How to remove PSCrypt virus and restore encrypted files

PSCrypt is ransomware that was first discovered on June 22, 2017. The virus has not yet been researched well enough to say anything definite about its structure and characteristics. At the moment we can say that all the victims who have reported the infection are located in Ukraine. To decrypt the files, the scammers demand about $100 in Bitcoin and threaten to destroy all data if the victim tries to remove the virus or install an antivirus program. Encrypted files are given the .pscrypt extension. The virus does not have its own site, and all interaction with the scammers takes place via e-mail.

Judging by the available data and the ransom message itself, this virus was most likely bought at an illegal auction, and its owners either lack the knowledge to make it more efficient or do not want to invest in it. The virus does not use any exploits and most likely reaches the computer in traditional ways, via e-mail spam or Trojans. At the moment users in Europe and America are not in danger, but over time the virus may spread all over the world. We will monitor the situation and publish the latest news in this article. Here is the exact text of the ransom message:


To recover data you need decryptor.
To get the decryptor you should pay for decrypt.
site for buy bitcoin:
bitcoin adress for pay:
Contact us by email : [e-mail address hidden by the site's spam protection]. In the letter include your personal ID (look at the beginning of this document)
After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)
In the letter include your personal ID (look at the beginning of this document)
After you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.


No Payment = No decryption
You really get the decryptor after payment
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key


If you know what ransomware is and how to deal with it, you do not need to read this section and can go straight to the removal. Ransomware is a special kind of virus that penetrates users' computers and encrypts their data for extortion purposes. The emergence of such viruses became possible at the dawn of the Internet, when the most sophisticated encryption algorithms, AES and RSA, were published. These algorithms are among the most complex in the world and are currently used by most law enforcement agencies, government organizations and large corporations to protect sensitive data. They are so complex that an ordinary user cannot decrypt the data without the key, even with the most powerful computing equipment and dozens of years to spend on it. Such viruses are sold in large numbers at illegal auctions on the Dark Web, and anyone can buy them. Because of this, new ransomware appears constantly, but only some viruses become really effective and spread quickly enough to become a real threat. From the point of view of PSCrypt victims, the more victims there are, the better: if the virus becomes widespread, it is more likely to attract the attention of major specialists in this field, and it will be deciphered sooner.

It should be noted that direct decryption of the encrypted files is out of the question. The only way to decrypt the files is to somehow obtain the encryption keys stored in the scammers' database, or a single master key (if it exists). This can be achieved by hacking a scam site, or by finding flaws in the code of the virus itself that allow the keys to be recovered.

How to delete PSCrypt Virus

Removing such viruses is not difficult and can be done without problems if you follow our instructions. Scammers always threaten victims, saying that the files will be deleted if they try to decrypt them or delete the virus. In fact, to avoid this you only need to boot into safe mode and perform the removal there. In safe mode the ransomware will not be able to run, and therefore will not be able to delete the files. For removal we recommend using an anti-virus program, since you need to completely clean the computer of all files associated with the virus, and they can be very well hidden.



Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder
  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
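
The checks from Steps 3 to 5 can be gathered in one read-only pass before anything is deleted. The script below is an added example, not part of the original instructions; it assumes Windows PowerShell 3.0 or later, and the 14-day look-back window and the list of file extensions are illustrative choices.

```powershell
# Added example: read-only triage for Steps 3-5. It lists, it does not delete.

# Step 3: recently written executables and scripts in the two folders above.
$since = (Get-Date).AddDays(-14)            # assumed look-back window
$types = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'   # assumed list
Write-Output '== Recent executables/scripts in %TEMP% and %ProgramData% =='
Get-ChildItem -Path $env:TEMP, $env:ProgramData -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and $types -contains $_.Extension } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize

# Step 4: the stock Windows hosts file contains only comment lines,
# so every active (non-blank, non-comment) line deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Output '== Active hosts file entries =='
Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

# Step 5: autorun values under the keys listed above, in both hives.
Write-Output '== Autorun registry values =='
$autoruns = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path -Path $path)) { continue }   # RunServices* is often absent
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $path; Name = $valueName; Command = $key.GetValue($valueName) }
        }
    }
}
$autoruns | Format-List

# Winlogon\Userinit normally holds exactly "<SystemRoot>\system32\userinit.exe,".
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -ne $expected) {
    Write-Warning "Userinit is '$userinit' (expected '$expected')"
} else {
    Write-Output "Userinit is the default: $userinit"
}
```

Save the output before cleaning: it records what was present at the time of infection and helps confirm afterwards that nothing was missed.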

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files encrypted by PSCrypt

There is only one completely safe way to get the files back: to restore them from a backup. None of the other techniques described below can guarantee successful recovery. The significant strength of backup copies is that they are stored on an external drive and are not exposed to the virus.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select checkpoint to restore


Other techniques are based on OS functionality, and their success depends on the virus itself and the absence of practice. We can suggest two supplementary decryption methods: you may use the shadow copy service, or a special tool to restore the data. Decryption with a dedicated decryptor is quite efficient, but unfortunately this tool does not yet exist. You can, however, check the websites of the well-known anti-virus vendors who could make such a tool. Manual recovery using shadow copies can be done right now. You may use the basic functionality of Windows, but we advise using additional programs that will significantly simplify the task. These tools are called Recuva and ShadowExplorer. Both tools are free, and you can download them from their official sites, along with detailed instructions for their use.
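
Before opening ShadowExplorer it is worth checking how many files were hit and whether any shadow copy is older than the encryption. The script below is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later and an elevated prompt, searches only the current user's profile, and assumes that the ransomware rewrote each file, so that the oldest write time among the .pscrypt files approximates the start of encryption.

```powershell
# Added example: scope the damage and check whether shadow copies survived.
# Run from an elevated prompt; nothing is modified.

# Inventory files carrying the .pscrypt extension (search root is an assumption).
$root = $env:USERPROFILE
$encrypted = @(Get-ChildItem -Path $root -Recurse -File -Force -Filter '*.pscrypt' -ErrorAction SilentlyContinue)
Write-Output "Encrypted files under ${root}: $($encrypted.Count)"
if ($encrypted.Count -eq 0) { return }   # nothing to scope, stop here

# Folders hit hardest: the first places to compare against the backup.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 15 | Format-Table -AutoSize

# Assumption: the ransomware rewrote each file, so the oldest LastWriteTime
# among the .pscrypt files approximates when encryption started.
$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Output "Earliest encrypted file written: $firstHit"

# Shadow copies created before that moment may still hold clean versions.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$usable  = @($shadows | Where-Object { $_.InstallDate -lt $firstHit })
Write-Output "Shadow copies present: $($shadows.Count); older than first hit: $($usable.Count)"
$usable | Sort-Object InstallDate -Descending |
    Format-Table InstallDate, VolumeName, DeviceObject -AutoSize
if ($usable.Count -eq 0) {
    Write-Warning 'No shadow copy predates the encryption; fall back to the external backup.'
}
```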



