I wrote this article to help you remove PyCL Ransomware. This PyCL Ransomware removal guide works for all Windows versions.

Ransomware infections are the worst cyber threat of the century. And they are multiplying like sponges. A new one was recently detected by security experts. PyCL ransomware is a cross-platform virus. This means that it can infect different operating systems and server networks. The ransomware is named after the encryption engine it employs: the “cl.py” file which can be found in the CL folder under the AppData directory.

PyCL ransomware is known to be spread via massive spam email campaigns and malvertising. The scheme is simple. The crooks write on behalf of well-known organizations and companies. They will not hesitate to steal official logos and fabricate stamps to lure you into downloading an attached file. Before even opening an email, make sure you know who the sender is. Check their contacts by entering their email address in some search engine. If the email was used for a scam, there is a chance that someone complained about it online. If you receive a letter from an organization, visit their official website. In the contact section, you will be able to find their authorized email address. Compare it with the one you have received a message from. If they don’t match, you can be sure that this is a scam.

The Trojan that was used for PyCL ransomware installation is written in the Python programming language. The ransomware also uses this language for file encryption. PyCL creates a unique key for every encrypted file and stores them in a folder. Once the encryption process is over, the %AppData\Roaming\How_Decrypt_My_Files folder, which contains all decryption keys, will be encrypted with the strong RSA-2048 cryptic algorithm.

PyCL ransomware uses a classic scheme. It sneaks into its victim’s computer unnoticed. Then, it will scan the hard drive. In complete silence, the pest will destroy the shadow copies of your system and encrypt your files. Once the operation is complete, PyCL ransomware will notify you about its presence.

PyCL adds the “.crypted” suffix at the end of all encrypted files. It can lock all kinds of files. Its most common targets are documents, images, e-books, presentations and archives. PyCL ransomware uses a lock-screen message to notify the user. It explains what happened to their files and gives them four days to pay the ransom. The ransomware threatens that the decryption keys will be permanently deleted after that time is over. We don’t advise you to send money to the crooks. There are cases where the victims paid but did not receive a working decryption key.

Maybe there is no need to pay the ransom in the first place. There are flaws in some of the procedures the pest employs. The ransomware successfully encrypts files. However, it keeps the original copies intact. That allows the users to restore their documents using a trustworthy anti-malware program. However, evidence points out that PyCL ransomware is actively communicating with the Command and Control server. This means only one thing: the hackers are working on a debugging and are releasing new versions of the virus. Nevertheless, it is worth the shot. Check your hard drive.
Hopefully, your files are still there.

There are more reasons why you should not pay the ransom. Even if the crooks contact you back with the decryption keys, there is a chance that those keys are not working properly. Some of your files may remain encrypted. Furthermore, the keys won’t remove the infection. They will only restore your files. The encrypting program may lock your files anew. How many times are you willing to pay for your files. Don’t become a sponsor of cyber criminals.

Ransomware viruses are lurking everywhere on the Internet. File-sharing networks and social media can be used to distribute the dangerous PyCL ransomware or other infections. Only your vigilance can spare you the trouble. Do not follow links blindly, even if they are sent by a friend. As strange as it may sound, trust your instincts. If you think that something, email or ad, looks suspicious, there probably is a reason for that. In addition, your anti-virus program is your last defense wall. Keep it up to date!

PyCL Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, PyCL Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since PyCL Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete