Invisible Empire Ransomware - How To Remove?


A new version of Jigsaw ransomware has been delivered. It is named after the art of Juha Arvid Helminen that endeavors to demonstrate how uniforms can disguise misdeeds. Accordingly, the new variant of Jigsaw ransomware is called Invisible Empire ransomware. Its lock screen uses the Invisible Empire theme. Seems like the developers of this new edition of Jigsaw ransomware are quite self-ironic. It is important to clarify here that the artist who created the Invisible Empire is in no way related to these hackers.

About Invisible Empire Ransomware

Invisible Empire ransomware is identical to its source ransomware. It uses AES cipher for data encryption. The data encrypted may vary from text to video files, in fact, any type of file can be corrupted. The only difference is the extension which is appended to the encrypted files, which is .payransom. The ransom required is 150 USD which should be payed in Bitcoins, the Bitcoin address is provided in the note. But it can double or even triple depending on the amount of files and the time period of the transfer. Every hour the encrypted files are threatened to be deleted and restarting the computer may result in damaging the hard drive. The ransom note is being written slowly on the lock screen at the precise time to make you flee in terror.

In the directories %AppData%\Systmd\, %LocalAppData%\Wrkms\ and %AppData%\System32Work Invisible Empire file encryptor creates the following files: systmd.exe, wrkms.exe, Address.txt and EncryptedFileList.txt. It adds the following registry entries to Windows Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wrkms.exe and %UserProfile%\AppData\Roaming\Wrkms\wrkms.exe. These registry entries launches wrkms.exe and systmd.exe files whenever the Windows starts. This is how Invisible Empire ransomware is activated.

How is Invisible Empire Ransomware Distributed?

Invisible Empire is an encoding trojan. Therefore, it spreads via infected e-mails or their attachments carrying malicious codes. These quasi official letters fall into the spam folder of your e-mail box. If you open them, you get infected with this cryptomalware. The other method of distribution is security vulnerabilities attacked by exploit kits. Such kits as Angler EK makes the computer’s system vulnerable which, in turn, invites ransomwares.

How to Decrypt Files Encrypted by Invisible Empire Ransomware?

We have good news for you. DemonSlay335 adjusted Jigsaw Ransomware decryptor to Invisible Empire ransomware. So let us begin with the decryption. Firstly, open Windows Task Manager and terminate %UserProfile%\AppData\Roaming\Wrkms\wrkms.exe and %UserProfile%\AppData\Local\Systmd\systmd.exe processes. This way you terminate the deletion processes of the ransomware. Run MSConfig and disable the startup entries related to these executables. Then, download the jigsaw decryptor at Once the JigSawDecrypter.exe file is downloaded, double-click it. When the window opens, select the directory of encrypted data and click the Decrypt My Files button. Now the decryption has begun. When it has finished, the decryptor will present you with the window stating, ‘‘Finished! Decrypted’’ and ‘‘Files Decrypted!’’. The decryption process is over. As you can see, it is really clear and simple, thus, paying the ransom would a serious mistake.

To wipe out Invisible Empire ransomware from your computer employ reputable malware removal tools such as , Malwarebytes or

Automatic Invisible Empire Ransomware removal tools

Note: Reimage trial provides detection of parasites and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.  We might be affiliated with some of these programs. Full information is available in disclosure

Manual removal


Important Note: Although it is possible to manually remove Invisible Empire Ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on

External decryptor:

About the author

 - Main Editor
I have started in 2007 after wanting to be more or less independent from single security program maker. Since then, we kept working on this site to make internet better and safer place to use.
June 3, 2016 06:22, January 4, 2017 06:11

Leave a Reply

Your email address will not be published. Required fields are marked *