Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove .Locked4 Virus (Fantom Ransomware) and Restore Files

Attention! This article will help you remove .locked4 Virus (Fantom ransomware) effectively. Follow the ransomware removal instructions given below carefully.

The Fantom ransomware cryptovirus is back with a new variant. The virus encrypts files with more than 1200 different extensions as in the past. The newly appended extension to the encrypted files is .locked4. A ransom sum is demanded from all victims, while a ProtonMail address is given for contacting the cybercriminals – namely fixfiles@protonmail.ch. See if you can try to restore some of your files with the ways outlaid at the end of this article.

Threat Summary

Name Fantom Ransomware
Type Ransomware, Cryptovirus
Short Description The ransomware will encrypt your files and demand payment. A ProtonMail address is given as a contact – fixfiles@protonmail.ch.
Symptoms The ransomware will encrypt over 1200 files with different extensions while placing the .locked4 extension after their names. A ransom note with instructions will be shown on your screen after the encryption process is done.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Fantom Ransomware

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Fantom Ransomware.

.Locked4 Virus (Fantom Ransomware) – Infection

The latest variant of the Fantom ransomware is possible to spread in a few ways. Spam emails are believed to be the most used way for spreading this virus. A spam email like that usually is being composed of a brief description that tries to convince you that is of big importance. Furthermore, victims usually open an attached file, which is presented as useful or having more information related to the letter. Those attachments might look harmless, but upon opening, such a file can drop the payload of the virus and infect your computer. One of these files is on VirusTotal:

Websites for file-sharing or social media could be utilized to spread the Fantom ransomware variant further. The cyber crooks might have put a file containing a malicious script on those networks. Opening the file will release the payload of the ransomware, and your system will be infected shortly after. Avoid any suspicious emails, links, and files as prevention from these attacks. When you are about to open a file you downloaded, check its signatures first, along with its size and scan it with a security tool. You can read more ransomware tips for prevention in our forum.

.locked4 Virus (Fantom Ransomware) – Information

The Fantom ransomware cryptovirus is back with a newer variant. The latest iteration of the Fantom ransomware was discovered by the malware researcher Karsten Hahn.

Right after the infection, the payload file will create files on your personal computer. Those files will launch a fake update. You can see the fake Windows update screen right here below:

The screen will be locked and disallow any interaction with it or different windows. If you see the screen shown in the above image, know that your files are in the process of being locked in the background. You might be able to close the screen using the Ctrl + F4 key combination. That will not stop the encryption process. The screen is detailed and even has a percentage counter to fake the spike in activity of your disk drives – to best imitate an update.

The Fantom ransomware can create entries in the Windows Registry, that allow it to auto-start with the boot of the Windows operating system. In support of that, the ransomware will not encrypt any files which have the following extensions:

→.sys, .dll, .exe, .ico, .link, .locked4, .purge, .frozen, .tmp, .temp, dll, ini, manifest, .com, .prx, .bin, .am, .dlm, .ngr

The following folders might also be ignored along with all files inside them:

→APPDATA, ProgramData, ProgramFiles, WINDOWS, APPDATA, Appdata, Application Data, intel, nvidia, Program Files, Program Files x86, Windows, RECYCLER, Recycle.Bin, Recycler, TEMP, Temp, Microsoft, RECYCLE.BIN

After encrypting the rest of the files set in the ransomware’s code, a note with the instructions for paying the ransom will appear on your desktop. That ransom note looks the same as the one in the last variant of the cryptovirus. It is contained in a file called ”RESTORE-FILES![random symbols].hta” and looks like the following:

stf-fantom-ransomware-crypto-virus-ransom-note

The newest variant of Fantom ransomware does not set a price for paying not unlike its predecessors. The claim for the deletion of your files from its servers after a while is still there. The criminals who made it once again are using the ProtonMail encrypted mail service and a BitMessage address:

  • fixfiles@protonmail.ch
  • https://bitmsg.me BM-2cTivRoWe5eXdZAt8PqxTJ6tqaQwoaNt6t

Do NOT contact the cybercriminals asking for decryption. No guarantee exists that you will get your files back to normal and as you should know by now, that these crooks will keep making ransomware. Deciding to give them money for the potential unlocking of your files is a bad idea, because it will probably be used to build the next ransomware project. In conclusion, you might end up having your files locked again.

The latest version of the Fantom ransomware is believed to search to encrypt files with nearly 1,300 different extensions, just like before. The list is enormous, so all of those extensions are put in the below drop-down window:

Extensions List

All of the encrypted files will have one and the same extension appended to them, which is .locked4. The ransomware probably uses the RSA-2048 encryption algorithm as its past iterations. The ransomware still seems to be not decryptable.

The Fantom ransomware is very likely to delete the Shadow Volume Copies from the Windows operating system. Read below to learn of some ways in which you can try to restore some of your data.

Remove .locked4 Virus (Fantom Ransomware) and Restore Your Files

If your computer got infected with the Fantom ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance of spreading further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide provided below. To see in what ways you can try to recover your data, check the step titled 2. Restore files encrypted by Fantom ransomware.

Manually delete Fantom Ransomware from your computer

Note! Substantial notification about the Fantom Ransomware threat: Manual removal of Fantom Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Fantom Ransomware files and objects
2.Find malicious files created by Fantom Ransomware on your PC

Automatically remove Fantom Ransomware by downloading an advanced anti-malware program

1. Remove Fantom Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Fantom Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.