How to remove Exorcist ransomware

Discovered by MalwareHunterTeam, the Exorcist ransomware is file-encrypting malware that purposely does not infect computers in countries that belong to the Commonwealth of Independent States (CIS).


Exorcist ransomware noteExorcist ransomware is file-encrypting malware that takes files for hostage. Depending on whether or not users have backup for files, ransomware can be very dangerous. Exorcist ransomware encrypts important files like photos and documents, adds a random file extension to all affected files, and drops a ransom note declaring that victims will need to pay for a decryptor to recover files. While users may consider paying to be the best option, it’s necessary to warn them that paying does not necessarily mean a decryptor will be sent. It’s not uncommon for cyber criminals to just take the money and not send anything in return, as there’s nothing stopping them from doing so. Whether users decide to pay the ransom is their decision, but many specialists discourage users from doing so.

What is interesting about this ransomware is that before it actually does anything, it checks the locale. If it finds that the infected device is located in a country that is part of the CIS, it exits without encrypting files. This isn’t particularly unusual but most ransomware do not care about the location.

Ransomware is one of the reasons why backing up files on a regular basis is so important. Users who do have backup can start recovering files only after they remove Exorcist ransomware. If the ransomware is still present when backup is accessed, those files may become encrypted as well.

Ransomware is distributed via means such as spam email

In many cases, users allow malware to enter their computers by doing something as harmless as opening an email attachment. Spam emails, fake update notifications, torrents and exploit kits are the most common ways regular users pick up infections like Exorcist ransomware.

Spam emails may seem harmless most of the time, but it’s possible to pick up a serious infection by merely opening a malicious attachment. Emails carrying malware are usually fairly obvious but users still need to be very careful when they receive an unsolicited email with an attachment. The biggest clue is the sender’s email address. If the email is supposed to be some kind of official correspondence from a legitimate company, goverment agency, etc., the sender’s email address will look professional. Users can immediately dismiss emails sent from email addresses that are made up of random numbers and letters. Another clue is an abundance of grammar and spelling errors. For some reason, spam emails, whether carrying malware or not, are always full of mistakes. However, in rare cases, malicious emails may look sophisticated enough to be convincing. Thus, it’s a good idea to scam the attached file with anti-malware software or VirusTotal.

Users also pick up ransomware via torrents. It’s no secret that torrent sites are not regulated platforms, thus malware operators can easily disguise their malicious software as a popular movie, an episode of a TV series, game, or software. Users who pirate content via torrents are not only stealing but are also putting their devices in potential danger.

Installing updates on a regular basis is also important because they patch known vulnerabilities that could be used by malware to enter a device. Enabling automatic updates is recommended to ensure the system is always up-to-date.

Exorcist ransomware encrypts files

When the ransomware enters a computer, it first checks the locale. If the infected computer is located in an CIS country, the ransomware will terminate itself without doing anything. Otherwise, it will modify the Windows registry, establish background HTTP connections, and will then start encrypting files. It will focus on files like documents, videos, photos, etc. These are the usual ransomware targets because users are often willing to pay for their decryption. Once it’s done encrypting files, users will notice that affected ones will have a random file extension added to them. It also then drops a ransom note [extension name] – decrypt.hta.

Here is the ransom note dropped on infected computers:

[random] Decrypt

All your data has been encrypted with Exorcist Ransomware.
Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.
To do this, follow instructions on this web site:
Also, you can install Tor Browser and use this web site: http://4dnd3utjsmm2zcsb.onion/pay

IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!

Your authorization key:

In many cases, malware operators ask that victims contact them by email, but Exorcist Ransomware wants them to download the Tor browser and access the site displayed in the note. The site shows a window that requires users to put in their authorization key in order sign in. Victims are then informed about how they can recover files, aka by paying. The ransom sum may vary, though it will likely be somewhere between $100 and $1000. Most specialists will advise against paying whatever the ransom is, as it does not mean cyber criminals will send a decryptor. There have been numerous cases before where the malware operators simply took the money.

Unfortunately, if no back up is available, the only option is to hope for malware researchers to develop a decryptor and release it for free. It does happen occasionally, though it depends on a lot of factors.

How to remove Exorcist Ransomware

The only way to delete Exorcist Ransomware safely is to use anti-malware software. Ransomware is a complex infection to get rid of so we cannot recommend users do it manually, as they could end up causing even more damage. Thus, using anti-malware software to uninstall Exorcist Ransomware should be the first choice.

Only after the ransomware is no longer present should users access their backup. Incomplete removal before connecting to backup could result in file copies becoming encrypted as well.