READINSTRUCTIONS Ransomware (.READINSTRUCTIONS File) — Removal Guide

Written by Brendan Smith
The Readinstructions virus falls under the ransomware type of malicious agent. A harmful program of such sort encrypts all the data on your computer (photos, text files, excel sheets, music, videos, etc) and appends its extra extension to every file, leaving the INSTRUCTIONS.html text files in each directory which contains the encrypted files.
GridinSoft Anti-Malware Review

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.
GridinSoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | GridinSoft

@topcybersecuritySubscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

Readinstructions virus: what is known so far?

☝️ A scientifically accurate designation for the Readinstructions would be “a ransomware-type malicious agent”.

Readinstructions adds its extra .ReadInstructions extension to every file’s name. For example, a file entitled “photo.jpg” will be turned into “photo.jpg.ReadInstructions”. Likewise, the Excel file named “table.xlsx” will end up as “table.xlsx.ReadInstructions”, and so forth.

In every folder with the encoded files, a INSTRUCTIONS.html text file will be created. It is a ransom money memo. Therein you can find information on the ways of paying the ransom and some other remarks. The ransom note most probably contains a description of how to purchase the decryption tool from the racketeers. You can obtain this tool after contacting qhrghghk@protonmail.com through email. That is basically the scheme of the malefaction.

Readinstructions summary:
NameReadinstructions Virus
Extension.ReadInstructions
Ransomware noteINSTRUCTIONS.html
Contactqhrghghk@protonmail.com
Detection1Ransom:HTML/Cryptowall, Win32/Filecoder.DCryptor.A, Win32/Filecoder.Ishtar.B
SymptomsYour files (photos, videos, documents) have a .ReadInstructions extension and you can’t open them.
Fix ToolSee If Your System Has Been Affected by Readinstructions virus

The INSTRUCTIONS.html document accompanying the Readinstructions ransomware states the following:

Your files are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
qhrghghk@protonmail.com
If you will get no answer within 24 hours contact us by our alternate emails:
qhrghghk@tutanota.com

What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
-
Attention!
? Attempts of change files by yourself will result in a loose of data.
? Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
? Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
? Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
? If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

In the image below, you can see what a directory with files encrypted by the Readinstructions looks like. Each filename has the “.ReadInstructions” extension added to it.

Readinstructions Virus - encrypted .ReadInstructions files

That is how encrypted “.ReadInstructions” files look.

How did my computer get infected with Readinstructions ransomware?

There are plenty of possible ways of ransomware injection.

There are currently three most exploited ways for hackers to have ransomware planted in your digital environment. These are email spam, Trojan injection and peer networks.

If you access your mailbox and see letters that look just like notifications from utility services companies, delivery agencies like FedEx, Internet providers, and whatnot, but whose “from” field is strange to you, beware of opening those emails. They are very likely to have a harmful item enclosed in them. Thus it is even riskier to download any attachments that come with emails like these.

Another thing the hackers might try is a Trojan file model2. A Trojan is a program that gets into your PC disguised as something different. Imagine, you download an installer for some program you want or an update for some service. But what is unpacked turns out to be a harmful program that encodes your data. As the installation file can have any title and any icon, you have to make sure that you can trust the resource of the things you’re downloading. The optimal way is to trust the software companies’ official websites.

As for the peer networks like torrent trackers or eMule, the danger is that they are even more trust-based than the rest of the Internet. You can never guess what you download until you get it. So you’d better be using trustworthy resources. Also, it is reasonable to scan the directory containing the downloaded files with the antivirus as soon as the downloading is complete.

How do I get rid of the Readinstructions virus?

It is crucial to inform you that besides encrypting your data, the Readinstructions virus will most likely install the Azorult Spyware on your computer to get access to credentials to various accounts (including cryptocurrency wallets). That spyware3 can extract your credentials from your browser’s auto-filling data.

Sometimes racketeers would unblock some of your files to prove that they indeed have the decryption program. Since Readinstructions virus is a relatively recent ransomware, safety measures engineers have not yet found a method to undo its work. Nevertheless, the decryption tools are frequently upgraded, so the solution may soon arrive.

Understandably, if the hackers do the job of encoding someone’s essential data, the desperate person will probably fulfill their demands. Despite that, paying to racketeers does not necessarily mean that you’re getting your blocked information back. It is still risky. After receiving the money, the racketeers may send a wrong decryption code to the injured party. There were reports about racketeers just vanishing after getting the money without even writing back.

The optimal safety measure against ransomware is to have a system restore point or the copies of your essential files in the cloud storage or at least on an external drive. Obviously, that might be not enough. Your most crucial thing could be that one you were working on when it all started. But at least it is something. It is also advisable to scan your drives with the anti-malware utility after the system restoration.

Readinstructions is not the only ransomware of its kind, since there are other specimens of ransomware out there that act in the same manner. Examples of those are Zfdv, Bbyy, Bbzz, and some others. The two main differences between them and the Readinstructions are the ransom amount and the encoding method. The rest is the same: files become encoded, their extensions changed, ransom notes are found in each folder containing encoded files.

Some lucky people were able to decrypt the arrested files with the aid of the free tools provided by anti-malware developers. Sometimes the racketeers accidentally send the decryption code to the wronged in the ransom note. Such an extraordinary fail allows the injured part to restore the files. But obviously, one should never expect such a chance. Make no mistake, ransomware is a tamperers’ instrument to lay their hands on the money of their victims.

How do I avert ransomware infection?

Readinstructions ransomware has no superpower, so as any similar malware.

You can defend yourself from its attack in several easy steps:

  • Never open any letters from unknown mailers with strange addresses, or with content that has likely no connection to something you are waiting for (how can you win in a lottery without participating in it?). If the email subject is more or less something you are waiting for, check all elements of the questionable letter with caution. A fake letter will surely have a mistake.
  • Do not use cracked or untrusted programs. Trojan viruses are often shared as an element of cracked software, most likely under the guise of “patch” preventing the license check. But dubious programs are very hard to tell from reliable software, as trojans may also have the functionality you seek. Try searching for information about this software product on the anti-malware forums, but the best solution is not to use such software.
  • And finally, to be sure about the safety of the objects you downloaded, scan them with GridinSoft Anti-Malware. This program will be a perfect armor for your system.
Reasons why I would recommend GridinSoft4

There is no better way to recognize, remove and prevent ransomware than to use an anti-malware software from GridinSoft5.

Download Removal Tool.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When setup file has finished downloading, double-click on the setup-antimalware-fix.exe file to install GridinSoft Anti-Malware on your computer.

Run Setup.exe

An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.

GridinSoft Anti-Malware Setup

Press “Install” button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your computer for Readinstructions infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has finished, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.

GridinSoft Anti-Malware Scan Result

Frequently Asked Questions

🤔 How can I open “.ReadInstructions” files?Can I somehow access “.ReadInstructions” files?

There’s no way to do it, unless the files “.ReadInstructions” files are decrypted.

🤔 The encrypted files are very important to me. How can I decrypt them quickly?

It’s good if you have fаr-sightedly saved copies of these important files elsewhere. If not, there is still a function of System Restore but it needs a Restore Point to be previously saved. The rest of the methods require patience.

🤔 You have advised using GridinSoft Anti-Malware to get rid of the Readinstructions virus. Does it mean that all my files, currently encrypted, will be removed too?

Of course not. Unlike the ransomware program itself, the encrypted files do not jeopardize your system.

GridinSoft Anti-Malware will remove active malware from your computer. The virus that has attacked your system is most likely still active and it scans your system periodically to encode any new files you might create on your computer after the infection. As it has been mentioned above, the Readinstructions virus does not come alone. It installs backdoors and keyloggers that can steal your account credentials and provide hackers with easy access to your computer in the future.

🤔 What actions should I take if the Readinstructions ransomware has blocked my computer and I can’t get the activation key.

If that happened, you need to prepare a flash memory card with a previously installed Trojan Killer. Use Safe Mode to perform the procedure. The point is that the ransomware runs automatically as the system boots and encodes any new files created or brought into your computer. To stop this process – use Safe Mode, which allows only the vital programs to run automatically. Consider reading our manual on running Windows in Safe Mode.

🤔 What can I do right now?

Some of the encrypted data can be found elsewhere.

  • If you exchanged your critical files by email, you could still download them from your online mailbox.
  • You might have shared images or videos with your friends or relatives. Just ask them to send those pictures back to you.
  • If you have initially downloaded any of your files from the Web, you can try doing it again.
  • Your messengers, social media pages, and cloud disks might have all those files too.
  • Maybe you still have the needed files on your old PC, a laptop, cellphone, external storage, etc.

USEFUL TIP: You can use data recovery utilities6 to get your lost data back since ransomware blocks the copies of your files, deleting the authentic ones. In the tutorial below, you can see how to use PhotoRec for such a restoration, but remember: you won’t be able to do it before you eradicate the virus with an antivirus program.

Also, you can contact the following official fraud and scam sites to report this attack:

To report the attack, you can contact local executive boards. For instance, if you live in USA, you can have a talk with FBI Local field office, IC3 or Secret Service.

I need your help to share this article.

It is your turn to help other people. I have written this guide to help users like you. You can use the buttons below to share this on your favorite social media Facebook, Twitter, or Reddit.
Brendan Smith
How to Remove READINSTRUCTIONS Ransomware & Recover PC

Name: READINSTRUCTIONS Virus

Description: READINSTRUCTIONS Virus is a ransomware-type infections. This virus encrypts important personal files (video, photos, documents). The encrypted files can be tracked by a specific .ReadInstructions extension. So, you can't use them at all.

Operating System: Windows

Application Category: Virus

Sending
User Review
3.92 (12 votes)
Comments Rating 0 (0 reviews)

References

  1. Encyclopedia of threats.
  2. You can read more on Trojans, their use and types in the Trojan-dedicated section of GridinSoft official website.
  3. You can read more on spyware variants and nature in the respective section of GridinSoft official website.
  4. GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
  5. More information about GridinSoft products: https://gridinsoft.com/products
  6. Here’s the list of the best 10 file recovery tools of 2021.

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.