Rans0mLocked Virus – Remove and Restore .owned Files

Rans0mLocked Virus – Remove and Restore .owned Files

This article will aid you to remove the Rans0mLocked cryptovirus efficient. Follow the ransomware removal instructions provided at the bottom of the article.

Rans0mLocked ransomware is the name of a cryptovirus. The extension it puts to all files after encryption is .owned. A ransom note will pop-up inside a window with instructions on how to pay 0.1 to recover your files. Continue to read and find out what methods you could try to potentially recover some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer system and it shows a ransom note afterward.
SymptomsThis ransomware virus will encrypt your files and place the .owned extension on each one of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Rans0mLocked


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Rans0mLocked.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Rans0mLocked Ransomware – Distribution

The Rans0mLocked ransomware might be distributed by utilizing different methods. The payload dropper file which initiates the malicious script for the ransomware infection is seen circling the Internet. Malware researchers have found a sample of the payload which could infect users and you can preview its analysis on the VirusTotal service here below:

The Rans0mLocked ransomware might be using other ways to deliver the payload file, such as social media and file-sharing sites. Freeware applications found on the Web could be promoted as helpful but also could hide the malicious script for this virus. Before opening any files after you have downloaded them, you should instead scan them with a security program. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the ransomware prevention tips given in the forum section.

Rans0mLocked Ransomware – In-Depth

The Rans0mLocked ransomware is a cryptovirus, which abuses PowerShell a lot. The intention of the ransomware authors was probably to launch another process of “powershell.exe” instead of running it multiple times and making a system’s resources used. See the proof below in a screenshot of the Task Manager:

After the Rans0mLocked ransomware encrypts your files, it will place the .owned extension to every one of them. Then, a ransom note will be displayed with payment instructions.

The Rans0mLocked ransomware could make new registry entries in the Windows Registry to achieve a higher level of persistence. Those entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, like in the example provided below, such as the example given here:


The ransom message will be placed inside your PC. The following window will pop up:

This is what the ransom message with instructions reads:

Your computer has been locked
Hello, your computer has been blocked to unblock it please follow the instructions –
– step 1 make you on https://www.coinbase.com/signup
– Sign up – buy (0.1 Bitcoins)
– Send the amount has shown bitcoin address
Click the button “How to use bitcoin?” to see a mote advanced guide.
Once the payment is done, click the button “Check”
button “Check”
button “How to use bitcoin?”

The Rans0mLocked virus demands a ransom of 0.1 Bitcoins which is the equivalent of 161 US dollars. However, you should NOT pay those crooks under any circumstances. Financially supporting the cybercriminals does not guarantee that you will restore your data back to normal and that might motivate them to make more viruses.

Rans0mLocked Ransomware – Encryption Process

No official list exists with file extensions that the Rans0mLocked ransomware seeks to encrypt and the article will be updated if such a list is found. All files which get encrypted will receive the .owned extension appended to them. The following files are most likely to get encrypted, as they are the most commonly used ones on the Windows OS:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

The Rans0mLocked cryptovirus is highly likely to delete all Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

In case the command pointed out above is executed from the Windows Command Prompt, that will make the encryption process more efficient. Malware researchers state that they have found no flaws in the encryption, so decryption may not be possible at all, unless the ransomware developers themselves don’t release a decryptor or a master key. Keep reading to see what methods you can try out to potentially restore some of your data.

Remove Rans0mLocked Ransomware and Restore .Owned Files

If your computer got infected with the Rans0mLocked ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share