Remove iLock Ransomware and Restore AES-256 Encypted Files - How to, Technology and PC Security Forum |

Remove iLock Ransomware and Restore AES-256 Encypted Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article aims to help you remove iLock ransomware virus from your PC and hopefully restore some of your encrypted files.

The iLock ransomware, previously spotted in 2016 has returned with a new version. Being one of the first ransomware viruses that are themed in an Anonymous style, the virus aims to intimidate the user by dropping a WARNING-OPEN-ME.txt where the the virus asks the user to pay a hefty ransom fee in order to decrypt the encrypted files. Despite this being the case and the TOR payment page reported to not be working, malware researchers advise not to pay any ransom and instead remove iLock yourself and try to restore the files. Keep reading to learn more about iLock ransomware and learn how to eliminate it plus try and
get the files back.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor. Files are no longer openable.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by iLock


Malware Removal Tool

User ExperienceJoin our forum to Discuss iLock.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does The iLock Virus Spread

In order to cause an infection, the cyber-criminals behind the iLock threat may have used an advanced spamming kit, which is basically a mixture of tools to successfully spam different types of phishing e-mails across computers worldwide. The tools included may be:

  • A list of e-mail accounts that are not blocked by spam filters and are tested for e-mail attachments being sent.
  • A list of distribution malware, like exploit kits’, obfuscators and documents with malicious macros.
  • A pre-set list of socially engineered e-mails that may copycat original e-mails from FedEx, Amazon, E-bay, a bank, AliExpress plus many other well-known websites and services. This is created to hook the user into opening the attachment.

All of these tools combined with multiple online servers that conduct the spamming may end up increasing the infection rate of the iLock ransomware. Despite that they may work, one of it’s TOR-based web page has been reported on Twitter to not being able to be opened.

iLock Ransomware – Post-Infection

Once the user has opened the malicious attachment, if he does not have sufficient anti-malware protection, the iLock ransomware successfully drops the following file in the %SystemDrive% directory:

C:\Users\admin\Documents\Visual Studio 2013\Project\iLock\encrypter\obj\Debug\encrypter.pdb

In addition to this, iLock may also modify the following registry entries to make encrypter.pdb run on system startup:


After having modified the registry keys, the virus may also delete any backups and shadow copies of the infected computer, using the vssadmin command in administrative mode:

The files encrypter.pdb attacks and scrambles are many. Amongst them are different file types associated with:

  • Videos.
  • Images.
  • Microsoft Office documents.
  • Adobe Reader files.
  • Database files.
  • Files associated with any backups. (backup image files)
  • Virtual machine files.
  • Other files associated with often used software.

The virus is very careful to skip encrypting important Windows files, since they may damage the whole system. After encryption the virus drops the following ransom note:

The wallpaper on the affected computer is also changed, depending on the language or region:

Remove iLock Virus and Restore The Files

After you have been attacked with this virus, there is not much you can do, but remove it, experts say. The best advisable method for removal is to use an advanced anti-malware tool, such as the one in the instructions below which will also protect your computer in the future as well.

To try and restore the encrypted files, your first deed of the day should be to back them up i.e. create multiple copies on other drives. After this you can feel free to risk them by trying the alternative methods for file decryption, which we have gladly provided in step “2. Restore files encrypted by iLock” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share