How to Remove Pewcrypt Ransomware
Pewcrypt ransomware is a file locking malware that is not created for money extortion purposes, unlike most of the other crypto-viruses are. The author, who is most likely a fan of a popular YouTuber PewDiePie, asks users to subscribe to his channel in order to surpass the sub count of an Indian channel that uploads Bollywood movie trailers. Allegedly, the hacker claims that decryptor will be released as soon as the favorite YouTuber gets 100 million subscribers. Pewcrypt ransomware is written in Java programming language and uses AES-256 to encrypt data, and then RSA-2048 encryption for the key. Once the process is complete, all pictures, music, databases, documents and other data receives an extension .PewCrypt and becomes inaccessible for victims. Victims of malware are also introduced with a pop-up window which explains what happened to users’ data and also displays T-Series and PewDiePie sub count. However, ransomware author, who goes by the name __JustMe__ on Twitter, has released the decryption tool for everybody to use for free.
Considering the immense popularity of this YouTuber (he has been the most subscribed blogger on the platform for over five years), it is not surprising that hackers are creating malware like Pewcrypt or PewDiePie ransomware. However, while in most cases cybercriminals use malicious actions to extort money from users, these viruses do not ask for that. Instead, they want victims to subscribe to
Being a fan of somebody is OK, but corrupting users’ personal files for the sake of the popularity of the YouTuber is purely malicious, and should still be treated negatively. We must give the author credit for releasing the decryptor for free, however. Nevertheless, you need to remove Pewcrypt ransomware before you can use the tool, as all the data will be encrypted repeatedly.
Once the Pewcrypt virus settles, it heavily modifies various Windows settings, spawns multiple processes, attempts to shut down security applications, writes to Windows registry, injects new processes, etc. This ensures that malware will be launched with every system startup.
As soon as file encryption is complete and .Pewcrypt extension is added to most of the files (note that malware skips files larger than 20MB, as well as .exe, .jar and .dll extensions) users can see a ransom note in a pop-up window, which states:
It is up to you whether or not you want to subscribe to the channel, as it will not change to your personally. For the moment, you need to focus on Pewcrypt ransomware removal. In the early stages of the discovery, researchers warned that only 2 AV engines detected the threat. However, Virus Total results currently show that the malicious file is detected by 30 vendors under names like
Trojan.GenericKD.41039316, Ransom_Agent.R002C0OBP19, PUA: Win32/Presenoker, Java/Filecoder.AF!tr., Win32:Trojan-gen, etc.
Once you eliminate Pewcrypt ransomware from your PC, make sure you scan it with Reimage. It will be able to fix damaged Windows Registry and revert all the damage done to the operating system. Finally, you can use the decryptor released by the author to recover files, although backups and third-party tools are also available for PewCrypt ransomware decryption.
Avoid Malware by having careful Internet browsing habits.
Quite often, users do not take cybersecurity seriously, as they are mostly not aware of the consequences that various malware infection can induce to not only computer but also the user. Simply put, in case of ransomware infection you might lose your files permanently, which can be non-impactful to some but devastating to others (for example, several businesses that suffered ransomware attacks hard to rebuild the infrastructure from scratch, an operation which costs millions.
Finally, such items like photos can bring a lot of memories and are invaluable. Thus, many people risk losing hundreds of dollars and pay ransom to crooks. As usually it is not recommended, as the chance of getting scammed is very high. Instead, try not to get infected in the first place:
- Use trusted security software with real-time protection feature;
- Keep your system updated and patched;
- Do not run Flash Player and Java plugins, or set it to click-to-play;
- Beware of bundled software, as it can sometimes include malware;
- Stay away from high-risk sites (gambling, porn, torrents).;
- Do not click on links or attachments from unknown emails.
Remove Pewcrypt ransomware
- As we already mentioned, you need to make sure that Pewcrypt ransomware removal is performed before you attempt to recover your personal data like pictures, music, videos, databases, documents, etc. For that, you will have to use a security application that can detect and eliminate the threat.
- As Pewcrypt virus uses obfuscation and evasion techniques, it is highly recommended entering Safe Mode with networking first. The safe environment will ensure that malware is not running in the background and it will not interfere with anti-virus application.
- Once you remove Pewcrypt ransomware, use backups to restore your files safely. In case you never prepared any – take advantage of decryptor released by malware author. Finally, you can try third-party tools if nothing else helps.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.