Remove EVIL LOKCER Ransomware and Restore .EVIL Files

This article provides information about a ransomware dubbed EVIL LOKCER. At the end of it, you will find a step-by-step guide that helps with the removal of this threat as well as alternative data recovery approaches.

According to security researchers, EVIL LOKCER is ransomware that aims to encrypt important files stored on the infected host and then blackmail victims into paying a ransom fee. For this purpose, it modifies essential system settings that contribute to a successful attack. At the end of the infection process, all files corrupted by EVIL LOKCER ransomware have the extension .[].EVIL and you are no longer able to access the information they store.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: EVIL LOKCER encrypts important files stored on the infected host and then demands a ransom for a decryption solution.
Symptoms: Valuable data becomes unopenable and is marked with the extension .[].EVIL. A ransom is demanded for a decryption solution.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by EVIL LOKCER (Malware Removal Tool)
User Experience: Join Our Forum to Discuss EVIL LOKCER.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

EVIL LOKCER Ransomware – Distribution

One way for the ransomware to land on the computer is via a compromised web page. A visit to such a web page can download the infection through your browser and execute its code directly on the system. The URLs of such pages can be distributed via various advertising campaigns, posted on social media channels or sent in email spam messages.

Another spread technique which appears to be the most preferred by hackers is sending the ransomware payload in spam email messages. In this case the malicious code could be embedded in a file attachment. The attachment may be a commonly used type of file like an archive, document, image, or PDF. Beware and practice caution before you download and open files from received emails even when they seem legitimate as hackers often pose as representatives of well-known companies, services, websites and even governmental institutions. This way they attempt to trick you into infecting your system with devastating infections like EVIL LOKCER ransomware.

EVIL LOKCER Ransomware – Overview

Once EVIL LOKCER ransomware’s payload is started on the system, it initiates a sequence of system modifications that help it evade detection and complete the attack. Analyses of this threat sample reveal that it is designed to infect 64-bit system versions. In order to get all malicious files needed for the infection process, the ransomware is likely to connect to its command and control server and download them from there. Meanwhile, other files with self-execution functionalities are created directly on the system during the attack.

There are several folders that may store malicious files after the attack and they are:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%

Further, it becomes clear that the ransomware terminates certain system processes, probably in an attempt to remain undetected by active security measures or to be able to execute some of the malicious files that imitate legitimate processes.

During the attack, EVIL LOKCER accesses the Windows Registry, where low-level settings for the operating system are stored. There the ransomware is able to add values under the Run and RunOnce sub-keys and ensure its persistent presence on the system. These keys manage the automatic execution of programs when the system starts, so by adding its malicious values there the ransomware becomes able to run on each system start.
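
One way to review the autorun entries described above, as an added example that is not part of the original article: it flags Run and RunOnce values whose command line points into the user-writable folders listed earlier. The sample entries, the user name alice and the file names are constructed, and %Windows% is left out because legitimate autoruns also start from there.

```python
import os
import re

BASE = r"Software\Microsoft\Windows\CurrentVersion"
# Constructed sample data (hypothetical user "alice") so the check runs offline.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
              "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
              "TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_ENTRIES = [
    ("HKLM Run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU Run", "updater", r'"C:\Users\alice\AppData\Roaming\svch0st.exe" -s'),
    ("HKCU RunOnce", "tmp", r"rundll32.exe %TEMP%\a1b2.dll,Start"),
]

def watched_roots(env):
    """Resolve the user-writable folders from the list above to real paths."""
    return {"%AppData%/%Roaming%": env["APPDATA"], "%Local%": env["LOCALAPPDATA"],
            "%LocalLow%": env["LOCALAPPDATA"] + "Low", "%Temp%": env["TEMP"]}

def flag_autoruns(entries, env):
    """Return (key, value name, folder) for autoruns launching from a watched folder."""
    roots = sorted(watched_roots(env).items(), key=lambda kv: -len(kv[1]))  # longest first
    hits = []
    for key, name, command in entries:
        # REG_EXPAND_SZ values hold unexpanded %VAR% references; expand the known ones.
        expanded = re.sub(r"%([^%]+)%",
                          lambda m: env.get(m.group(1).upper(), m.group(0)), command).lower()
        label = next((lbl for lbl, root in roots if root.lower() + "\\" in expanded), None)
        if label:
            hits.append((key, name, label))
    return hits

def read_run_keys():
    """Yield (key, name, command) from Run/RunOnce in HKCU and HKLM (Windows only)."""
    import winreg
    for hive, tag in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for sub in (BASE + r"\Run", BASE + r"\RunOnce"):
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, value, _ = winreg.EnumValue(key, i)
                        yield f"{tag}\\{sub}", name, str(value)
            except OSError:
                continue  # key absent or not readable

if __name__ == "__main__":
    live = os.name == "nt"
    env = {k.upper(): v for k, v in os.environ.items()} if live else SAMPLE_ENV
    print(flag_autoruns(read_run_keys() if live else SAMPLE_ENTRIES, env))
```

A hit is a lead for review, not a verdict: some legitimate per-user applications also start from AppData.
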
Following encryption, EVIL LOKCER drops a file named !_HOW_RECOVERY_FILES_!.txt and opens it to inform victims about its presence and impact. The text in this ransom message reads:

>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<
HELLO, DEAR FRIEND!
1. [ ALL YOUR FILES HAVE BEEN ENCRYPTED! ]
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the decryption program.
2. [ HOW TO RECOVERY FILES? ]
To receive the decryption program write on our e-mail: or
And in subject write your ID: ID-[redacted 6 hex char]
We send you full instruction how to decrypt all your files.
3. [ FREE DECRYPTION! ]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment.
To believe, you can give us up to 3 files that we decrypt for free.
Files should not be important to you! (databases, backups, large excel sheets, etc.)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> EVIL LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<<

Hackers do not reveal how much the decryption ransom is, but no matter how much they demand, we strongly advise all victims to refrain from contacting or paying them. No matter what they promise, they are malicious actors who can trick you into paying the ransom and then skip sending you a decryption solution.

EVIL LOKCER Ransomware – Encryption Process

The primary goal of EVIL LOKCER crypto virus is to encode predefined types of files and make them inaccessible. It is likely that the following files are encrypted by this ransomware:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

During encryption, the original code of all target files is modified with the help of a strong cipher algorithm, so at the end of the process the corrupted files cannot be accessed. Additionally, the specific extension .[].EVIL is appended to the original names of encrypted data.

EVIL LOKCER cryptovirus could also be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

vssadmin.exe delete shadows /all /Quiet

Executing the above command makes the effects of the encryption process harder to undo, as it eliminates one of the prominent ways to restore your data. If your computer has been infected with this ransomware and your files are locked, read on to find out how you could potentially restore some files to their normal state.
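
A detection check for the shadow-copy command above, run over process-creation records, as an added example that is not from the original article. The tab-separated record layout, host names and parent paths are constructed; deletion with both /all and /quiet is rated high, other shadow deletions medium because backup tools also prune snapshots.

```python
import re

# Constructed process-creation records: time, host, parent image, command line.
SAMPLE_LOG = ["\t".join(rec) for rec in [
    ("2024-05-02T09:14:07Z", "WS-014", r"C:\Users\bob\AppData\Roaming\inv.exe",
     "vssadmin.exe delete shadows /all /Quiet"),
    ("2024-05-02T09:15:30Z", "WS-014", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /ALL /quiet'),
    ("2024-05-02T10:02:11Z", "SRV-02", r"C:\Windows\System32\cmd.exe",
     "vssadmin list shadows"),
    ("2024-05-02T11:40:52Z", "SRV-02", r"C:\Program Files\Backup\agent.exe",
     "vssadmin delete shadows /for=D: /oldest"),
]]

# vssadmin (bare, with a path, quoted, any case) followed by "delete shadows".
VSS_DELETE = re.compile(
    r'(?:^|[\s\\/"])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)', re.I)

def detect_shadow_deletion(lines):
    """Return one alert per record whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed records
        ts, host, parent, cmdline = parts
        match = VSS_DELETE.search(cmdline)
        if not match:
            continue
        flags = {f.lower() for f in re.findall(r"/(\w+)", match.group("args"))}
        # /all with /quiet wipes every snapshot without a prompt, as in the article.
        severity = "high" if {"all", "quiet"} <= flags else "medium"
        alerts.append({"time": ts, "host": host, "parent": parent,
                       "flags": sorted(flags), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_LOG):
        print(alert)
```
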

Remove EVIL LOKCER Ransomware and Restore .EVIL Files

Below you can find how to remove EVIL LOKCER step by step. To remove the ransomware manually, you need to have a bit of technical experience and the ability to recognize traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So, as recommended by security researchers, you need to utilize an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like EVIL LOKCER and other kinds of malware that endanger your online security.

After you remove the ransomware make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
