Potato is ransomware built to encrypt files and extort money from its victims. It uses the AES-256 encryption algorithm and appends the “.potato” extension to every affected file. Once your files are encrypted, Potato creates “README.png” and “README.html” files on your Desktop. These are the ransom notes, and they contain the following text:
‘YOUR FILES WERE ENCRYPTED using military-grade encryption (AES-256). The encrypted files have the additional extension .potato. You won’t be able to retrieve your data unless you make a payment by following the steps below:
1. Download the TOR browser.
2. Access the following address through TOR browser for further instructions hxxp://tzakpakp6v5vwqqh.onion.
3. Enter your ID (see below) and hit “GET KEY” for further instructions.
NOTICE: There’s a folder on your desktop named POTATO which contains the following files:
ID_number.txt – an unique number that identified your computer, which is mandatory for the payment process.
encrypted.exe – a list of files that were encrypted; if you decide to have them back, DO NOT DELETE IT
decryptor.exe (including MSVCR100.dll) – the program you’ll use for decryption once the payment is made and the decryption key is transmitted to you.’
Regaining access to the files is not possible without the decryption key, and there is currently no free tool that recovers them. Security researchers work on tools to deal with ransomware, but this takes time and their attempts are not always successful. Potato targets important files (.jpg, .xls, .pdf and .doc are among them), so you may be tempted to just pay and get on with your life. The catch is that you may not receive a decryption key in return: cybercriminals are bound by no contract, so they can take the payment and vanish, and tracking them down is virtually impossible because they use various methods to stay anonymous. The situation may look grim, since losing important documents can cause a lot of damage, but there is a way out.
You need a program that can remove Potato from the PC. Plumbytes Anti-Malware is one such program and is well suited to the task. You need to know how to use it, though, and that is where we come in: our site has a manual with all the necessary information, so there is nothing to be afraid of. Restore the files from backup once your computer is clean, and delete spam emails going forward. Spam is the primary way ransomware is distributed, so even if a message says you have just won a car and need to open the attached file to claim your prize, don’t believe it: that file installs the threat on your PC and causes all kinds of problems.
Common symptoms of Potato ransomware
- You are not able to access any of the files you try to open.
- Affected files have odd extensions (like .crypted, .locky, .sage, etc.).
- You may find .txt or .html ransomware instruction files in system folders.
- Your desktop screen might be locked, so you can’t access your PC.
- Pop-up messages that ask you to pay “a ransom” to get access to your PC or files again.
- Ransomware may delete important system files.
- Sluggish PC performance.
- Your anti-virus software stops working.
Sources of Potato ransomware infection
- Spam emails that contain malicious attachments or hyperlinks.
- Compromised websites that have exploit code injected in their web pages.
- Vulnerabilities in an unpatched Windows operating system.
- Vulnerabilities in outdated web browsers.
- Drive-by downloads.
- Fake Flash Player update websites.
- Installing pirated software or operating systems.
- Facebook spam messages that contain malicious attachments or links.
- Malicious SMS messages (ransomware may target mobile devices).
- Malvertising campaigns (pop-up and banner ads).
- Self-propagation (spreading from one infected PC to another over the local network).
- Infected game servers.
- Botnets.
- Peer-to-peer networks.
My PC is infected with Potato! What should I do?
Step 1. Create an image of your system and back up encrypted files
Some ransomware families contain hidden routines that remove or overwrite all encrypted files once a certain amount of time has passed since the infection. We strongly recommend creating a backup of all your encrypted files before trying to decrypt or restore them. Locate every file that ends with the ransomware’s extension and copy it to an external hard drive or USB flash drive.
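One way to carry out this backup step in PowerShell, added here as an example rather than code from the original guide: the script walks the given roots, copies every file with the “.potato” extension together with the README.png/README.html ransom notes and ID_number.txt to an external drive while keeping the original folder layout, and records a SHA-256 hash of each copy in a manifest. The scan roots, the destination drive letter and the parameter names are assumptions to adjust for your machine.

```powershell
# Added example, not from the original guide. Back up every ".potato" file and the ransom
# note files before any cleanup, keeping the original folder layout under $Destination.
# Assumptions: elevated PowerShell 5.1+ on the infected machine; $Roots and $Destination
# are placeholders for your own drives; $Destination is an external drive attached only now.
param(
    [string[]]$Roots = @($env:USERPROFILE, 'D:\'),   # assumption: scan roots to adjust
    [string]$Destination = 'E:\potato-backup',        # assumption: external drive letter
    [string]$Extension = '.potato'
)

# File names taken from the ransom note text: the notes on the Desktop and the victim ID.
$alsoCopy = @('README.png', 'README.html', 'ID_number.txt')

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = Join-Path $Destination 'manifest.csv'
$rows = New-Object System.Collections.Generic.List[object]

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension -or $alsoCopy -contains $_.Name } |
        ForEach-Object {
            # "C:\Users\x\a.doc.potato" -> "<Destination>\C\Users\x\a.doc.potato", so the
            # original location can be restored once a decryptor becomes available.
            $drive    = $_.FullName.Substring(0, 1)
            $relative = $_.FullName.Substring(3)
            $target   = Join-Path (Join-Path $Destination $drive) $relative
            New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target -Force

            # Hash the copy so a later change (or a second encryption pass) is detectable.
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            $rows.Add([pscustomobject]@{
                OriginalPath = $_.FullName
                BackupPath   = $target
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256       = $hash
            })
        }
}

$rows | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
"Copied $($rows.Count) file(s); manifest written to $manifest"
```

Keep the manifest with the backup: if a decryptor later appears, the original paths tell you where each restored file belongs, and the hashes let you confirm the copies were not touched in the meantime.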
Step 2. Scan your computer with anti-malware software and block the ransomware activity
Install one of the recommended anti-malware tools listed below and scan your computer. The anti-malware program will detect the malicious files and move them to quarantine, which blocks the ransomware’s activity on your computer. Do NOT delete the quarantined files! They can help identify which encryption method was used in your case and whether any features match known ransomware families.
Remove Ransomware with Plumbytes Anti-Malware
1. Download the Plumbytes Anti-Malware installer to scan your computer for ransomware and any other malware that might have infected it. Plumbytes Anti-Malware is trusted software that can detect and remove most security threats, including adware, ransomware, PUPs, trojans, worms and rootkits.
2. Double-click the downloaded “antimalwaresetup.exe” installation file to launch it.
3. Click the “Install” button to start the installation. The setup wizard will automatically download the necessary program files; once the download has completed, Plumbytes Anti-Malware is installed automatically. The entire process takes only 2-3 minutes.
4. Once installed, Plumbytes Anti-Malware will automatically update its signature database and then start a smart system scan to detect malware, adware, spyware and other security threats.
5. You will see a detailed list of the security threats and potentially unwanted applications detected on your PC. Click the “Remove Selected” button to clear your PC of malicious files, adware and potentially unwanted applications.
Double-Check your PC with SpyHunter 4 Anti-Malware
6. You can double-check your computer with SpyHunter Anti-Malware to remove any leftover malware and ransomware traces. SpyHunter 4 is considered one of the best and most effective anti-ransomware tools today. Click the following link to download the SpyHunter installation package.
7. Double-click the downloaded “SpyHunter-Installer.exe” file to start the installation process.
8. When the installation starts, the Setup Wizard offers a few options and settings you may want to configure. We recommend just clicking “Next” to accept the default settings. Our detailed SpyHunter 4 Anti-Malware Setup & User Guide walks through the installation process and provides important information about malware scans and program settings.
9. Once the installation has completed, SpyHunter 4 will automatically update its antivirus database to the latest virus definitions. Next, SpyHunter 4 Quick Scan will automatically check your computer for malware, adware, spyware and other security threats.
10. You will see a detailed list of the viruses and potentially unwanted applications detected on your PC. Click the “Next” button to clear your PC of malicious files, adware and PUPs.
Alternate Recommended Anti-Malware Tools
The following full-featured anti-malware products have also proved effective against all types of malware and adware. However, some of them don’t provide a free trial version, and you’ll have to purchase a license key in order to clean your computer of the detected malware and PUPs.
1. HitmanPro.Alert – Download | Our Review – 30-Day Free Trial
2. Malwarebytes Anti-Malware – Download | Our Review – 14-Day Free Trial
3. Emsisoft Anti-Malware – Download | Our Review – 30-Day Free Trial
4. WiperSoft Antispyware – Download | Our Review
5. OSHI Defender AntiMalware – Download | Our Review
Step 3. Identify the type of ransomware virus
If you don’t know what type of ransomware has infected your PC, you should try ID Ransomware free online service. Visit ID Ransomware website and upload a ransom note or a sample encrypted file to identify the ransomware strain.
You can also try the free VirusTotal.com service in the same way to determine which ransomware family you are dealing with.
Step 4. Find out if there is a decryption tool
Once you’ve identified the exact type of ransomware, check whether an effective decrypter is available for your encrypted files. If so, you can recover your important data without spending money on the ransom.
You can find the most complete list of current ransomware decryption tools in our “10 Free Tools to Defeat Ransomware in 2017” review.
No More Ransom! Project
Nomoreransom.org website was launched in 2016 and is backed by reputable top security companies and security institutions in many countries. Visit the Crypto Sheriff https://www.nomoreransom.org/crypto-sheriff.php page at Nomoreransom.org, upload one of your encrypted files, and you will find out if there is a solution available to decrypt all of your files for free.
EmsiSoft Decrypter
EmsiSoft’s team continuously works on free decrypters for different types of ransomware. Check the Decrypter.emsisoft.com page for the decryptor you need; currently there are more than 40 working decryptors for different crypto-ransomware families.
Kaspersky NoRansom
Russian cyber security firm Kaspersky Lab has launched https://noransom.kaspersky.com website where you can download free ransomware decryptors and removal tools.
Avast Free Ransomware Decryption Tools
On the Avast Free Ransomware Decryption Tools page you can download decryption tools that can help unlock files encrypted by various forms of ransomware.
Trend Micro Ransomware File Decryptor
The Trend Micro Ransomware File Decryptor tool is able to decrypt files encrypted by several types of ransomware. Visit the Trend Micro website for detailed instructions and a video guide for this tool.
Step 5. No Decrypter available? We’re still here to help you
Unfortunately, most recent file-encrypting ransomware has no working decryption solution. Loosely speaking, unless you pay the attackers for a copy of the private decryption key, you can be stuck with blocked files for a long time. However, in many cases victims who paid a large ransom still did not receive the key to unblock their files; according to statistics, one in five victims who paid the ransom never got their files back. Remember: if you pay the ransom, you directly fund cyber criminality. Before deciding to pay, gather all available information about the particular type of crypto-ransomware that infected your system.
1. Check our manual removal guide below. If the ransomware that infected your computer did not delete the shadow volume copies on the local hard drive, you can use the System Restore feature to roll the Windows operating system back in time or to recover your files from system snapshots.
The Malwareless.com team strives to provide current and useful information about ransomware. We continuously monitor the latest decryptor tools and add them to the removal instructions.
2. Bleepingcomputer.com website has a great Ransomware Help & Tech Support forum section with quite active ransomware discussions that may save you a lot of money and time. Check the particular forum topics about the type of ransomware that infected your computer and follow the provided instructions.
3. You can also ask for help using EmsiSoft’s Malware Research Center. Their ransomware first aid service is free for both customers and non-customers.
Remove Potato Ransomware Manually (Removal Guide)
Notice: the manual removal guide is recommended for experienced PC users only. Incorrect modifications to Windows operating system settings, the Windows Registry or browser settings may result in system failures or software errors.
We’ve created this detailed removal guide to help you manually remove Potato and any other ransomware threats from your computer. Please carefully follow all the steps listed in the instruction. We’ve attached detailed screenshots, video guides and descriptions for your convenience. If you have any questions or issues, please contact us via email, public forum or online contact form. You can also add your comments to this guide below.
Windows 10
Removal Instructions for Windows 10 Users
Potato removal using Safe Mode with Networking
Why choose this reboot method instead of the common Safe Mode? Safe Mode with Networking allows you to access the Internet in order to download the tools that can help you remove Potato ransomware from your PC.
You can start Windows 10 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.
Method 1: Using the Start Menu
If you have a new computer with UEFI firmware and an SSD, pressing F8 or Shift+F8 during boot may not get you into Safe Mode.
The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.
Click Windows button in the bottom-left corner and select Power option, then hold Shift key and click Restart.
Your computer will be rebooted. You will see a window with a few options. Select the Troubleshoot option.
Next, select Advanced options.
Go to Startup Settings in the Advanced options window.
Click Restart button.
Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Networking and press F5 to activate this mode.
Desktop screenshot of the Safe Mode with Networking
Method 2: Using Windows 10 search engine
You can use Windows 10 search system for booting into Safe Mode with Networking.
Click Windows start button to open Start screen. Type Advanced and select View advanced startup options.
Choose Recovery option in the left navigation bar. Click Restart now button.
Once your computer restarts successfully, you will see a window with three options available. Select Troubleshoot option.
Next, select Advanced options.
Next, go to Startup Settings.
Click Restart button in the Startup Settings window.
Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Networking and press F5 to activate this mode.
Desktop screenshot of the Safe Mode with Networking
Method 3: Using Lock Screen
If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Networking using the following manual.
Note that you must have access to Windows lock screen with password field.
Click Power icon in the bottom-right corner, then hold Shift key and click Restart.
Select Troubleshoot in the Choose an option window.
Next, choose Advanced options.
Choose Startup Settings in the Advanced options.
Click Restart button to reboot your PC.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Networking and press F5 to activate this mode.
Desktop screenshot of the Safe Mode with Networking
Method 4: Using Run (msconfig.exe) utility
This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly on your computer due to ransomware activity.
Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.
Go to the Boot tab. Tick the Safe boot checkbox and the Network checkbox. Click the OK button.
Click Restart button in the confirmation window.
Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.
Desktop screenshot of the Safe Mode with Networking
Turn off Safe Mode with Networking
If you used Method 4 (through Windows + R –> Run –> msconfig) to start Windows in Safe Mode with Networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.
Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click OK button or hit Enter.
Go to the General tab and select Normal startup.
Go to the Boot tab and make sure all checkboxes are unchecked. Click the OK button.
Click Restart button in the confirmation window.
Your computer will restart in a Normal startup mode with all drivers, applications and other components running.
Once you are in Safe Mode with Networking, launch your web browser and download trusted anti-virus or anti-malware software to scan your PC for Potato’s malicious files and processes. If you don’t want to purchase an anti-malware license, you can simply scan your system and then manually remove the detected malicious files.
You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.
Right-click Start button and go to Control Panel.
Select Appearance and Personalization settings in the Control Panel (view by: Category).
Next, go to File Explorer Options –> Show hidden files and folders.
Click View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click OK button.
Don’t forget to restore previous system settings once you get rid of ransomware threat.
Remove malicious files installed by ransomware
Once an exploit kit infiltrates your computer, it downloads and installs the ransomware files on your system.
You should manually check the following system folders for batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could have been created by the ransomware:
- %TEMP%
- %APPDATA%
- %ProgramData%
- %UserProfile%
Clean your Windows Registry (for experienced users only)
It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.
Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press Enter.
When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.
Once Registry Editor is open, you need to find and remove the registry keys and values created by the ransomware.
Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.
Look up the names of the files associated with the ransomware affecting your PC and type each into the “Find what:” text box. Select all checkboxes and then click the Find Next button.
Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.
Click Yes button in the confirmation window.
Check the following autostart registry keys for suspicious entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Next, check HKEY_CURRENT_USER for the same kind of suspicious entries.
To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
Potato removal using Safe Mode with Command Prompt
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.
This method works only if System Protection feature is enabled on your Windows 10 computer. You can find more information about System Protection feature in the following article on our website.
Method 1: Using the Start Menu
Click the Windows button in the bottom-left corner and select the Power option, then hold the Shift key and click Restart.
Your computer will be rebooted. You will see a window with a few options. Select the Troubleshoot option.
Next, select Advanced options.
Go to Startup Settings in the Advanced options window.
Click Restart button.
Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.
After your computer restarts, a black Command Prompt window will appear. Type cd restore and press Enter.
Type rstrui.exe in the next line and press Enter.
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Method 2: Using Windows 10 search engine
You can use Windows 10 search system for booting into Safe Mode with Command Prompt and then try to perform a System Restore.
Click Windows start button to open Start screen. Type Advanced and select View advanced startup options.
Choose Recovery option in the left navigation bar. Click Restart now button.
Once your computer restarts successfully, you will see a window with three options available. Select Troubleshoot option.
Next, select Advanced options.
Next, go to Startup Settings.
Click Restart button in the Startup Settings window.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.
After your computer restarts, a black Command Prompt window will appear. Type cd restore and press Enter.
Type rstrui.exe in the next line and press Enter.
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Method 3: Using Lock Screen
If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Command Prompt using the following manual.
Note that you must have access to Windows lock screen with password field.
Click Power icon in the bottom-right corner, then hold Shift key and click Restart.
Once your computer restarts successfully, you will see a window with three options available. Select Troubleshoot option.
Next, select Advanced options.
Go to Startup Settings in the Advanced options window.
Click Restart button.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.
After your computer restarts, a black Command Prompt window will appear. Type cd restore and press Enter.
Type rstrui.exe in the next line and press Enter.
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Windows 8
Removal Instructions for Windows 8.1 Users
Potato removal using Safe Mode with Networking
Why choose this reboot method instead of the common Safe Mode? Safe Mode with Networking allows you to access the Internet in order to download the tools that can help you remove Potato ransomware from your PC.
You can start Windows 8.1 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.
Method 1: Using Windows 8 search engine
If you have a new computer with UEFI firmware and an SSD, pressing F8 or Shift+F8 during boot may not get you into Safe Mode.
The easiest method for booting into Safe Mode with Networking is to use the Advanced options settings.
Click Windows start button to open Start screen. Type in Advanced and select Change advanced startup options from the Search results list.
Go to Update and recovery –> Recovery and click Restart now button.
Once your computer restarts successfully, you will see a window with three options available. Select Troubleshoot option.
Next, select Advanced options.
Next, go to Startup Settings.
Click Restart button.
Your computer will be rebooted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Networking and press F5 to activate this mode.
Desktop screenshot of the Safe Mode with Networking.
Method 2: Using Lock Screen
If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Networking using the following manual.
Note that you must have access to Windows lock screen with password field.
Click Power icon in the bottom-right corner, then hold Shift key and click Restart.
Select Troubleshoot in the Choose an option window.
Next, choose Advanced options.
Choose Startup Settings in the Advanced options.
Click Restart button to reboot your PC.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Networking and press F5 to activate this mode.
Desktop screenshot of the Safe Mode with Networking.
Method 3: Using Run (msconfig.exe) utility
This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.
Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.
Go to the Boot tab. Tick the Safe boot checkbox and the Network checkbox. Click the OK button.
Click Restart button in the confirmation window.
Your computer will boot up in safe mode with a black blank screen and with the words “Safe Mode” in all four corners.
Desktop screenshot of the Safe Mode with Networking.
Turn off Safe Mode with Networking
If you used Method 3 (through Windows + R –> Run –> msconfig) to start Windows in Safe Mode with Networking, you need to turn this safe mode off in order to return your PC to Normal startup mode. Otherwise, your PC will continue to boot into Safe Mode with Networking automatically.
Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click OK button or hit Enter.
Go to the General tab and select Normal startup.
Go to the Boot tab and make sure all checkboxes are unchecked. Click the OK button.
Click Restart button in the confirmation window.
Your computer will restart in a Normal startup mode with all drivers, applications and other components running.
Once you are in Safe Mode with Networking, launch your web browser and download trusted anti-virus or anti-malware software to scan your PC for Potato’s malicious files and processes. If you don’t want to purchase an anti-malware license, you can simply scan your system and then manually remove the detected malicious files.
You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.
Right-click Start button and go to Control Panel.
Select Appearance and Personalization settings in the Control Panel (view by: Category).
Next, go to File Explorer Options –> Show hidden files and folders.
Click View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click OK button.
Don’t forget to restore previous system settings once you get rid of ransomware threat.
Remove malicious files installed by ransomware
Once an exploit kit infiltrates your computer, it downloads and installs the ransomware files on your system.
You should manually check the following system folders for batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could have been created by the ransomware:
- %TEMP%
- %APPDATA%
- %ProgramData%
- %UserProfile%
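The folder check above (and the identical one in the Windows 10 section) can be scripted so the candidate files are reviewed with their hashes and Authenticode status instead of being picked out of a raw directory listing. The following PowerShell script is an added example, not part of the original guide; the 14-day creation window, the report path and the parameter names are assumptions, and the script deletes nothing.

```powershell
# Added example, not from the original guide. List batch, bitmap, DLL and executable files
# created recently in the folders the guide names, with SHA-256 and Authenticode status,
# and write them to a report for review. Nothing is deleted by this script.
# Assumptions: elevated PowerShell 5.1+ on Windows; the 14-day window and report path
# are chosen defaults to adjust.
param(
    [int]$Days = 14,
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\dropped-files.csv')
)

# The four locations from the guide. %UserProfile% is listed without recursion because
# recursing it would walk %APPDATA% and %TEMP% (which live under it) a second time.
$locations = @(
    @{ Path = $env:TEMP;        Recurse = $true  },
    @{ Path = $env:APPDATA;     Recurse = $true  },
    @{ Path = $env:ProgramData; Recurse = $true  },
    @{ Path = $env:USERPROFILE; Recurse = $false }
)
$extensions = @('.cmd', '.btm', '.bat', '.bmp', '.dll', '.exe')
$since = (Get-Date).AddDays(-$Days)

$findings = @(foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    $gciArgs = @{ LiteralPath = $loc.Path; File = $true; Force = $true; ErrorAction = 'SilentlyContinue' }
    if ($loc.Recurse) { $gciArgs['Recurse'] = $true }
    Get-ChildItem @gciArgs |
        Where-Object { $extensions -contains $_.Extension.ToLower() -and $_.CreationTime -ge $since } |
        ForEach-Object {
            # Authenticode is meaningful for .exe/.dll; scripts and bitmaps simply show
            # NotSigned or UnknownError, which is fine for sorting purposes.
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeBytes = $_.Length
                Signature = [string]$sig.Status
                Signer    = $signer
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
})

# Unsigned files that appeared most recently in user-writable folders sort to the top.
$ordered = $findings | Sort-Object @{ Expression = { $_.Signature -ne 'Valid' } }, Created -Descending
$ordered | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8
$ordered | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Created, Signature, Path -AutoSize
"Report with $($findings.Count) file(s) written to $Report"
```

The SHA-256 column is what you upload or search for in ID Ransomware or VirusTotal (Step 3) before deciding whether a file is part of the infection; a valid Authenticode signature from a known vendor is a reason to leave a file alone, while an unsigned executable that appeared in %TEMP% on the day of the infection is a strong candidate for quarantine.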
Clean your Windows Registry (for experienced users only)
It’s strongly recommended to clean your Windows Registry to remove all entries associated with ransomware infection. Windows Registry contains all the settings and information for the software applications and user accounts in your Windows operating system. You need to launch Registry Editor utility to make changes to registry.
Press Windows + R and type regedit or regedit.exe into the Open: field. Click the OK button or press Enter.
When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.
Once Registry Editor is open, you need to find and remove the registry keys and values created by the ransomware.
Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.
Look up the names of the files associated with the ransomware affecting your PC and type each into the “Find what:” text box. Select all checkboxes and then click the Find Next button.
Right-click on the located registry entry and click Delete from the context menu. Repeat this process for each of the registry entries associated with the malware or adware.
Click Yes button in the confirmation window.
Check the following autostart registry keys for suspicious entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Next, check HKEY_CURRENT_USER for the same kind of suspicious entries.
To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
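As an added example (not the guide’s own code) for this registry check and the matching one in the Windows 10 section, the following PowerShell script lists every value in the keys above under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, reads the Winlogon Userinit value, and flags entries that launch from user-writable folders or that differ from the default userinit.exe path. The folder watch-list is a constructed assumption; nothing is deleted, so confirmed entries are still removed in Registry Editor as described.

```powershell
# Added example, not from the original guide. Enumerate the autostart registry locations
# the guide lists (and their HKCU counterparts), plus Winlogon's Userinit value, and flag
# entries that launch from user-writable folders or that alter the default Userinit.
# Review only: nothing is deleted; confirmed entries are removed in Registry Editor.
# Assumption: elevated PowerShell 5.1+ on Windows; the folder watch-list is constructed.
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
$hives = @('HKLM:', 'HKCU:')

# Folders that legitimate autostart entries rarely launch from (constructed watch-list).
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Test-SuspectPath {
    param([string]$Command)
    # Expand %VAR% references and drop a leading quote before the prefix comparison.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim().TrimStart('"').ToLower()
    foreach ($root in $suspectRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$entries = @(foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        # RunServices / RunServicesOnce normally do not exist on Windows 8.1/10; skip absent keys.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Command = $value
                Suspect = Test-SuspectPath $value
            }
        }
    }
})

# Userinit should be exactly "<SystemRoot>\system32\userinit.exe," ; anything appended after
# the comma is an extra program that Winlogon starts at every logon.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = [string](Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$entries += [pscustomobject]@{
    Key     = $winlogon
    Name    = 'Userinit'
    Command = $userinit
    Suspect = ($userinit.Trim().ToLower() -ne $expected.ToLower())
}

$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Key, Name, Command -AutoSize -Wrap
```

Entries flagged Suspect are the ones to look up by file name in the Registry Editor Find dialog; a Run value pointing at an executable in %APPDATA% or %TEMP% that was created on the day of the infection is the typical ransomware persistence entry, whereas values installed by well-known software usually point into Program Files.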
Potato removal using Safe Mode with Command Prompt
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.
This method works only if the System Protection feature is enabled on your Windows 8 computer. You can find more information about the System Protection feature in the following article on our website.
Method 1: Using Windows 8 search engine
Click Windows start button to open Start screen. Type Advanced in the Search field and select Change advanced startup options.
Go to Update and recovery –> Recovery and click Restart now button.
Once your computer restarts successfully, you will see a window with three options available. Select Troubleshoot option.
Next, select Advanced options.
Choose Startup Settings in the advanced options.
Click Restart button.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.
After your computer restarts, a Command Prompt window will open. Type rstrui.exe and press Enter to launch System Restore. (Many guides first type cd restore; that step is harmless but unnecessary, because rstrui.exe lives in C:\Windows\System32, which is already on the search path.)
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Method 2: Using Lock Screen
If other start methods don’t work on your computer, you can try to reboot into Safe Mode with Command Prompt using the following manual.
Note that you must be able to reach the Windows sign-in (lock) screen, where the password field is shown.
Click Power icon in the bottom-right corner, then hold Shift key and click Restart.
Select Troubleshoot in the Choose an options window.
Next, choose Advanced options.
Choose Startup Settings in the Advanced options.
Click Restart button to reboot your PC.
Your computer will be restarted once again. You will see the Startup Settings window with different advanced troubleshooting modes.
Select Enable Safe Mode with Command Prompt and press F6 to activate this mode.
After your computer restarts, a Command Prompt window will open. Type rstrui.exe and press Enter to launch System Restore. (Many guides first type cd restore; that step is harmless but unnecessary, because rstrui.exe lives in C:\Windows\System32, which is already on the search path.)
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Windows 7
Removal Instructions for Windows 7 Users
Potato removal using Safe Mode with Networking
Why choose this reboot method instead of the common Safe Mode? Safe Mode with Networking lets you access the Internet to download the tools you need to remove Potato ransomware from your PC, while still keeping most non-essential services and autostart programs from loading.
You can start Windows 7 in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.
Method 1: Using Advanced Boot Options menu
On a newer computer with UEFI firmware and an SSD, Windows may boot too quickly for F8 (or Shift+F8) to be detected, so this method may not work for you.
Restart your computer.
While your PC restarts, immediately press and hold F8 key.
Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen. Hit Enter key.
Your computer will boot into safe mode: the desktop background is black and the words “Safe Mode” appear in all four corners.
Method 2: Using Run (msconfig.exe) utility
This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.
Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.
Go to the Boot tab. Check the Safe boot box and select the Network option below it. Click the OK button.
Click Restart button in the confirmation window.
Your computer will boot into safe mode: the desktop background is black and the words “Safe Mode” appear in all four corners.
Turn off Safe Mode with Networking
If you used Method 2 (through Windows + R –> Run –> msconfig) to start Windows in safe mode with networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.
Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click OK button or hit Enter.
Go to the General tab and select Normal startup.
Go to Boot tab and check whether all checkboxes are unchecked. Click OK button.
Click Restart button in the confirmation window.
Your computer will restart in a Normal startup mode with all drivers, applications and other components running.
Once you are in Safe Mode with Networking, launch your web browser and download trusted anti-virus or anti-malware software to scan your PC for Potato’s malicious files and processes. If you don’t want to purchase an anti-malware license, you can scan your system with a free scanner and then manually remove the detected malicious files.
You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.
Click Start button and go to Control Panel.
Select Appearance and Personalization settings in the Control Panel (view by: Category).
Click Folder Options –> Show hidden files and folders (Windows 7 calls this dialog Folder Options, not File Explorer Options).
Click View tab, and then select Show hidden files, folders, or drives in the list. Scroll down and un-check the Hide extensions for known file types box. Click OK button.
Don’t forget to restore previous system settings once you get rid of ransomware threat.
Remove malicious files installed by ransomware
Once the dropper (an exploit kit, a malicious e-mail attachment or a trojanized download) has run on your computer, it downloads and writes the ransomware’s files onto your system, usually into folders a normal user can write to.
You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:
- %TEMP%\
- %APPDATA%\ (and %LOCALAPPDATA%\, the other per-user application-data folder droppers commonly use)
- %ProgramData%\
- %UserProfile%\
Clean your Windows Registry (for experienced users only)
It’s strongly recommended to clean your Windows Registry of all entries associated with the ransomware infection. The Windows Registry holds the settings and configuration of the software and user accounts on your Windows system, so a wrong deletion can break it: before you change anything, export a backup (File –> Export, Export range: All) that you can import again if something goes wrong. You need the Registry Editor utility to make the changes.
Press Windows + R and type regedit (or regedit.exe) into the Open: field. Click the OK button or press Enter.
When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.
Once Registry Editor is open, find and remove the keys and values created by the ransomware.
Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.
Type the name of a file associated with the ransomware into the “Find what:” text box, one name at a time. Select all three checkboxes (Keys, Values, Data) and click Find Next; press F3 to jump to the next match.
Right-click the located registry entry and click Delete from the context menu. Repeat this for each entry associated with the malware.
Click Yes button in the confirmation window.
Check the following autostart registry keys for suspicious values (the data of each value is the command line Windows runs at logon, so look closely at anything that points into %TEMP%, %APPDATA%, %ProgramData% or another folder a normal user can write to):
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (legacy Windows 9x-era key, normally absent on NT-based Windows)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (legacy, as above)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (a single value; on a clean system its data is C:\Windows\system32\userinit.exe, with nothing after the comma)
- On 64-bit Windows, also HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, the 32-bit view of the Run key.
- Next, the same Run and RunOnce keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, which hold the per-user autostart entries.
To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
Potato removal using Safe Mode with Command Prompt
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.
This method works only if the System Protection feature is enabled on your Windows 7 computer. You can find more information about the System Protection feature in the following article on our website.
Method 1: Using Advanced Boot Options menu
Restart your computer.
During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use arrow keys to select Safe Mode with Command Prompt from the list.
Hit Enter key.
After your computer restarts, a Command Prompt window will open. Type rstrui.exe and press Enter to launch System Restore. (Many guides first type cd restore; that step is harmless but unnecessary, because rstrui.exe lives in C:\Windows\System32, which is already on the search path.)
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Finish button to confirm your restore point.
Click Yes button in the confirmation window.
Windows XP
Removal Instructions for Windows XP Users
Potato removal using Safe Mode with Networking
Why choose this reboot method instead of the common Safe Mode? Safe Mode with Networking lets you access the Internet to download the tools you need to remove Potato ransomware from your PC, while still keeping most non-essential services and autostart programs from loading.
You can start Windows XP in Safe Mode with Networking using one of the easy methods below. Depending on the type of ransomware, one of the described start methods may not work properly.
Method 1: Using Windows Advanced Options Menu
On a newer computer with UEFI firmware and an SSD, Windows may boot too quickly for F8 (or Shift+F8) to be detected, so this method may not work for you.
Restart your computer.
While your PC restarts, immediately press and hold F8 key.
Use the arrow keys to highlight Safe Mode with Networking on the Advanced Boot Options screen.
Hit Enter key. If you have multiple operating system installed, select Windows XP and press Enter key.
Your computer will boot into safe mode: the desktop background is black and the words “Safe Mode” appear in all four corners.
Click Yes button to proceed to work in safe mode.
Method 2: Using Run (msconfig.exe)
This is the quickest method to start Windows in Safe Mode with Networking. However, in some cases this start method may not work properly due to malware activity.
Press Windows + R keys. Type msconfig or msconfig.exe in the Open field. Click OK button or hit Enter key.
Go to the BOOT.INI tab. Check the /SAFEBOOT box and select NETWORK next to it. Click the OK button.
Click Restart button in the confirmation window.
Your computer will boot into safe mode: the desktop background is black and the words “Safe Mode” appear in all four corners.
Turn off Safe Mode with Networking
If you used Method 2 (through Windows + R –> Run –> msconfig) to start Windows in safe mode with networking, you need to turn this safe mode off in order to return your PC to a Normal startup mode. Otherwise, your PC will continue to automatically boot into Safe Mode with Networking.
Press Windows + R and type msconfig or msconfig.exe in the Open: field. Click OK button or hit Enter.
Go to the General tab and select Normal startup – load all device drivers and services.
Go to BOOT.INI tab and check whether all checkboxes are unchecked. Click OK button.
Click Restart button in the confirmation window.
Click Yes button to continue restarting.
Your computer will restart in a Normal startup mode with all drivers, applications and other components running.
Once you are in Safe Mode with Networking, launch your web browser and download trusted anti-virus or anti-malware software to scan your PC for Potato’s malicious files and processes. If you don’t want to purchase an anti-malware license, you can scan your system with a free scanner and then manually remove the detected malicious files.
You may need to see hidden files and folders to delete all the malicious files. Follow the steps below to display hidden files, folders and file extensions.
Click Start button and go to Control Panel.
Select Folder Options settings in the Control Panel.
Click the View tab, select Show hidden files and folders in the list, then scroll down and uncheck Hide extensions for known file types. Click the OK button.
Don’t forget to restore previous system settings once you get rid of ransomware threat.
Remove malicious files installed by ransomware
Once the dropper (an exploit kit, a malicious e-mail attachment or a trojanized download) has run on your computer, it downloads and writes the ransomware’s files onto your system, usually into folders a normal user can write to.
You should manually check the following system folders for the batch (.cmd, .btm, .bat), bitmap (.bmp), DLL (.dll) and executable (.exe) files that could be created by the ransomware virus:
- %TEMP%\
- %APPDATA%\
- %ProgramData%\ (this folder exists only on Windows Vista and later; on Windows XP check %ALLUSERSPROFILE%\ instead)
- %UserProfile%\
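Rather than browsing those folders by hand, you can have PowerShell list the candidates. The script below is an added example and is not part of the original guide; it also serves the identical checklists in the Windows 8 and Windows 7 sections above. It lists every batch, bitmap, DLL and executable file created in those folders within a chosen number of days, with its SHA-256 hash (for looking up on a malware database) and its Authenticode signature status, and it deletes nothing. It assumes PowerShell 2.0 or later, which is built into Windows 7 and 8 and can be installed on Windows XP SP3 through the Windows Management Framework; the seven-day default is an assumption you should set to the day the encrypted files appeared.

```powershell
# Added example, not part of the original guide. Read-only triage of the folders the guide
# tells you to inspect. Requires PowerShell 2.0+ (Windows 7/8; installable on XP SP3).
param(
    [int]$Days = 7   # assumption: how far back to look; set it to the day the encrypted files appeared
)

# %ProgramData% and %LOCALAPPDATA% do not exist on Windows XP, so drop empty entries.
$folders = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ } | Select-Object -Unique
$extensions = @('.cmd', '.btm', '.bat', '.bmp', '.dll', '.exe')
$since = (Get-Date).AddDays(-$Days)

function Get-Sha256([string]$Path) {
    # Hash the file for a malware-database lookup; locked or unreadable files are reported as such.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
        } finally { $stream.Close() }
    } catch { return 'unreadable' }
}

$hits = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $extensions -contains $_.Extension.ToLower() -and
            $_.CreationTime -ge $since
        } |
        ForEach-Object {
            # "NotSigned" in a user-writable folder is not proof of malware, but it is the first
            # thing to look at; a valid signature from a vendor you know usually rules a file out.
            New-Object PSObject -Property @{
                Created   = $_.CreationTime
                Size      = $_.Length
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Sha256    = Get-Sha256 $_.FullName
                Path      = $_.FullName
            }
        }
}

# %TEMP% and %APPDATA% sit inside %UserProfile%, so the same file can be found twice; dedupe by path.
$hits | Sort-Object Path -Unique | Sort-Object Created -Descending |
    Format-Table Created, Size, Signature, Sha256, Path -AutoSize
```

Save it as a .ps1 file and run it from a PowerShell prompt (you may need Set-ExecutionPolicy RemoteSigned -Scope Process first). Treat the list as leads: check each unsigned or unfamiliar file’s hash against a malware database before deleting it, and move suspect files to a quarantine folder rather than deleting them outright, since the decryptor files the ransomware leaves on the Desktop are needed if you later obtain a key.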
Clean your Windows Registry (for experienced users only)
It’s strongly recommended to clean your Windows Registry of all entries associated with the ransomware infection. The Windows Registry holds the settings and configuration of the software and user accounts on your Windows system, so a wrong deletion can break it: before you change anything, export a backup (File –> Export, Export range: All) that you can import again if something goes wrong. You need the Registry Editor utility to make the changes.
Press Windows + R and type regedit (or regedit.exe) into the Open: field. Click the OK button or press Enter.
When you open the Registry Editor for the first time, you’ll see a treeview on the left-hand side that contains all of the registry keys, with values and data on the right-hand side.
Once Registry Editor is open, find and remove the keys and values created by the ransomware.
Press Ctrl + F (or go to Menu –> Edit –> Find) to open the Find bar.
Type the name of a file associated with the ransomware into the “Find what:” text box, one name at a time. Select all three checkboxes (Keys, Values, Data) and click Find Next; press F3 to jump to the next match.
Right-click the located registry entry and click Delete from the context menu. Repeat this for each entry associated with the malware.
Click Yes button in the confirmation window.
Check the following autostart registry keys for suspicious values (the data of each value is the command line Windows runs at logon, so look closely at anything that points into %TEMP%, %APPDATA% or another folder a normal user can write to):
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (legacy Windows 9x-era key, normally absent on NT-based Windows)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (legacy, as above)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (a single value; on a clean system its data is C:\Windows\system32\userinit.exe, with nothing after the comma)
- Next, the same Run and RunOnce keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, which hold the per-user autostart entries.
To remove all traces of ransomware, you need to delete the malicious registry keys associated with it.
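Searching Registry Editor by hand only finds entries whose names you already know. The PowerShell script below is an added example, not part of the original guide, and covers the same registry checklist in the Windows 8 and Windows 7 sections above. It dumps every value under the Run, RunOnce, RunServices and RunServicesOnce keys of both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (plus the 32-bit Wow6432Node view on 64-bit Windows), flags entries whose command line points into a user-writable folder, and warns if the Winlogon Userinit or Shell values have been altered. It only reads the registry; the list of user-writable folders it checks is an assumption you can extend. Run it from an elevated PowerShell (2.0 or later) so every key is readable.

```powershell
# Added example, not part of the original guide. Read-only dump of the autostart locations
# listed above, from both HKLM and HKCU, flagging launchers that live in user-writable folders.
# Requires PowerShell 2.0+; run it from an elevated prompt so every HKLM key is readable.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',        # legacy (Windows 9x era)
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',    # legacy (Windows 9x era)
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'     # 32-bit view on 64-bit Windows
)
# PowerShell attaches these note properties to every Get-ItemProperty result; they are not registry values.
$metaProperties = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Assumption: folders a standard user can write to. A launcher living here deserves a second look.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ }

function Test-UserWritable([string]$Command) {
    # Value data is a command line that may use %VAR%; expand it before comparing paths.
    $expanded = [System.Environment]::ExpandEnvironmentVariables($Command).ToLower()
    foreach ($dir in $userWritable) {
        if ($expanded.Contains($dir.ToLower())) { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $runKeys) {
            $key = "${hive}:\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($metaProperties -contains $prop.Name) { continue }
                New-Object PSObject -Property @{
                    Suspicious = Test-UserWritable ([string]$prop.Value)
                    Key        = $key
                    Name       = $prop.Name
                    Command    = [string]$prop.Value
                }
            }
        }
    }
}

# Winlogon holds two values malware likes to hijack. On a clean system Userinit is the
# userinit.exe path followed by a comma and nothing else, and Shell is just explorer.exe.
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($winlogon.Userinit -ne $expectedUserinit) {
    Write-Warning "Userinit is '$($winlogon.Userinit)', expected '$expectedUserinit'"
}
if ($winlogon.Shell -ne 'explorer.exe') {
    Write-Warning "Shell is '$($winlogon.Shell)', expected 'explorer.exe'"
}

Get-AutostartEntries | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Key, Name, Command -AutoSize
```

A Suspicious flag is a lead, not a verdict: some legitimate updaters also start from AppData. Check the file the command line points to (signature, vendor, creation date) before deleting the value, and export the key from Registry Editor first so you can restore it.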
Potato removal using Safe Mode with Command Prompt
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore using Safe Mode with Command Prompt.
This method works only if System Restore is turned on (Control Panel –> System –> System Restore tab; Windows XP does not have the separate System Protection feature of later versions). You can find more information about it in the following article on our website.
Method 1: Using Windows Advanced Options Menu
Restart your computer.
During your PC boot process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then use arrow keys to select Safe Mode with Command Prompt from the list.
Hit Enter key. If you have multiple operating system installed, select Windows XP and press Enter key.
After your computer restarts, a Command Prompt window will open. Type C:\Windows\system32\Restore\rstrui.exe and press Enter (on Windows XP the System Restore program lives in this Restore subfolder, not in System32 itself).
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Next button to confirm your restore point.
Potato removal using Normal Startup mode
When your computer works in normal mode, all the drivers, software and network services will be started and run as usual. You can try to perform a System Restore in normal startup mode.
Method 1: Using the Start Menu
Click Start button and then click All Programs option. Go to: Accessories –> System Tools –> System Restore.
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Next button to confirm your restore point.
Wait until the restoration process is complete and click OK button.
Method 2: Using Run (rstrui.exe) utility
Below is another quick way to start and use System Restore without reboot into Safe Mode. However, some versions of ransomware may block important operating system features, so this method may not work on all computers.
Press Windows + R. Type C:\Windows\system32\Restore\rstrui.exe in the Open field and click OK to start System Restore (you must be logged on with an administrator account; the Run dialog does not elevate a limited user).
Check if System Restore window opens and click Next button to continue.
Select a restore point with the date prior to malware infection and click Next button.
Click Next button to confirm your restore point.
Wait until the restoration process is complete and click OK button.
After restoring your PC to a previous date, download and scan your computer with recommended anti-malware software to remove any remaining Potato ransomware files.
Restore previous versions of the files encrypted by Potato ransomware
To restore files encrypted by ransomware, try the Windows Previous Versions feature: right-click the encrypted file’s folder, choose Properties –> Previous Versions, and open a version dated before the infection. It is available in Windows Vista and Windows 7 (Windows 8 removed the Previous Versions tab from File Explorer; use the ShadowExplorer tool described below instead) and only works if System Protection (System Restore) was enabled, because the previous versions are read from Volume Shadow Copies. Notice: many ransomware families delete all shadow copies before encrypting (typically with the command vssadmin delete shadows /all /quiet), so this method may not work on your computer; running vssadmin list shadows from an elevated command prompt tells you whether any copies are left.
Please check out our “How to Restore Previous Versions of a File” step-by-step guide for more information.
Recover your files using ShadowExplorer program
You can also try third-party software to recover files deleted, damaged or encrypted by a ransomware attack. We recommend installing ShadowExplorer version 0.9 – this tool is free and user-friendly. ShadowExplorer lets you browse the Shadow Copies of your files created by the Windows Volume Shadow Copy Service and copy out an earlier version. Notice: some types of ransomware are known to remove Shadow Volume Copies, so this method may not work on your computer.
Please read our ShadowExplorer installation and user’s guide for additional information about this useful application.
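Both methods above depend on a shadow copy that still holds the unencrypted file. The PowerShell script below is an added example, not part of the original guide or of the ShadowExplorer tool: given the path of one encrypted file, it strips the extension the ransomware appended (the .potato suffix is an assumption in the script; change $suffix if your files carry a different one), walks the shadow copies of that drive from newest to oldest, and copies the first pre-encryption version it finds to a recovery folder on your Desktop. It assumes an elevated PowerShell (2.0 or later) on Windows Vista, 7 or 8 (Windows XP keeps no local shadow copies of user files) and that the file was encrypted in place, so that its original name still exists in older snapshots.

```powershell
# Added example, not part of the original guide. Looks through Volume Shadow Copies, newest
# first, for a pre-encryption copy of one file and copies it out. Needs an elevated PowerShell
# (2.0+) on Windows Vista/7/8; Windows XP keeps no local shadow copies of user files.
param(
    # Assumption: full path of the encrypted file, e.g. C:\Users\You\Documents\report.docx.potato
    [Parameter(Mandatory = $true)][string]$EncryptedFile,
    [string]$OutputFolder = (Join-Path $env:USERPROFILE 'Desktop\recovered')
)

$suffix = '.potato'   # assumption: the extension the ransomware appended
if (-not $EncryptedFile.ToLower().EndsWith($suffix)) {
    throw "Expected a path ending in $suffix, got: $EncryptedFile"
}
$original = (Resolve-Path -LiteralPath $EncryptedFile).Path
$original = $original.Substring(0, $original.Length - $suffix.Length)   # name before encryption
$root     = [System.IO.Path]::GetPathRoot($original)                    # e.g. C:\
$relative = $original.Substring($root.Length)                           # path below the root

# Map volume device IDs (\\?\Volume{...}\) to drive letters so only copies of this drive are mounted.
$driveByVolume = @{}
Get-WmiObject Win32_Volume | ForEach-Object { if ($_.DriveLetter) { $driveByVolume[$_.DeviceID] = $_.DriveLetter } }
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $driveByVolume[$_.VolumeName] -eq $root.TrimEnd('\') } |
    Sort-Object InstallDate -Descending    # DMTF timestamps sort correctly as strings

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $root; the ransomware may have deleted them (see: vssadmin list shadows)."
    return
}

$recovered = $false
foreach ($shadow in $shadows) {
    # A shadow copy is a device object; a directory symlink (note the trailing backslash) makes it browsable.
    $link = Join-Path $env:TEMP ('shadow_' + $shadow.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (Test-Path -LiteralPath $candidate) {
            if (-not (Test-Path -LiteralPath $OutputFolder)) {
                New-Item -ItemType Directory -Path $OutputFolder | Out-Null
            }
            $dest = Join-Path $OutputFolder ([System.IO.Path]::GetFileName($original))
            Copy-Item -LiteralPath $candidate -Destination $dest
            $taken = $shadow.ConvertToDateTime($shadow.InstallDate)
            Write-Host "Recovered '$dest' from the shadow copy taken $taken"
            $recovered = $true
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null      # rmdir on a directory symlink removes only the link
    }
    if ($recovered) { break }
}
if (-not $recovered) {
    Write-Warning "No shadow copy contains $original; it may have been created after the last snapshot."
}
```

Save it as, for example, Recover-FromShadow.ps1 and run it as .\Recover-FromShadow.ps1 -EncryptedFile 'C:\Users\You\Documents\report.docx.potato'. If vssadmin list shadows shows no copies, the script stops immediately; nothing in it can bring back a deleted snapshot, which is why the prevention advice below matters more than any recovery tool.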
How to Prevent Ransomware Attacks?
Security Tips to Protect Your Computer against Ransomware:
- Back up your important data regularly to an external hard drive and/or a cloud service, and keep at least one copy disconnected or versioned: ransomware also encrypts any attached drive and mapped share it can write to.
- Turn on System Restore feature in your operating system.
- Disable macros in Microsoft Office suite (Word, Excel, PowerPoint, etc.).
- Install a Microsoft Office viewer to check a downloaded Word or Excel document without macros.
- Configure your webmail to automatically block attachments with extensions like .exe, .vbs, and .scr.
- Don’t open attachments in emails that look suspicious.
- Don’t click any links in spam and suspicious emails.
- Don’t click suspicious hyperlinks and don’t open adult photos or videos received in social networks or instant messengers.
- Patch your Windows operating system regularly.
- For daily use, don’t use Windows user account with administrative privileges.
- Enable the “Show file extensions” option so you can see what type of file you are opening. Stay away from suspicious files with extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Ransomware files often appear to have two extensions – e.g., “.pdf.exe”, “.avi.exe” or “.xlsx.scr” – so pay attention to files of this sort.
- Restrict Windows PowerShell for users who don’t need it (for example with AppLocker); many ransomware droppers use it to download and launch their payload.
- Disable Windows Script Host (WSH) technology.
- Use the Group Policy or Local Security Policy editor to create Software Restriction Policies that block executable files from running out of AppData, LocalAppData, Temp and ProgramData (the folders a standard user can write to, and where droppers place their payload).
- Disable or restrict file sharing and mapped network drives so that an infection stays confined to the infected PC; ransomware encrypts every share the logged-on user can write to.
- Disable Remote Desktop (RDP) if you don’t need it, and never expose it directly to the Internet.
- Switch off unused Bluetooth or infrared ports.
- Keep the Windows Firewall turned on and properly configured.
- Use a trusted ransomware-blocking anti-malware software and keep its database up-to-date.
- Keep your web browsers up-to-date.
- Remove outdated and unnecessary browser extensions, plugins and add-ons.
- Keep Adobe Flash Player, Java, and other important software up-to-date.
- Always scan compressed or archived files for viruses before opening them.
- Use strong passwords that can’t be easily brute-forced.
- Install an ad-blocking browser extension such as Adblock Plus to block pop-up ads and fake warnings, since malicious ads are also used to deliver ransomware exploits.
- Turn off AutoPlay so that nothing starts automatically from an external drive such as a USB memory stick or external hard disk.
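Several of the tips above are plain registry settings, so they can be audited and enforced from a script. The PowerShell script below is an added example, not part of the original guide: it checks, and with the -Apply switch sets, the values behind “Show file extensions” and hidden files, disabling Windows Script Host, turning off AutoPlay for every drive type, and disabling macros in Word, Excel and PowerPoint for the Office versions actually installed. The list of Office versions and the choice of VBAWarnings = 4 (disable all macros without notification) are assumptions; run it first without -Apply to see the current state, and elevated with -Apply to change the machine-wide HKLM entries.

```powershell
# Added example, not part of the original guide. Audits (and with -Apply, sets) the registry
# values behind several prevention tips: show extensions and hidden files, disable Windows Script
# Host, disable AutoPlay for every drive type, and block Office macros. Run without -Apply first;
# run elevated with -Apply to change the HKLM entries.
param([switch]$Apply)

$checks = New-Object System.Collections.ArrayList
function Add-Check($Tip, $Key, $Name, $Want, $OnlyIfParentExists = $false) {
    $null = $checks.Add(@{ Tip = $Tip; Key = $Key; Name = $Name; Want = $Want; OnlyIfParentExists = $OnlyIfParentExists })
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Add-Check 'Show file extensions'           $explorer 'HideFileExt' 0
Add-Check 'Show hidden files and folders'  $explorer 'Hidden'      1
Add-Check 'Disable Windows Script Host'    'HKLM:\Software\Microsoft\Windows Script Host\Settings' 'Enabled' 0
Add-Check 'Disable AutoPlay on all drives' 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255
# Office macro setting: VBAWarnings 4 = disable all macros without notification. Only the
# versions actually installed are touched (assumed list: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016).
foreach ($ver in '12.0', '14.0', '15.0', '16.0') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        Add-Check "Disable macros in $app ($ver)" "HKCU:\Software\Microsoft\Office\$ver\$app\Security" 'VBAWarnings' 4 $true
    }
}

function Get-RegistryValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    # Skip Office versions that are not installed instead of creating stray keys for them.
    if ($c.OnlyIfParentExists -and -not (Test-Path (Split-Path $c.Key -Parent))) { continue }
    $current = Get-RegistryValue $c.Key $c.Name
    $ok = ($current -ne $null) -and ([int]$current -eq $c.Want)
    if ($Apply -and -not $ok) {
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Want -Type DWord
        $current = $c.Want
        $ok = $true
    }
    $state = 'CHANGE'
    if ($ok) { $state = 'OK' }
    New-Object PSObject -Property @{
        State   = $state
        Tip     = $c.Tip
        Current = $current
        Want    = $c.Want
        Value   = "$($c.Key)\$($c.Name)"
    }
}
$results | Format-Table State, Tip, Current, Want, Value -AutoSize
```

Explorer reads HideFileExt and Hidden at logon, so log off and on again after applying them; the HKCU entries affect only the current user. The Software Restriction Policy tip is deliberately not scripted here: set it through the Group Policy or Local Security Policy editor, where the path rules can be reviewed before they take effect.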