What is Pennywise ransomware? And how does it carry out its attack?
Pennywise ransomware is a new and modified version of Jigsaw ransomware even when its ransom note says otherwise. It has similarities with the other Jigsaw variant, also called Pennywise, which uses the .beep extension. This time, this new variant uses .pennywise extension.
Like other Jigsaw variants, Pennywise ransomware still features the same behavior when it comes to its attack. It starts by dropping its malicious payload in the system which is the one that establishes a connection to a remote server. This remote server is controlled by the crooks behind Pennywise ransomware. It is where the other components of the crypto-virus is downloaded.
Following its infiltration, Pennywise ransomware will employ a data harvesting module. This module scans the local drive for any information that could be useful for the attackers which mostly includes machine identification metrics used to create a unique ID. It also employs another module called stealth protection which scans the computer for any presence of applications like antivirus, sandbox environment and other security programs that might interfere with the attack.
In addition, this Jigsaw variant also messes with the Windows Registry in order to automatically execute its attack each time the infected computer is turned on. Once these modifications are completed, it scans the computer for files with the following extensions:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip
After it finds its targeted files, Pennywise ransomware locks the infected computer with an image of Pennywise the clown, along with the following message:
“Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently, therefore I won’t be able to access them, either.
If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you.
And remember my dear researchers…. I’M NOT A JIGSAW VARIANT!!!!!!!!!
Meanwhile….. You want a balloon? Hahahahaha_”
How is the payload file of Pennywise ransomware distributed over the web?
The payload file of Pennywise ransomware could be distributed using fake software updates, exploit kits, deceptive downloads or freeware and shareware. Moreover, crooks behind this ransomware threat could also use spam emails as a means to distributed this threat to potential victims.
To effectively kill Pennywise ransomware from your PC, make sure to follow the removal instructions below.
Step 1: Type in the code PsTqQNhR77oKJXvBWE3YZc in the field and to unlock your computer.
Step 2: Pull up the Task Manager by tapping Ctrl + Shift + Esc keys on your keyboard.
Step 3: Go to the Processes tab and look for the any suspicious-looking processes that could be related to Pennywise ransomware. Note that these kinds of processes usually take up most of the CPU resources.
Step 4: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 5: Look for any dubious programs that might be related to Pennywise Ransomware and then uninstall it.
Step 6: Close Control Panel and tap Win + E keys to open File Explorer.
Step 7: Navigate to the following locations and look for Pennywise ransomware’s installer and malicious components like WindowsApp22.exe and other related files and delete them all.
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just us [product-name], this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the listed paths below and look for the registry keys and sub-keys created by Pennywise ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 11: Delete the registry keys and sub-keys created by Pennywise ransomware.
Step 12: Close the Registry Editor.
Step 13: Empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Pennywise ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Once you have finished executing the given steps above, now’s the time to ensure the complete removal of Pennywise ransomware using [product-name]. Simply follow the instructions laid out below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.