Remove KoreanLocker Ransomware – Restore .locked Files

Remove KoreanLocker Ransomware – Restore .locked Files

remove koreanLocker ransomware restore .locked files stf

This article provides removal instructions of koreanLocker ransomware as well as alternative data recovery methods for .locked files.

KoreanLocker ransomware uses strong cipher algorithms to encrypt target files and renders them out of order. Then it appends the extension .locked to all corrupted files. Another trait of KoreanLocker ransomware is the ransom note file README.txt dropped on the infected host. As the note is written in Korean, it is believed that the threat attacks primarily users who speak the language. Its primary aim is to extort a ransom payment from victims. The transfer of 1 BTC (currently $14,686) ransom is demanded to be transferred to a predefined address within 24 hours.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt particular files that store imortant information and demands a ransom for their decryption.
SymptomsThe ransomware appends the .locked file extension to the corrupted files.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by koreanLocker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss koreanLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

koreanLocker Ransomware – Delivery Ways

The analyses of koreanLocker ransomware infection reveal that it is triggered by an executable file called hidden-tear.exe. There are several methods that hackers may use to drop the file on the system. The most preferred are believed to be spam emails disguised as important messages sent by bank organizations, popular websites and even governmental entities. In general, such emails are trying to convince you to download an attached file and open it as soon as possible because it contains important information. The attachments as you may guess carry out the malicious script that causes koreanLocker ransomware infection.

The hackers may also inject the file hidden-tear.exe on various web pages and set them to initiate an automatic download whenever a user lands on that page. The links of the corrupted pages may be posted as hyperlinks in an email message, send on popular social media channels or used for malvertising.

koreanLocker Ransomware – More Information

As koreanLocker ransomware may need additional components to fulfill the infection it may establish a connection with its command and control server and then drop more malicious files. Some of the files can serve it to gather system-related information and keep a record of it on its server. The crooks may use the data to deliver other malware and obtain valuable information about you.

The folders that may contain malicious files related to koreanLocker ransomware are:

  • %Temp%
  • %Windows%
  • %AppData%
  • %Roaming%
  • %User’s Profile%

The registry sub-keys that control the execution of all essential system processes may also be compromised by the ransomware. By adding new values in them it can assure the execution of its own malicious files whenever the operating system is powered on. Furthermore, the functionalities of the Run and RunOnce registry keys are likely to be used for the ransom note as it should appear on the PC screen at the end of the infection. Below you can see the exact location of these keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The ransom note is dropped on the Desktop in a text file called README.txt. The content in it is written in Korean. The entire message reads the following:

—————— koreanLocker Ransomware ——————
당신의 컴퓨터가 랜섬웨어에 감염되었습니다
당신의 개인적 파일, 예를들어 사진, 문서, 비디오 외 다른 중요한 문서들이 RSA-2048이란 강력한 암호화 알고림즘을 이용하여 암호화 되었습니다
당신의 개인키는 우리의 서버에 생성되어 저장되었습니다
그렇게되면 그 누구도 당신의 파일을 영원히 복호화 할 수 없습니다
그리고 장담하건데 개인키가 없이는 절대 복호화가 이루어지지 않습니다
다시한번 말하지만 비트코인을 지불하는것 외해 복호화 할 수 있는 방법은 존재하지 않습니다
당신에게 할당된 비트코인 주소를 반드시 확인하세요. 한글자라도 틀리게 입력하여 보내시면 복구가 되지 않고 당신의 비트코인은 사라지게됩니다
당신은 ’24시간’안에 지불하셔야합니다
당신의 개인ID(personal ID)를 반드시 확인하세요
만약 그 시간안에 지불하지 않으면 당신의 개인키는 자동적으로 우리의 서버에서 지워지게됩니다
비트코인 주소:1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
비트코인 지갑을 생성하시고 우리의 비트코인 주소로 1비트코인(1BTC)를 보내주시면 됩니다.
세가지 스텝을 따라 당신의 파일을 복구하세요
시간을 낭비하시지 마세요
암호화된 파일들이 속한 폴더 안의 설명 문서 (.txt)는 바이러스가 아닙니다 설명 문서 (.txt)가 파일들의 암호 해독을 도와드릴 것입니다.
암호화된 파일들이 속한 폴더에서 파일 복원에 관한 설명 문서 (.txt)를 보실 수 있습니다
우리는 착한사람들은 아닙니다. 하지만 이야기한 부분에 있어서는 반드시 지킵니다
최악의 상황은 이미 발생했으며 앞으로 파일들의 운명은 귀하의 판단과 빠른 조치에 달려있음을 명심하시기 바랍니다
1).지불은 비트코인 만으로만 가능합니다. 따라서 1비트코인(1BTC)를 비트코인 거래소를 통하여 구매하세요. 그 후 화면(랜섬노트)비트코인 주소(Bitcoin Address)로 1비트코인(1BTC)를 송금하세요
2).당신의 개인 ID(Personal ID)를 아래의 공식 메일주소로 보내주세요
3).지불을 완료하시고 메일을 보내시주시면 당일의 메일로 복호화툴과 개인키를 보내드립니다
4) 비트코인을 송금하시고 메일로 개인ID(Personal ID)를 코리아 공식메일 주소로 보내주세요
개인키(Private Key)는 당신의 파일을 복호화하여 복구하는데 아주 중요한 키 입니다
공개키(Public key)는 당신의 파일을 암호화하는데 사용되었습니다
암호화된 파일들이 속한 폴더 안의 설명 문서 (.txt)는 바이러스가 아닙니다 설명 문서 (.txt)가 파일들의 암호 해독을 도와드릴 것입니다.
비트코인 주소:1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Officail Mail:
Best Regards
Korean Ransomware Team
—————— koreanLocker Ransomware ——————

With the help of a translation tool, it gets clear that in English the message reads:

—————— koreanLocker Ransomware ——————
Your computer is infected with Ransomware
Your personal files, such as photos, documents, videos and other important documents, are encrypted using strong encryption algorithms called RSA-2048
Your private key is created and stored on our server
 No one can decrypt your files forever.
And I guarantee you will never be able to decrypt without a private key.
Again, there is no way to pay for a bit coin and decode it
Be sure to check the bit coin address assigned to you. If you send it wrong, it will not be recovered and your bit coin will disappear
You have to pay in ’24 hours’
Be sure to check your personal ID
If you do not pay within that time, your private key will be automatically deleted from our server
Please keep in mind
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Create a bit coin purse and send us a bit coin (1BTC) to our bit coin address.
Follow the three steps to restore your files
Do not waste your time.
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus Explanation document (.txt) will help you decrypt the files.
You can see a document (.txt) about restoring files in the folder where the encrypted files belong
We are not good people. But in a part of the story,
Please note that the worst has already happened and that the fate of the files will depend on your judgment and quick action.
Additional information:
1) Payment is only possible with bit coin. Therefore, please purchase 1-bit coin (1BTC) through BITC. Then transfer the 1-bit coin (1BTC) to the screen (Random Note) bitcoin address
Please send your personal ID to the official e – mail address below.
3) .Please complete the payment and send us an e-mail, and we will send your decryption tool and private key to the e-mail of the day
4) Please send a bit coin and mail your personal ID to Korea official e-mail address.
Private key is the key to decrypting and recovering your files
The public key was used to encrypt your file
Official address:
Official address:
Official address:
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus Explanation document (.txt) will help you decrypt the files.
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Officail Mail:
Best Regards
Korean Ransomware Team
—————— koreanLocker Ransomware ——————

The message uses emotional triggers hoping that more infected users will pay the ransom immediately. However, it is better to disbelieve what hackers state and try to overcome the threat by yourself. Otherwise, you risk losing both your .locked files and an amount of $14,686.

koreanLocker Ransomware – Encryption Process

The primary aim of koreanLocker ransomware is to locate all target files and modify their original code with the help of strong cipher algorithm. Afterward, it appends the extension .locked to all of them and renders them useless. Being a Hidden Tear variant the koreanLocker ransomware is likely to encrypt the following types of files:

→.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .hwp, .pdf, .php, .asp, .aspx, .html, .xml, and .psd

In addition, koreanLocker crypto virus is likely to delete the Shadow Volume Copies stored on the system and eliminate one of the possible wat to recover .locked files. This can happen after the following command is entered in the CommandPrompt:

→vssadmin.exe delete shadows /all /Quiet

Remove koreanLocker Ransomware and Restore .locked Files

To remove koreanLocker ransomware you can follow the step-by-step removal guide provided below. The guide provides help for the removal of all malicious files and objects associated with koreanLocker ransomware. Due to the complexity of ransomware code, security specialists always recommended the help of an anti-malware tool. Such a tool will easily locate all ransomware files so you can then delete them with a few mouse clicks.

Before you continue with the recovery step make sure to back up all corrupted .locked files and keep them on an external drive.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share