.exo (ExoLock) Files Virus – How to Remove and Restore Files

This article aims to help you by showing how to remove the 2.0 variant of ExoLock ransomware and restore .exo encrypted files.

A new ransomware infection has resurfaced as the second variant of ExoLock ransomware. The virus, also known under the name Atchbo Ransomware 2.0v, aims to encrypt the files on your computer and demands a payment of 0.007 BitCoin to restore them to a working state, according to @malwrhunterteam. To further pressure victims into paying the ransom, the .exo files ransomware drops a .txt file named UnlockYourFiles.txt, which contains instructions on how to transfer money into a BitCoin wallet and make the payment to the cyber-criminals behind the ransomware. If your computer has been infected by this ransomware, we recommend reading this article to learn how to remove it and try to get your encrypted files back without paying the ransom.

Threat Summary

Name: .exo Ransomware
Type: Ransomware, Cryptovirus
Short Description: New variant of ExoLock ransomware. Encrypts the files on your computer, after which it demands a ransom payoff of 0.007 BTC to get them back.
Symptoms: The files on your PC are encrypted with an added .exo file extension, the wallpaper is changed and a text file is added.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.exo Files Ransomware – Infection Methods

There may be several infection methods for this variant of ExoLock ransomware. The main one, used in over 80% of ransomware infections nowadays, is called malspam: spam e-mails with malicious attachments, or with web links that lead to such attachments, are used to infect your PC. Such e-mails often claim to come from reputable companies, such as:

  • FedEx.
  • PayPal.
  • DHL.
  • Amazon.
  • AliExpress.
  • Your bank.

The e-mails usually contain false statements in them that aim to convince you into opening the e-mail attachment, such as:

  • This is the receipt from your new purchase. The product will be delivered in 2-3 days.
  • Suspicious activity in your bank account has been detected. Open the attachment for full banking transfer history.
  • Please refer to the following order receipt attached and make the payment. Deadline for payment 24 hours.

Besides spam e-mails, the malicious executable belonging to .exo ransomware can also be encountered disguised as:

  • Fake setups.
  • Fake game cracks.
  • Key generators.
  • Program license activators.

ExoLock Ransomware – More Information

The .exo files virus is a variant of the ExoLock ransomware, which first appeared back in September with a low infection rate. The virus is of the file-encrypting type, meaning that it renders the files on your PC unable to be opened until you pay the cyber-crooks behind it a hefty ransom fee in BitCoin.

When the malicious executable that distributes this virus infects your computer, you may not notice it, because it uses software obfuscators which aim to conceal it from antivirus programs. During the infection, the virus automatically connects to a distribution site and downloads its malicious payload onto your computer. The payload may consist of more than one malicious file, of the following file types:

→ .dll, .tmp, .exe, .vbs, .wsf, .js, .bat

The files may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%
  • %Documents and Settings%

Among the files dropped is an image which is later set as the wallpaper of the infected computer. It looks like the following:

Along with the wallpaper, the .exo files virus also drops a .txt file ransom note, named UnlockYourFiles.txt. It has the following ransom message in it:

BTC Address: {ID}
All files have ben infected ! ! !
Get decrypt your files in 4 steps
1. Go to www.anycoindirect.eu/en/buy/bitcoins
2. Pay 0.01 bitcoins to the BITCOIN Address below
3. Once confirmed your files will be decrypted
4. And you can enjoy your computer ! ! !

In addition to making sure that you know of its presence on your computer system, the ExoLock 2.0 ransomware may also set registry entries in the Run and RunOnce Windows registry sub-keys, which are located under:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

The malicious activities of the .exo files virus may also include executing commands, with administrator privileges, in the Windows Command Prompt that delete the backed-up files (Shadow Volume Copies) on your Windows machine and disable Windows boot recovery. The commands are as follows:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
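The command chain above is a useful detection opportunity: a legitimate process rarely deletes all shadow copies and disables boot recovery in one go. The following is an added example (not code from the original article) of a small detection rule run over constructed, Sysmon-style process-creation log lines; the event lines and field names are made up for illustration.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# These lines are made up for this example; the field layout is illustrative.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\user\\UnlockYourFiles.txt",
    "ParentImage=C:\\Users\\user\\AppData\\Roaming\\update.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet"
    " & bcdedit.exe /set {default} recoveryenabled no"
    " & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\"",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|CommandLine=vssadmin.exe list shadows",
]

# Each rule names the recovery mechanism that the matched command tampers with.
# Patterns tolerate the bare tool name as well as the ".exe" form.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

def parse_event(line):
    """Split a 'key=value|key=value' event line into a dict (first '=' separates key from value)."""
    return dict(part.split("=", 1) for part in line.split("|"))

def match_rules(cmdline):
    """Return the names of all rules whose pattern appears in the command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def severity(hits):
    """Two or more recovery-tampering actions in one command line is the ransomware pattern."""
    return "high" if len(hits) >= 2 else "medium"

def detect(events):
    """Return (image, matched_rules, severity) for every event that tampers with recovery."""
    findings = []
    for line in events:
        ev = parse_event(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if hits:
            findings.append((ev.get("Image", ""), hits, severity(hits)))
    return findings

if __name__ == "__main__":
    for image, hits, level in detect(SAMPLE_EVENTS):
        print(f"[{level}] {image}: {', '.join(hits)}")
```

Only the WMIC event is flagged; the benign `vssadmin.exe list shadows` call and the user opening the ransom note in Notepad pass through untouched.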

.exo Ransomware – How Does It Encrypt

ExoLock ransomware reportedly may use the AES encryption cipher to render the files on your computer unable to be opened. The cipher uses a unique key, which is needed for decryption. However, since the key is concealed by the attackers, the only way to obtain direct decryption is to pay the cyber-crooks, which is highly inadvisable.

The files targeted for encryption by ExoLock ransomware have been reported to be:

  • Videos.
  • Images.
  • Music.
  • Backup file formats.
  • Archives.
  • Virtual Drive type of files.
  • Files, related to often used programs.
  • Documents.

The encryption process performed by the .exo files virus is programmed so that it does not affect critical Windows files, which could damage your OS. It also does not encrypt the whole file, but only a portion of its contents, enough to make it no longer able to be opened. This eventually results in the files looking like the following:

Remove .exo Files Ransomware and Restore Encoded Files

If you want to remove this ransomware virus, we advise you to follow the removal instructions below. They are specifically created to help you delete the virus step-by-step, either manually or automatically. For maximum effectiveness, security experts strongly advise downloading an advanced anti-malware program which will automatically scan for and remove all related files and objects created by .exo ransomware on your computer and protect it against future infections without having to reinstall your OS.

In addition to this, be advised that if you want to recover your files, there are other solutions instead of paying the ransom to cyber-extortionists you cannot trust. We have suggested several alternative methods which may help you restore some or most of your encrypted files in step “2. Restore files encrypted by .exo Ransomware” below.

Manually delete .exo Ransomware from your computer

Note! Important notice about the .exo Ransomware threat: manual removal of .exo Ransomware requires interfering with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .exo Ransomware files and objects
2. Find malicious files created by .exo Ransomware on your PC

Automatically remove .exo Ransomware by downloading an advanced anti-malware program

1. Remove .exo Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .exo Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
