Remove Serpent Ransomware And Recover .serpent Files

Serpent is a ransomware virus that encrypts your files and demands a payment to decrypt and recover them. It uses the RSA-2048 and AES-256 encryption algorithms to make the user's files unreadable, and the encrypted files are given a .serpent extension.

UPDATE: a new .serp extension appeared in April 2017.

The ransomware is somewhat similar to other viruses of this type. It mostly spreads through email and asks for a payment in BitCoin. However, it is very aggressive since it targets more file extensions than usual (almost 900 extensions) and asks for a high amount of money. It also tries to destroy file shadow copies in order to make it even harder to recover the lost files.

This virus should be removed from your machine as soon as possible. We strongly discourage you from paying the ransom since it does not guarantee that you will receive the decryption tool. Also, the criminals will see you as a paying victim and might target your computer again in the future. There is an automatic removal and protection tool available below. It will not only remove the threat but will also secure your computer in the future. We have also included a manual removal guide for experienced Windows users. However, currently there is no decryption tool available for this ransomware so you will have to restore your files from backups or try other recovery methods. We have listed several possible recovery options at the end of this article.

Recommended Method: Download Serpent Virus Removal Tool

This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.
File name: mb3-setup.exe (56.5 MB)

What is Serpent ransomware?

This ransomware encrypts user’s files and asks for a payment in order to decrypt them. The operation is similar to other ransomware and it uses the same RSA-2048 and AES-256 algorithms found in most other viruses of such type. These algorithms make it almost impossible to find a decryption key.

The ransomware is distributed mostly through email spam as an attachment. The attachment looks like a legitimate document (for example, an invoice) and tricks users into opening it and activating the virus. It started by targeting Danish users with a file named “Sidste påmindelse for udestående faktura”. The malicious Word document states that it “was created with an older version of Microsoft Office” and asks to enable Macros. It activates immediately, downloads main infection files from a remote server and starts encrypting user files in the background.

IMPORTANT: If you believe that you have just been infected by this or any other ransomware, you should immediately turn off your computer in order to stop the encryption process and salvage as many files as possible. Common signs that encryption is currently taking place are increased CPU, RAM and hard disk space usage and a slower machine in general.

When Serpent is finished encrypting the files it changes the file extensions to .serpent and destroys the original files and shadow copies. It also creates .html and .txt files named “HOW_TO_DECRYPT_YOUR_FILES” with a ransom note inside of them. The instructions include victim’s ID consisting of 32 letters and numbers divided into four parts. The criminals provide a link to a payment site where the victim is asked to pay a ransom in BitCoins in order to gain access to the encrypted files.
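The indicators described above (the .serpent and .serp extensions and the HOW_TO_DECRYPT_YOUR_FILES notes) can be used to measure how far the encryption reached and roughly when it ran. The following PowerShell is an added example, not part of the original guide; the `$Root` scan path is an assumption, and the script only reads file metadata.

```powershell
# Added example (not from the original guide): read-only inventory of Serpent
# artifacts. Requires Windows PowerShell 3.0 or later.
$Root         = $env:USERPROFILE               # assumption: scan the current user's profile
$encryptedExt = '.serpent', '.serp'            # extensions named in this article
$noteName     = 'HOW_TO_DECRYPT_YOUR_FILES'    # ransom note name from this article

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

# Comparisons are case-insensitive by default in PowerShell.
$encrypted = @($files | Where-Object { $_.Extension -in $encryptedExt })
$notes     = @($files | Where-Object {
    $_.Name -like "$noteName*" -and $_.Extension -in '.html', '.txt'
})

"Encrypted files : {0}" -f $encrypted.Count
"Ransom notes    : {0}" -f $notes.Count

if ($encrypted.Count -gt 0) {
    $byTime = @($encrypted | Sort-Object LastWriteTime)
    $sizeMB = ($encrypted | Measure-Object -Property Length -Sum).Sum / 1MB

    # Approximation: assumes the ransomware did not preserve original timestamps.
    "First encrypted file written : {0:yyyy-MM-dd HH:mm:ss}" -f $byTime[0].LastWriteTime
    "Last encrypted file written  : {0:yyyy-MM-dd HH:mm:ss}" -f $byTime[-1].LastWriteTime
    "Total encrypted size         : {0:N1} MB" -f $sizeMB

    # Folders holding the most encrypted files, to prioritise restores from backup.
    $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -Property Count, Name -First 10 | Format-Table -AutoSize
}
```

The first write time gives a reference point when choosing a restore point or backup that predates the attack.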

Here is a typical ransom note:

================ PLEASE READ THIS MESSAGE CAREFULLY ================

Your documents, photos, videos, databases and other important files have been encrypted!
The files have been encrypted using AES256 and RSA2048 encryption (unbreakable)
To decrypt your files you need to buy the special software ‘Serpent Decrypter’.
You can buy this software on one of the websites below.
If the websites above do not work you can use a special website on the TOR network. Follow the steps below
1. Download the TOR browser
2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/
3. Follow the instructions to buy ‘Serpent Decrypter’

================ PLEASE READ THIS MESSAGE CAREFULLY ================

The payment website is called “SERPENT RANSOMWARE” and requires you to log in with your victim ID number. It states that the files have been encrypted and demands a BitCoin payment. The website provides a BitCoin address and instructions on how to make the payment.

We strongly discourage you from paying the ransom as this does not guarantee that you will recover your files. It will also leave your computer vulnerable to further attacks. We recommend using the automatic removal tool in order to stop this ransomware immediately and protect your computer. We have also prepared manual removal instructions for more experienced Windows users who feel comfortable with editing important system settings and files. However, please keep in mind that the manual method only removes the threat and does not secure your machine.

Manual Removal Instructions:

NB: Even if you follow this guide completely there might be some virus files remaining deep in the system. Therefore, we recommend using the automatic removal tool listed above. This way you will be sure that Serpent is removed completely as well as that your computer will be protected from any further threats.

Make sure you bookmark this page as a computer restart will be required. The best way to work is to open this website on a separate device while removing the threat.

Step 1:

You will need to restart the computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Safe Mode only loads the most basic features, so do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin repeatedly pressing the F8 key on the keyboard until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, begin repeatedly pressing the F8 key on the keyboard.
    If it does not work, try repeating the same procedure but this time holding the Shift key while pressing F8.
  3. Follow the instructions from Step 5 below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and click Restart with your mouse while holding it.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press the R key.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method, starting from #3.

Step 2:

Clean up your registry entries.

Hold the Windows key and press the R key.

Enter the following in the field:


Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:


Click Find Next.

If you find any registry entries that could be associated with Serpent ransomware, delete each one by right-clicking it and choosing Delete.

Repeat the search with the following search queries:


Repeat this search until no results are found anymore.

Step 3:

Clean up Windows temporary files.

You can safely remove all temporary files without posing any risk to your computer.

Hold the Windows key and press the R key.

Enter the following in the field:


Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 4:

Hold the Windows key and press the R key.

Enter the following in the field:


Click OK.

A folder will open. Look for the following file:


Delete it permanently by pressing SHIFT + DELETE.

Look for any other recently created and randomly named .exe files and delete them as well.

From the same folder navigate further to this path:

Microsoft\Windows\Start Menu\Programs\Startup

Look for the following file:


Delete it. Look for any other recently created and randomly named .vbs files and delete them as well.

Step 5:

Block virus IPs in your hosts file.

Press and hold the Windows key and press the R key.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts file will open in Notepad. Delete any IPs that are not marked with a “#” in front of them except the “ localhost” entry.

Then, at the bottom of the file, paste the following text and save it:

Step 6:

Find and delete the following file by using Windows Search (press the Windows key to open it):


Make sure it has been modified recently (at the time of the infection) and is related to the virus.
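For Step 5, it helps to keep a copy of the hosts file and to see every active mapping in one table before deleting anything, because some uncommented entries may be legitimate. The following PowerShell is an added example, not part of the original guide; the backup file name and its location on the Desktop are assumptions (the Desktop is used because Step 3 empties the temporary folder).

```powershell
# Added example (not from the original guide): back up the hosts file and list
# every active (uncommented) mapping so each one can be judged before deletion.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$desktop   = [Environment]::GetFolderPath('Desktop')
$backup    = Join-Path $desktop ("hosts.{0:yyyyMMdd-HHmmss}.bak" -f (Get-Date))  # hypothetical name
Copy-Item -LiteralPath $hostsPath -Destination $backup

$lineNo  = 0
$entries = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $lineNo++
    $active = ($line -split '#', 2)[0].Trim()    # drop the comment part of the line
    if (-not $active) { continue }               # blank or comment-only line
    $fields = $active -split '\s+'               # address followed by one or more names
    if ($fields.Count -lt 2) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        [pscustomobject]@{
            Line     = $lineNo
            Address  = $fields[0]
            HostName = $name
            # Names pointed at these addresses are blocked rather than redirected.
            Blocked  = $fields[0] -in '127.0.0.1', '::1', '0.0.0.0'
        }
    }
}

# Everything except the localhost entry is what Step 5 tells you to remove.
$review = @($entries | Where-Object { $_.HostName -ne 'localhost' })
"Backup written to $backup"
"Active non-localhost entries to review: $($review.Count)"
$review | Sort-Object Line | Format-Table -AutoSize
```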

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on separate media in case you are not able to recover the files using our methods.

Check for a Serpent decryptor here: List of currently available decryptors. Currently we have no information that such a decryptor is available, but it might be added in the future, so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold the Windows key and press the R key while holding it to open the “Run” window.

Enter the following in the field:


Click OK.

A command prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press the R key.

Enter the following in the field:


Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Try restoring earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus usually deletes shadow copies, so this step might be unsuccessful. In that case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) in our file recovery guide. This guide includes instructions on how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively, you could make a backup of all encrypted files, store it externally and wait for a Serpent decryptor to be created. New free decryptors for various ransomware appear every week, but we cannot estimate the waiting time or whether one will be created at all.
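Before working through Steps 1 to 3, you can check in one pass whether recovery is enabled and whether any restore points or shadow copies from before the attack survived. The following PowerShell is an added example, not part of the original guide; it assumes an elevated Windows PowerShell 5.1 session, and `$AttackTime` is a placeholder to replace with the time of infection.

```powershell
# Added example (not from the original guide). Run as Administrator.
$AttackTime = Get-Date    # assumption: replace with the time of infection

# Step 1: recovery setting of the default boot entry.
# No matching line means the element is not set on this entry.
bcdedit.exe /enum '{default}' | Select-String -Pattern 'recoveryenabled'

# Step 2: System Restore points created before the attack.
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Created     = $_.ConvertToDateTime($_.CreationTime)   # WMI date string to DateTime
        Sequence    = $_.SequenceNumber
        Description = $_.Description
    }
} | Where-Object { $_.Created -lt $AttackTime })

# Step 3: Volume Shadow Copies created before the attack.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -lt $AttackTime } |
    Select-Object -Property InstallDate, VolumeName, DeviceObject)

"Restore points before {0:yyyy-MM-dd HH:mm}: {1}" -f $AttackTime, $points.Count
$points  | Sort-Object Created -Descending | Format-Table -AutoSize

"Shadow copies before {0:yyyy-MM-dd HH:mm}: {1}" -f $AttackTime, $shadows.Count
$shadows | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

A count of zero for both means Steps 2 and 3 cannot succeed, and recovery has to come from backups as described in Step 4.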
