How to delete Tisc ransomware

Tisc ransomware is yet another file-encrypting malware from the infamous Djvu/STOP ransomware family. It adds .tisc to encrypted files, hence why it’s called Tisc ransomware. It drops a _readme.txt ransom note which explains that paying $980 is necessary in order to get the decryption tool to restore encrypted files. Unfortunately, there currently is no free decryptor available so the only way to recover files is via backup since paying the ransom is not recommended.

 

 

Tisc ransomware is the newest member of the Djvu/STOP ransomware family. It’s essentially identical to Rigd, Koom, Hoop, and Muuq. Tisc ransomware can be differentiated from the other versions by the .tisc extension it adds to encrypted files. For example, image.jpg would become image.jpg.tisc. The ransomware will target all personal files, including photos, videos, documents, etc. because they are the files users are usually most willing to pay to get back. While the ransomware encrypts files, it will show a fake Windows update window to distract users from what’s happening. Once files are encrypted, a _readme.txt ransom note will be dropped in all folders containing encrypted files. The note, as seen in the above image, explains that files have been encrypted and that it’s only possible to decrypt them using a special decryptor. That is, unfortunately, correct. The malicious actors operating this ransomware will offer you the decryptor but request $980 in exchange. If contact is made within the first 72 hours, the price supposedly goes down to $490.

As always, paying the ransom is not recommended, primarily because it does not guarantee file decryption. While the cyber crooks promise to send the decryptor if you pay them, there are no guarantees that they will actually do so. After all, there is nothing obligating them to do so. Many users in the past have not received decryptors, despite paying. While the decision of whether to pay is yours, you should be aware of the risks, considering that the requested sum is quite large.

There should be no issue with file recovery if you backed up your files prior to infection. However, keep in mind that you must delete Tisc ransomware from the computer before connecting to backup because otherwise, those files would become encrypted as well. Do not attempt to remove Tisc ransomware manually because you could end up causing even more damage. Instead, use anti-virus software.

If your files are encrypted with this ransomware, it’s likely that the first thing you did is look for a free decryptor. Unfortunately, a free one is not available at this time. You can find a free decryptor (developed by software company Emsisoft) for older Djvu/STOP versions but it will not work on new versions because they use online keys for file encryption. Old versions used offline keys, meaning they were the same for all users. Since Tisc ransomware uses online keys, they are unique to each user. Unless the keys are released by the cybercriminals themselves, or by law enforcement, a free universal decryptor is unlikely to be released. However, we still recommend backing up encrypted files and checking NoMoreRansom from time to time for a decryptor. We should also mention that there are fake decryptors being promoted on various questionable sites so you should be very careful about where you download decryptors from.

Ransomware infection methods

In most cases, users with bad browsing habits are often the ones with the highest risk of picking up malware. If you tend to open unsolicited email attachments, download content/software from unreliable sources, use torrents, and/or click on ads when browsing high-risk websites, it’s not surprising that your computer got infected with ransomware. Developing better browsing habits can go a long way towards preventing infections.

If you use torrents to download copyrighted content (aka pirate), you likely already know that torrent sites are notoriously badly moderated. Malicious parties take full advantage of this and constantly upload malware disguised as torrents for popular movies, video games, TV shows, software, etc. While some torrents are quite obvious, some malicious ones may be difficult to recognize. Using torrents to illegally download content is not only essentially stealing but also potentially dangerous to your computer and your files.

Malspam, or malicious spam emails, is one of the most common ways users pick up infections like ransomware. Cybercriminals purchase large amounts of email addresses from various hacking forums and then proceed to launch massive spam campaigns using them. In most cases, users’ email addresses end up on those forums after data breaches or leaks. Fortunately for those whose email addresses have leaked, malicious emails are usually quite obvious. Only when they target someone specific will they be more sophisticated. But in most cases, they are full of grammar and spelling mistakes, address users with “User”, “Member”, “Customer”, etc., and demand that users open the attached file because it’s supposedly an important document. The reason an email with an attachment addressing you with generic terms can be suspicious is that the sender should know your name. If it’s a company whose services you use that’s emailing you, it will address you by name because it would seem unprofessional otherwise. While most malicious emails will be rather obvious, it’s still recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal.

How to remove Tisc ransomware

Ransomware is one of the more complex malware infections, which is why we do not recommend manual Tisc ransomware removal. Incorrectly removing it could result in the ransomware being able to recover. And if the ransomware is still present when you connect to your backup, the backed-up files would become encrypted as well. Thus, you should use reliable anti-virus software to delete Tisc ransomware, and only then access your backup.

For users without backup, the options are, unfortunately, limited. If you are not planning on paying for the decryptor, your only option is to back up encrypted files and store them safely until a free decryptor becomes available. While you will not find one at this moment, it could be released sometime in the future. Check NoMoreRansom for safe decryptors.