Tips & Tricks To Remove PyCL ransomware Safely From Affected Systems


Detailed Information on PyCL ransomware

PyCL ransomware is a newly detected file-encrypting virus which is programmed in a Python programming language, whereas other ransomware threats are built in C++ programming language. It is distributed in the form of NSIS installer and the same technique is known to be used by the criminal hackers for the distribution of noxious Cerber ransomware. Once it invades the targeted machine, it will extract few .txt files onto the folder identified as %AppData%\Roaming\How_Decrypt_My_Files\. The files extracted by this ransomware are reported as style.css, index.html, read_me.txt, pay_creditcard.html and send_btc.html.

According to the research report, we can say that all these extracted files will be worked as ransom note for PyCL ransomware. Furthermore, it connects the victim’s machine to Command and Control server and then launch “cl.exe” files. This file is known to carry the malicious payload of this ransomware which starts encoding the files stored on the infected system. During its encryption procedure, it enciphers music files, archives, images, documents, videos and various other type of files. Although, it cannot encode the files stored on system folders. After the successful encryption of files, PyCL ransomware deletes the Shadow Volume Copies from the computer, but only if the affected user has admin privileges onto the compromised machine.

How Does PyCL ransomware Work?

The ransomware again connects the affected machine to C&C server to make a post request to However, the indicated requests deliver some useful information about the user and affected system. The malicious server then transfer RSA-2048 encryption key, ransom amount and Bitcoin wallet address back to the system. Any kind of information received from this server will be stored on %AppData%\Roaming\cl folder. Besides, each file gets encoded using AES-256 key which is generated for each file. Above all, you should never try pay ransom money demanded by the developers of PyCL ransomware. Instead, eliminate the malware from your PC as quickly as possible and then use alternative method to restore some of your important system files. To remove the ransomware the easy way is to use a reliable anti-malware scanner.

Follow Steps to Delete PyCL ransomware from PC

Step A: Know How to Reboot Windows PC in Safe Mode (This guide is meant for novice users)

Step B: PyCL ransomware removal Using System Restore

Still, if you are facing problem in rebooting PC in Safe mode, opt for System Restore. Follow the steps given below.

Prss F8 continously until you get Windows Advanced Options Menu on Computer Monitor. Now Choose Safe Mode with Command Prompt Option and Tap enter


In the Command Prompt Windows, you need to type this command : cd restore and Select Enter



Now type rstrui.exe as command and press on Enter


This will open a new window to Restore System Files and Settings. Click on Next to proceed.


Restore Point is to be selected from the date you want to restore back your system as it was earlier to PyCL ransomware attack


Step C Another method for recovering your decrypted files are file recovery software

If above methods are not successful you can go for file recovery software. It can be helpful in recovering your encrypted files as PyCL ransomware first makes a copy of original files and then encrypt it. After encryption it deletes the original files. So there is high probability that these file recovery software can help you in recovering your original files.

Step: D Know How to Restore Shadow Copies of Encrypted Data

In certain cases, if PyCL ransomware has not deleted the Shadow Copies of the data then it can be easily restored using ShadowExplorer. (Know how to install and use ShadowExplorer)