Raptum ransomware is a file-encrypting malware variant that holds victims' personal documents, photos, and business files hostage in exchange for cryptocurrency payment. Once it infiltrates a system, it systematically encrypts files using strong cryptographic algorithms and appends a distinctive extension to affected files, making them completely inaccessible without the decryption key. Victims typically discover the infection when they can no longer open their files and find a ransom note demanding payment in Bitcoin.

Raptum Ransomware — cybersecurity illustration
Photo by cottonbro studio on Pexels

This ransomware strain belongs to the broader family of crypto-malware that has plagued home users and small businesses for years. Like similar threats, Raptum focuses on maximizing damage by targeting common file types—documents, spreadsheets, databases, images, and archives—while leaving system files intact so the victim can still read the ransom demands and potentially pay.

If you believe Raptum ransomware is currently encrypting your files: Immediately disconnect your computer from the network (unplug Ethernet, disable Wi-Fi). Power off the machine if possible. Do NOT pay the ransom—there's no guarantee you'll receive a working decryption tool. Contact Computer Repair Roswell at (770) 856-1550 before taking any other action. We may be able to stop the encryption in progress and recover some unencrypted shadow copies.

Threat Profile

Attribute Details
Family File-encrypting ransomware
Aliases Ransom:Win32/Raptum, Trojan-Ransom.Win32.Raptum
Target Platform Windows 7 through Windows 11 (32-bit and 64-bit)
Discovered Specific variant date varies; family emerged circa 2019–2020
Distribution Methods Malicious email attachments, exploit kits, RDP brute-force, fake software updates
Encryption Algorithm Typically AES-256 or RSA-2048 hybrid encryption (known for this family)
File Extension Varies by variant; commonly appends .raptum, .locked, or random string
Ransom Note Filename Varies; often HOW_TO_RECOVER_FILES.txt or README.html
Persistence Mechanism Registry Run keys, scheduled tasks; some variants disable System Restore
Data Exfiltration Some variants may upload file lists or samples before encryption
Payment Demand Typically $300–$1,500 USD in Bitcoin (amount varies by variant and target)
Removal Difficulty Moderate (malware removal straightforward; file recovery without key is extremely difficult)

How It Spreads

Raptum ransomware typically arrives through social engineering tactics that trick users into executing the malicious payload themselves. The most common infection vector remains phishing emails with malicious attachments disguised as invoices, shipping notifications, or urgent business documents. These attachments may be Office documents with malicious macros, JavaScript files masquerading as PDFs, or executable files hidden inside ZIP archives with double extensions like document.pdf.exe.

Beyond email campaigns, attackers distribute Raptum through compromised websites hosting exploit kits that target unpatched browser or plugin vulnerabilities, and through Remote Desktop Protocol brute-force attacks against small businesses that leave RDP ports exposed to the internet without proper security controls. Once attackers gain RDP access, they can manually deploy the ransomware during off-hours to maximize damage before discovery.

Additional distribution methods include:

  • Fake software updates: Pop-ups claiming your Flash Player, browser, or codec needs updating, but downloading the ransomware instead
  • Pirated software bundles: Cracked applications or key generators from torrent sites that contain the ransomware as a bonus payload
  • Malvertising campaigns: Malicious advertisements on legitimate websites that redirect to exploit kit landing pages
  • USB drives and removable media: The ransomware can spread through infected external drives when AutoRun is enabled
  • Secondary payload from other malware: Downloaders and trojan droppers that fetch and execute ransomware as their final stage

What It Does On Your Machine

When Raptum ransomware executes, it immediately begins a multi-stage attack designed to cause maximum damage while preventing recovery. The malware first checks its execution environment to ensure it's not running in a security researcher's sandbox or virtual machine—some variants will terminate if they detect analysis tools. Once it confirms a real target, it establishes persistence by creating registry entries and scheduled tasks that would reactivate the malware after reboot, though this persistence primarily serves to ensure the ransom note remains visible rather than re-encrypting files.

The ransomware then attempts to delete or disable Windows recovery options. It executes commands to remove shadow copies (the Windows backup feature that normally allows file restoration), disables System Restore points, and may even clear Windows Event Logs to frustrate forensic analysis. This scorched-earth approach to backups happens before any encryption begins, ensuring victims have fewer options for recovery without paying.

Next comes the encryption phase. Raptum scans the system for valuable file types—targeting over 150 extensions including documents (.doc, .docx, .pdf, .xls), images (.jpg, .png, .psd), databases (.sql, .mdb), archives (.zip, .rar), and other business-critical formats. It typically spares system files in Windows and Program Files directories so the operating system remains functional. The malware uses strong encryption that cannot be broken through brute-force methods. Each file receives a unique encryption key that's then encrypted with a master public key, making decryption impossible without the attacker's private key stored on their command server.

After encryption completes, Raptum drops ransom notes in multiple locations—often in every folder containing encrypted files and on the desktop. These notes provide instructions for purchasing Bitcoin and contacting the attackers through Tor-based websites or email addresses. Some variants change the desktop wallpaper to display the ransom demand prominently. The malware may also display a lock screen or pop-up window that appears on startup, preventing normal use until dismissed.

Typical Raptum Ransomware Artifacts: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\raptum.exe %LOCALAPPDATA%\Temp\{GUID}\payload.exe %USERPROFILE%\Desktop\HOW_TO_RECOVER_FILES.txt %USERPROFILE%\Documents\README_RECOVERY.html Registry persistence (varies by variant): HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Raptum HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate # Shadow copy deletion command often executed: vssadmin.exe Delete Shadows /All /Quiet wmic shadowcopy delete # Backup service manipulation: bcdedit /set {default} recoveryenabled No bcdedit /set {default} bootstatuspolicy ignoreallfailures

Manual Removal — Step by Step

01

Isolate the Infected Computer Immediately

Disconnect from all networks—unplug Ethernet cables and disable Wi-Fi. If the computer is connected to shared drives or network storage, disconnect those as well. Ransomware can spread to network shares and external drives, so isolation prevents further damage. If you have other computers on the same network, check them immediately for signs of infection.

02

Boot Into Safe Mode with Networking

Restart the computer and repeatedly press F8 (or Shift+F8 on some systems) before Windows loads. Select "Safe Mode with Networking" from the menu. This starts Windows with minimal drivers and services, which often prevents ransomware from loading while still allowing you to download necessary removal tools. On Windows 10/11, you may need to use Settings > Update & Security > Recovery > Advanced Startup instead.

03

Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes—especially those with random names, high CPU usage, or running from temporary folders. Common locations include %TEMP%, %LOCALAPPDATA%, or folders with GUID names. Note the file location before ending the process. Be cautious—terminating legitimate Windows processes can cause system instability, so research any unfamiliar process names before acting.

04

Remove Persistence Mechanisms

Open Registry Editor (type regedit in Start menu) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the same path under HKEY_LOCAL_MACHINE. Look for entries that reference suspicious executable paths you identified in the previous step. Delete these entries. Also check Task Scheduler (type taskschd.msc) for suspicious scheduled tasks and delete any that reference the malware's file locations.

05

Delete the Ransomware Binary and Associated Files

Navigate to the folder locations you identified and delete the ransomware executable and any related files. Common locations include the Temp folder, randomly-named folders in AppData\Local, or the Startup folder. You may need to enable "Show hidden files" in File Explorer options. Also delete all ransom note files (usually .txt or .html files with names like README or HOW_TO_RECOVER). Empty the Recycle Bin afterward.

06

Run Malwarebytes or Similar Reputable Scanner

Download and install Malwarebytes (free version is sufficient) or another reputable anti-malware tool like Emsisoft Emergency Kit. Update the definitions and run a full system scan. These tools have signatures for known ransomware variants and can detect remnants or associated malware you may have missed. Quarantine or delete any threats found. Consider running a second scanner like HitmanPro for confirmation.

07

Check for Free Decryption Tools

Visit No More Ransom (nomoreransom.org) or similar legitimate security vendor sites to see if a free decryptor exists for your specific Raptum variant. You'll need to identify your exact variant by the file extension added to encrypted files or the ransom note contents. Be extremely cautious—many fake "decryptors" are scams or contain additional malware. Only download from trusted security companies.

08

Attempt Shadow Copy Recovery (if not deleted)

If the ransomware failed to delete shadow copies, you may recover some files. Use Shadow Explorer (a free tool) or Windows' built-in Previous Versions feature. Right-click encrypted files or folders, select Properties, then the Previous Versions tab. If shadow copies exist, you can restore them. This is unlikely with modern ransomware variants, but worth checking before considering data loss final.

09

Change All Important Passwords

Once you're confident the system is clean, change passwords for all important accounts—especially email, banking, and any accounts whose passwords may have been saved in your browser. Do this from a different, known-clean device if possible. Some ransomware variants include keyloggers or information stealers that may have captured credentials before encryption began.

10

Reboot Normally and Verify System Stability

Restart the computer normally (not in Safe Mode) and monitor for any suspicious behavior. Check that no malicious processes restart, that Task Manager looks normal, and that no unwanted startup entries have reappeared. Run another quick scan with your anti-malware tool. If everything appears clean and stable for 24-48 hours of normal use, the active infection has been successfully removed—though encrypted files remain encrypted without the decryption key.

Prevention

  1. Maintain offline backups: Keep regular backups of important files on external drives that are disconnected from your computer when not actively backing up. Cloud backup is good, but also maintain at least one completely offline copy that ransomware cannot reach through your network connection.
  2. Keep Windows and all software updated: Enable automatic updates for Windows, browsers, and all plugins (especially Java, Adobe products, and Office). Most ransomware exploits known vulnerabilities that have been patched—staying current closes these doors.
  3. Exercise extreme caution with email attachments: Never open attachments from unknown senders. Be suspicious of unexpected attachments even from known contacts, as their accounts may be compromised. Be especially wary of Office documents that prompt you to "enable macros" or executable files masquerading as PDFs.
  4. Use reputable antivirus with real-time protection: Install quality security software that includes behavioral detection, not just signature-based scanning. Windows Defender has improved significantly and provides decent baseline protection if kept updated, but commercial solutions often offer additional ransomware-specific protections.
  5. Disable RDP or secure it properly: If you don't need Remote Desktop Protocol, disable it entirely. If you do need it, never expose it directly to the internet—use a VPN for remote access instead. If RDP must be internet-accessible, use extremely strong passwords, enable Network Level Authentication, and implement account lockout policies.
  6. Enable "Show file extensions" in Windows: In File Explorer options, uncheck "Hide extensions for known file types." This makes it much easier to spot fake files like invoice.pdf.exe that pretend to be documents but are actually executables.
  7. Limit user account privileges: Use a standard user account for daily work rather than an administrator account. Ransomware running under standard user privileges has more limited access to system files and other user accounts on the computer.
  8. Implement application whitelisting if possible: For business environments, consider using Windows AppLocker or similar tools to prevent unauthorized executables from running. This is more complex to configure but highly effective against ransomware.
Our Guarantee: When Computer Repair Roswell removes malware from your computer, it stays removed. We provide a 90-day warranty on all malware removal services. If the same infection returns within 90 days through no fault of your own (no new risky downloads, no disabled antivirus), we'll re-clean your system at no additional charge. That's our commitment to doing the job right the first time.

Bring It In

Ransomware infections are among the most stressful computer problems you can face, especially when important files are at stake. While the steps above can help remove the active infection, file recovery without the decryption key remains extremely difficult and often impossible. At Computer Repair Roswell, we've dealt with hundreds of ransomware cases over the years. We maintain relationships with security researchers and keep current on which variants have available decryptors, and we have specialized tools for attempting shadow copy recovery and damaged file system repair. We'll be honest with you about your recovery chances and never make promises we can't keep about getting your files back.

More importantly, we can help you recover from this disaster and prevent the next one. We'll clean your system thoroughly, help you set up a proper backup strategy that will actually protect you next time, and make sure your security posture is strong enough to prevent reinfection. We're located at 1394 Canton Road in Roswell, right in the heart of the community we serve. Call us at (770) 856-1550 to discuss your situation—consultation is free, and we'll give you honest advice even if that means telling you we can't help. Ransomware doesn't have to mean permanent data loss, but the sooner you act, the more options you have.