RansomNoteCleaner (beta) is a program I have created to help remove pesky ransom notes left behind by known ransomware variants.
This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomware and their ransom notes. This also allows it to be flexible in detecting the ransom notes, as it uses the exact same data ID Ransomware uses for identifying variants.
When RansomNoteCleaner is first launched, it will contact the website, and pull down the latest information on known ransom notes; this is the only network activity done with the program, and no information about your system is uploaded or stored at all. If you have a network issue with reaching the website, the "Refresh Network" button is available to try again.
Clicking the "Select Ransomware(s)" button allows for selecting the exact variant(s) to clean ransom notes from. This is recommended if you have already identified the ransomware, as it will take much less time to search for the notes.
Once the ransomware variant(s) have been confirmed, you may press the "Search for Ransom Notes" button to select a directory (or whole drive), and start the search for known ransom notes.
Once the scan has completed, the "Clean!" button will be available. A final window will display all found ransom notes before continuing with deletion. I highly recommend double-checking the file list before confirming the deletion. I am not responsible for loss of data if you confirm this step.
A full log of deleted ransom notes will be saved to a file "RansomNoteCleaner.log" in the same directory RansomNoteCleaner is run from.
Please note that this program does not decrypt data. It is simply a tool for removing the pesky ransom notes that are littered on the system after a ransomware attack.
Please also note that this program is in beta, and I take no responsibility for data loss. I recommend running it on a test directory before letting it loose on a whole drive. I highly advise reviewing the "Found Ransom Notes" screen before continuing with deleting files. A few false positives may occur, as some ransomware use general filenames - one example I found is a certain ransomware that uses "README.txt", which can be a common name for a legitimate program's readme file; you can simply unselect these in the confirmation window.
You may download RansomNoteCleaner here: http://www.bleepingcomputer.com/download/ransomnotecleaner/
Please let me know if you run into any issues, or have any recommendations for the program.
When I try to download the file, I get the "unsafe download" indicator. What's up with that? Why is it being seen as unsafe?