Remove FilesL0cker RAN$OMWARE (.locked Extension)


This article provides specific details on FilesL0cker RAN$OMWARE. It also includes a step-by-step guide to removing all currently running malicious files from the system. Since your data is of paramount importance, we have included alternative recovery approaches that could potentially restore .locked files.

FilesL0cker RAN$OMWARE is a crypto virus that encrypts all important files with a strong cipher algorithm and demands a ransom payment for their decryption. A trait of all encrypted files is the specific extension .locked appended to their names. As revealed by security experts, the ransomware primarily targets English- and Chinese-speaking users. At this point, hackers demand a ransom of 0.18 BTC in order to provide the decryption key. The extortion relies on a ransom message contained in the file #DECRYPT MY FILES#.txt. If you are a victim of this ransomware, this article will show you how to remove it and potentially restore encrypted files.

Threat Summary

Name: FilesL0cker RAN$OMWARE
Type: Ransomware, Cryptovirus
Short Description: A ransomware virus that aims to evade detection and encrypt files stored on the infected computer. It enables hackers to demand a ransom for a decryption solution.
Symptoms: Important files are locked and renamed with the .locked extension. They remain unusable and a ransom of 0.18 BTC is demanded.
Distribution Method: Spam Emails, Email Attachments

FilesL0cker RAN$OMWARE – Distribution

As reported by security researchers, active attack campaigns are currently spreading FilesL0cker RAN$OMWARE primarily across English- and Chinese-speaking countries. However, its distribution campaigns could be set against users worldwide. The infection payload of this ransomware, like many others, may be spread with the help of malspam e-mail campaigns. E-mails used for malicious purposes usually contain one or more of the following components:

  • A link that lands on a compromised web page set to download and execute the infection file directly on the PC.
  • A malicious file attachment masked as a legitimate document and packed in a .rar or .zip archive. Such a file could be set to evade detection and in this way trick you into allowing the ransomware to start on your PC.

In addition, fake software installers, fake update notifications, compromised software setups, files shared on forums and other techniques may download and activate the ransomware module.

Skype viruses may also be part of the distribution scheme of this FilesLocker ransomware. By exploiting security flaws in the software, hackers could deliver their malicious code directly through this channel.

FilesL0cker RAN$OMWARE – Infection Overview

For the infection to begin, FilesL0cker RAN$OMWARE needs to start its payload on the system. The file is called Windows Update.exe, and its purpose is to trigger a sequence of malicious actions that enable the ransomware to reach the encryption stage.
The impacts caused by this ransomware could include heavy modifications of system settings, registry changes and manipulation of various legitimate processes. To complete the attack, FilesL0cker RAN$OMWARE needs to generate or drop additional malicious files in addition to the payload. It may store these files in some important system folders, among which are:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%

When predefined registry keys are affected, the ransomware can run its malicious files on each system start, which in turn enables it to encrypt all newly created files. The affected sub-keys are usually Run and RunOnce, as they manage the automatic execution of files and processes when the system loads. The ransomware compromises them by adding values associated with its harmful files.
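A way to review those sub-keys on a suspect machine, written as an added example that is not part of the original article: it flags Run and RunOnce values whose executable is named Windows Update.exe or sits in the AppData and Temp folders listed above. The function names and the exact path fragments matched are assumptions made for this sketch.

```python
import ntpath

# Path fragments for the user-writable folders the article lists (assumed spellings).
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")
PAYLOAD_NAME = "windows update.exe"  # payload file name given in the article
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")  # unquoted: keep paths that contain spaces
    return command[: end + 4] if end != -1 else command.split(" ", 1)[0]

def flag_autoruns(entries):
    """Return (key, name, command, reasons) for values that need manual review."""
    findings = []
    for key, name, command in entries:
        path = image_path(command)
        reasons = []
        if ntpath.basename(path).lower() == PAYLOAD_NAME:
            reasons.append("payload file name")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("runs from user-writable folder")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings

def read_run_keys():
    """Windows only: collect Run/RunOnce values from HKCU and HKLM."""
    import winreg
    hives = ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
    entries = []
    for hive, hive_name in hives:
        for sub in (RUN_KEY, RUN_KEY + "Once"):
            try:
                with winreg.OpenKey(hive, sub) as k:
                    for i in range(winreg.QueryInfoKey(k)[1]):
                        name, value, _ = winreg.EnumValue(k, i)
                        entries.append((f"{hive_name}\\{sub}", name, str(value)))
            except OSError:
                continue  # key missing or not readable
    return entries

if __name__ == "__main__":  # run on the affected Windows host
    for finding in flag_autoruns(read_run_keys()):
        print(finding)
```

Legitimate software also starts from AppData, so a flagged value is a candidate for inspection, not proof of infection.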

For instance, the final stage, when FilesL0cker RAN$OMWARE informs victims about its presence, is realized by manipulating the functionality of the RunOnce sub-key. Certain values support the display of its ransom note on the screen. Below you can see more details about the ransom note.

How it looks:

[Image: FilesL0cker RAN$OMWARE ransom note, English and Chinese]

What it states:

All your important files have been encrypted!
If you understand the importance of the situation
Please read the “#DECRYPT MY FILES#.txt” on the desktop to contact us

The message presented by this note is also shown in Chinese. The indicated file #DECRYPT MY FILES#.txt contains the following message:

FilesL0cker RAN$OMWARE
All your important files(database,documents,images,videos,music,etc.)have been encrypted!and only we can decrypt!
To decrypt your files,follow these steps:
1.Buy 0.18 Bitcoin
2.Send 0.18 Bitcoin to the payment address
3.Email your ID to us,after verification,we will create a decryption tool for you.
Email:[email protected]
Your ID:_

In addition, FilesLocker ransomware could open a notification window to present the following information:

All your important files have been encrypted!
If you understand the importance of the situation
Please read the “#DECRYPT MY FILES#.txt” on the desktop to contact us
All your important files are encrypted!
#What happened?
All your important files(database, documents, images, videos, music, etc.)have been encrypted!and only we can decrypt!
To decrypt your files, you need to buy the decryption key from us. We are the only one who can decrypt the file for you.
Trying to reinstall the system and decrypting the file with a third-party tool will result in file corruption,which means no one can decrypt your file.(including us), if you still try to decrypt the file yourself, you do so at your own risk!
#Test decryption
As a proof,you can email us 3 files to decrypt,and we will send you the recovered files to prove that we can decrypt your files.
#How to decrypt
1. Buy 0.18 Bitcoin
2. Send 0.18 Bitcoin to the payment address
3. Email your ID to us, after verification, we will create a decryption tool for you.
Remember, bad things have happened, now look at your determination and action!
Your ID


We advise you to refrain from following these instructions, as your files could still be corrupted and useless even after you pay the hackers the demanded ransom of 0.18 BTC.

FilesL0cker RAN$OMWARE – Encryption Process

Soon after all needed system modifications are made, the crypto virus FilesLocker continues with the main infection stage – data encryption. For it, the ransomware scans predefined system drives for commonly used types of files and applies a strong cipher algorithm to them. Each time it detects a match, it performs an encoding process that leaves the file out of order.

The types of files that may be encrypted by FilesLocker ransomware include your:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Corrupted files could be recognized by the extension .locked that is appended to their original names.

Remove FilesL0cker RAN$OMWARE and Restore .locked Files

Below you can find a step-by-step removal guide that could be helpful in attempting to remove FilesL0cker RAN$OMWARE. Since the manual removal approach demands a bit of technical knowledge and experience with recognizing malicious traits, the guide provides an automatic approach as well. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system, which in turn limits its regular and secure usage. So let’s begin with the removal.

Unfortunately, at this point, there is no evidence of any free decryption tool that works for this ransomware. The good news is that there are some alternative data recovery methods that may be helpful in restoring .locked files. So make sure to get familiar with the details listed under our “Restore Files” step. Beware that before beginning a recovery process you should back up all encrypted files to an external drive and this way prevent their irreversible loss.
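The backup step can be scripted. The following added example, which is not part of the original article, inventories .locked files and copies of #DECRYPT MY FILES#.txt (the note carries the victim ID) under a folder and copies them to a backup location with hash verification. The function names are assumptions, and the destination is assumed to be on an external drive outside the scanned folder.

```python
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".locked"           # extension named in the article
NOTE_NAME = "#DECRYPT MY FILES#.txt"   # ransom note file named in the article

def sha256(path):
    """Hash a file in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Return (encrypted_files, ransom_notes) found under root."""
    encrypted, notes = [], []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        if p.name.lower().endswith(ENCRYPTED_SUFFIX):
            encrypted.append(p)
        elif p.name.lower() == NOTE_NAME.lower():
            notes.append(p)
    return sorted(encrypted), sorted(notes)

def backup(root, dest):
    """Copy encrypted files and notes to dest, keeping relative paths.

    Returns a manifest {relative_path: sha256}. A copy whose hash differs
    from its source raises, so a bad backup is never silently accepted.
    """
    root, dest = Path(root), Path(dest)
    encrypted, notes = inventory(root)
    manifest = {}
    for src in encrypted + notes:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)      # copy only; originals stay untouched
        digest = sha256(src)
        if sha256(target) != digest:
            raise OSError(f"copy verification failed for {rel}")
        manifest[rel.as_posix()] = digest
    return manifest
```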

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
