Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove KillerLocker Virus and Restore .rip Files

stf-killerlocker-ransomware-killer-locker-crypto-virus-ransom-desktop-screen-clown-timer

A ransomware cryptovirus called KillerLocker was recently discovered in the wild. The ransom note it shows is written in Portuguese and gives 48 hours for victims to contact the cybercriminals. The virus states in its ransom message that it uses a 256-bit AES algorithm for encryption. All locked files will get the extension .rip appended to them. To see how to remove the ransomware and how you can try to restore your data, read the article to the end.

Threat Summary

NameKillerLocker
TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware will encrypt your files with an AES 256-bit encryption. Then it will display a ransom note with desktop wallpaper of a clown in it.
SymptomsThe ransomware will display a ransom message in Portuguese and lock files with the .rip extension appended to them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by KillerLocker

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss KillerLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

KillerLocker Virus – Infection Spread

KillerLocker ransomware might infect computers using different spread methods. Spam emails could be spreading its payload file. These types of emails will try to make you believe that something important is attached to that email. In actuality, the attachment will look like a legitimate document or an archived one, but upon opening it, the malicious code inside the file will infect you with the virus.

Looking inside the file, the original name of it is “KillerLocker.exe.” You can see the detections of it on the VirusTotal website:

stf-killerlocker-ransomware-killer-locker-crypto-virus-total-detections-exe

More infection methods for KillerLocker might be at play – ones that use social media sites or file sharing networks, perhaps. The ransomware creator could have put the malicious payload file on similar platforms and use them to infect more unsuspecting users. When you are browsing the Web, try to be more careful. Refrain from opening files in suspicious e-mails, or links for that matter. Scanning files with security software and checking for their signatures and size is always a good idea. You should read some tips for ransomware prevention in our forum topic.

KillerLocker Virus – In Depth

The KillerLocker ransomware virus has been recently found by malware researchers in the wild. It might be a possible variant of the Jigsaw Ransomware as the design of the desktop screen which shows after file decryption is very similar.

After the KillerLocker virus drops its payload file, it can create entries in the Windows Registry so that it can remain persistent. Such entries are set in a way to make the malware start automatically with every boot of the Windows operating system. What happens next is that your files get encrypted, after which the screen with the ransom message shows on your desktop. The whole ransom note is written in Portuguese except a small fraction and contains information about the payment.

stf-killerlocker-ransomware-killer-locker-crypto-virus-ransom-desktop-screen-clown-timer

The original text in Portuguese reads:

Todos os seus arquivos foram criptografados com uma criptografia AES 256 BIT Muito forte. Realize o pagamento em: 000-00 /00 até 48 horas

Key: _______ Decrypt Files

Você não pode fazer nada sobre isso e sua chave serão eliminadas em 48 horas. Arquivos encrypt

A rough translation of that message in English would look like the following:

All your files are encrypted with an AES 256-BIT Very strong. Perform payment: 000-00 /00 to 48 hours

Key: _______ Decrypt Files

You cannot do anything about it and your key will be deleted within 48 hours. Encrypted files count

The KillerLocker ransomware gives you only 48 hours of time to decrypt your data, but no specific amount of Bitcoins or another currency is given. No contact email address is provided in the desktop image either, so the ransomware is either still in development, or there is an additional file somewhere along the encrypted files. Either way, you shouldn’t even be thinking of paying the cybercriminals. Nobody can guarantee that you will recover your files after payment. The crooks will simply use that money to fund a new ransomware project and possibly put some amount aside for other criminal activities.

The following file types will become encrypted:

→.jpg, .pdf, .doc, .docm, .docx, .xls, .xlsm, .xlsx

The encrypted file list is incomplete, but files with the above extensions will surely become locked. Other document and picture file types are probably encrypted. Those are the most important files for a Windows user, so that is only logical. The encrypted files will have the .rip extension appended to them, after their file name. So, a .jpg file won’t be renamed but will become .jpg.rip.

The ransomware uses 256-bit AES encryption algorithm or at least that is stated in the ransom message. The KillerLocker ransomware is very likely to erase all Shadow Volume Copies from the Windows operating system. Read further to see how you can try to restore parts of your data, if not all of it.

Remove KillerLocker Virus and Restore .rip Files

If your computer got infected with the KillerLocker ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by KillerLocker.

Manually delete KillerLocker from your computer

Note! Substantial notification about the KillerLocker threat: Manual removal of KillerLocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove KillerLocker files and objects
2.Find malicious files created by KillerLocker on your PC

Automatically remove KillerLocker by downloading an advanced anti-malware program

1. Remove KillerLocker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by KillerLocker
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.