DarkLocker (Monument) Porn Ransomware (Restore Files)

This article was created to help remove the DarkLocker ransomware virus, also known as Monument ransomware, and to assist in restoring files without paying the ransom.

A ransomware infection believed to be an evolved modification of the JigSaw ransomware variant has been detected. Besides showing a lockscreen message, the DarkLocker ransomware also encrypts the files on the computers it infects. After the files are encrypted, the DarkLocker ransomware demands a payment of approximately 0.15-0.20 BTC for restoring the encrypted files. In case you have become a victim of this cyber-threat, recommendations are to read this article thoroughly.

Threat Summary

Name: DarkLocker
Type: Ransomware
Short Description: The malware encrypts user files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may witness a ransom note and “instructions” linking to a web page and a decryptor.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by DarkLocker


User Experience: Join our forum to discuss DarkLocker.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

DarkLocker Ransomware – How Does It Spread

For this ransomware infection to actually reach the computers of unsuspecting users, the creators of the virus have also engineered a plan to spread it. One scenario for spreading the ransomware is a massive spam campaign of e-mail messages sent to many users on a global scale. To do this, the cyber-criminals may have a pre-configured list of legitimate e-mail addresses. To obtain such lists, they may purchase them on the black market from someone who collects personal information by stealing it or by breaking the privacy policy of shady websites.

Then, these e-mail addresses may be loaded into a spam bot, which in its turn sends spam messages with malicious e-mail attachments, like the example below:

Once the attachment is opened, infection by DarkLocker is inevitable.

But this may not be the only way of infecting with this virus. The DarkLocker malware may spread via fake updates, programs, patches and other “software” uploaded online as well.

DarkLocker Ransomware – Activity

Once the user becomes infected, the virus may place its malicious files in the following Windows folders of great importance:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Startup%
  • %Windows%

Among the malicious files may be different types of executables as well as support modules, but the two main ones identified are named as follows:

  • can.exe
  • Winlk.exe

After this infection drops its files, it may modify the Windows Registry by adding value strings with data. The predominantly targeted Windows Registry keys are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
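A defender's way to triage these keys is to export them with `reg export` and scan the text for entries that name the two dropped executables above or that launch a program from one of the user-writable drop folders listed earlier. The following script is an added example, not code from the article or from the ransomware; the exported registry text it parses is constructed, and the user name, paths and value names in it are made up.

```python
import re

# Registry keys the article names as the persistence targets (matched case-insensitively).
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
# The two dropped executables the article identifies.
KNOWN_BAD_NAMES = {"can.exe", "winlk.exe"}
# %AppData% covers Roaming, Local, LocalLow and Startup from the article's drop list;
# all of them are writable without administrator rights.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\")

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # one REG_SZ value line in reg export output

def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in `reg export` text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # reg export escapes backslashes and quotes with a leading backslash
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def launched_exe(command):
    """Return the program path from an autorun command line, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def find_suspicious_autoruns(text):
    """Return (key, value_name, exe, reason) for autorun entries that deserve a closer look."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = launched_exe(data)
        low = exe.lower()
        if low.rsplit("\\", 1)[-1] in KNOWN_BAD_NAMES:
            hits.append((key, name, exe, "known DarkLocker file name"))
        elif any(d in low for d in SUSPICIOUS_DIRS):
            hits.append((key, name, exe, "launches from a user-writable folder"))
    return hits

# Constructed sample of `reg export` output (hypothetical user "alice"); one benign entry, two hits.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Winlk"="C:\\Users\\alice\\AppData\\Roaming\\Winlk.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\can.exe\" -q"
'''

if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_EXPORT):
        print(hit)
```

Many legitimate programs also autostart from AppData, so the second reason is a triage flag to review by hand, not a verdict.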

In addition, the DarkLocker ransomware may also delete backups, system restore points and shadow volume copies of Windows. It may also shut down critical system security processes to ensure uninterrupted file encryption.

DarkLocker Ransomware – Encryption Process

For file encryption, this virus may use one or more encryption modes, combined with a cipher, to render the files no longer openable. The DarkLocker virus may be pre-configured to encrypt only a portion of each file, so the larger the file, the more data is encrypted; this is done to speed up the encryption process. DarkLocker may target certain file types of greater importance than the average file. Such files may be:

  • Documents.
  • Images.
  • Audio files.
  • Videos.
  • Database files.
  • Other files associated with often used software.

In addition, the DarkLocker virus may also be careful to avoid encrypting files in system folders, since that may cause Windows to misbehave and even crash.

After the encryption process is complete, the ransomware has been reported by researcher Amigo A to display the following ransom note, extorting victims to pay the ransom:

Remove DarkLocker Ransomware and Restore Files Encrypted by It

Before beginning to remove this virus, recommendations are to focus on saving the files encrypted by it on another drive, preferably external.

Then, we advise you to follow the removal instructions below to help you remove DarkLocker by isolating it first. In case you feel unsure that you will remove all objects created by this virus manually, recommendations are to perform the removal automatically by downloading an advanced anti-malware program. It will detect and remove DarkLocker files automatically and protect the system against any future intrusions too.

After having removed the DarkLocker virus, recommendations are to restore your files using some alternative methods. We have mentioned several of those in step “2. Restore files encrypted by DarkLocker” below. They are designed to enable you to restore at least some of the files, until a decryptor is released for free download. In the meantime you can check this article, as we will update it if there is any development with this virus.

Manually delete DarkLocker from your computer

Note! Important notice about the DarkLocker threat: manual removal of DarkLocker requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove DarkLocker files and objects
2. Find malicious files created by DarkLocker on your PC

Automatically remove DarkLocker by downloading an advanced anti-malware program

1. Remove DarkLocker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by DarkLocker
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
