What is Ender Ransomware?
The Malwarebytes research team has determined that Ender Ransomware is a screen-locker. These programs try to trick you into paying a ransom to release your computer.
How do I know if my computer is affected by Ender Ransomware?
You will see this screen as soon as the file is executed:
How did Ender Ransomware get on my computer?
Tech Support Scammers use different methods for distributing themselves. The origin of this one is unknown.
How do I remove Ender Ransomware?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
- You can use Ctr-Alt-Del to access Taskmanager.
- End the process called EnderRansomware.exe. Then, if necessary use Taskmanager to Run explorer.
- Note that one of the passwords for the prompt is EnderISTheBEST, but you will have to click through several prompts to terminate the lockscreen program after entering this code and clicking the (hardly visible) button behind the text field.
- Then continue with the instructions below.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes Ender Ransomware completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.
Technical details for experts
You may see these entries in FRST logs:
() C:\EnderRansomware.exe HKLM-x32\...\Winlogon: [Shell] C:\EnderRansom.exe [ ] () <=== ATTENTIONAlterations made by the installer:
Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = REG_SZ, "C:\EnderRansom.exe"Malwarebytes scan log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/3/17 Scan Time: 11:07 AM Log File: bd132ad3-c07e-11e7-9381-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.212 Update Package Version: 1.0.3164 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 332405 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 1 min, 47 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Ransom.Winlock, C:\ENDERRANSOMWARE.EXE, Quarantined, [756], [453134],1.0.3164 Module: 1 Ransom.Winlock, C:\ENDERRANSOMWARE.EXE, Quarantined, [756], [453134],1.0.3164 Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Ransom.Winlock, C:\ENDERRANSOMWARE.EXE, Quarantined, [756], [453134],1.0.3164 Physical Sector: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention