.exo (ExoLock) Files Virus – How to Remove and Restore Files

This article shows how to remove the 2.0 variant of ExoLock ransomware and how to try to restore .exo encrypted files.

A second variant of the ExoLock ransomware has resurfaced. The virus, also known as Atchbo Ransomware 2.0v, encrypts the files on your computer and demands a payment of 0.007 BTC to restore them, according to @malwrhunterteam (note that the ransom note quoted later in this article asks for 0.01 BTC, so the two reported figures differ). To pressure victims into paying, the .exo files ransomware drops a text file named UnlockYourFiles.txt with instructions on how to buy Bitcoin and transfer it to the wallet of the criminals behind the ransomware. If your computer has been infected, we recommend reading this article to learn how to remove the ransomware and how to try to recover your encrypted files without paying.

Threat Summary

Name: .exo Ransomware
Type: Ransomware, Cryptovirus
Short Description: New variant of ExoLock ransomware. Encrypts the files on your computer and then demands a ransom of 0.007 BTC to get them back.
Symptoms: The files on your PC are encrypted and given an added .exo file extension, the wallpaper is changed and a text ransom note is dropped.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may recover only a few of the encrypted files, depending on the situation and on whether you have reformatted your drive.

.exo Files Ransomware – Update November 2017

The .exo Files cryptovirus, also known as the ExoLock Ransomware, is still circulating on the Web, encrypting users' files. The newest version lets anybody build their own version of the malware with an application called "ExoBuilder", made by Exelic, who is probably the developer of the virus.

You can see what the builder looks like in the screenshot below:

The extensions the ransomware targets for encryption, as configured in the builder, are the following (note that .jpeg appears twice in the list):

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psdv, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .jpeg, .dll, .md, .cpp, .h, .lib

A note left in the ransomware builder advises leaving the .exe extension out of the list, presumably so that the malware does not render executables, including its own, unusable before it finishes.

.exo Files Ransomware – Infection Methods

This variant of ExoLock ransomware may be distributed in several ways. The most common one, reported for over 80% of ransomware infections today, is malspam: spam e-mails carrying malicious attachments, or links that lead to such attachments, to infect your PC. These e-mails often claim to come from reputable companies, such as:

  • FedEx.
  • PayPal.
  • DHL.
  • Amazon.
  • AliExpress.
  • Your bank.

The e-mails usually contain false statements meant to convince you to open the attachment, such as:

  • This is the receipt from your new purchase. The product will be delivered in 2-3 days.
  • Suspicious activity in your bank account has been detected. Open the attachment for full banking transfer history.
  • Please refer to the following order receipt attached and make the payment. Deadline for payment 24 hours.

In addition to spam e-mails, the malicious executable belonging to .exo ransomware can also be encountered disguised as:

  • Fake setups.
  • Fake game cracks.
  • Key generators.
  • Program license activators.

ExoLock Ransomware – More Information

The .exo files virus is a variant of the ExoLock ransomware, which first appeared back in September with a low infection rate. It is a file-encrypting virus: it renders the files on your PC unopenable until you pay the crooks behind it a hefty ransom in Bitcoin.

When the malicious executable that distributes this virus infects your computer, you may not notice it, because it is packed with software obfuscators meant to conceal it from antivirus programs. During the infection, the virus automatically connects to a distribution site and downloads its malicious payload onto your computer. The payload may consist of more than one malicious file of the following types:

→ .dll, .tmp, .exe, .vbs, .wsf, .js, .bat

The files may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%
  • %Documents and Settings%

Among the files dropped is an image which is later set as the wallpaper of the infected computer. It looks like the following:

Along with the wallpaper, the .exo files virus also drops a text ransom note named UnlockYourFiles.txt, which contains the following message:

BTC Address: {ID}
All files have ben infected ! ! !
Get decrypt your files in 4 steps
1. Go to www.anycoindirect.eu/en/buy/bitcoins
2. Pay 0.01 bitcoins to the BITCOIN Address below
3. Once confirmed your files will be decrypted
4. And you can enjoy your computer ! ! !

In addition to making sure you know of its presence on your computer, the ExoLock 2.0 ransomware may also set registry entries in the Run and RunOnce sub-keys, so that it is launched again when Windows starts. Their locations are:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
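A quick way to review those locations offline is to export the keys with reg export and search the resulting .reg file for autostart entries whose target lives in one of the drop directories listed above. The script below is an added example and not part of the article or of the malware: it parses a constructed .reg export (the entry names and paths are invented for illustration, and the HKCU keys are included as an assumption, since the article names only HKLM) and flags values pointing into AppData, Temp or similar user-writable folders.

```python
"""Flag Run/RunOnce autostart values whose target lives in a user-writable
drop directory.

Added example, not from the article or the malware. The input is a
constructed .reg export (the format `reg export` writes); entry names and
paths are invented samples.
"""
import re

# Autostart keys to review. The article names only the HKLM pair; the HKCU
# pair is added here as an assumption because malware often uses it too.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# Lower-cased substrings covering the drop directories the article lists
# (Roaming and LocalLow sit under AppData). Assumed expansions.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\locallow\\",
                   "\\documents and settings\\",
                   "%appdata%", "%temp%", "%localappdata%")

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"', scanned in order."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for quoted (REG_SZ) values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            keys[current][unescape(m.group(1))] = unescape(m.group(2)[1:-1])
    return keys


def suspicious_autoruns(text):
    """Return [(key_path, value_name, command)] for autorun entries in drop dirs."""
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() not in wanted:
            continue
        for name, cmd in values.items():
            if any(marker in cmd.lower() for marker in SUSPICIOUS_DIRS):
                hits.append((key, name, cmd))
    return hits


# Constructed sample export: one legitimate entry, two that look like the
# drop locations above, and a legitimate program that also lives in AppData.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"WinUpdate"="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Update"="C:\\Users\\victim\\AppData\\Local\\Temp\\update.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for key, name, cmd in suspicious_autoruns(SAMPLE_REG):
        print(f"{key.rsplit(chr(92), 1)[1]:8} {name:14} {cmd}")
```

One of the three hits, OneDrive, is a legitimate program that happens to live under AppData\Local, so the heuristic is a triage aid and every hit still needs to be compared against a known-good baseline; the svchost.exe name under Roaming, by contrast, is a classic masquerade of a system binary name in a user-writable path.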

The .exo files virus may also, running with administrator privileges, execute commands in the Windows Command Prompt that delete the Shadow Volume Copies (the backups Windows keeps for System Restore and Previous Versions) and switch off the boot-time recovery environment, so that the encrypted files cannot be restored from those copies. The observed command, launched through WMI's process call create, is:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
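Because those three commands are almost never run together by legitimate software, their appearance in process-creation telemetry is a strong ransomware indicator. The following added example (not code from the article or from the ransomware) runs that check over constructed process-creation events written as key=value text; the field names EventID, Image and CommandLine mirror Sysmon Event ID 1, but the flattened log format itself is an assumption.

```python
"""Flag shadow-copy deletion and boot-recovery tampering in process-creation logs.

Added example, not from the article or the ransomware. The log lines are
constructed to resemble Sysmon Event ID 1 records flattened to key=value
text; the field names and format are an assumption.
"""
import re

# One pattern per tamper step in the observed command. Case-insensitive,
# because cmd.exe does not care about case and neither do attackers.
TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bootstatus_ignored": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    # The sample spawned cmd.exe through WMI; that launcher is worth a flag too.
    "wmi_process_spawn": re.compile(r"process\s+call\s+create", re.I),
}

# key=value pairs; quoted values may contain spaces and backslash-escaped quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn 'k=v k2="v 2"' into a dict; quoted values keep their inner spaces."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def classify(command_line):
    """Return the tamper indicators present in one command line, in table order."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(command_line)]


def scan(lines):
    """Return [(event_id, image, indicators)] for every event with at least one hit."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        found = classify(fields.get("CommandLine", ""))
        if found:
            hits.append((fields.get("EventID"), fields.get("Image"), found))
    return hits


# Constructed sample: benign noise plus the launcher and child from the article.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\explorer.exe" CommandLine="explorer.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic process call create \\"cmd.exe /c vssadmin.exe delete shadows /all /quiet '
    '& bcdedit.exe /set {default} recoveryenabled no '
    '& bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\\""',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet '
    '& bcdedit.exe /set {default} recoveryenabled no '
    '& bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
]

if __name__ == "__main__":
    for event_id, image, indicators in scan(SAMPLE_LOG):
        print(event_id, image, ", ".join(indicators))
```

Both the WMI launcher and the cmd.exe child it creates appear as separate events, so a rule keyed on CommandLine fires twice; on a real host the vssadmin.exe and bcdedit.exe children would add further hits of their own, which is useful for corroboration but worth deduplicating by process tree before alerting.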

.exo Ransomware – How Does It Encrypt

ExoLock ransomware reportedly uses the AES cipher to render the files on your computer unopenable. AES is a symmetric cipher, so the same key both encrypts and decrypts, and the ransomware keeps that key away from the victim. Because the key cannot be recovered from the encrypted files themselves, the only way to decrypt them directly is to obtain it from the criminals by paying, which is highly inadvisable, unless researchers find a flaw in the implementation and publish a decryptor.

The file types that ExoLock ransomware targets for encryption have been reported to be:

  • Videos.
  • Images.
  • Music.
  • Backup file formats.
  • Archives.
  • Virtual Drive type of files.
  • Files, related to often used programs.
  • Documents.

The encryption routine of the .exo files virus is written so that it does not touch critical Windows files, which could damage the OS. It also does not encrypt each whole file, but only a portion of it, enough to make the file unopenable. The result looks like the following:
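Partial encryption matters for recovery: whatever the routine skips is still plaintext, and an analyst can measure how much of each file was left alone before deciding what is worth carving. The script below is an added example (not code from the article or from the malware) that walks a directory, picks out files carrying the .exo suffix, recovers the original extension and checks it against a subset of the builder's target list, and classifies each file by the Shannon entropy of 4 KiB windows (ciphertext sits near 8 bits per byte, ordinary documents well below). The sample files, the window size and the 7.2-bit threshold are constructed or assumed for illustration.

```python
"""Triage .exo-suffixed files: which original types were hit, and whether the
content is fully or only partially encrypted.

Added example, not code from the article or the ransomware. Sample files are
constructed in a temporary directory; the window size and entropy threshold
are assumptions chosen for illustration.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Subset of the builder's target list quoted in the article (assumed representative).
TARGET_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
    ".zip", ".rar", ".7z", ".mp4", ".avi", ".sql", ".mdb", ".accdb",
    ".pem", ".pfx", ".p12", ".wallet", ".sav", ".py", ".js", ".txt",
}
RANSOM_SUFFIX = ".exo"
SEGMENT = 4096              # bytes per entropy window (assumption)
ENCRYPTED_THRESHOLD = 7.2   # bits/byte; AES output is close to 8.0 (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def segment_profile(path):
    """One flag per SEGMENT-sized window: True where the window looks encrypted."""
    flags = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(SEGMENT)
            if not chunk:
                break
            flags.append(shannon_entropy(chunk) >= ENCRYPTED_THRESHOLD)
    return flags


def triage_file(path):
    """Return (original_ext, targeted, verdict) for one .exo file, else None."""
    name = os.path.basename(path)
    if not name.lower().endswith(RANSOM_SUFFIX):
        return None
    ext = os.path.splitext(name[:-len(RANSOM_SUFFIX)])[1].lower()
    flags = segment_profile(path)
    if not flags:
        verdict = "empty"
    elif all(flags):
        verdict = "fully-encrypted"
    elif any(flags):
        verdict = "partially-encrypted"   # plaintext windows remain: carve them
    else:
        verdict = "plaintext"             # renamed only; just strip the suffix
    return ext, ext in TARGET_EXTENSIONS, verdict


def triage_tree(root):
    """Walk `root`; map each .exo file (relative, '/'-separated) to its triage."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            r = triage_file(full)
            if r is not None:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = r
    return results


def build_samples(root):
    """Construct sample victims: partially, fully and not-at-all encrypted."""
    rng = random.Random(1)   # deterministic stand-in for ciphertext
    text = b"The quick brown fox jumps over the lazy dog.\n" * 200   # 9000 bytes
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.docx.exo"), "wb") as fh:
        # first window overwritten, rest untouched: partial encryption
        fh.write(bytes(rng.getrandbits(8) for _ in range(SEGMENT)) + text[SEGMENT:])
    with open(os.path.join(root, "keys.pem.exo"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(2 * SEGMENT)))
    with open(os.path.join(root, "disk.iso.exo"), "wb") as fh:
        fh.write(text)                   # renamed but never encrypted
    with open(os.path.join(root, "README.md"), "wb") as fh:
        fh.write(b"nothing to see\n")    # not a victim file


def demo():
    """Build the samples in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return triage_tree(root)


if __name__ == "__main__":
    for path, (ext, targeted, verdict) in sorted(demo().items()):
        print(f"{path}: {ext} targeted={targeted} {verdict}")
```

On a real victim host, run triage_tree against the user profile and separate the partially-encrypted group from the rest: large media or archive files in that group still hold most of their original bytes, which is what file-carving tools can work with, while fully-encrypted files are only recoverable from backups or shadow copies that survived.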

Remove .exo Files Ransomware and Restore Encoded Files

If you want to remove this ransomware, follow the removal instructions below. They are written to help you delete the virus step by step, either manually or automatically. For maximum effectiveness, security experts strongly advise using an advanced anti-malware program that will automatically scan for and remove all related files and objects created by .exo ransomware on your computer and protect it against future infections, without your having to reinstall the OS.

In addition, be advised that if you want to recover your files, there are alternatives to paying the ransom to cyber-extortionists you cannot trust. We have suggested several alternative methods which may help you restore some or most of your encrypted files in step "2. Restore files encrypted by .exo Ransomware" below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion in cybersecurity and is a strong believer in basic education of every user towards online safety.
