scan that looks for pictures, videos, documents, databases, and other personal data. After that, Worm virus encrypts each of the files by using RSA cipher and marks them with [id]-[victim ID].[corpseworm@protonmail.com].worm appendix.

Victims can also spot a ransom note #_ABOUT_YOUR_FILES_#$=$$.html, which is dropped on the desktop and all the affected folders. The content of the message states that users have to pay a ransom in Bitcoins if they want their data back. While there is no Worm ransomware decryptor developed yet, victims are advised staying away from file locking malware developers.

Name Worm ransowmare
Type Cryptovirus
Malware family Worm virus is a variant of Paradise ransomware
File extension All pictures, videos, photos, music and other files are appended with .worm extension. An example of an encrypted file: picture.jpg[id-GYMXkaDq].[corpseworm@protonmail.com].worm
Ransom note #_ABOUT_YOUR_FILES_#$=$$.html ransom note is dropped on the desktop and all the folders where the locked files are located
Contact corpseworm@protonmail.com or telegram @helprestore
  • Gen:Heur.Ransom.REntS.Gen.1 (B)
  • FileRepMalware
  • Ransom.Paradise
  • Trojan:Win32/Tiggre!rfn
  • HEUR:Trojan-Ransom.MSIL.Crypren.gen
  • Trojan.Encoder.26770
  • A Variant Of MSIL/Filecoder.Paradise.H

44 engines detect the dropper as malicious on Virus Total (10/30/2019)

Infiltration means Hackers typically use several distribution methods, including spam emails, exploits, software cracks, repacked installers, fake updates, unprotected RDP connections, etc.
File decryption Only possible via backups or third-party recovery software
Removal Scan your machine in Safe Mode with reputable anti-malware software in order to terminate all malicious entries made by malware
Recovery To fix virus damage and avoid possible reinstallation of Windows OS, use FortectIntego to recover from ransomware infection

As soon as users interact with a malicious dropper if Worm ransomware, several files are dropped into %AppData%, %UserProfile%, and Desktop folders. From there, several processes are launched, the Windows registry is modified, and all automated Windows backups are deleted with the help of vssadmin.exe Delete Shadows /All /Quiet command. The changes to the system are made for the file encryption process to be performed uninterrupted and to complicate encrypted file recovery after Worm ransomware removal.

Soon after that, the Worm virus scans the computer's hard drive and all the connected drives, looking for files to encrypt. In most of the cases, the most commonly-used file types are targeted, such as .pdf, MS Office files, videos, and others. Users then cannot open the data anymore, although system files are spared for malware to operate (the goal or Worm ransomware authors is not to corrupt victims' machines but rather lock data so that they would pay the ransom). The ransom note, which is dropped into several locations on the computer, states the following:

All your files was encrypted!
«Paradise» R Team!
Ur unique ID
Your personal KEY

All your personal data that was stored on this computer have been crypted due a security problem.
To restore them, write to us by е-mail,.
You have to pay in Bitcoins.
After payment we will send you the special decryption tool that will restore all your files.
Before payment you can send us 1-3 files , and we decrypt it for free.
File size should not exceed 1MB.
Please note that files must NOT contain valuable information.
We accept payments in bitcoins, but you do not need to be able to use bitcoins.
You do not need a bitcoin account.
I will explain how you can pay using ANY currency in any way convenient to you.
Our mails
telegram @helprestore
Do not rename files
Do not try to restore your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to – make copies of all files so that we can help you if third-party software harms them)
As evidence, we can for free restore one file
Decoders of other users is not suitable to restore your files – encryption key is created on your computer when the program is launched – it is unique.

Even though the attackers claim that no other decryption method is possible, you should not listen to them. It is in their best interest for you to pay the ransom, that is why they are even providing a test decryption service – they are trying to create a false sense of security. However, please remember that they are cybercriminals and might not send you Worm ransomware decryptor as promised.

Worm ransomware virusWorm ransomware is a type of malware that focuses on locking pictures, music, database, document, and other files on the host machine and then demands ransom for their release

Instead, remove Worm ransomware and try alternative file recovery methods we provide at the bottom section of this post. While there is no decryptor currently available, you might be successful in restoring at least some of your files using recovery software or other methods. However, remember that you have to terminate the infection first with anti-malware. After that, we also advise you use FortectIntego to fix crippled Windows system files.

Protect your machine from future ransomware infections

Paradise ransomware is one of many file-locking virus families that are dominant currently. For example, Djvu, Phobos, Scarab, and many others are lurking in the wild, actively trying to infect unsuspecting users. The truth is, most of the infections with ransomware happen due to negligence from users' side – they are not careful enough when browsing the internet, updating their software, opening emails, and doing other daily tasks.

The main precautionary measure against ransomware and other malware is caution, as most distribution methods rely on some sort of social engineering.[3] Here are a few tips from security experts from novirus.uk[4] – these will help you to keep your computer away from ransomware:

  • Update your OS and all the installed software regularly – do not postpone the updates infinitely;
  • Equip your computer with anti-malware and anti-virus software with real-time protection feature;
  • Never use a default RDP port and disable the connection as soon as it is not required anymore;
  • Treat each unsolicited email as a threat – never open attachments that ask you to enable macro function;
  • Enable ad-blocker, firewall, and other additional protection features;
  • Use robust passwords for RDP and all other accounts or employ a password manager;
  • Watch out for website spoofing: making a copy of a legitimate website is easy, and crooks often do so in order to make users download a malicious executable disguised a legitimate program;
  • Never visit torrent or warez sites that host pirated applications or software cracks/keygens.

Be aware that no protection means can guarantee full protection, so you should always ensure that personal files are stored on a remote server or external drive as a backup.

Worm ransomware encrypted filesWorm ransomware appends a long extension to files and then they become inaccessible

Remove Worm ransomware and then attempt data recovery using third-party tools or other methods

Be aware that, as long as Worm virus is present on your machine, all the incoming files and those on external storage will be encrypted as well. Therefore, make sure you never connect USB Flash drives, external HDDs, or other devices to your computer until you remove Worm ransomware. Unfortunately, the process might sometimes be a little bit complicated, as malware is often set to intercept anti-virus software to prevent its elimination.

However, you can bypass those measures by accessing Safe Mode with Networking – check out the instructions on how to enter it below. Once there, employ a powerful anti-malware program and thoroughly scan the infected computer – successful Worm ransomware removal is almost guaranteed this way. After that, you should employ PC repair so software FortectIntego to fix the damage done by the virus. Finally, you can attempt to recover data as per methods described below. In unsuccessful, make a copy of all compromised files and wait till security experts deploy a working Worm ransomware decryptor.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Worm virus. Follow these steps

Manual removal using Safe Mode

Worm ransomware may interfere with your security software. Access Safe Mode with Networking to bypass this functionality:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Worm using System Restore

System Restore might sometimes work when trying to eliminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Worm. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Worm removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Worm from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Worm, you can use several methods to restore them:

Try Data Recovery Pro method

Recovery software like Data Recovery Pro might sometimes be able to retrieve some copies of your files pre-contamination.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Worm ransomware;
  • Restore them.

Windows Previous Versions feature might work in some cases

If you had System Restore enabled, sometimes it might be possible to recover files one-by-one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might sometimes recover all the affected data

If Worm virus failed to delete Shadow Volume copies, your best bet is to try ShadowExplorer.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Worm and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions