This article will help you remove the Evil Lock virus completely. Follow the ransomware removal instructions given at the end of this article.
Evil Lock Virus is a new version of the Evil ransomware. This time, your files will get encrypted and receive the .evillock extension. Afterward, the Evil cryptovirus puts files with a ransom message on your PC, and some of them are placed on your Desktop. Read on to see which methods you can try to potentially restore some of your files.
|Short Description|The ransomware encrypts files on your computer and displays a ransom message afterward.|
|Symptoms|The ransomware will encrypt your files and put the .evillock extension on each of them.|
|Distribution Method|Spam Emails, Email Attachments|
Evil Lock Virus – Distribution Methods
Evil Lock ransomware might also distribute its payload file through social media sites and file-sharing services. Freeware applications found on the Internet can be presented as beneficial but could also be hiding the malicious script for this cryptovirus. Do not open files right after you download them, especially if they come from suspicious sources, such as links and e-mails. First, scan the files with a security tool, and check their size and signatures for anything that seems out of place. You should read the ransomware prevention tips in the forum section.
Evil Lock Virus – Detailed Description
Evil Lock Virus is also a cryptovirus and the new variant of the Evil ransomware. The new iteration of the virus has changes in the ransom note and puts a different extension on encrypted files. It encrypts files on your computer and appends the .evillock extension to them when the process finishes.
Evil ransomware creates the following files on an infected system:
The last file written above contains a list with the file that the ransomware has encrypted and is located in the following directory:
Evil Lock ransomware could make entries in the Windows Registry aiming to achieve a high level of persistence. Such registry entries are typically designed in a way that will keep the virus automatically starting with each boot of the Windows Operating System.
The ransom note appears right after the encryption process is finished. The note provides the demands of the cyber criminals, such as the ransom price, along with all other instructions for decrypting your files. The note is contained in a file called HOW_TO_DECRYPT_YOUR_FILES.html which is copied to your desktop. A .txt file containing the same text is also created and put inside your disk drives. You can preview how the ransom note looks from the picture below:
That ransom note reads the following:
Your UID: [Redacted] As you can see some of your files have been encrypted!
Encryption was made using a unique strongest AES key.
If you want restore your files you need to BUY the key, it costs 0.3 BTC.
Send me your ID to [email protected]
Just google how to buy bitcoins in your country. You have only 3 days to deadline!
After, your key will be deleted!
List of encrypted files
P.S. I can decrypt one encrypted file as evidence that there is decrypt
The developers of the Evil Lock virus have clearly stated their demands in the ransom note. The e-mail suggests that they want people to believe that Kazakhstan is the source of this malware. The cybercriminals claim that they will decrypt your files if you pay, but that may not be the case. Once they receive your money, they may want you to pay more or never even contact you. You should NOT under any circumstances pay them. Your files might not get restored, and nothing can guarantee that. In addition, giving money to the criminals will most likely just motivate them to continue doing criminal acts.
Here you can see the full list with file extensions that the Evil Lock ransomware seeks to encrypt.
→.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .certs, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .dwg, .dxf, .dxg, .eps, .erf, .img, .indd, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .psd, .pst, .ptx, .pub, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sr2, .srf, .srw, .wb2, .wpd, .wps, .x3f, .xlk, .xls
All of the files that become encrypted will receive the same extension appended to each one of them, which is .evillock. The encryption algorithm that is utilized is AES, or at least that is what is stated inside the ransom note message.
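The indicators described above (the appended .evillock extension, the HOW_TO_DECRYPT_YOUR_FILES.html note and the targeted extension list) are enough to triage a drive. The script below is an added example, not part of the original article or any vendor tool; the function names and the sample file tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".evillock"
NOTE_NAME = "how_to_decrypt_your_files.html"
TARGETED = set("""
.3fr .accdb .ai .arw .bay .cdr .cer .certs .cr2 .crt .crw .dbf .dcr .der .dng .doc
.dwg .dxf .dxg .eps .erf .img .indd .jpg .kdc .mdb .mdf .mef .mrw .nef .nrw .odb
.odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pdd .pef .pem .pfx .ppt .psd .pst
.ptx .pub .r3d .raf .raw .rtf .rw2 .rwl .sr2 .srf .srw .wb2 .wpd .wps .x3f .xlk .xls
""".split())

def triage(root):
    """Walk root and classify every file using the indicators above."""
    report = {"encrypted": [], "notes": [], "untouched": [], "by_type": Counter()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                # The extension is appended, so stripping it gives the original name.
                original = lower[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1]
                report["encrypted"].append(path)
                report["by_type"][ext or "(none)"] += 1
            elif lower == NOTE_NAME:
                report["notes"].append(path)
            elif os.path.splitext(lower)[1] in TARGETED:
                # Targeted file type that is still intact: copy it off the machine first.
                report["untouched"].append(path)
    return report

def build_sample_tree(root):
    """Create a constructed sample tree (empty files, not real victim data)."""
    for rel in ["docs/report.doc.evillock", "docs/budget.xls.evillock",
                "pics/cat.jpg", "HOW_TO_DECRYPT_YOUR_FILES.html", "notes/todo.md"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print(len(result["encrypted"]), "encrypted,", dict(result["by_type"]))
        print("still intact:", result["untouched"])
```

On a real system, point `triage()` at a mounted copy of the affected drive rather than at the live, still-infected installation.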
The Evil Lock cryptovirus is likely to erase the Shadow Copies from the Windows operating system by using the following command:
→vssadmin.exe delete shadows /all /Quiet
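The shadow copy deletion command above is a useful detection point in process-creation logs. The following is an added example, not taken from the article or from any product; the event records are constructed, and the matching tolerates case changes, a full path to the executable and a `cmd.exe /c` wrapper.

```python
import ntpath

# Constructed process-creation records: (host, command line).
SAMPLE_EVENTS = [
    ("WS-01", r"vssadmin.exe delete shadows /all /Quiet"),
    ("WS-02", r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE Delete Shadows /All /quiet"'),
    ("WS-03", r"vssadmin list shadows"),
    ("WS-04", r"powershell.exe Get-Date"),
]

def shadow_delete_args(cmdline):
    """Return the flags passed to 'vssadmin delete shadows', or None if absent."""
    # Dropping quotes lets a command wrapped by cmd.exe /c "..." tokenize normally.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        # ntpath.basename handles both a bare image name and a full Windows path.
        if ntpath.basename(tok) in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            if args[:2] == ["delete", "shadows"]:
                return args[2:]
    return None

def scan(events):
    """Return one alert per event that deletes shadow copies."""
    hits = []
    for host, cmdline in events:
        flags = shadow_delete_args(cmdline)
        if flags is not None:
            hits.append({
                "host": host,
                "all": "/all" in flags,      # every shadow copy is targeted
                "quiet": "/quiet" in flags,  # no confirmation prompt shown
                "cmdline": cmdline,
            })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], "deleted shadow copies:", hit["cmdline"])
```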
Read on to find out which methods you can try to potentially restore your files.
Remove Evil Lock Virus and Restore .evillock Files
If your computer got infected with the Evil Lock ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.