A virus aimed at Czech-speaking users, calling itself FileLocker, has been reported by malware researchers to be spreading on the web and infecting users. The virus uses the AES-256 and RSA ciphers to encrypt important documents so that they can no longer be opened. The ransomware is also reported to leave behind a ransom note that extorts users to pay a hefty ransom fee in order to get the files back. If you have been infected by this ransomware, we recommend reading this article thoroughly.
|Short Description|The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms|The user may see ransom notes and “instructions” linking to a web page and a decryptor. File names are changed and the .ENCR file extension is used.|
.ENCR FileLocker – How Does It Infect
To get this ransomware onto your computer, the cyber-criminals may use e-mail spam containing malicious file attachments, fake updates, and fake installers of programs found on shady websites. Whatever the case may be, once a malicious executable containing this virus is opened, it connects to a remote host and downloads its malicious files onto the user's computer:
→ %User’s Profile%\Documents\UserFilesLocker.exe
.ENCR FileLocker Post-Infection Activity
After infecting a computer, this ransomware may connect to multiple hosts to transfer information from the infected machine.
Then, the .ENCR FileLocker ransomware encrypts files with the AES cipher and uses RSA in combination to generate unique decryption keys. The files it targets for encryption are commonly used file types:
→ .asf, .avi, .cer, .div, .dll, .exe, .flv, .inf, .ini, .jpg, .mkv, .mng, .mov, .mp3, .mp4, .mpeg, .mpg, .ogg, .ogv, .pkg, .qt, .rm, .rmvb, .run, .sh, .txt, .webm, .wmw, .xvid, .yuv
Since the .ENCR FileLocker encrypts executable files, it chooses very carefully the folders in which it encodes data:
After the encryption process is complete, this ransomware virus adds the .ENCR file extension to the encrypted files, making them appear like the following:
The virus also drops a ransom note, written entirely in Czech. In it, it demands bitcoins and threatens to increase the ransom if the payment is not made in time. Translated into English, the note reads:
“ALL YOUR PERSONAL DATA HAS, UNFORTUNATELY FOR YOU, BEEN COMPLETELY ENCRYPTED
Step 1 – PAYMENT
Step 2 – Inform us
Step 3 – Data recovery
Your data and files are now unfortunately encrypted with our key. A unique AES-256 key generated on this computer was used for the encryption. At this moment all files are already encrypted and the key is safely stored, encrypted, in the form of an RSA-2048 key.
The one and only possible way to get your files back is to make a payment in Bitcoin and request the decryption keys from us. Do not believe any fairy tales on the internet that this can be bypassed; it simply cannot, and if it could, many things in this world would stop working.
Pay according to the instructions in the following steps, as per the list above, and wait for your keys. We too care about professional customer service and our reputation on the market, so we will try to unlock your files as soon as possible.
Amount due: 0.8 BTC
Amount due: 2.1 BTC (another variant)”
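A defender can check a user profile for the indicators described above: the dropped UserFilesLocker.exe in Documents, the targeted extension list, and the .ENCR suffix. The Python triage script below is an added example, not part of the original article or of any vendor tool; it assumes the original extension is kept in front of .ENCR (for example report.txt.ENCR), and the function names and the sample tree in demo() are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article; matching is case-insensitive.
TARGET_EXTS = {".asf", ".avi", ".cer", ".div", ".dll", ".exe", ".flv", ".inf", ".ini",
               ".jpg", ".mkv", ".mng", ".mov", ".mp3", ".mp4", ".mpeg", ".mpg", ".ogg",
               ".ogv", ".pkg", ".qt", ".rm", ".rmvb", ".run", ".sh", ".txt", ".webm",
               ".wmw", ".xvid", ".yuv"}
MARKER = ".encr"
DROPPER = os.path.join("documents", "userfileslocker.exe")

def triage(profile_dir):
    """Walk a user profile and summarise FileLocker indicators found under it."""
    report = {"dropper": [], "encrypted": [], "by_type": Counter(), "dirs": set()}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, profile_dir).lower()
            if rel == DROPPER:
                report["dropper"].append(path)
            stem, ext = os.path.splitext(name)
            if ext.lower() != MARKER:
                continue
            # Assumption: the original extension is kept before .ENCR.
            inner = os.path.splitext(stem)[1].lower()
            report["encrypted"].append(path)
            # Files without a recognisable targeted extension are counted as "other".
            report["by_type"][inner if inner in TARGET_EXTS else "other"] += 1
            report["dirs"].add(root)
    return report

def demo():
    """Build a constructed profile tree (empty files) and run the triage on it."""
    with tempfile.TemporaryDirectory() as profile:
        for rel in ["Documents/UserFilesLocker.exe", "Documents/report.txt.ENCR",
                    "Pictures/holiday.jpg.encr", "Pictures/clean.jpg",
                    "Desktop/notes.ENCR"]:
            path = os.path.join(profile, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        r = triage(profile)
        return (len(r["dropper"]), len(r["encrypted"]), dict(r["by_type"]), len(r["dirs"]))

if __name__ == "__main__":
    print(demo())
```

The per-type counts and the set of affected directories give a quick picture of which folders were touched and what needs restoring from backup.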
Remove .ENCR FileLocker and Try Decrypting Your Files
Before removing this ransomware infection, we advise backing up the encrypted files. Then you can delete the .ENCR FileLocker by following the removal instructions posted below. They are methodically arranged to help you remove this ransomware. If you do not have enough experience in removing this ransomware infection, we recommend downloading advanced anti-malware software. It will help you perform the removal automatically and swiftly.
If you are looking for ways to restore files that have been encrypted by this ransomware infection, we recommend checking the alternative file decryption methods below in step “2. Restore files encrypted by .ENCR FileLocker”. They may not be 100% effective, but at least some of the important files might be recovered.