
How to remove How_To_Decrypt (Ransomware Removal Guide)

How_To_Decrypt Ransomware

How_To_Decrypt ransomware is a dangerous computer virus that encrypts the files on your computer and adds .How_To_Decrypt to the file extension name. The virus also leaves a ransom note on the computer named How_To_Decrypt.txt (or another name) that demands a payment in order to decrypt and recover files.

The ransom note contains information and instructions about how to obtain an individual private key to decrypt your files. However, in order to do so, the malicious program wants you to purchase the key and a special decryptor for an excessive price via Bitcoin.

When .How_To_Decrypt ransomware infects a computer it will scan all the local drives for certain file types. Once it locates a specific file with the right file extension it will encrypt the file and add a .How_To_Decrypt extension to the encrypted file name. For example, botcrawl.png will be encrypted to the filename botcrawl.png.How_To_Decrypt. Here are the types of files that .How_To_Decrypt ransomware encrypts:

.c, .h, .m, .ai, .cs, .db, .nd, .pl, .ps, .py, .rm, .3dm, .3ds, .3fr, .3g2, .3gp, .ach, .arw, .asf, .asx, .avi, .bak, .bay, .cdr, .cer, .cpp, .cr2, .crt, .crw, .dbf, .dcr, .dds, .der, .des, .dng, .doc, .dtd, .dwg, .dxf, .dxg, .eml, .eps, .erf, .fla, .flvv, .hpp, .iif, .jpe, .jpg, .kdc, .key, .lua, .m4v, .max, .mdb, .mdf, .mef, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .nef, .nk2, .nrw, .oab, .obj, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .pas, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .pps, .ppt, .prf, .psd, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srt, .srw, .svg, .swf, .tex, .tga, .thm, .tlg, .txt, .vob, .wav, .wb2, .wmv, .wpd, .wps, .no, .xlk, .xlr, .xls, .yuv, .back, .docm, .docx, .flac, .indd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .xlsx

.How_To_Decrypt ransomware will also place a ransom note in the Documents and Desktop folders. The ransom notes contain information about what happened to the files, links to the TOR payment sites, and a unique ID that must be used to log in to the payment site.

The ransomware will also create an autorun for the malware executable file so that it will run every time Windows starts. The autorun is called MSEstl and the executable file can be found here: %UserProfile%\AppData\Roaming\Microsoft\Essential\msestl32.exe.

To make matters much worse, .How_To_Decrypt ransomware will delete the Shadow Volume Copies on your computer in order to make it impossible to recover unencrypted files this way.

It is not recommended to pay ransomware authors to decrypt your files. Instead you can try to use programs like Shadow Explorer or Recuva to restore encrypted or deleted files. There is also decryption software detailed in the instructions below that can decrypt your files that have been encrypted by this virus.
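The indicators described above (the .How_To_Decrypt extension, the How_To_Decrypt.txt note, the MSEstl autorun and the msestl32.exe path) can be checked with a short PowerShell script before and after cleanup. This is an added example, not part of the original guide; the function name is hypothetical, and the Run registry keys it searches are an assumption, since the guide names the autorun but not where it is registered.

```powershell
# Indicator values come from the guide. The Run-key locations are an ASSUMPTION:
# the guide names the autorun "MSEstl" but does not say where it is stored.
$AutorunName = 'MSEstl'
$ExePath     = Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\Essential\msestl32.exe'
$RunKeys     = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-HowToDecryptIndicator {   # hypothetical helper name
    param([string[]]$ScanRoots = @($env:USERPROFILE))

    # 1. Autorun value named MSEstl in the per-user and machine Run keys
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $AutorunName)) {
            [pscustomobject]@{ Type = 'Autorun'; Location = $key; Detail = $props.$AutorunName }
        }
    }

    # 2. The dropped executable; record its hash so it can be looked up later
    if (Test-Path -LiteralPath $ExePath) {
        $hash = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
        [pscustomobject]@{ Type = 'Executable'; Location = $ExePath; Detail = "SHA256 $hash" }
    }

    # 3. Ransom notes and files carrying the appended extension
    #    (botcrawl.png.How_To_Decrypt has the extension .How_To_Decrypt)
    foreach ($root in $ScanRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'How_To_Decrypt.txt' -or $_.Extension -eq '.How_To_Decrypt' } |
            ForEach-Object {
                $type = if ($_.Name -eq 'How_To_Decrypt.txt') { 'RansomNote' } else { 'EncryptedFile' }
                [pscustomobject]@{ Type = $type; Location = $_.FullName; Detail = $_.LastWriteTime }
            }
    }
}

# Summarise by type, then list every finding
$found = @(Get-HowToDecryptIndicator)
$found | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
$found | Sort-Object Type, Location | Format-Table -AutoSize -Wrap
```

An empty result after the removal steps below means the autorun and executable are gone; EncryptedFile rows will remain until the files are decrypted or restored.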

How to remove .How_To_Decrypt ransomware

  1. Decrypt your encrypted files with Apocalypse Decryptor
  2. Remove .How_To_Decrypt with Malwarebytes
  3. Perform a second-opinion scan with HitmanPro
  4. Clean up junk and repair your settings with CCleaner

Decrypt your encrypted files with Apocalypse Decryptor

1. Download and Install Apocalypse Decryptor.


2. Run the program and follow the instructions to recover your files.

Remove .How_To_Decrypt with Malwarebytes

1. Download and Install Malwarebytes Anti-Malware software.


2. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

3. Once the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats, click the Finish button and restart your computer if prompted to do so.

Perform a second-opinion scan with HitmanPro

1. Download and Install HitmanPro by Surfright.


2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

3. Once the HitmanPro scan is complete click the Next button.

4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

5. Click the Reboot button.

Clean up junk and repair your settings with CCleaner

1. Download and Install CCleaner by Piriform.


2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

3. Go to Tools > Startup and search for suspicious entries in each tab, starting from Windows all the way to Context Menu. If you find anything suspicious, click it and click the Delete button to remove it.

4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.

How to stay protected against future infections

The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.

Real-time security software

Security software like Malwarebytes and Norton Security has real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.

Common Online Guidelines

  • Back up your computer and personal files to an external drive or online backup service
  • Create a restore point on your computer in case you need to restore your computer to a date before infection
  • Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
  • Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
  • If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
  • Avoid torrents and P2P clients
  • Do not open email messages from senders you do not know

Lead Editor

Jared Harrison is an accomplished tech author and entrepreneur, bringing forth over 20 years of extensive expertise in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. He has made significant contributions to the industry and has been featured in multiple esteemed publications. Jared is widely recognized for his keen intellect and innovative insights, earning him a reputation as a respected figure in the tech community.
