Remove .Locked4 Virus (Fantom Ransomware) and Restore Files
THREAT REMOVAL

Remove .Locked4 Virus (Fantom Ransomware) and Restore Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Fantom Ransomware and other threats.
Threats such as Fantom Ransomware may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

Attention! This article will help you remove .locked4 Virus (Fantom ransomware) effectively. Follow the ransomware removal instructions given below carefully.

The Fantom ransomware cryptovirus is back with a new variant. The virus encrypts files with more than 1200 different extensions as in the past. The newly appended extension to the encrypted files is .locked4. A ransom sum is demanded from all victims, while a ProtonMail address is given for contacting the cybercriminals – namely [email protected]. See if you can try to restore some of your files with the ways outlaid at the end of this article.

Threat Summary

NameFantom Ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will encrypt your files and demand payment. A ProtonMail address is given as a contact – [email protected]
SymptomsThe ransomware will encrypt over 1200 files with different extensions while placing the .locked4 extension after their names. A ransom note with instructions will be shown on your screen after the encryption process is done.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Fantom Ransomware

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Fantom Ransomware.

.Locked4 Virus (Fantom Ransomware) – Infection

The latest variant of the Fantom ransomware is possible to spread in a few ways. Spam emails are believed to be the most used way for spreading this virus. A spam email like that usually is being composed of a brief description that tries to convince you that is of big importance. Furthermore, victims usually open an attached file, which is presented as useful or having more information related to the letter. Those attachments might look harmless, but upon opening, such a file can drop the payload of the virus and infect your computer. One of these files is on VirusTotal:

Websites for file-sharing or social media could be utilized to spread the Fantom ransomware variant further. The cyber crooks might have put a file containing a malicious script on those networks. Opening the file will release the payload of the ransomware, and your system will be infected shortly after. Avoid any suspicious emails, links, and files as prevention from these attacks. When you are about to open a file you downloaded, check its signatures first, along with its size and scan it with a security tool. You can read more ransomware tips for prevention in our forum.

.locked4 Virus (Fantom Ransomware) – Information

The Fantom ransomware cryptovirus is back with a newer variant. The latest iteration of the Fantom ransomware was discovered by the malware researcher Karsten Hahn.

Right after the infection, the payload file will create files on your personal computer. Those files will launch a fake update. You can see the fake Windows update screen right here below:

The screen will be locked and disallow any interaction with it or different windows. If you see the screen shown in the above image, know that your files are in the process of being locked in the background. You might be able to close the screen using the Ctrl + F4 key combination. That will not stop the encryption process. The screen is detailed and even has a percentage counter to fake the spike in activity of your disk drives – to best imitate an update.

The Fantom ransomware can create entries in the Windows Registry, that allow it to auto-start with the boot of the Windows operating system. In support of that, the ransomware will not encrypt any files which have the following extensions:

→.sys, .dll, .exe, .ico, .link, .locked4, .purge, .frozen, .tmp, .temp, dll, ini, manifest, .com, .prx, .bin, .am, .dlm, .ngr

The following folders might also be ignored along with all files inside them:

→APPDATA, ProgramData, ProgramFiles, WINDOWS, APPDATA, Appdata, Application Data, intel, nvidia, Program Files, Program Files x86, Windows, RECYCLER, Recycle.Bin, Recycler, TEMP, Temp, Microsoft, RECYCLE.BIN

After encrypting the rest of the files set in the ransomware’s code, a note with the instructions for paying the ransom will appear on your desktop. That ransom note looks the same as the one in the last variant of the cryptovirus. It is contained in a file called ”RESTORE-FILES![random symbols].hta” and looks like the following:

stf-fantom-ransomware-crypto-virus-ransom-note

The newest variant of Fantom ransomware does not set a price for paying not unlike its predecessors. The claim for the deletion of your files from its servers after a while is still there. The criminals who made it once again are using the ProtonMail encrypted mail service and a BitMessage address:

Do NOT contact the cybercriminals asking for decryption. No guarantee exists that you will get your files back to normal and as you should know by now, that these crooks will keep making ransomware. Deciding to give them money for the potential unlocking of your files is a bad idea, because it will probably be used to build the next ransomware project. In conclusion, you might end up having your files locked again.

The latest version of the Fantom ransomware is believed to search to encrypt files with nearly 1,300 different extensions, just like before. The list is enormous, so all of those extensions are put in the below drop-down window:

Extensions List

All of the encrypted files will have one and the same extension appended to them, which is .locked4. The ransomware probably uses the RSA-2048 encryption algorithm as its past iterations. The ransomware still seems to be not decryptable.

The Fantom ransomware is very likely to delete the Shadow Volume Copies from the Windows operating system. Read below to learn of some ways in which you can try to restore some of your data.

Remove .locked4 Virus (Fantom Ransomware) and Restore Your Files

If your computer got infected with the Fantom ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance of spreading further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide provided below. To see in what ways you can try to recover your data, check the step titled 2. Restore files encrypted by Fantom ransomware.

Note! Your computer system may be affected by Fantom Ransomware and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Fantom Ransomware.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Fantom Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Fantom Ransomware files and objects
2. Find files created by Fantom Ransomware on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Fantom Ransomware

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...