RansomNoteCleaner - Remove Ransom Notes Left Behind


93 replies to this topic

#16 djbillyd

Posted 29 July 2016 - 08:18 AM

> RansomNoteCleaner
>
> RansomNoteCleaner (beta) is a program I have created to help remove pesky ransom notes left behind by known ransomware variants.
>
> This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their ransom notes. This also allows it to be flexible in detecting the ransom notes, as it uses the exact same data ID Ransomware uses for identifying variants.
>
> When RansomNoteCleaner is first launched, it will contact the website and pull down the latest information on known ransom notes; this is the only network activity done with the program, and no information about your system is uploaded or stored at all. If you have a network issue with reaching the website, the "Refresh Network" button is available to try again.
>
> Clicking the "Select Ransomware(s)" button allows for selecting the exact variant(s) to clean ransom notes from. This is recommended if you have already identified the ransomware, as it will take much less time to search for the notes.
>
> Once the ransomware variant(s) have been confirmed, you may press the "Search for Ransom Notes" button to select a directory (or whole drive), and start the search for known ransom notes.
>
> Once the scan has completed, the "Clean!" button will be available. A final window will display all found ransom notes before continuing with deletion. I highly recommend double-checking the file list before confirming the deletion. I am not responsible for loss of data if you confirm this step.
>
> A full log of deleted ransom notes will be saved to a file "RansomNoteCleaner.log" in the same directory RansomNoteCleaner is run from.
>
> Please note that this program does not decrypt data. It is simply a tool for removing the pesky ransom notes that are littered on the system after a ransomware attack.
>
> Please also note that this program is in beta, and I take no responsibility for data loss. I recommend running it on a test directory before letting it loose on a whole drive. I highly advise reviewing the "Found Ransom Notes" screen before continuing with deleting files. A few false positives may occur, as some ransomware use general filenames - one example I found is that a certain ransomware uses "README.txt", which can be a common name for a legitimate program's readme file; you can simply unselect these in the confirmation window.
>
> You may download RansomNoteCleaner here: http://www.bleepingcomputer.com/download/ransomnotecleaner/
>
> Please let me know if you run into any issues, or any recommendations for the program. :)


When I try to download the file, I get the "unsafe download" indicator. What's up with that? Why is it being seen as unsafe?
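The workflow the quoted post describes (per-variant note definitions, narrowing to selected variants, searching a directory, reviewing the list, deleting only what is confirmed, and logging to a file next to the tool) as an added Python example. This is not RansomNoteCleaner's code and not ID Ransomware's data: the variant names, filename patterns, note-text markers and the test directory are all constructed for illustration. It also adds one defender-side refinement that the post's README.txt remark motivates: a hit on a generic filename is listed only if the file's contents read like a ransom note, and is flagged for manual review rather than trusted on its name alone.

```python
import fnmatch
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample definitions standing in for the per-variant note data the
# real tool pulls from ID Ransomware; variant names and patterns are made up.
SAMPLE_DEFINITIONS = {
    "SampleLocker": ["_HELP_instructions.txt", "_HELP_instructions.html"],
    "SampleCrypt": ["HOW_TO_DECRYPT_*.txt", "README.txt"],
}
# Names common for legitimate software, so a name match alone is not trusted
# (the README.txt false-positive case from the post); assumption.
GENERIC_NAMES = {"readme.txt"}
# Phrases used to confirm a generic-name hit reads like a note (constructed).
NOTE_MARKERS = ("your files have been encrypted", "bitcoin", "decrypt")


@dataclass(frozen=True)
class Hit:
    path: Path
    variant: str
    generic_name: bool  # True = matched only a generic filename; review by hand


def build_patterns(definitions, selected=None):
    """Narrow definitions to the chosen variants, like 'Select Ransomware(s)'.
    Returns (variant, lowercase glob) pairs; matching is case-insensitive."""
    variants = list(selected) if selected else list(definitions)
    unknown = set(variants) - set(definitions)
    if unknown:
        raise ValueError(f"unknown variants: {sorted(unknown)}")
    return [(v, p.lower()) for v in variants for p in definitions[v]]


def looks_like_note(path, max_bytes=64 * 1024):
    """Cheap content check: does the start of the file contain note-like text?"""
    try:
        head = path.read_bytes()[:max_bytes]
    except OSError:
        return False
    text = head.decode("utf-8", errors="ignore").lower()
    return any(marker in text for marker in NOTE_MARKERS)


def search_ransom_notes(root, definitions=SAMPLE_DEFINITIONS, selected=None):
    """Walk root and return Hits for files whose names match a known pattern.
    Generic names are listed only when the contents also look like a note."""
    patterns = build_patterns(definitions, selected)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            for variant, pattern in patterns:
                if not fnmatch.fnmatchcase(lname, pattern):
                    continue
                path = Path(dirpath, name)
                generic = lname in GENERIC_NAMES
                if not generic or looks_like_note(path):
                    hits.append(Hit(path, variant, generic))
                break  # first matching pattern decides; never list a file twice
    return sorted(hits, key=lambda h: str(h.path))


def clean(hits, confirmed, log_path):
    """Delete only the hits the operator confirmed after reviewing the list,
    appending one line per deletion (or failure) to the log file."""
    confirmed = {Path(p) for p in confirmed}
    deleted = []
    with open(log_path, "a", encoding="utf-8") as log:
        for hit in hits:
            if hit.path not in confirmed:
                continue
            stamp = datetime.now(timezone.utc).isoformat()
            try:
                hit.path.unlink()
            except OSError as exc:
                log.write(f"{stamp} FAILED {hit.path} ({exc})\n")
                continue
            log.write(f"{stamp} DELETED {hit.path} [{hit.variant}]\n")
            deleted.append(hit.path)
    return deleted


def demo():
    """Build a constructed test tree, scan it, confirm every hit, and clean."""
    root = Path(tempfile.mkdtemp(prefix="rnc_demo_"))
    (root / "docs" / "tool").mkdir(parents=True)
    (root / "_HELP_instructions.txt").write_text("All of your files have been encrypted. Pay in bitcoin.")
    (root / "docs" / "README.txt").write_text("Your files have been encrypted! Buy bitcoin to decrypt.")
    (root / "docs" / "HOW_TO_DECRYPT_abc123.txt").write_text("decrypt instructions")
    (root / "docs" / "tool" / "README.txt").write_text("Build with make; see LICENSE.")  # legitimate
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # unrelated file, must survive
    hits = search_ransom_notes(root)
    # The operator reviews `hits` here and unselects anything that is not a note.
    deleted = clean(hits, [h.path for h in hits], root / "RansomNoteCleaner.log")
    return root, hits, deleted
```

Running `demo()` on the constructed tree lists the two variant-specific notes and the `docs/README.txt` that contains note text (flagged `generic_name=True` for review), while the build README under `docs/tool` and the unrelated image are never listed, let alone deleted.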




 


#17 Demonslay335 (Topic Starter)

Posted 29 July 2016 - 09:06 AM

@djbillyd

 

It's a false-positive. Some antiviruses haven't liked my programs since I don't have the money to buy a signing certificate, and I use an obfuscator to protect my code.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#18 djbillyd

Posted 29 July 2016 - 10:18 AM

So, will turning 'Defender' off allow the download? Or do I have to turn the firewall off too? I don't like either option, but the firewall seems to be the last wall of defense. I'll try turning the A/V off and see if it'll, at least, download.

Thanks....


Edited by djbillyd, 29 July 2016 - 10:19 AM.


#19 Amigo-A

Posted 29 July 2016 - 12:19 PM

djbillyd

Allow. Download it without fear.


My site: The Digest "Crypto-Ransomware" + Google Translate

 


#20 djbillyd

Posted 29 July 2016 - 12:23 PM

> djbillyd
>
> Allow. Download it without fear.

Oh yeah? And who are you? A Ransomware agent?

> @djbillyd
>
> It's a false-positive. Some antiviruses haven't liked my programs since I don't have the money to buy a signing certificate, and I use an obfuscator to protect my code.

Who is this guy, Amigo?



#21 Demonslay335 (Topic Starter)

Posted 29 July 2016 - 12:54 PM

@djbillyd

 

Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.

 

All in all, if you don't trust the program, don't feel pressured to run it; I will not take offence. It is hosted and has been personally reviewed by BleepingComputer, Softpedia, and MajorGeeks, all trusted sources who thoroughly inspect a program and author for malicious intent before mirroring any software on their servers. It is good if you are cautious to run programs downloaded from the internet - that is, after all, the mindset you need to avoid running into malware in the first place. :)




#22 vilhavekktesla

Posted 29 July 2016 - 01:03 PM

That and by making a backup before and after you try things...

 

Not losing things is the best defence you can have, for all cases.

 

 

Regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.


#23 djbillyd

Posted 29 July 2016 - 02:14 PM

> @djbillyd
>
> Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.
>
> All in all, if you don't trust the program, don't feel pressured to run it; I will not take offence. It is hosted and has been personally reviewed by BleepingComputer, Softpedia, and MajorGeeks, all trusted sources who thoroughly inspect a program and author for malicious intent before mirroring any software on their servers. It is good if you are cautious to run programs downloaded from the internet - that is, after all, the mindset you need to avoid running into malware in the first place. :)

 

OK. I am really cautious now that I have been bitten. When I clicked on the link in his post, it opened a site in Russian, I believe. Below some image on the page are the words: "Your files have been...". I immediately clicked off. Have you seen the page?

 

I know there's no pressure. I am just more careful. I trusted enough to go to the link to download. And I trusted Amigo-A until I saw the Russian text.



#24 Demonslay335 (Topic Starter)

Posted 29 July 2016 - 02:21 PM

> OK. I am really cautious now that I have been bitten. When I clicked on the link in his post, it opened a site in Russian, I believe. Below some image on the page are the words: "Your files have been...". I immediately clicked off. Have you seen the page?
>
> I know there's no pressure. I am just more careful. I trusted enough to go to the link to download. And I trusted Amigo-A until I saw the Russian text.


Lol, no worries. Indeed, having a page popup in another language can be alarming. There are probably many texts about files being encrypted, as he posts the contents of the ransom notes, then translates them for Russian-speaking visitors.




#25 quietman7

Posted 29 July 2016 - 02:25 PM

> @djbillyd
>
> Amigo-A has been assisting ransomware victims here on the BleepingComputer forums for months. He also runs an informational blog to assist Russian-speaking victims with ransomware. I have no reason to suspect he is not on our side.

I too will vouch for Amigo-A.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.


#26 Amigo-A

Posted 29 July 2016 - 02:25 PM

djbillyd
 
We are in the topic of RansomNoteCleaner. RansomNoteCleaner you can allow, and all others deny.
And do you trust Google? The blog has a translator by Google. Select there the desired language (English, Spanish), and the text will be translated using Google technologies. Good or bad, that is once again up to Mr. Google.


 


#27 Amigo-A

Posted 29 July 2016 - 02:28 PM

Demonslay335, quietman7

I sincerely thank You for Your trust. 



 


#28 ronxae

Posted 29 July 2016 - 02:55 PM

"Duplicate Cleaner Free" removed over 200,000 ransom notes from my XP computer's C drive....



#29 quietman7

Posted 29 July 2016 - 03:38 PM

There are several free Duplicate File Removers available which can do the job. However, RansomNoteCleaner was specifically created by Demonslay335 to deal with the numerous ransom notes left by these infections. This topic is intended to focus on that tool and we have Demonslay335 to provide support and assistance.




#30 djbillyd

Posted 29 July 2016 - 03:50 PM

OK, I get it. Like I said, I'm like a deer in the headlights when I see this weird stuff come up. This "locky" thing was tough. I never dealt with anything that deep. I mean, I went through the entire registry, line by line, trying to get at it.





