Remove BlackSheep Ransomware. Restore .666 files

BlackSheep ransomware virus has been spotted to be out in cyberspace by security researchers. The offensive threat modifies files stored on infected PCs and demands $500 ransom from victims. All modified files receive the malicious extension .666 and become out of reach until the decryption key is applied. The good news for all victims of BlackSheep virus is that there is a safe way to remove the threat and recover .666 files without a ransom payment.

Manual Removal Guide
Recover .666 Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD BlackSheep Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

What BlackSheep Is and How It Harms the System

BlackSheep is the name of a newly discovered ransomware virus. Ransomware is a type of computer malware that infects computer systems and demand a ransom payment from victims. BlackSheep is a data and screen locker ransomware which means it both encrypts files and blocks the access to PC screen.

Security specialists have analyzed samples of BlackSheep virus, and according to them, it is a new variant of FuckTheSystem ransomware that we reported a few weeks ago. It appears that the ransomware is activated by an executable file of the same name. So once BLACKSHEEP.exe is running on the computer the malicious code can perform various system modifications and eventually encrypt sensitive user data. In an attempt to disguise the infection process the virus is designed to display a crafted blue Windows Update screen on top of the screen. It looks suspicious, and every user should recognize the scam because of design flaws and text that differs the original presented by Windows OS.

Wait Until It’s Completed
Window Update in Progress


BlackSheep crypto virus has a built-in encryption engine in its malicious code. This functionality is activated automatically and allows the threat to modify each file which is set in its target data list. There is no information which are the specific file types encrypted by BlackSheep virus, however, we may assume that like most data locker ransomware it corrupts documents, photos, images, videos, music, archives, text files and other files that are created in commonly used file formats. Encrypted files can be recognized by the malicious extension .666 that is appended at the end of their original names.

BlackSheep ransomware virus generates a specific ransom note and locks the PC screen with it upon data encryption. The image provides information about the infection with BlackSheet ransomware as well as payment instructions for the decryption key. Hackers demand a ransom of $500 in BTC to be transferred to their bitcoin address in 54-hour time frame. There is also a button that serves as an option to contact them which is not recommendable anyway. What reads the whole ransom message is:



To facilitate the BlackSheep virus removal process victims can try two keyboard combinations that may unlock the PC screen:

Alt + Tab
Alt + F4

Distribution Techniques of BlackSheep Ransomware Virus

Most of the times hackers choose to spread the malicious BlackSheep payload via email campaigns. Malicious spam email usually has an attached file, and the text above is written in a way to trick the receiver into interaction with the file. The file may be word document with embedded malicious macros, a PDF file that contains embedded malicious Word document or another file which may hide the executable payload. In case an attachment is missing there may be a link presented in the body text. It may land users on cologne of a legitimate website that is crafted by hackers. So an unnoticed drive-by download attack may infect the PC with BlackSheep ransomware virus. Additionally, the virus may be spread via social media messages, posts and shares, file sharing services, pirated software, freeware, and advertisements.

Remove BlackSheep Ransomware and Restore Encrypted Files

WARNING! Manual removal of the BlackSheep ransomware virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

DOWNLOAD Anti-Malware Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

BlackSheep Ransomware Virus – Manual Removal Steps

Start the PC in Safe Mode with Network

This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

1. Hit the WIN Key + R

2. A Run window will appear. In it, write msconfig and then press Enter

3. A Configuration box shall appear. In it Choose the tab named Boot

4. Mark Safe Boot option and then go to Network under it to tick it too

5. Apply -> OK

Show Hidden Files

Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

1. Open My Computer/This PC

2. Windows 7

    – Click on Organize button
    – Select Folder and search options
    – Select the View tab
    – Go under Hidden files and folders and mark Show hidden files and folders option

3. Windows 8/ 10

    – Open View tab
    – Mark Hidden items option

how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

4. Click Apply and then OK button

Enter Windows Task Manager and Stop Malicious Processes

1. Hit the following key combination: CTRL+SHIFT+ESC

2. Get over to Processes

3. When you find suspicious process right click on it and select Open File Location

4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

5. Next, you should go folder where the malicious file is located and delete it

Repair Windows Registry

1. Again type simultaneously the WIN Key + R key combination

2. In the box, write regedit and hit Enter

3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Click for more information about Windows Registry and further repair help

Recover .666 Files

WARNING! All files and objects associated with BlackSheep ransomware virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

NOTE: The good news is that the security researcher Michael Gillespie has developed and released free decryption tool that can recover .666 files.

Decrypt .666 files with StupidDecrypter

1. Use present backups

2. Use professional data recovery software

Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

3. Using System Restore Point

    – Hit WIN Key
    – Select “Open System Restore” and follow the steps


4. Restore your personal files using File History

    – Hit WIN Key
    – Type restore your files in the search box
    – Select Restore your files with File History
    – Choose a folder or type the name of the file in the search bar
    – Hit the “Restore” button

Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • Was this content helpful?

    Author : Gergana Ivanova

    Gergana Ivanova is a computer security enthusiast who enjoys presenting the latest issues related to cyber security. By doing thorough researches and sharing them on BestSecuritySearch, she hopes that more victims of malware infections will be able to secure their corrupted computer systems properly and eventually recover lost files.

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *