What is Invincible ransomware?
Invincible ransomware is another ransomware Trojan that looks like a dangerous threat but, as it turns out, does not encrypt any files at all. It seems to be closely related to the Sage 2.0 ransomware: both run a program named WindowsApplication1.exe, and both lead their victims to a Dark Web site named “Sage 2.0 User Area”, which victims are required to access using a TOR browser. This malicious program merely displays a lock screen that prevents you from accessing your computer. Because you cannot access your computer, you cannot see whether your files are actually encrypted or not, and the crooks take advantage of this by letting you think that your important files are encrypted and that you have to pay the ransom to recover them.
Security experts have discovered two malicious files created by the Invincible ransomware: WindowsApplication1.exe and %24RMJD6YY.SCR. These malicious files are typically delivered to your computer in the guise of a Windows theme. This kind of distribution is unusual: this ransomware appears to be the only one that has used it, and it is the first time that such a technique has been reported in the context of ransomware distribution.
During its attack, the ransomware will make changes to the visual theme of older Windows versions (from Windows XP to Windows 7), changing the desktop background, the Folder view, the Taskbar and other system settings. It then displays its ransom note in a program window containing the following text:
“***ATTENTION! ALL YOUR FILES WERE ENCRYPTED! ***
*** PLEASE READ THIS MESSAGE CAREFULLY ***
All your important and critical files, databases, images, and videos were encrypted by “SAGE 2.2 Ransomware”! “SAGE 2.2 Ransomware” uses military grade elliptic curve cryptography, so you have no chances restoring your files without our help! But if you follow our instructions we guarantee that you can restore all your files quickly and safely!
*** Please be sure to copy instruction text and links to your notepad to avoid losing it ***
bitcoin address: [RANDOM CHARACTERS] (200$)
===== Your personal key =====
If can’t open any of those, you can use “TOR Browser”
TOR Browser is available on the official website: hxxps://www.torproject.org/
Just open this site, click on the “Download Tor” button and follow the installation instructions Once “TOR Browser” in installed, use it to access hxxp://7gie6ffnkrjykggd.onion/”
How does this ransomware spread online?
As pointed out earlier, the Invincible ransomware spreads using malicious files named WindowsApplication1.exe and %24RMJD6YY.SCR, which arrive on your computer disguised as a Windows theme. These infected files may be sent out in spam emails. The email may be written to make you want to open and download its attachment, which you shouldn’t do. If you receive an email that seems too good to be true, check the sender first or, better yet, delete it right away.
Aside from that, this ransomware is also distributed in software bundles found on free sharing sites and peer-to-peer networks, or hosted on malicious websites that often display pop-ups or download buttons.
To eliminate Invincible ransomware, follow the removal instructions below.
Step 1: Reboot your computer into Safe Mode
- Reboot your computer.
- Tap F8 when you see the BIOS screen.
- Select Safe Mode from the Advanced Boot Options menu using the arrow keys on your keyboard.
- Press Enter.
- And then proceed to remove the Invincible ransomware.
- Press the Windows key and C together on your keyboard and click Settings (if you use Windows 8/8.1), or click on the Start button (if you use Windows 10).
- Click Power.
- Hold the Shift key and click Restart.
- Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click on the Restart button.
- Tap F4.
- Proceed to remove the Invincible ransomware when your PC starts in Safe Mode.
Step 2: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 3: Go to the Processes tab, look for the Invincible ransomware’s process or any other suspicious process, and then kill it.
Step 4: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 5: Look for Invincible Ransomware or any suspicious program and then Uninstall.
Step 6: Hold down Windows + E keys simultaneously to open File Explorer.
Step 7: Go to the directories listed below and look for WindowsApplication1.exe and %24RMJD6YY.SCR which are both directly associated with the ransomware.
Step 8: Look for @decrypt_your_files.txt and rnsmwre.exe and any malicious file that might be related to the malware.
The next steps are not recommended if you don’t know how to navigate the Registry Editor. Making registry changes can seriously affect your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Invincible ransomware created. If you are not familiar with the Windows Registry, skip to Step 13 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 9.
Step 9: Open the Registry Editor. To do so, tap Win + R, type in regedit and then press Enter.
Step 10: Navigate to the path below:
Step 11: Delete any suspicious registry value.
Step 12: Close the Registry Editor.
Step 13: Empty the Recycle Bin.
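The file check in Steps 7 and 8 can also be scripted. The PowerShell script below is an added example, not part of the original guide: it reports files whose names match the ones listed above, with their SHA-256 hashes, and deletes nothing. The search roots and the `$RMJD6YY.SCR` spelling (reading %24 as a URL-encoded `$`) are assumptions, since the guide does not list its directories.

```powershell
# Added example: report files named in Steps 7 and 8. Nothing is deleted.
$names = @(
    'WindowsApplication1.exe',
    '%24RMJD6YY.SCR',            # spelled as in the guide
    '$RMJD6YY.SCR',              # assumption: %24 is a URL-encoded "$"
    '@decrypt_your_files.txt',
    'rnsmwre.exe'
)

# Assumed search roots (user-writable locations); the guide lists none.
$roots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Hash with .NET rather than Get-FileHash so older PowerShell versions work.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Dispose() }
    } catch {
        'unreadable (locked or access denied)'
    }
}

$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($names -contains $_.Name) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Size    = $_.Length
                Created = $_.CreationTime
                SHA256  = (Get-Sha256 $_.FullName)
            }
        }
}

if ($hits) {
    # Roots overlap (TEMP sits under LOCALAPPDATA), so de-duplicate by path.
    $hits | Sort-Object Path -Unique | Format-List Path, Size, Created, SHA256
} else {
    Write-Output 'No files with the listed names were found under the searched roots.'
}
```

Record the reported paths and hashes before removing anything, so the files can be checked with a scanner afterwards.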
Follow the continued advanced steps below to ensure the removal of the Invincible Ransomware:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.