Remove Evil Ransomware and Restore .fie0locked Files

Remove Evil Ransomware and Restore .fie0locked Files

This article will aid you to remove Evil ransomware effectively. Follow the ransomware removal instructions given at the end of the article.

Evil ransomware is the name of a cryptovirus which is written in JavaScript. Your files will get encrypted and receive the .fie0locked extension when the encryption process is complete. Afterward, the Evil cryptovirus creates files with a ransom message, one of which is placed on your desktop. Read below to check what ways you could try out and see if you can restore your data.

Threat Summary

NameEvil Ransomware
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the .fie0locked extension on each of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Evil Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Evil Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Evil Ransomware – Distribution Tactics

Evil ransomware could be distributed through different tactics. One of the payload files which execute the malicious script for the ransomware that infects your computer system has been spotted by researchers on the Internet. The ransomware also utilizes a JavaScript exploit that sends the OZV Trojan downloader. One of the payload files in question has been uploaded to Payload Security, and you can see an overview here:

Evil ransomware might also be distributing that payload file on social media sites and file-sharing networks. Freeware programs found on the Web can be promoted as beneficial but also could be hiding the malicious script for the cryptovirus. Do not open files when you download them, especially if they come from suspicious sources like links and emails. First, you should scan the files with a security tool, and also do a check on the size and signatures for each of the files for anything unusual. You might want to read the ransomware prevention tips given in the forum section of the site.

Evil Ransomware – In-Depth Analysis

Evil ransomware is also a cryptovirus. The name comes from its ransom note which reveals it as such. The ransomware will encrypt files on your computer machine while appending the .fie0locked extension to them when the process finishes.

Evil ransomware creates the following files on an infected system:

  • background.png
  • list.txt

The last file written above contains a list with the file that the ransomware has encrypted and is located in the directory:


Evil ransomware could make entries in the Windows Registry aiming to achieve persistence. Those registry entries are usually designed in a way that will start the virus automatically with each boot of the Windows Operating System.

The ransom note will appear right after the encryption process is set and done. The note provides the demands of the cyber criminals, such as the ransom price, along with all other instructions and demands for decrypting your files. The note is contained in a file called HOW_TO_DECRYPT_YOUR_FILES.html which is copied to your desktop. A .txt file containing the same text is also created and placed on your disk drives. You can see how the ransom note looks from the below screenshot:

That ransom note reads the following:

Your UID: [Redacted] Its evil ransomware. As you can see some of your files have been encrypted!
Encryption was made using a unique strongest AES key.
If you want restore your files you need to BUY (sorry, nothing personal, its just business) the private key, send me your UID to

The criminals who are behind the Evil virus have put their demands in the ransom note. The email suggests that they want people to believe that the virus originates from Kazakhstan. However, you should NOT in any circumstance pay them. Your files could not get recovered, as nobody could guarantee you that. Moreover, giving money to these criminals will most likely just motivate them further and financially support them.

Down below you can view the full list with file extensions that the Evil ransomware seeks to encrypt.

→.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .certs, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .dwg, .dxf, .dxg, .eps, .erf, .img, .indd, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .psd, .pst, .ptx, .pub, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sr2, .srf, .srw, .wb2, .wpd, .wps, .x3f, .xlk, .xls

All of the files that become encrypted will receive the same extension appended to every one of them, which is .fie0locked. The encryption algorithm that is utilized is AES or at least that is what is suggested by the name of one of the files that infect computers with the ransomware virus.

The Evil cryptovirus is highly likely to erase the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Read further to and find out what kind of ways you can try to potentially restore your files.

Remove Evil Ransomware and Restore .fie0locked Files

If your computer got infected with the Evil ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share