DarkLocker (Monument) Porn Ransomware (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

DarkLocker (Monument) Porn Ransomware (Restore Files)

This article was created to help remove the DarkLocker ransomware virus, also known as Monument ransomware, and to assist in restoring files without paying the ransom.

A ransomware infection believed to be an evolved modification of the JigSaw ransomware variant has been detected. Besides showing a lockscreen message, the DarkLocker ransomware also encrypts the files on the computers it infects. After the files are encrypted, DarkLocker demands a payoff of approximately 0.15-0.20 BTC to restore them. If you have become a victim of this cyber-threat, we recommend reading this article thoroughly.

Threat Summary



Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may see a ransom note and “instructions” linking to a web page and a decryptor.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

DarkLocker Ransomware – How Does It Spread

For this ransomware infection to reach the computers of unsuspecting users, the creators of the virus have also engineered a plan to spread it. One scenario is a massive spam campaign of e-mail messages sent to many users on a global scale. To do this, the cyber-criminals may have a pre-configured list of legitimate e-mail addresses. To obtain such lists, they may purchase them on the black market from someone who collects personal information by stealing it or by breaking the privacy policy of shady websites.

Then, these e-mail addresses may be embedded in a spam bot, which in turn sends spam messages with malicious e-mail attachments, like the example below:

Once the attachment is opened, infection by DarkLocker is inevitable.

But this may not be the only way this virus infects computers. The DarkLocker malware may also spread via fake updates, programs, patches and other “software” uploaded online.

DarkLocker Ransomware – Activity

Once the user becomes infected, the virus may place its malicious files in the following important Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Startup%
  • %Windows%

Among the malicious files may be different types of executables as well as support modules, but the two main ones identified are named as follows:

  • can.exe
  • Winlk.exe

After this infection drops its files, it may modify the Windows Registry by adding value strings with data. The predominantly targeted Windows Registry keys are the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

In addition to this, the DarkLocker ransomware may also delete backups, system restore points and shadow volume copies of Windows. It may also shut down critical system security processes to ensure uninterrupted file encryption.
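A read-only triage check for the indicators listed in this section, as an added example that is not part of the original article: it looks for the two named executables, lists any values under the RunServicesOnce key, and counts shadow copies. The mapping of the article's folder placeholders to real paths and the search depths are assumptions.

```powershell
# Added example: read-only check for the indicators named in this article.
# File names and registry key come from the article; the mapping of its folder
# placeholders to real paths and the search depths are assumptions.
$DropperNames = @('can.exe', 'Winlk.exe')
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'

$Roots = @(
    @{ Path = $env:APPDATA;                                    Depth = 4 }  # %AppData%, %Roaming%
    @{ Path = $env:LOCALAPPDATA;                               Depth = 4 }  # %Local%
    @{ Path = (Join-Path $env:USERPROFILE 'AppData\LocalLow'); Depth = 4 }  # %LocalLow%
    @{ Path = [Environment]::GetFolderPath('Startup');         Depth = 0 }  # %Startup% (user)
    @{ Path = [Environment]::GetFolderPath('CommonStartup');   Depth = 0 }  # %Startup% (all users)
    @{ Path = "$env:SystemDrive\";                             Depth = 0 }  # %SystemDrive% root only
    @{ Path = $env:SystemRoot;                                 Depth = 1 }  # %Windows%
)

# A file-name match is a lead, not a verdict: record path, creation time and hash.
$fileHits = @(foreach ($r in $Roots) {
    if (-not $r.Path -or -not (Test-Path -LiteralPath $r.Path)) { continue }
    Get-ChildItem -LiteralPath $r.Path -File -Force -Depth $r.Depth -ErrorAction SilentlyContinue |
        Where-Object { $DropperNames -contains $_.Name } |   # -contains is case-insensitive
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash
            }
        }
})

# Every value under this key runs at start-up, so list all of them for review.
$regHits = @(
    if (Test-Path -LiteralPath $RunKey) {
        $key = Get-Item -LiteralPath $RunKey
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Value = $name; Data = $key.GetValue($name) }
        }
    }
)

# Zero shadow copies is only a lead (they may never have been enabled). Needs elevation.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

[pscustomobject]@{
    DropperFiles    = @($fileHits | Sort-Object Path -Unique)
    RunServicesOnce = $regHits
    ShadowCopyCount = $shadowCount
}
```

Run it from an elevated PowerShell 5.1 or later session; without elevation the shadow copy count is reported as 0 regardless of the real state.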

DarkLocker Ransomware – Encryption Process

To encrypt files, this virus may use one or more encryption modes to render them no longer openable. This is achieved by combining the encryption mode with the cipher. The DarkLocker virus may be pre-configured to encrypt only a portion of each file, so the larger the file, the larger the encrypted portion. This is done to ensure a faster encryption process. DarkLocker may target certain file types that are more important than the average file. Such files may be:

  • Documents.
  • Images.
  • Audio files.
  • Videos.
  • Database files.
  • Other files associated with often used software.

In addition to this, the DarkLocker virus may also be careful to avoid encrypting files in various system folders, since encrypting them may cause Windows to misbehave and even crash.

After the encryption process is complete, the ransomware has been reported by researcher Amigo A to display the following ransom note type of file, extorting victims to pay ransom:

Remove DarkLocker Ransomware and Restore Files Encrypted by It

Before beginning to remove this virus, we recommend saving the files encrypted by it on another drive, preferably an external one.

Then, we advise you to follow the following removal instructions to help you remove DarkLocker by isolating it first. If you are unsure that you can remove all objects created by this virus manually, we recommend performing the removal automatically by downloading an advanced anti-malware program. It will detect and remove DarkLocker files automatically and protect the system against future intrusions too.

After having removed the DarkLocker virus, we recommend restoring your files using some alternative methods. We have mentioned several of those in step “2. Restore files encrypted by DarkLocker” below. They are designed to enable you to restore at least some of the files until a decryptor is released for free download. In the meantime you can check this article, as we will update it if there is any development with this virus.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
