May 2017 is the month of ransomware, it seems, and the latest strain reported to encrypt files has only recently been discovered. The virus, named Deos or Locker, demands a ransom of 0.1 BTC from victims to decrypt the encrypted files. The ransomware also drops a ransom note with complete instructions on how to pay. In case your computer has been infected by the Deos ransomware virus, we advise you to read this article thoroughly.
| Item | Details |
|---|---|
| Short Description | Deos ransomware encrypts the files on the infected computer and demands that victims pay in Bitcoin to get the files back. |
| Symptoms | Files are encrypted with a .locked file extension. The ransom note looks like the picture above this table. |
| Distribution Method | Spam emails, email attachments, executable files |
Deos Virus – Distribution Methods
To spread as widely as possible, the Deos ransomware infection is not limited to a single infection vector. The virus may be distributed via:
- Spam e-mail campaigns that contain malicious e-mail attachments or web links leading to the infection.
- Malicious files disguised as fake installers, key generators, Adobe Flash Player or Java updates, license activators or other types of files.
- Other malware that may already have infected your computer, such as worms or Trojans.
- Potentially unwanted programs with suspicious behaviour, installed via software bundling or another dubious method.
Once the victim opens the malicious file, it downloads and runs the Deos payload on the victim's computer.
Deos Ransomware – Analysis
Once this ransomware infection is present on your computer, its files may reside in multiple locations on the system, including:
The primary malicious file of this ransomware is named Locker.exe; it performs multiple activities on the computer, including the encryption of the files.
One of the malicious activities of Deos ransomware is creating registry entries in the Run and RunOnce sub-keys so that it runs on Windows start-up. The sub-keys in which these values may be located are the following:
After the registry entries have been modified on the infected machine, Deos ransomware may also delete the shadow volume copies, eliminating that avenue of recovery on the compromised computer.
After this has been done, the ransomware drops its ransom note, which carries the following message to victims:
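A triage check for the persistence mechanism and the shadow-copy deletion described above, added here as an example and not taken from the article or from any vendor tool. It assumes the standard Run/RunOnce key paths under HKCU and HKLM and matches autorun values by the Locker.exe file name the article gives; run it in an elevated PowerShell session on the suspect machine.

```powershell
# Added triage script (not from the original article): looks for autorun entries
# referencing Locker.exe and reports whether any shadow copies still exist.
# Assumption: the standard Run/RunOnce paths below are where the values live.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Collect every value under the Run/RunOnce sub-keys whose data references Locker.exe
$suspicious = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata
        if ("$($prop.Value)" -match 'Locker\.exe') {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

if ($suspicious) {
    Write-Warning 'Autorun entries referencing Locker.exe were found:'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'No Run/RunOnce entries referencing Locker.exe.'
}

# The article states the ransomware may delete shadow volume copies. A count of
# zero on a system that had System Protection enabled suggests the deletion
# already ran, so Previous Versions cannot be relied on for recovery.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
Write-Output ('Shadow copies present: {0}' -f @($shadows).Count)
```

Remove any entry the script lists only after the file it points to has been preserved for analysis, since the value data tells you where the sample was dropped.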
ALL YOUR FILES HAVE BEEN ENCRYPTED
THE KEY FOR DECRYPTION IS STORED ON OUR PRIVATE SERVER, TO GET IT YOU NEED TO
PAY A RANSOM IN BITCOIN OF 0.1 BTC TO THE FOLLOWING ADDRESS:
AFTER PAYMENT, INSERT THE TRANSACTION URL IN THE SPACE BELOW AND WAIT FOR DECRYPT.
THERE IS NO OTHER WAY TO DECRYPT YOUR FILES, EXCEPT PAYING.
YOUR KEY WILL BE DESTROYED AFTER THE TIMER REACHES 0.
Deos .locked – Encryption Process
The Deos ransomware targets very specific file types, primarily photos and important documents. It is careful not to encrypt files in the Windows system directories, which could damage the operating system and crash your PC. Deos ransomware looks for the following file types to encrypt:
→ .asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
To encrypt the data on infected computers, Deos ransomware uses the AES encryption algorithm. This modifies the core structure of the file itself; the encrypted file is given the .locked file extension and looks like the following:
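An inventory script for the .locked files, added here as an example that is not part of the original article. It assumes the scan starts at the current user profile unless $ScanRoot is supplied, uses the extension list from the article, and skips the Windows directory the article says the ransomware leaves alone, so that the scope of the encryption can be assessed before any recovery attempt.

```powershell
# Added inventory script (not from the original article): lists files carrying the
# .locked extension, grouped by their original extension, and flags any whose
# original extension is outside the article's target list.
# Assumption: $ScanRoot is a hypothetical parameter; default is the user profile.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

# Extension list as given in the article
$targetedExtensions = @('.asp', '.aspx', '.csv', '.doc', '.docx', '.html', '.jpg', '.mdb',
    '.odt', '.php', '.png', '.ppt', '.pptx', '.psd', '.sln', '.sql', '.txt', '.xls', '.xlsx', '.xml')

# The article says Windows directories are left alone; skip them to save time.
$windowsDir = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }

$lockedFiles = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.locked' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.FullName.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase) }

$summary = $lockedFiles | ForEach-Object {
    # Strip the appended .locked suffix to recover the original name and extension
    $originalName = $_.Name -replace '\.locked$', ''
    $originalExt  = [System.IO.Path]::GetExtension($originalName).ToLowerInvariant()
    [pscustomobject]@{
        OriginalExtension = $originalExt
        Targeted          = $targetedExtensions -contains $originalExt
        Path              = $_.FullName
        Size              = $_.Length
    }
}

if (-not $summary) {
    Write-Output "No .locked files found under $ScanRoot."
    return
}

# Count of encrypted files per original extension, most affected first
$summary | Group-Object OriginalExtension |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Files whose original extension is outside the article's list deserve a second
# look: they may indicate a different variant or a renamed file.
$summary | Where-Object { -not $_.Targeted } | Select-Object Path, OriginalExtension
```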
Remove Deos Ransomware and Restore .locked Files
For the removal of this ransomware infection, experts advise backing up the files before proceeding. Then follow the removal instructions below. They are designed so that you can remove the virus either manually, by isolating it in Safe Mode, or automatically with the aid of an advanced anti-malware program. Using anti-malware is preferable because all malicious files and objects created by Deos ransomware are removed, and the system is protected in the future as well.
If you are looking for ways to restore the files encoded by this virus, there are several methods you can try in step "2. Restore files encrypted by Deos" below. They do not have a 100 percent chance of success, but they may result in the recovery of some of your files.