Remove GNL Locker Ransomware and Restore .locked AES-512 Files - How to, Technology and PC Security Forum


A ransomware called GNL Locker (German-Netherlands Locker), which uses the never-before-seen AES-512 encryption algorithm, has been spotted in the wild. The malware encrypts the user's files and adds a .locked file extension to them. It has then been reported to drop several files containing its ransom note, which demands around 200 euros. Since GNL Locker may spread via a Trojan.Downloader, experts advise users to be extremely careful about what they download and which URLs they click. If you have been affected by this ransomware, it is strongly recommended to remove it immediately and to try restoring your files using alternative methods such as the ones posted after this article.

Threat Summary

Name: GNL Locker
Short Description: The ransomware encrypts files and may use the AES-512 cipher. It asks for a ransom of around 200 euros (0.6 BTC) for decryption.
Symptoms: Files are encrypted, given the .locked file extension and become inaccessible. The ransomware drops an "UNLOCK_FILES_INSTRUCTIONS" ransom note.
Distribution Method: Spam emails, email attachments, file sharing networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GNL Locker – How Did I Get Infected

According to affected users, this ransomware infects systems through a malicious .exe file that is reportedly a Trojan.Downloader type of malware. This threat then downloads a malicious .bat file from one of the C&C (Command and Control) servers of the cyber-criminals. However, so far there is no information on how the malware is distributed, whether it uses attachments or malicious URLs, or how the spam is sent out to infect users with GNL Locker.

However, researchers believe that the malicious .exe may pose as the installer of a program posted on suspicious websites. It may also be attached to spam e-mails that imitate different legitimate services, for example:

  • FedEx
  • eBay
  • PayPal
  • Government branches
  • Banking executives
  • Amazon
  • Services or sites the user is registered with

Users who have not yet been infected should avoid spam messages of this kind, or use e-mail software with spam blocking features and an e-mail provider that performs anti-malware checks.

GNL Locker In Detail

Once GNL Locker has been downloaded onto the user's computer, the ransomware (also known as crypto-malware) begins to set up for file encryption. For starters, it may drop malicious modules in the following folders, and those executables, temporary files or DLLs may have random names, for example:

[Image: commonly used file names and folders]

After it does that, similar to TeslaCrypt ransomware, GNL Locker may modify the registry of the infected computer so that it starts automatically when you turn on the infected system and boot Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

GNL Locker – The AES Encryption

After doing so, the ransomware may start the file encryption procedure. It may use a combination of the AES and RSA ciphers or, as the ransomware writers claim in the ransom message, GNL may use the immensely strong AES-512 cipher. Until recently, experts considered AES-512 to be simply too big and too long, and in many cases obsolete, since the size of the key was 512 bits; they found that AES-256 and 192-bit keys were sufficient. However, with recent developments in cryptography, AES-512 has become a more discussed subject in the field. As the researcher Adam Caudill believes, the older algorithms may soon be rendered obsolete if a method for their decryption is discovered (if it hasn't been already).

So the bottom line is that GNL Locker may in fact be the first to use the immensely strong AES-512 key, which is quite interesting. But there is also the other possibility: it may just claim to use it to scare users into paying the ransom. In fact, users who have paid the ransom have stated that they got their files back, which is quite suspicious, because developing ransomware that uses AES-512 and returns the files 100% healthy may be a bit tricky. For it to work successfully, one must use officially proposed encryption process designs whose code and functionality have been tested.

GNL Locker – The Final Stage of Infecting Your PC

Once it has successfully infected your computer, GNL Locker renames your encrypted files with the .locked file extension, just like Locky ransomware, and gives them random names, just like CryptoWall 4.0 ransomware, for example:

→ 1298d12g!!.txt.locked

In addition to that, GNL drops the ransom note. It consists of two files:


The .txt file tells the user to open the HTML ransom document, for example:

→ Open UNLOCK_FILES_INSTRUCTIONS.html with your internet browser to see the instructions.

The HTML document itself has the ransom note that demands money to unlock the files:

→ “Your files are locked / encrypted
You can unlock your files by paying requested amount{amount usually around 200 Euros}
All your important files are encrypted using an unique 32 characters AES-512 ({for some variants 256}) password. (it will take a computer over a billion years to crack this password.
Lucky for you it is possible to get all your files back!
In order to unlock your files you will have to purchase the private password for this computer For more information navigate to your personal unlocking page below.
Warning! You must pay the specified amount before {Deadline date} or the amount you have to pay will TRIPLE!
Important information
Your UID: {unique identification number}
Use one of the links below to pay and receive instructions for unlocking your files.
{three tor web links}
If none of the above websites work follow the steps below.
1.Download the Tor Browser Bundle
2.Start the Tor Browser Bundle
3.Enter {tor web link} in the website address bar of the Tor Browser Bundle.”

Not only this, but the malware is difficult to track, because it may use different encryption strengths, such as AES-256 on some computers and 512 on others, as infected users on the BleepingComputer forums have reported.
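The file-system symptoms described above (the appended .locked extension and the UNLOCK_FILES_INSTRUCTIONS note) can be checked with a read-only triage script. This is an added example, not part of the original article; the `.txt`/`.html` note file names are assumed from the note's base name, and all sample files other than the article's `1298d12g!!.txt.locked` are constructed.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: the appended extension and the note's base name.
LOCKED_EXT = ".locked"
NOTE_STEM = "UNLOCK_FILES_INSTRUCTIONS"

def triage(root):
    """Walk root (read-only) and summarise GNL Locker file-system indicators."""
    locked, notes, orig_types = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(LOCKED_EXT):
                locked.append(path)
                # "report.docx.locked" -> ".docx": shows which data types were hit
                inner = Path(name[: -len(LOCKED_EXT)]).suffix.lower()
                orig_types[inner or "(none)"] += 1
            elif Path(name).stem.upper() == NOTE_STEM:
                notes.append(path)
    # Directories containing encrypted files tell you what to restore from backup
    dirs_hit = sorted({str(p.parent) for p in locked})
    return {"locked": locked, "notes": notes,
            "original_types": dict(orig_types), "dirs_hit": dirs_hit}

def build_sample_tree(root):
    """Constructed sample data: empty files named like the article's examples."""
    names = ["docs/1298d12g!!.txt.locked", "docs/a81kd0.docx.locked",
             "docs/UNLOCK_FILES_INSTRUCTIONS.txt",    # assumed note file name
             "docs/UNLOCK_FILES_INSTRUCTIONS.html",   # assumed note file name
             "pics/holiday.jpg", "pics/zz91x.jpg.locked"]
    for rel in names:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()

def demo():
    """Run the triage over the constructed tree and return the summary counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = triage(tmp)
        return (len(r["locked"]), len(r["notes"]),
                r["original_types"], len(r["dirs_hit"]))

if __name__ == "__main__":
    print(demo())
```

Pointing `triage()` at a user profile or file share gives the list of affected directories to compare against available backups or Shadow Copies before anything is cleaned up.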

GNL Locker – Conclusion, Removal, and File Restoration Alternatives

The bottom line is that this appears to be a sophisticated ransomware, and it is most likely part of a RaaS ("ransomware as a service") scheme, because different variants of it exist, demanding different payments and claiming to use different ciphers. This suggests that GNL Ransomware may have been sold on deep web black markets.

The best way to get rid of this ransomware is to isolate it in safe mode. This is why we have provided instructions below, which you can follow and which may help you to get rid of this threat permanently.

If you want to decrypt your files, however, we have to note that a direct decryptor has not currently been released. This is due to the uniqueness of the keys being used. The only realistic options to get all your files back are to (i) wait for researchers to discover a flaw in the code of the virus itself (we will post an update here) or (ii) try the alternative methods for file restoration ("Restore files encrypted by GNL Locker" below) that may restore even a small portion of your files. They include using Shadow Copies in case you have a backup set up on your Windows device, using file restoration software, and the technical option of sniffing out information about the encryption.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
