How to remove Philadelphia Ransomware virus and restore encrypted files

Philadelphia is a common example of the malicious software known as ransomware. This means that Philadelphia penetrates the user’s PC, encrypts their files and demands a ransom for their decryption. Philadelphia ransomware was first discovered in the middle of 2016 and has since become a serious threat to users around the world. It can affect all of the most popular file extensions used to store text, video, sound and image files. The encrypted files get the .locked extension and a name made of a long string of random characters, to scare the user and make the files seem even more inaccessible than they are. The current ransom is 0.5 BTC, which is approximately $500.


Philadelphia ransomware virus


This virus is almost no different from other common members of the ransomware family: it uses the AES and RSA encryption algorithms and is distributed via e-mail spam. Its only distinctive feature is “Russian Roulette”. The window shown to the victim has a field for entering the secret key (which can be bought on the scammers’ website) and two timers. The “deadline” timer counts down to total file deletion, and the “Russian Roulette” timer counts down to the next random file deletion. The scammers use these methods to push victims to pay in time. If you pay immediately you will probably get all your files back, but if the “Russian Roulette” timer reaches zero, the virus will delete a random number of files. This method is very effective, and most users paid.





How to remove Philadelphia Ransomware Virus

If you are a victim of Philadelphia Ransomware, the first thing you should do is delete the virus itself. This is the first step in all cases, even if you have backups of all important files. The best way to remove ransomware is automatically, with the help of a decent antivirus tool. Of course, you can try to remove Philadelphia Ransomware manually, but this requires a lot of experience and might cause other issues that are much harder to resolve. By contrast, to remove Philadelphia Ransomware with an antivirus tool you just need to enter Safe Mode and launch a scan. We advise you to use Spyhunter AntiMalware for this purpose, because it has many advantages over its competitors: it is fast, lightweight, inexpensive and compatible with other antivirus programs. If you’re interested in purchasing Spyhunter, just click the link above this paragraph.



Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup registry keys:
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
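The checks in Steps 3 to 5 can be gathered in one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the original instructions or of any vendor tool; it only lists what it finds, and the file-extension list and the 30-file limit are assumptions chosen for illustration, not Philadelphia signatures.

```powershell
# Added example: read-only triage for Steps 3-5. It lists, it never deletes.
# Run from an elevated PowerShell prompt (Safe Mode is fine).

# Step 3: executables and scripts under %TEMP% and %ProgramData%, newest first.
# The extension list and the 30-file limit are assumptions for illustration.
$exts = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js'
Get-ChildItem -Path $env:TEMP, $env:ProgramData -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLower() } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 30 LastWriteTime, Length, FullName

# Step 4: active (non-comment, non-blank) hosts entries.
# On current Windows versions the stock hosts file contains only comment lines,
# so every line printed here deserves a look.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }

# Step 5: values in the startup keys named in the article, for both hives.
$subKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $subKeys) {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }   # some of these keys may not exist
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $regKey.GetValue($name)
            }
        }
    }
}

# Winlogon Userinit: the stock value is "C:\Windows\system32\userinit.exe,"
# (with the trailing comma). Anything appended after it also runs at logon.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
```

Save the output before cleaning, so that any entry removed by mistake can be restored from the record.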

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files encrypted by Philadelphia Ransomware

Usually, decrypting the files is the most complicated part, but in this case we have a quick and safe answer: the Emsisoft decryption tool. This tool was developed in September 2016 and can completely decrypt all files corrupted by Philadelphia Ransomware. All you need to do is follow this link and the instructions given there.

How to protect the system against ransomware

All species of ransomware use one simple method of distribution: e-mail spam. Scammers create hundreds of fake mailboxes on free services and write a few templates that might interest different types of victims. If the scammers are targeting an average user, the template is made to look like a letter from a large online store or delivery service. For business people it is written as an employee resume, an invoice, a notification about changes in legislation, and so on. Here are three simple pieces of advice that will help you avoid ransomware in the future:


  • Always make backups of important files and store them on an external hard drive that is disconnected from the PC.
  • Never open e-mails from unknown senders, especially if they contain links or attached files.
  • If you use e-mail often, install a “sandbox” program that will let you open any file without letting it into the system. It may be a separate program or part of an antivirus suite.


If you follow this advice, your computer won’t be infected again, and even if ransomware manages to sneak onto it somehow, it won’t cause any damage, because all files will be copied and stored in a safe place.



