This article provides removal instructions of koreanLocker ransomware as well as alternative data recovery methods for .locked files.
KoreanLocker ransomware uses strong cipher algorithms to encrypt target files and renders them out of order. Then it appends the extension .locked to all corrupted files. Another trait of KoreanLocker ransomware is the ransom note file README.txt dropped on the infected host. As the note is written in Korean, it is believed that the threat attacks primarily users who speak the language. Its primary aim is to extort a ransom payment from victims. The transfer of 1 BTC (currently $14,686) ransom is demanded to be transferred to a predefined address within 24 hours.
Threat Summary
| Name | koreanLocker |
| Type | Ransomware, Cryptovirus |
| Short Description | Aims to encrypt particular files that store imortant information and demands a ransom for their decryption. |
| Symptoms | The ransomware appends the .locked file extension to the corrupted files. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
User Experience | Join Our Forum to Discuss koreanLocker. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
koreanLocker Ransomware – Delivery Ways
The analyses of koreanLocker ransomware infection reveal that it is triggered by an executable file called hidden-tear.exe. There are several methods that hackers may use to drop the file on the system. The most preferred are believed to be spam emails disguised as important messages sent by bank organizations, popular websites and even governmental entities. In general, such emails are trying to convince you to download an attached file and open it as soon as possible because it contains important information. The attachments as you may guess carry out the malicious script that causes koreanLocker ransomware infection.
The hackers may also inject the file hidden-tear.exe on various web pages and set them to initiate an automatic download whenever a user lands on that page. The links of the corrupted pages may be posted as hyperlinks in an email message, send on popular social media channels or used for malvertising.
koreanLocker Ransomware – More Information
As koreanLocker ransomware may need additional components to fulfill the infection it may establish a connection with its command and control server and then drop more malicious files. Some of the files can serve it to gather system-related information and keep a record of it on its server. The crooks may use the data to deliver other malware and obtain valuable information about you.
The folders that may contain malicious files related to koreanLocker ransomware are:
- %Temp%
- %Windows%
- %AppData%
- %Roaming%
- %User’s Profile%
The registry sub-keys that control the execution of all essential system processes may also be compromised by the ransomware. By adding new values in them it can assure the execution of its own malicious files whenever the operating system is powered on. Furthermore, the functionalities of the Run and RunOnce registry keys are likely to be used for the ransom note as it should appear on the PC screen at the end of the infection. Below you can see the exact location of these keys:
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
The ransom note is dropped on the Desktop in a text file called README.txt. The content in it is written in Korean. The entire message reads the following:
—————— koreanLocker Ransomware ——————
당신의 컴퓨터가 랜섬웨어에 감염되었습니다
당신의 개인적 파일, 예를들어 사진, 문서, 비디오 외 다른 중요한 문서들이 RSA-2048이란 강력한 암호화 알고림즘을 이용하여 암호화 되었습니다
당신의 개인키는 우리의 서버에 생성되어 저장되었습니다
그렇게되면 그 누구도 당신의 파일을 영원히 복호화 할 수 없습니다
그리고 장담하건데 개인키가 없이는 절대 복호화가 이루어지지 않습니다
다시한번 말하지만 비트코인을 지불하는것 외해 복호화 할 수 있는 방법은 존재하지 않습니다
당신에게 할당된 비트코인 주소를 반드시 확인하세요. 한글자라도 틀리게 입력하여 보내시면 복구가 되지 않고 당신의 비트코인은 사라지게됩니다
당신은 ’24시간’안에 지불하셔야합니다
당신의 개인ID(personal ID)를 반드시 확인하세요
만약 그 시간안에 지불하지 않으면 당신의 개인키는 자동적으로 우리의 서버에서 지워지게됩니다
명심하세요
비트코인 주소:1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
비트코인 지갑을 생성하시고 우리의 비트코인 주소로 1비트코인(1BTC)를 보내주시면 됩니다.
세가지 스텝을 따라 당신의 파일을 복구하세요
시간을 낭비하시지 마세요
암호화된 파일들이 속한 폴더 안의 설명 문서 (.txt)는 바이러스가 아닙니다 설명 문서 (.txt)가 파일들의 암호 해독을 도와드릴 것입니다.
암호화된 파일들이 속한 폴더에서 파일 복원에 관한 설명 문서 (.txt)를 보실 수 있습니다
우리는 착한사람들은 아닙니다. 하지만 이야기한 부분에 있어서는 반드시 지킵니다
최악의 상황은 이미 발생했으며 앞으로 파일들의 운명은 귀하의 판단과 빠른 조치에 달려있음을 명심하시기 바랍니다
추가정보:
1).지불은 비트코인 만으로만 가능합니다. 따라서 1비트코인(1BTC)를 비트코인 거래소를 통하여 구매하세요. 그 후 화면(랜섬노트)비트코인 주소(Bitcoin Address)로 1비트코인(1BTC)를 송금하세요
2).당신의 개인 ID(Personal ID)를 아래의 공식 메일주소로 보내주세요
3).지불을 완료하시고 메일을 보내시주시면 당일의 메일로 복호화툴과 개인키를 보내드립니다
4) 비트코인을 송금하시고 메일로 개인ID(Personal ID)를 코리아 공식메일 주소로 보내주세요
***
개인키(Private Key)는 당신의 파일을 복호화하여 복구하는데 아주 중요한 키 입니다
공개키(Public key)는 당신의 파일을 암호화하는데 사용되었습니다
공식주소: www.bithumb.com
공식주소: www.coinone.com
공식주소: www.localbitcoins.com
암호화된 파일들이 속한 폴더 안의 설명 문서 (.txt)는 바이러스가 아닙니다 설명 문서 (.txt)가 파일들의 암호 해독을 도와드릴 것입니다.
비트코인 주소:1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Officail Mail: powerhacker03@hotmail.com
***
Best Regards
Korean Ransomware Team
—————— koreanLocker Ransomware ——————
With the help of a translation tool, it gets clear that in English the message reads:
—————— koreanLocker Ransomware ——————
Your computer is infected with Ransomware
Your personal files, such as photos, documents, videos and other important documents, are encrypted using strong encryption algorithms called RSA-2048
Your private key is created and stored on our server
No one can decrypt your files forever.
And I guarantee you will never be able to decrypt without a private key.
Again, there is no way to pay for a bit coin and decode it
Be sure to check the bit coin address assigned to you. If you send it wrong, it will not be recovered and your bit coin will disappear
You have to pay in ’24 hours’
Be sure to check your personal ID
If you do not pay within that time, your private key will be automatically deleted from our server
Please keep in mind
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Create a bit coin purse and send us a bit coin (1BTC) to our bit coin address.
Follow the three steps to restore your files
Do not waste your time.
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus Explanation document (.txt) will help you decrypt the files.
You can see a document (.txt) about restoring files in the folder where the encrypted files belong
We are not good people. But in a part of the story,
Please note that the worst has already happened and that the fate of the files will depend on your judgment and quick action.
Additional information:
1) Payment is only possible with bit coin. Therefore, please purchase 1-bit coin (1BTC) through BITC. Then transfer the 1-bit coin (1BTC) to the screen (Random Note) bitcoin address
Please send your personal ID to the official e – mail address below.
3) .Please complete the payment and send us an e-mail, and we will send your decryption tool and private key to the e-mail of the day
4) Please send a bit coin and mail your personal ID to Korea official e-mail address.
***
Private key is the key to decrypting and recovering your files
The public key was used to encrypt your file
Official address: www.bithumb.com
Official address: www.coinone.com
Official address: www.localbitcoins.com
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus Explanation document (.txt) will help you decrypt the files.
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Officail Mail: powerhacker03@hotmail.com
***
Best Regards
Korean Ransomware Team
—————— koreanLocker Ransomware ——————
The message uses emotional triggers hoping that more infected users will pay the ransom immediately. However, it is better to disbelieve what hackers state and try to overcome the threat by yourself. Otherwise, you risk losing both your .locked files and an amount of $14,686.
koreanLocker Ransomware – Encryption Process
The primary aim of koreanLocker ransomware is to locate all target files and modify their original code with the help of strong cipher algorithm. Afterward, it appends the extension .locked to all of them and renders them useless. Being a Hidden Tear variant the koreanLocker ransomware is likely to encrypt the following types of files:
→.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .hwp, .pdf, .php, .asp, .aspx, .html, .xml, and .psd
In addition, koreanLocker crypto virus is likely to delete the Shadow Volume Copies stored on the system and eliminate one of the possible wat to recover .locked files. This can happen after the following command is entered in the CommandPrompt:
→vssadmin.exe delete shadows /all /Quiet
Remove koreanLocker Ransomware and Restore .locked Files
To remove koreanLocker ransomware you can follow the step-by-step removal guide provided below. The guide provides help for the removal of all malicious files and objects associated with koreanLocker ransomware. Due to the complexity of ransomware code, security specialists always recommended the help of an anti-malware tool. Such a tool will easily locate all ransomware files so you can then delete them with a few mouse clicks.
Before you continue with the recovery step make sure to back up all corrupted .locked files and keep them on an external drive.
Gergana Ivanova
Highly motivated writer with 5+ years of experience writing for ransomware, malware, adware, PUPs, and other cybersecurity-related issues. As a writer, I strive to create content that is based on thorough technical research. I find joy in the process of creating articles that are easy to understand, informative, and useful. Follow me on Twitter (@IRGergana) for the latest in the field of computer, mobile, and online security.
Follow Me:
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
Step 1: Scan for koreanLocker with SpyHunter Anti-Malware Tool
Ransomware Automatic Removal - Video Guide
Step 2: Uninstall koreanLocker and related malware from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Follow the instructions above and you will successfully delete most unwanted and malicious programs.
Step 3: Clean any registries, created by koreanLocker on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by koreanLocker there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Step 4: Boot Your PC In Safe Mode to isolate and remove koreanLocker
Step 5: Try to Restore Files Encrypted by koreanLocker.
Method 1: Use STOP Decrypter by Emsisoft.
Not all variants of this ransomware can be decrypted for free, but we have added the decryptor used by researchers that is often updated with the variants which become eventually decrypted. You can try and decrypt your files using the instructions below, but if they do not work, then unfortunately your variant of the ransomware virus is not decryptable.
Follow the instructions below to use the Emsisoft decrypter and decrypt your files for free. You can download the Emsisoft decryption tool linked here and then follow the steps provided below:
1 Right-click on the decrypter and click on Run as Administrator as shown below:
2. Agree with the license terms:
3. Click on "Add Folder" and then add the folders where you want files decrypted as shown underneath:
4. Click on "Decrypt" and wait for your files to be decoded.
Note: Credit for the decryptor goes to Emsisoft researchers who have made the breakthrough with this virus.
Method 2: Use data recovery software
Ransomware infections and koreanLocker aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
Simply click on the link and on the website menus on the top, choose Data Recovery - Data Recovery Wizard for Windows or Mac (depending on your OS), and then download and run the tool.
koreanLocker-FAQ
What is koreanLocker Ransomware?
koreanLocker is a ransomware infection - the malicious software that enters your computer silently and blocks either access to the computer itself or encrypt your files.
Many ransomware viruses use sophisticated encryption algorithms to make your files inaccessible. The goal of ransomware infections is to demand that you pay a ransom payment to get access to your files back.
What Does koreanLocker Ransomware Do?
Ransomware in general is a malicious software that is designed to block access to your computer or files until a ransom is paid.
Ransomware viruses can also damage your system, corrupt data and delete files, resulting in the permanent loss of important files.
How Does koreanLocker Infect?
Via several ways.koreanLocker Ransomware infects computers by being sent via phishing emails, containing virus attachment. This attachment is usually masked as an important document, like an invoice, bank document or even a plane ticket and it looks very convincing to users.
Another way you may become a victim of koreanLocker is if you download a fake installer, crack or patch from a low reputation website or if you click on a virus link. Many users report getting a ransomware infection by downloading torrents.
How to Open .koreanLocker files?
You can't without a decryptor. At this point, the .koreanLocker files are encrypted. You can only open them once they are decrypted using a specific decryption key for the particular algorithm.
What to Do If a Decryptor Does Not Work?
Do not panic, and backup the files. If a decryptor did not decrypt your .koreanLocker files successfully, then do not despair, because this virus is still new.
Can I Restore ".koreanLocker" Files?
Yes, sometimes files can be restored. We have suggested several file recovery methods that could work if you want to restore .koreanLocker files.
These methods are in no way 100% guaranteed that you will be able to get your files back. But if you have a backup, your chances of success are much greater.
How To Get Rid of koreanLocker Virus?
The safest way and the most efficient one for the removal of this ransomware infection is the use a professional anti-malware program.
It will scan for and locate koreanLocker ransomware and then remove it without causing any additional harm to your important .koreanLocker files.
Can I Report Ransomware to Authorities?
In case your computer got infected with a ransomware infection, you can report it to the local Police departments. It can help authorities worldwide track and determine the perpetrators behind the virus that has infected your computer.
Below, we have prepared a list with government websites, where you can file a report in case you are a victim of a cybercrime:
Cyber-security authorities, responsible for handling ransomware attack reports in different regions all over the world:
Germany - Offizielles Portal der deutschen Polizei
United States - IC3 Internet Crime Complaint Centre
United Kingdom - Action Fraud Police
France - Ministère de l'Intérieur
Italy - Polizia Di Stato
Spain - Policía Nacional
Netherlands - Politie
Poland - Policja
Portugal - Polícia Judiciária
Greece - Cyber Crime Unit (Hellenic Police)
India - Mumbai Police - CyberCrime Investigation Cell
Australia - Australian High Tech Crime Center
Reports may be responded to in different timeframes, depending on your local authorities.
Can You Stop Ransomware from Encrypting Your Files?
Yes, you can prevent ransomware. The best way to do this is to ensure your computer system is updated with the latest security patches, use a reputable anti-malware program and firewall, backup your important files frequently, and avoid clicking on malicious links or downloading unknown files.
Can koreanLocker Ransomware Steal Your Data?
Yes, in most cases ransomware will steal your information. It is a form of malware that steals data from a user's computer, encrypts it, and then demands a ransom in order to decrypt it.
In many cases, the malware authors or attackers will threaten to delete the data or publish it online unless the ransom is paid.
Can Ransomware Infect WiFi?
Yes, ransomware can infect WiFi networks, as malicious actors can use it to gain control of the network, steal confidential data, and lock out users. If a ransomware attack is successful, it could lead to a loss of service and/or data, and in some cases, financial losses.
Should I Pay Ransomware?
No, you should not pay ransomware extortionists. Paying them only encourages criminals and does not guarantee that the files or data will be restored. The better approach is to have a secure backup of important data and be vigilant about security in the first place.
What Happens If I Don't Pay Ransom?
If you don't pay the ransom, the hackers may still have access to your computer, data, or files and may continue to threaten to expose or delete them, or even use them to commit cybercrimes. In some cases, they may even continue to demand additional ransom payments.
Can a Ransomware Attack Be Detected?
Yes, ransomware can be detected. Anti-malware software and other advanced security tools can detect ransomware and alert the user when it is present on a machine.
It is important to stay up-to-date on the latest security measures and to keep security software updated to ensure ransomware can be detected and prevented.
Do Ransomware Criminals Get Caught?
Yes, ransomware criminals do get caught. Law enforcement agencies, such as the FBI, Interpol and others have been successful in tracking down and prosecuting ransomware criminals in the US and other countries. As ransomware threats continue to increase, so does the enforcement activity.
About the koreanLocker Research
The content we publish on SensorsTechForum.com, this koreanLocker how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific malware and restore your encrypted files.
How did we conduct the research on this ransomware?
Our research is based on an independent investigation. We are in contact with independent security researchers, and as such, we receive daily updates on the latest malware and ransomware definitions.
Furthermore, the research behind the koreanLocker ransomware threat is backed with VirusTotal and the NoMoreRansom project.
To better understand the ransomware threat, please refer to the following articles which provide knowledgeable details.
As a site that has been dedicated to providing free removal instructions for ransomware and malware since 2014, SensorsTechForum’s recommendation is to only pay attention to trustworthy sources.
How to recognize trustworthy sources:
- Always check "About Us" web page.
- Profile of the content creator.
- Make sure that real people are behind the site and not fake names and profiles.
- Verify Facebook, LinkedIn and Twitter personal profiles.