Ambrosia ransomware removal

Ambrosia ransomware is file-encrypting malware part of the notorious Scarab ransomware family. Encrypted files will be renamed and the file extension .ambrosia will be added.


Screenshot (71)

Because it encrypts files, Ambrosia is classified as ransomware. It’s a serious infection, a version part of the Scarab ransomware family active since 2017. Ambrosia ransomware was first detected by xiaopao, and seems to be a new version. It targets photos, videos, documents, encrypts them, renames and adds the .ambrosia file extension. Once files are encrypted, users will be unable to open them unless they decrypt them with special software first. Cyber crooks behind this ransomware will try to sell victims the ransom, though the sum is not specified in the ransom note (HOW TO RECOVER ENCRYPTED FILES.TXT) dropped once the encryption process is complete.

Paying the ransom is generally not recommended because it does not guarantee file decryption. It’s not uncommon for users to be sent not working decryptors, if one is sent at all. However, currently the only possible way to recover Ambrosia ransomware encrypted files is via backup. If victims have backups made prior to infection, they can easily recover files once they delete Ambrosia ransomware. For all other users, the only option is to back up the encrypted files and wait for a decryptor to be released.

How does ransomware spread?

Most ransomware use the same distribution methods, like spam emails, fake updates, torrents, and software cracks.

Malware can often be encountered on torrent websites, especially disguised as popular movies, episodes of TV series, games, software, etc. Torrent sites are largely unregulated and often lack even the most basic security features, which means that anyone can upload anything, even malware. Users who pirate copyrighted content via torrents are putting their computers in danger, in addition to essentially stealing.

Vulnerabilities in system can also allow malware to enter a computer. Updates patch known vulnerabilities so it is important to install them on a regular basis. Enabling automatic updates is a good idea for users who find installing updates manually bothersome.

The most common way users can pick up ransomware is via spam emails. Cyber crooks purchase leaked email addresses and use them to launch a spam email campaign that distributes their ransomware. The emails usually claim that users need to open the attachment because it’s an important file that needs to be reviewed. If such emails contain any kind of text, it’s usually full of grammar and spelling mistakes, which are often an obvious sign that users are dealing with spam emails. They’re also usually sent from nonsense email addresses while the senders pretend to be from legitimate companies/organizations. Finally, as a precaution, users should scan all unsolicited email attachments with anti-malware software or VirusTotal to make sure they’re safe to open.

Is it possible to decrypt Ambrosia ransomware files

The ransomware will start file encryption as soon as it is initiated. It targets files users would be most willing to pay for, including photos, videos, and documents. The names of encrypted files will be scrambled and the extension .ambrosia added. A ransom note HOW TO RECOVER ENCRYPTED FILES.TXT will be dropped once the encryption process is complete.

Below is the full ransom note:

All your files have been encrypted

Your ID:

All your files have been encrypted
If you want to restore them, write us to the e-mail: or

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Before paying you can send to us up to 1 files for free decryption.
Please note that files must NOT contain valuable information
and their total size must be less than 1Mb

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss
If you not write on e-mail in 2 days – your key has been deleted and you cant decrypt your files

Via the note, cyber criminals explain that in order to recover the files, victims need to contact them by sending an email to or The ransom sum is not specified in the note, and supposedly depends on how quickly victims contact them.

Victims who are considering paying the ransom should consider the situation carefully. There is a risk that the cyber criminals behind this ransomware will not send a decryptor once payment is made, or the decryption tool will not work as it should. Countless users have been left with encrypted files and wasted money in the past.

Ransomware infections are one the most important reasons why regularly backing up files is necessary. If victims do have backup, they can start recovering files as soon as they remove Ambrosia ransomware.

Ambrosia ransomware removal

We can only recommend using anti-malware software to delete Ambrosia ransomware, as it is a complex infection. Unfortunately, removing the ransomware does not mean files will become decrypted, that can only be done with the specific decryption tool.