This article aims to help you remove iLock ransomware virus from your PC and hopefully restore some of your encrypted files.
The iLock ransomware, previously spotted in 2016 has returned with a new version. Being one of the first ransomware viruses that are themed in an Anonymous style, the virus aims to intimidate the user by dropping a WARNING-OPEN-ME.txt where the the virus asks the user to pay a hefty ransom fee in order to decrypt the encrypted files. Despite this being the case and the TOR payment page reported to not be working, malware researchers advise not to pay any ransom and instead remove iLock yourself and try to restore the files. Keep reading to learn more about iLock ransomware and learn how to eliminate it plus try and
get the files back.
Threat Summary
| Name | iLock |
| Type | Ransomware |
| Short Description | The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. |
| Symptoms | The user may witness ransom notes and “instructions” linking to a web page and a decryptor. Files are no longer openable. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool |
See If Your System Has Been Affected by iLock
Download Malware Removal Tool |
| User Experience | Join our forum to Discuss iLock. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
How Does The iLock Virus Spread
In order to cause an infection, the cyber-criminals behind the iLock threat may have used an advanced spamming kit, which is basically a mixture of tools to successfully spam different types of phishing e-mails across computers worldwide. The tools included may be:
- A list of e-mail accounts that are not blocked by spam filters and are tested for e-mail attachments being sent.
- A list of distribution malware, like exploit kits’, obfuscators and documents with malicious macros.
- A pre-set list of socially engineered e-mails that may copycat original e-mails from FedEx, Amazon, E-bay, a bank, AliExpress plus many other well-known websites and services. This is created to hook the user into opening the attachment.
All of these tools combined with multiple online servers that conduct the spamming may end up increasing the infection rate of the iLock ransomware. Despite that they may work, one of it’s TOR-based web page has been reported on Twitter to not being able to be opened.
iLock Ransomware – Post-Infection
Once the user has opened the malicious attachment, if he does not have sufficient anti-malware protection, the iLock ransomware successfully drops the following file in the %SystemDrive% directory:
→ C:\Users\admin\Documents\Visual Studio 2013\Project\iLock\encrypter\obj\Debug\encrypter.pdb
In addition to this, iLock may also modify the following registry entries to make encrypter.pdb run on system startup:
→HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
After having modified the registry keys, the virus may also delete any backups and shadow copies of the infected computer, using the vssadmin command in administrative mode:
The files encrypter.pdb attacks and scrambles are many. Amongst them are different file types associated with:
- Videos.
- Images.
- Microsoft Office documents.
- Adobe Reader files.
- Database files.
- Files associated with any backups. (backup image files)
- Virtual machine files.
- Other files associated with often used software.
The virus is very careful to skip encrypting important Windows files, since they may damage the whole system. After encryption the virus drops the following ransom note:
The wallpaper on the affected computer is also changed, depending on the language or region:
Remove iLock Virus and Restore The Files
After you have been attacked with this virus, there is not much you can do, but remove it, experts say. The best advisable method for removal is to use an advanced anti-malware tool, such as the one in the instructions below which will also protect your computer in the future as well.
To try and restore the encrypted files, your first deed of the day should be to back them up i.e. create multiple copies on other drives. After this you can feel free to risk them by trying the alternative methods for file decryption, which we have gladly provided in step “2. Restore files encrypted by iLock” below.
Manually delete iLock from your computer
Note! Substantial notification about the iLock threat: Manual removal of iLock requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by iLock on your PC.
Automatically remove iLock by downloading an advanced anti-malware program
1. Install SpyHunter to scan for and remove iLock.
Back up your data to secure it against infections and file encryption by iLock in the future.
STOPZilla Anti Malware
