Remove MegaLocker Ransomware

Remove MegaLocker Ransomware

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will aid you to remove MegaLocker ransomware efficiently. Follow the ransomware removal instructions provided at the end of the article.

MegaLocker is a cryptovirus. The virus encrypts your files and demands money as a ransom to get your files restored. Files will receive a custom extension, which is .crypted. The MegaLocker ransomware also targets servers, and will encrypt their contents to block all access to websites and domains ran from the servers. The virus leaves a text message with ransomware instructions as well as a desktop background pointing to the ransom note. Websites could be encrypted as well. Keep on reading the article and see how you could try to potentially recover some of your locked files.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on your computer system and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by MegaLocker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss MegaLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

MegaLocker Virus – Update April 2019

Update! A decryption tool is now available for the MegaLocker ransomware! The tool was created by Emsisoft and can be downloaded from the following link: Decryption Tool.

MegaLocker ransomware comes back haunting servers and trying to encrypt files needed for running websites and domains. The new variant has a ransom note similar to the original variant of MegaLocker, but using the extension .NamPoHyu. Victims call it the NamPoHyu virus as their files get locked with that name as their extension. NAS, iMac and Ubuntu Apache servers among others are targeted by this threat. You should remove the threat and then use backups if you have set some up.

MegaLocker Virus – Distribution Tactics

The MegaLocker ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer device will become infected.

Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware located at the corresponding forum thread.

MegaLocker Virus – In-Depth Analysis

MegaLocker is a virus that encrypts your files and opens a ransom note, with instructions inside it, about the compromised computer machine. The ransomware is also known as the .crypted Files Virus. The extortionists behind this threat want you to pay a ransom fee for the alleged restoration of your files, by first contacting them with an e-mail message.

MegaLocker ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to start the virus automatically with each boot of the Windows Operating System.

The ransom note message itself is located inside a file called !DECRYPT INSTRUCTION.TXT:

The ransom note file has the following contents:

What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using MegaLocker Virus.
What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
What do I do ?
You can buy decryption for $800 for company and 250$ for private person.
But before you pay, you can make sure that we can really decrypt any of your files.
To do this, send us 1 random encrypted file to, a maximum of 5 megabytes, we will decrypt them
and we will send you back. Do not forget to send in the letter your unique id: 23CAEC83B8FF4ED5A89A8E19B0D7E85C
You can check the decryption of more than one file, but no more than 3.
To do this, send us two more letters with files, there should be only one file in each letter!
If you are a private person, then send your private photo (birthday, holidays, hobbies and so on),
this will prove to us that you are a private person and you will pay 250$ for decrypting files.
If you are not a private person – Do not try to deceive us!!!
Do not complain about these email addresses, because other people will not be able to decrypt their files!
After confirming the decryption, you must pay it in bitcoins. We will send you a bitcoin wallet along with the decrypted file.
You can pay bitcoins online in many ways: – payment by bank card
About Bitcoins:
If you have any questions, write to us at

The e-mail address given below is used for contacting the cybercriminals:


The message above, displayed by the MegaLocker ransomware virus indicates that your files are encrypted. You are demanded to pay a ransom sum to allegedly restore your files, after you contact the cybercriminals by email. However, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted all over again after payment.

In the above screenshot you can see how an encrypted website (and domain) look after the MegaLocker ransomware has dealt its damage.

MegaLocker Ransomware – Encryption Process

The encryption process of the MegaLocker ransomware rather simple – every file that gets encrypted will become simply unusable. Files will get a custom extension when locked, which is .crypted. The newly added extension will be added as a secondary one, without changing the original, nor the file name.

A list with the targeted extensions of files which are sought to get encrypted is currently unknown. However, if the list becomes available, the article will get updated accordingly.

The files used most by users and which are probably encrypted are from the following categories:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

The MegaLocker cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

In case the above-stated command is executed that will make the effects of the encryption process more efficient. That is due to the fact that the command eliminates one of the prominent ways to restore your data. If a computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore some files back to their normal state.

Remove MegaLocker Ransomware Virus

If your computer system got infected with the MegaLocker ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share