Attention! This article will help you remove .locked4 Virus (Fantom ransomware) effectively. Follow the ransomware removal instructions given below carefully.
The Fantom ransomware cryptovirus is back with a new variant. The virus encrypts files with more than 1200 different extensions as in the past. The newly appended extension to the encrypted files is .locked4. A ransom sum is demanded from all victims, while a ProtonMail address is given for contacting the cybercriminals – namely [email protected]. See if you can try to restore some of your files with the ways outlaid at the end of this article.
|Short Description||The ransomware will encrypt your files and demand payment. A ProtonMail address is given as a contact – [email protected]|
|Symptoms||The ransomware will encrypt over 1200 files with different extensions while placing the .locked4 extension after their names. A ransom note with instructions will be shown on your screen after the encryption process is done.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Fantom Ransomware |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Fantom Ransomware.|
.Locked4 Virus (Fantom Ransomware) – Infection
The latest variant of the Fantom ransomware is possible to spread in a few ways. Spam emails are believed to be the most used way for spreading this virus. A spam email like that usually is being composed of a brief description that tries to convince you that is of big importance. Furthermore, victims usually open an attached file, which is presented as useful or having more information related to the letter. Those attachments might look harmless, but upon opening, such a file can drop the payload of the virus and infect your computer. One of these files is on VirusTotal:
Websites for file-sharing or social media could be utilized to spread the Fantom ransomware variant further. The cyber crooks might have put a file containing a malicious script on those networks. Opening the file will release the payload of the ransomware, and your system will be infected shortly after. Avoid any suspicious emails, links, and files as prevention from these attacks. When you are about to open a file you downloaded, check its signatures first, along with its size and scan it with a security tool. You can read more ransomware tips for prevention in our forum.
.locked4 Virus (Fantom Ransomware) – Information
Right after the infection, the payload file will create files on your personal computer. Those files will launch a fake update. You can see the fake Windows update screen right here below:
The screen will be locked and disallow any interaction with it or different windows. If you see the screen shown in the above image, know that your files are in the process of being locked in the background. You might be able to close the screen using the Ctrl + F4 key combination. That will not stop the encryption process. The screen is detailed and even has a percentage counter to fake the spike in activity of your disk drives – to best imitate an update.
The Fantom ransomware can create entries in the Windows Registry, that allow it to auto-start with the boot of the Windows operating system. In support of that, the ransomware will not encrypt any files which have the following extensions:
→.sys, .dll, .exe, .ico, .link, .locked4, .purge, .frozen, .tmp, .temp, dll, ini, manifest, .com, .prx, .bin, .am, .dlm, .ngr
The following folders might also be ignored along with all files inside them:
→APPDATA, ProgramData, ProgramFiles, WINDOWS, APPDATA, Appdata, Application Data, intel, nvidia, Program Files, Program Files x86, Windows, RECYCLER, Recycle.Bin, Recycler, TEMP, Temp, Microsoft, RECYCLE.BIN
After encrypting the rest of the files set in the ransomware’s code, a note with the instructions for paying the ransom will appear on your desktop. That ransom note looks the same as the one in the last variant of the cryptovirus. It is contained in a file called ”RESTORE-FILES![random symbols].hta” and looks like the following:
The newest variant of Fantom ransomware does not set a price for paying not unlike its predecessors. The claim for the deletion of your files from its servers after a while is still there. The criminals who made it once again are using the ProtonMail encrypted mail service and a BitMessage address:
- [email protected]
- https://bitmsg.me BM-2cTivRoWe5eXdZAt8PqxTJ6tqaQwoaNt6t
Do NOT contact the cybercriminals asking for decryption. No guarantee exists that you will get your files back to normal and as you should know by now, that these crooks will keep making ransomware. Deciding to give them money for the potential unlocking of your files is a bad idea, because it will probably be used to build the next ransomware project. In conclusion, you might end up having your files locked again.
The latest version of the Fantom ransomware is believed to search to encrypt files with nearly 1,300 different extensions, just like before. The list is enormous, so all of those extensions are put in the below drop-down window:
All of the encrypted files will have one and the same extension appended to them, which is .locked4. The ransomware probably uses the RSA-2048 encryption algorithm as its past iterations. The ransomware still seems to be not decryptable.
The Fantom ransomware is very likely to delete the Shadow Volume Copies from the Windows operating system. Read below to learn of some ways in which you can try to restore some of your data.
Remove .locked4 Virus (Fantom Ransomware) and Restore Your Files
If your computer got infected with the Fantom ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance of spreading further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide provided below. To see in what ways you can try to recover your data, check the step titled 2. Restore files encrypted by Fantom ransomware.