
DeriaLock Virus Remove and Unlock Locked Screen

This article aims to help you remove DeriaLock ransomware from your computer and restore access to Windows functions.

Christmas 2016 marked the release of a new screenlocker infection that has locked the screens of numerous computers worldwide. The virus aims to deny access to the computer it infects by heavily modifying the Windows Registry. If you have become a victim of DeriaLock, we advise you to read the following article to become familiar with DeriaLock ransomware and learn how to remove it and regain access to your computer.

Update! There is now a decryptor tool for this ransomware! The tool was created by the malware researcher Michael Gillespie and can be downloaded from the following link, wrapped inside a .zip archive: StupidDecrypter.

Threat Summary



Type: ScreenLock Ransomware
Short Description: DeriaLock aims to lock you out of your files, but the virus does not encrypt them.
Symptoms: Locked screen, pop-up message displayed when you try to exit it with Alt+F4.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

How Does DeriaLock ScreenLocker Infect

At this point the exact method of infection by DeriaLock is not known. However, the ransomware may use a combination of several different tools and tactics to replicate itself onto victims’ hard drives:

  • Malware Obfuscators for antivirus and real-time shield evasion.
  • Spam bots to spread malicious files on e-mails as well as social media and other websites.
  • Exploit kit to connect to the C2 servers of the cyber-crooks and download the payload of DeriaLock ransomware.
  • Malicious macros embedded in either Microsoft Office or Adobe documents to cause an infection when the “Enable Content” button has been clicked.
  • Trojans or other malware that may download the payload of DeriaLock.

Once the user has opened a malicious attachment or clicked on a malicious URL, an infection may be caused. The following file has been reported to be dropped on the victim machine:

  • SystemLock.exe in the %Startup% folder.
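A check for this artifact, as an added example that is not part of the original article: because the live desktop is locked, the script inspects a Windows volume from Safe Mode or from a disk mounted on another machine. It assumes the standard per-user and all-users Startup folder locations; `resolve_ci`, `startup_dirs` and `find_startup_drops` are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

# File name reported in the article, lower-cased for case-insensitive matching.
SUSPECT_NAMES = {"systemlock.exe"}
# Standard Startup folder locations (assumed), relative to a profile / the volume.
PER_USER_STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
ALL_USERS_STARTUP = Path("ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")

def resolve_ci(root, relative):
    """Follow `relative` under `root`, matching each component ignoring case,
    so the lookup also works on a volume mounted case-sensitively."""
    current = Path(root)
    for part in Path(relative).parts:
        try:
            current = next(c for c in current.iterdir() if c.name.lower() == part.lower())
        except (OSError, StopIteration):  # missing, unreadable or not a directory
            return None
    return current

def startup_dirs(volume_root):
    """Return the all-users Startup folder plus one per user profile."""
    found = [resolve_ci(volume_root, ALL_USERS_STARTUP)]
    users = resolve_ci(volume_root, "Users")
    for profile in (sorted(users.iterdir()) if users and users.is_dir() else []):
        found.append(resolve_ci(profile, PER_USER_STARTUP))
    return [d for d in found if d is not None and d.is_dir()]

def find_startup_drops(volume_root, names=SUSPECT_NAMES):
    """List files in any Startup folder whose lower-cased name is in `names`."""
    hits = []
    for folder in startup_dirs(volume_root):
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.name.lower() in names:
                data = entry.read_bytes()
                hits.append({"path": str(entry), "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    return hits

if __name__ == "__main__":
    for hit in find_startup_drops(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```

A file name alone is a weak indicator; the reported hash lets you compare the sample against your anti-malware vendor's detections before deleting it.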

DeriaLock ScreenLocker – Further Analysis

After it has been launched on your computer, the DeriaLock virus will obtain information from the infected computer, such as its name and other info. This information allows the malware to generate a custom MD5 hash for unique identification and execution assistance for the screenlocker.

Furthermore, the malware connects to the command and control (C&C) server to download the latest version of itself, which is located in the %Startup% directory, as mentioned above.

Once the malicious executable has run, the DeriaLock threat is programmed to modify the computer so that it locks the user out and displays a ransom note.

The screenlocker is not just an image, however. It is custom software with buttons that switch the ransom note to different languages, such as German and Spanish.

In addition to all of this, DeriaLock also has some defensive features up its sleeve. BleepingComputer researchers have reported that this malware shuts down several Windows processes, such as Task Manager, Skype, Steam and others, to stop you from exiting the lockscreen. Here are the processes the DeriaLock screenlocker shuts down if it detects that they are open:

→ taskmgr procexp procexp64 procexp32 skype chrome steam MicrosoftEdge regedit msconfig utilman cmd explorer certmgr control cscript
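The process list above can be turned into a detection heuristic. The following is an added example, not part of the original article: it assumes process-access telemetry whose records use Sysmon Event ID 10 field names, and flags any source image that opens several of the listed processes with the terminate right in a short window. The function name, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names from the article's list, lower-cased, without the .exe suffix.
WATCHED = set(("taskmgr procexp procexp64 procexp32 skype chrome steam "
               "microsoftedge regedit msconfig utilman cmd explorer certmgr "
               "control cscript").split())
PROCESS_TERMINATE = 0x0001  # access right required to end another process

def flag_tool_killers(events, min_targets=3, window=timedelta(seconds=60)):
    """Map each source image to the watched targets it opened with terminate
    access, if it reached `min_targets` distinct targets inside `window`."""
    by_source = defaultdict(list)
    for ev in events:
        target = PureWindowsPath(ev["TargetImage"]).stem.lower()
        if target in WATCHED and int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_source[ev["SourceImage"]].append((ts, target))
    flagged = {}
    for source, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            names = {name for _, name in hits[start:end + 1]}
            if len(names) >= min_targets:
                flagged[source] = sorted(names)
                break
    return flagged

# Constructed sample records; keys follow Sysmon Event ID 10 field names.
LOCKER = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
          r"\Start Menu\Programs\Startup\SystemLock.exe")
SYS32 = "C:\\Windows\\System32\\"
FIELDS = ("UtcTime", "SourceImage", "TargetImage", "GrantedAccess")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2016-12-26 10:15:02.100", LOCKER, SYS32 + "Taskmgr.exe", "0x1"),
    ("2016-12-26 10:15:03.400", LOCKER, r"C:\Windows\regedit.exe", "0x1"),
    ("2016-12-26 10:15:04.000", SYS32 + "svchost.exe", r"C:\Windows\explorer.exe", "0x1000"),
    ("2016-12-26 10:15:05.900", LOCKER, SYS32 + "cmd.exe", "0x1"),
    ("2016-12-26 10:16:30.000", SYS32 + "Taskmgr.exe", SYS32 + "cmd.exe", "0x1"),
]]

if __name__ == "__main__":
    print(flag_tool_killers(SAMPLE_EVENTS))
```

Security products and management agents routinely open many processes with broad access, so tune `min_targets` and allowlist known sources before alerting on this.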

When the user attempts to switch tabs, open Task Manager or perform any other activity that may exit the lockscreen, he receives the following message:

→ “Nice try mate =)
I think that is a bad decision”

Fortunately for Windows XP users and those without .NET Framework 4.5, this virus requires the framework to run and will not execute if you have a Windows version earlier than 7.

Remove DeriaLock ScreenLocker and Restore Access to Your PC

If you have become a victim of this screenlocker type of ransomware, experts advise removing it immediately and restoring access to your files. Since this is malware and its safe removal is important, you may want to use an advanced anti-malware program for the removal after entering Safe Mode on your computer, as described in the instructions below.

After removing DeriaLock, it is advisable to immediately perform an online backup and secure your files using multiple methods to protect them from further ransomware infections.


Ventsislav Krastev
