
DeriaLock Virus Remove and Unlock Locked Screen

This article aims to help you remove DeriaLock ransomware from your computer and restore access to Windows functions.

Christmas 2016 marked the release of a new type of screenlocker infection that has locked the screens of numerous computers worldwide. The virus aims to deny access to the computer it infects by heavily modifying the Windows Registry. If you have become a victim of DeriaLock, we advise you to read the following article to become familiar with DeriaLock ransomware and learn how to remove it and regain access to your computer.

Update! There is now a decryptor tool for this ransomware! The tool was created by the malware researcher Michael Gillespie and can be downloaded from the following link, wrapped inside a .zip archive: StupidDecrypter.

Threat Summary

Name: DeriaLock
Type: ScreenLock Ransomware
Short Description: DeriaLock aims to lock you out of your files but the virus does not encrypt them.
Symptoms: Locked screen, pop-up message displayed when you try to exit it with Alt+F4.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

How Does DeriaLock ScreenLocker Infect

At this point the exact method of infection by DeriaLock is not known. However, the ransomware may use a combination of several different tools and tactics to replicate itself onto victims’ hard drives:

  • Malware obfuscators for antivirus and real-time shield evasion.
  • Spam bots to spread malicious files via e-mail as well as social media and other websites.
  • An exploit kit to connect to the C2 servers of the cyber-crooks and download the payload of DeriaLock ransomware.
  • Malicious macros embedded in either Microsoft Office or Adobe documents to cause an infection when the “Enable Content” button has been pressed.
  • Trojans or other malware that may download the payload of DeriaLock.

Once the user has opened a malicious attachment or clicked on a malicious URL, an infection may be caused, and the following file has been reported to be dropped on the victim machine:

  • SystemLock.exe in the %Startup% folder.

DeriaLock ScreenLocker – Further Analysis

After it has been launched on your computer, the DeriaLock virus obtains information from the infected computer, such as its name and other details. This information allows the malware to generate a custom MD5 hash for unique identification and execution assistance for the screenlocker.

Furthermore, the malware connects to the command and control (C&C) server to download the latest version of itself, which is located in the %Startup% directory, as mentioned above.

Once the malicious executable has run, the DeriaLock threat is programmed to modify the computer so that it locks the user out and displays its ransom note.

The screenlocker is not just an image, however; it is custom software with buttons that switch the ransom note to other languages, such as German and Spanish.

In addition, DeriaLock has some defensive features up its sleeve. BleepingComputer researchers have reported that this malware shuts down several critical Windows processes to stop you from exiting the lockscreen through programs like Task Manager, Skype, Steam and others. Here are the processes the DeriaLock screenlocker shuts down if it detects that they are open:

→ taskmgr procexp procexp64 procexp32 skype chrome steam MicrosoftEdge regedit msconfig utilman cmd explorer certmgr control cscript

When the user attempts to switch tabs, open Task Manager or perform any other activity that may exit the lockscreen, he receives the following message:

→ “Nice try mate =)
I think that is a bad decision”

Fortunately for Windows XP users and those without .NET Framework 4.5, this virus requires .NET Framework 4.5 to run and will not execute if you have a Windows version earlier than 7.

Remove DeriaLock ScreenLocker and Restore Access to Your PC

If you have become a victim of this screenlocker type of ransomware, experts advise removing it immediately and restoring access to your files. Since this is malware and its safe removal is important, you may want to use an advanced anti-malware program for the removal after entering Safe Mode on your computer, as described in the instructions below.

After removing DeriaLock, it is advisable to immediately perform an online backup and secure your files by multiple methods to protect them from further ransomware infections.

Manually delete DeriaLock from your computer

Note! Important notice about the DeriaLock threat: manual removal of DeriaLock requires interference with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DeriaLock files and objects
2. Find malicious files created by DeriaLock on your PC
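
A read-only check for step 2, added here as an example and not taken from the original article: it looks for the reported SystemLock.exe in the all-users Startup folder and in every profile's Startup folder, and lists any running process of that name. It assumes PowerShell 4.0 or later, that all user profiles sit under one parent folder, and that a running copy keeps the dropped file's name as its process name.

```powershell
# Added example: read-only check for the dropped file named in this article.
# Run from an elevated PowerShell prompt in Safe Mode. Nothing is deleted.
$fileName = 'SystemLock.exe'   # file name reported in the article

# All-users Startup folder plus the per-user Startup folder of every profile.
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
# Assumption: profiles share one parent folder (usually C:\Users).
$profileRoot = Split-Path -Parent $env:USERPROFILE
Get-ChildItem -LiteralPath $profileRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $startupDirs += Join-Path $_.FullName `
            'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

# Collect details of every match so it can be reviewed before removal.
$hits = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter $fileName -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Assumption: a running copy keeps the dropped file's name as its process name.
$procName = [IO.Path]::GetFileNameWithoutExtension($fileName)
$procs = Get-Process -Name $procName -ErrorAction SilentlyContinue

if ($hits) {
    $hits | Format-List
} else {
    "No $fileName found in any Startup folder."
}
if ($procs) {
    $procs | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
}
```

Recording the path and SHA-256 before deleting anything lets you submit the hash to your anti-malware vendor and confirm afterwards that the same file has not reappeared.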

Automatically remove DeriaLock by downloading an advanced anti-malware program

1. Remove DeriaLock with SpyHunter Anti-Malware Tool and back up your data
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
