Serpent Ransomware

Also Known As: Serpent virus
Distribution: Low
Damage level: Severe

Serpent ransomware removal instructions

What is Serpent?

Serpent is a ransomware-type virus similar to Hades Locker. The evolution of this ransomware is as follows: Zyklon - WildFire - HadesLocker - Serpent (the latest variant from this family). Cyber criminals spread this ransomware via spam emails (malicious .doc attachments containing macros that infect the system). Once infiltrated, Serpent encrypts files using the AES-256 and RSA-2048 algorithms. It also appends the ".serpent" extension to the name of each encrypted file (for example, "sample.jpg" is renamed to "sample.jpg.serpent"). Updated variants of this ransomware use the .serp or .srpx extension for encrypted files. Following successful encryption, Serpent creates two files ("HOW_TO_DECRYPT_YOUR_FILES_Dn6.txt" and "HOW_TO_DECRYPT_YOUR_FILES_Dn6.html") and places them in each folder containing encrypted files (updated variants use a README_TO_RESTORE_FILES[random characters].txt file for the ransom instructions). Both files contain an identical ransom-demand message.
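To scope an infection using the indicators named above, the following added example (not part of the original guide or of any vendor tool) walks a directory tree and reports, per folder, the files carrying Serpent's extensions and ransom-note names. The function names are hypothetical, and it assumes that the characters after the note's base name (such as "_Dn6") can differ between infections.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators listed in the description above.
ENCRYPTED_EXTENSIONS = (".serpent", ".serp", ".srpx")
# Ransom-note names. Assumption: the trailing characters (e.g. "_Dn6") may
# differ between infections, so any run of word characters is accepted.
NOTE_PATTERN = re.compile(
    r"^(HOW_TO_DECRYPT_YOUR_FILES\w*\.(txt|html)"
    r"|README_TO_RESTORE_FILES\w*\.txt)$",
    re.IGNORECASE,
)

def classify(filename):
    """Return 'note', 'encrypted' or None for a bare file name."""
    if NOTE_PATTERN.match(filename):
        return "note"
    if filename.lower().endswith(ENCRYPTED_EXTENSIONS):
        return "encrypted"
    return None

def original_name(encrypted_name):
    """Strip the appended extension to get the pre-encryption name."""
    for ext in ENCRYPTED_EXTENSIONS:
        if encrypted_name.lower().endswith(ext):
            return encrypted_name[: -len(ext)]
    return encrypted_name

def scan(root):
    """Walk root; return {folder: {'note': [...], 'encrypted': [...]}}."""
    hits = defaultdict(lambda: {"note": [], "encrypted": []})
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            kind = classify(name)
            if kind:
                hits[folder][kind].append(name)
    return dict(hits)

if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("sample.jpg.serpent", "report.docx.serp",
                     "HOW_TO_DECRYPT_YOUR_FILES_Dn6.txt", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        for folder, found in scan(root).items():
            print(folder, found)
```

Folders that contain a note but no encrypted files, or the reverse, are worth a closer look, since the guide states that a note is placed in every folder containing encrypted files.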

The spam email used to distribute Serpent contains Danish text and, thus, it is safe to assume that cyber criminals target users mainly from Denmark. Serpent's ransom-demand message informs victims of the encryption and encourages them to purchase a special decrypter by visiting Serpent's website. Be aware that RSA-2048 is an asymmetric encryption algorithm. Therefore, public (encryption) and private (decryption) keys are generated during the encryption process. Restoring files without the private key is impossible. Cyber criminals store this key on a remote server and encourage victims to pay a ransom to receive it. The cost of decryption is 0.75 Bitcoin (~$797). If, however, the ransom is not paid within seven days, the cost increases to 2.25 BTC (~$2389). Despite these threats and demands, never pay any ransom or attempt to contact these people. Research shows that criminals often ignore victims once payments are submitted. There is a high probability that paying will not deliver any positive result. Unfortunately, there are no tools capable of restoring files encrypted by Serpent and, thus, you can only restore your files/system from a backup.


The Internet is full of ransomware-type viruses, all of which are virtually identical. As with Serpent, malware such as Digisom, DUMB, CryptoShield, and many others also encrypt files and make ransom demands. In fact, there are just two major differences: 1) the type of encryption algorithm (symmetric/asymmetric) used; and 2) the cost of decryption. Ransomware-type viruses are commonly distributed using spam emails (malicious attachments), peer-to-peer (P2P) networks (torrents, eMule, etc.), third party software download sources (freeware download/free file hosting websites, etc.), fake software update tools, and trojans. Therefore, be cautious when opening files received from suspicious emails, and when downloading software from unofficial sources. Furthermore, keep your installed applications up-to-date and use a legitimate anti-virus/anti-spyware suite. The key to computer safety is caution.


Ransom-demand message presented within Serpent text and HTML files:

================ PLEASE READ THIS MESSAGE CAREFULLY ================

Your documents, photos, videos, databases and other important files have been encrypted!
The files have been encrypted using AES256 and RSA2048 encryption (unbreakable)
To decrypt your files you need to buy the special software 'Serpent Decrypter'.
You can buy this software on one of the websites below.
If the websites above do not work you can use a special website on the TOR network. Follow the steps below
1. Download the TOR browser
2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/
3. Follow the instructions to buy 'Serpent Decrypter'

================ PLEASE READ THIS MESSAGE CAREFULLY ================

Screenshots of Serpent Tor website:

"Home" page:


Text presented within this page:

Your documents, photos, videos, databases and other important files have been encrypted!

To restore your files you can buy special software 'Serpent Decrypter'
If you pay within 7 days the price is 0.75 bitcoins (~€712.5)
After 7 days the price will rise to 2.25 bitcoins (~€2137.5)
The special price will end in 6d 23h 50m 20s
Purchasing the 'Serpent Decrypter' software
The only payment method accept are Bitcoins. Below is an extensive step by step guide for buying bitcoins. If you need any more help contact our support team or search on google.
1. First you will have to create a Bitcoin (BTC) wallet. We recommend the most popular wallet (hxxps://
2. Next you will have to top up your Bitcoin wallet.
Buy 0.75 Bitcoins
We recommend the following trusted websites below to buy bitcoins (not related to us) | Many different business and private seller accepting bank transfer, paypal, western union and more | Good for EU market sofort, ideal, bancontact, mistercash, sepa, trustpay | Also good for EU market with many different payment methods | wire transfer, debit / credit cards | international wire transfer, debit / credit cards
You can find many more sellers on google
3. To receive your payment we have created an unique bitcoin address for you. Send 0.75 Bitcoins to the Bitcoin address below 12nNvHwSv4yk8LeENeZwncZb5d71fuqsVw
4. Wait for the payment to confirm (this can take up to 30 minutes). Click the refresh payment status button at the end of the page to get the latest status.
5. Once the payment is confirmed you can download "X Decrypter" from this page and decrypt your files. The page will expand and the download url and decryption key will be made visible.

"FAQ" page:


Text presented within this page:

Q: How can I decrypt my files?
A: After payment you will receive the decryption software and private key.
Q: Can I only pay with Bitcoins?
A: Yes, only payment in Bitcoins is accepted
Q: What encrypted my files?
A: Each file is encrypted with an unique password using AES256.
This unique password is stored in the file using RSA2048.
Q: Help I have another question
A: Contact our support team if you have any more questions.

"Instructions" page:


Text presented within this page:

After payment you can download the decryption software from the home page.
We guarantee all your files will be decrypted!

1. Download the decryption software from the home page.
2. Run the decryption software.
3. Copy the decryption key from the home page.
4. Paste the decryption key in the decryption software.
5. Select the folder or disk you want to decrypt.
6. Click the "Decrypt" button and wait for the succesfull completion of the decryption process.
7. WARNING! Do not turn off your PC before the process is completed!
8. Congratulations! All your files are now restored!

"Support" page:


Text presented within this page:

In case of any problems with payment, decrypting or if you have any questions. Please contact us via the form below.

Files encrypted by Serpent carry the ".serpent" extension. An updated variant of this ransomware adds the .serp extension to encrypted files.

Serpent ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options and, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu, click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window, click "Troubleshoot", then select "Advanced options". In the advanced options menu, select "Startup Settings" and click the "Restart" button. In the following window, press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Step 2

Log in to the account infected with the Serpent virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Serpent ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Serpent ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of Serpent are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Serpent, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Serpent ransomware.

HitmanPro.Alert CryptoGuard detects encryption of files and neutralises any attempts without need for user intervention.

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately, before it reaches users' files.

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.


About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
