Schwerer Ransomware

Schwerer Ransomware Description

The Schwerer Ransomware Trojan falls in the category of crypto-threats. The Schwerer File Encoder Trojan is designed to invade systems, lock content on local disks and removable drives connected to the machine, and present the compromised user with a ransom note offering a decryptor in exchange for 150 EUR/161 USD paid in Bitcoin. The Schwerer Ransomware belongs to the mid-tier section of the crypto-threat market, and its structure resembles that of the CryptoWire Ransomware and the UltraLocker Ransomware, since all three are written in the AutoIt programming language. The threat at hand appears to be aimed at English-speaking users, despite a name that some may associate with Germany. It is possible that a native German speaker created the Schwerer Ransomware Trojan. However, the threat may invade computers in Eastern Europe, Central Asia and North America as well.

The Schwerer Ransomware Aims to Perform a Blitzkrieg-Style Attack

The Schwerer Ransomware is named after the program window shown to users after the Trojan has finished its work. Compromised users are shown a window named 'Schwerer', which acts as the ransom notification. By the time the 'Schwerer' message appears, it is already too late to limit the damage. The Schwerer Ransomware aims to perform a blitzkrieg-style attack: the encryption process takes place in the background, and the threat locks only a limited number of data formats to minimize the chances that it is detected and deleted. The threat may encipher user-generated content like photos, family videos, music, presentations, spreadsheets, media projects on Adobe Photoshop, eBooks and text documents. Cyber security analysts reported that the Schwerer Ransomware is known to create the following files and directories:

  • "C:\Documents and Settings\\Application Data\Other\pawje.exe"
  • "C:\Documents and Settings\\Application Data\Other\awiem.bat"

The threat is reported to add a Registry key in Windows:

"HKCU\Software\Other\Schwerer"

As stated above, the Schwerer Ransomware is written using the AutoIt programming language, and that enables it to access resources from the Microsoft .NET Framework on Windows 10, 8.1 and 7. That way, the threat can run via a small file and use legitimate resources without triggering security alerts. The ransom message provided with the 'Schwerer' window reads:

'All your computer file were encrypted with AES, only we can restore your files.
How to restore files :
Files encrypted : [NUMBER OF LOCKED FILES]
1. Send email to 897698@mail2tor.com containing your personal identifier (it is below)
2. We will send you a Bitcoin address, you must send 150€ to it within 3 days.
IF YOU DO NOT UNDERSTAND BITCOIN EMAIL WILL CONTAIN INFORMATIONS
3. Once full amount is sent you email us again. (make sure to contain key)
A. We will send you key and you will paste into textbox below, that will restore files.
Your Identifier: [43 RANDOM CHARACTERS]
Restore key: [TEXT BOX]
[Restore files]'

There is a Decryptor for the Initial Release of the Schwerer Ransomware

As of writing this article, a free decryptor has been compiled by a researcher named Jiri Kropac and provided on the Internet. PC users that are infected with the Schwerer Ransomware may want to load their favorite search service and seek the decryption software by Jiri Kropac. You should note that the authors of the Schwerer Ransomware are likely to see the news regarding their product and issue an update. It is a smart move to add a reputable anti-malware shield and a backup manager to your system to block connections to pages and documents associated with the Schwerer Ransomware. A decent backup manager should allow you to protect your files and export a backup to an external drive for maximum security. AV scanners may tag the objects used by the Schwerer Ransomware as:

  • Artemis!3400D0F64623
  • Ransom_SHWERER.A
  • SCGeneric_c.AXPP
  • TR/FileCoder.opplz
  • Trojan.Generic.21128650
  • Trojan.Generic.21128650 (B)
  • 32.HfsAtITPSINF.D0B3
  • W32/Autoit.ABHUB!tr
  • Win32/Filecoder.Autoit.E

    Technical Information

    File System Details

    Schwerer Ransomware creates the following file(s):
    # File Name Size MD5 Detection Count
    1 file.exe 620,032 3400d0f64623b161fd211c0044557af8 41
    2 %APPDATA%\Other\awiem.bat 4
    3 %APPDATA%\Other\pawje.exe 3

    Registry Details

    Schwerer Ransomware creates the following registry entry or registry entries:
    Software\Other\Schwerer
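
The file, registry and hash indicators listed on this page can be checked on a suspect machine with a short PowerShell sweep. This is an added example, not code from the original article or from any vendor tool; the scan roots and the AppData\Roaming profile layout (Windows 7 and later) are assumptions.

```powershell
# Added example: sweep for the Schwerer indicators listed on this page.
# Indicator values are copied from the page; scan roots and layout are assumptions.
$DropNames = @('pawje.exe', 'awiem.bat')            # dropped under %APPDATA%\Other\
$RegSubKey = 'Software\Other\Schwerer'              # created under HKCU
$KnownMd5  = '3400d0f64623b161fd211c0044557af8'     # MD5 listed for file.exe
$ScanRoots = @($env:TEMP, "$env:USERPROFILE\Downloads")   # assumption: likely drop locations

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped files in every local profile, not only the current user's.
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
foreach ($p in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($name in $DropNames) {
        $path = Join-Path $p.FullName "AppData\Roaming\Other\$name"
        if (Test-Path -LiteralPath $path) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $path })
        }
    }
}

# 2. Registry key in every loaded user hive (HKCU only shows the current user).
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $key = "Registry::$($hive.Name)\$RegSubKey"
    if (Test-Path -LiteralPath $key) {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Indicator = $key })
    }
}

# 3. Executables in the scan roots whose MD5 matches the sample listed on the page.
Get-ChildItem -Path $ScanRoots -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($h -and $h.Hash -eq $KnownMd5) {          # -eq is case-insensitive for strings
            $findings.Add([pscustomobject]@{ Type = 'Hash'; Indicator = $_.FullName })
        }
    }

if ($findings.Count) {
    $findings | Format-Table -AutoSize
} else {
    'No Schwerer indicators found.'
}
```

Run it from an elevated prompt so that other users' profiles are readable; hives of users who are not logged on are not loaded under HKEY_USERS and are not covered by step 2.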
