Security researcher Michael Gillespie, one of the people responsible for creating several free ransomware decrypters, along with the awesome ID Ransomware service, has put together a new tool that automatically scans and deletes ransom notes from your PC.
When any type of ransomware malware infects your computer, it usually leaves ransom notes in the forms of text, HTML, or image files behind.
A tool to automate the ransomware clean-up operation
While some ransomware variants leave ransom notes in just a few folders, like your Desktop, because it’s easier to spot, others are configured to spam your computer.
These latter versions will leave a copy of their ransom notes in absolutely every folder where they encrypt files. If they encrypt data in 100,000 folders, and the ransomware drops text and HTML ransom notes, then you, the lucky user, are now 200,000 useless files richer.
Removing 200,000 files by hand is probably as annoying and impossible as trying to solve the ransomware’s encryption algorithm using pen and paper.
RansomNoteCleaner works with data from the ID Ransomware service
For these cases, Gillespie has created RansomNoteCleaner, a Windows application that will search for ransom notes on your hard drives and remove any files that match against its database.
This database is created when the app launches for the first time, but also when the user pushes the “Refresh Network” button.
The app retrieves the data from the ID Ransomware service, a website that contains a database of ransom notes from most of today’s known and active ransomware families. Currently, at the time of writing, the service detects 126 different ransomware families and their ransom notes.
RansomNoteCleaner doesn’t decrypt or delete ransomware files
If users are sure with what type of ransomware they were infected, they can easily click the “Select Ransomware(s)” button and narrow down the ransom note files RansomNoteCleaner will look for.
Additionally, users can select the hard drives or the folders where the tool will scan for the ransom notes via the “Search for Ransom Notes” button.
Once everything is identified, users can press the “Clean!” button. A log is available to make sure the app hasn’t identified and deleted the wrong files by accident, even if this seems highly unlikely.
The application is up for download from here, and a support topic is available via Bleeping Computer if users are having problems using the app or can’t delete ransom notes for a specific ransomware variant.
RansomNoteCleaner only removes the ransom note spam files. RansomNoteCleaner will not decrypt files locked by ransomware. For that, you need tools called decrypters. The app won’t delete ransomware binaries, which are left behind after the ransom note is paid or the ransomware decrypted. For these, malware clean-up tools or antivirus software can identify and clean the files from your PC.