XCry Ransomware

XCry Ransomware enciphers almost all files it finds on the infected device. According to our researchers, it should skip data associated with the computer’ operating system or other software. Therefore, the affected files should be pictures, photos, videos, and other data the user might hold precious. By programming the malware to encrypt such files, the hackers behind it hope the user will pay a ransom for their decryption. No matter how good the idea of getting your files back to normal may sound, we recommend against making the payment. No one can tell whether the threat’s creators will hold on to their word and will not scam you. Thus, if you do not like the possibility this scenario could come true, our specialists advise not to deal with these cybercriminals. To erase XCry Ransomware you could take a look at the instructions available below, but if you need more information about it first, we encourage you to read our full article.

There is no news on how XCry Ransomware is being spread. Nonetheless, based on our experience with such malicious applications we can tell the hackers could use Spam emails, malicious file-sharing web pages, and so on. In other words, it is likely the malware travels with unreliable attachments received with Spam or from unknown senders as well as installers and other files downloaded while visiting untrustworthy websites. This is why we highly recommend being cautious if you do not want to put your system at risk unknowingly. Every file that comes from suspicious sources should be scanned with a reliable antimalware tool first. Meaning, you should not open doubtful data if you are not one hundred percent sure of its reliability.

If the threat enters the system, it should create a Registry entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run location. Doing this will make the infected device launch the malware upon every restart. As a result, every time you turn on the computer XCry Ransomware may start encrypting your files again. It would not make any difference to the already enciphered data, but in case you create or download new files, this could ruin them. For this reason, it is advisable not to use the infected computer as usual before the malicious application gets erased. As said earlier, it targets various personal files and leaves program data alone. To be more precise, it seems XCry Ransomware does not target files in the %APPDATA%, %WINDIR%, %PROGRAMFILES%, and %PROGRAMFILES(x86)% directories.

Once the files are enciphered, it should be easy to separate them since they ought to have a specific second extension called .xcry7684. What’s more, next to them victims should notice documents named HOW_TO_DECRYPT_FILES.html. Each of it should contain the same message claiming the user’s files were enciphered and to decrypt them the users must contact the hackers via email and wait for the payment instructions. It is not said how much the XCry Ransomware’s victims are supposed to pay to get decryption tools. Some hackers name the price depending on how fast the user replies, while others ask for the same amount of money from everyone. Naturally, it does not matter if you do not want to risk losing your money in vain.

Since we do not think it would be wise to deal with the hackers, we recommend removing XCry Ransomware with no hesitation. As we explained earlier, it is essential to get rid of it to be able to use the computer as usual with no fear your new data could get encrypted. To eliminate it manually you should check the instructions available at the end of this text. They will explain how to delete all files associated with the malware bit by bit. Another way to make sure it gets erased is to employ a reliable antimalware tool. All the user has to do is pick a legitimate security tool, scan the computer with it, and then remove the malicious application along with other possible threats by pressing its displayed deletion button.

Remove XCry Ransomware

1. Click Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Find a process belonging to the threat.
4. Mark it and click End Task.
5. Exit Task Manager.
6. Click Win+E.
7. Find these paths:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
8. Locate the malicious application’s launcher.
9. Right-click it and select Delete.
10. Find this location: %APPDATA%
11. Locate a malicious executable file, right-click it and select Delete.
12. Exit File Explorer.
13. Press Win+R.
14. Insert Regedit and click Enter.
15. Find the given directory: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
16. Locate a value name dropped by the threat, for example, 67dg7foped.
17. Right-click this value name and press Delete.
18. Exit Registry Editor.
19. Empty your Recycle Bin.
20. Restart the computer.