Remove PokemonGO Ransomware and Restore .locked Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove PokemonGO Ransomware and Restore .locked Files

STF-pokemongo-ransomware-pokemon-go-virus-happy-pikachu-screensaver

PokemonGO now has a ransomware virus counterpart – an executable file with the name PokemonGo.exe and an icon of the Pikachu pokemon. Fans of the latest trend in the gaming world might be tricked to open the file and find their files encrypted. Based on the HiddenTear project, this ransomware will also put the .locked extension to encrypted files as other similar viruses.

Read the full article to see how to remove the ransomware and possibly decrypt your files.

Threat Summary

NamePokemonGO
TypeRansomware
Short DescriptionThe ransomware encrypts all important files and displays a ransom note, giving out instructions on paying the ransom.
SymptomsThe ransomware will encrypt files with and put the .locked extension to each file.
Distribution MethodSpam Emails, File Sharing Networks, .Exe Files
Detection Tool See If Your System Has Been Affected by PokemonGO

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss PokemonGO.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PokemonGO Ransomware – Infection Spread

STF-pokemongo-ransomware-pokemon-go-virus-icon-executable-sad-pikachu

PokemonGO ransomware spreads with an executable file named PokemonGo.exe as you can see in the picture on the right. It uses an icon of the pokemon Pikachu, which is emblematic for the world of these “pocket monsters”, that the game is about. Thus, the clever wrapper of the ransomware can trick hundreds if not thousands of people into opening it. The .exe file could be found across spam mail distributing electronic letters with malicious attachments, for instance.

File-sharing services and social media networks might also be used, as well as exploit kits in the future. Be careful with your online activity and avoid suspicious mails, websites, links and files.

PokemonGO Ransomware – A Detailed Look

PokemonGO ransomware is based on the HiddenTear project. It is named after the very popular Pokémon GO video game that became a worldwide phenomenon earlier this summer. The ransom note is written in Arabic. Thus, it is possible that mainly Arabic countries are targeted. In the past, the Arab world had banned all Pokemon games but has embraced the latest Pokemon Go craze. Thus, it is understandable that many people might search for it from Arab speaking countries. That does not exclude the possibility of other people to get their PCs compromised.

PokemonGO ransomware will create a user account named “Hack3r” on a compromised computer as you can see below:

STF-pokemongo-ransomware-pokemon-go-virus-hack3r-account

The following key in the Windows registry will be created, in accordance with the user profile:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList “Hack3r” = 0

The following Windows registry key will also be created, which makes the ransomware more persistent and starts it with each loading of the Windows Operating System:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “PokemonGo”

On top of it all, the PokemonGO ransomware makes an Autorun.inf file, which will automatically start the ransomware upon the connection of any removable drive to the computer. This is what is found inside that file:

[AutoRun] OPEN=PokemonGo.exe
ICON=PokemonGo.exe

The ransomware was found in the wild by the malware researcher Michael Gillespie. It is thought that the virus might still be in development or could be tweaked more in the near future, but it looks nasty enough from now.

The PokemonGO ransomware places the .locked file extension on each of the encrypted files. After that process is complete, the file هام جدا.txt is placed on the desktop, containing the ransom instructions. The name of the file is translated as “very important”. The ransomware creates a screensaver with the same text as the ransom message:

STF-pokemongo-ransomware-pokemon-go-virus-happy-pikachu-screensaver

The text from that ransom note reads:

(: لقد تم تشفير ملفاتكم, لفك الشفرة فلكسي موبيليس للعنوان التالي [email protected] وشكرا على كرمكم مسبقا

It is in Arabic, but a rough English translation of the ransom note will look like the following:

(: Your files have been encrypted, decoding on Falaksa Mobilis following address [email protected] and thank you in advance for your generosity.

As you can see from the ransom note, it is written in Arabic. Only an email is left as a contact with the cyber criminals. Possibly the price is negotiable, but you shouldn’t be liable to such extortion. Do not pay the criminals, as this will only motivate them and support their illegal actions. No guarantee exists that you will get your files back.

→.asp, .aspx, .csv, .doc, .docx, .txt, .xls, .xlsx, .xml, .htm, .html, .sln, .sql, .mdb, .mht, .odt, .pdf, .rtf, .php, .pptx, .ppt, .psd, .png, .jpg, .gif

All these file extension types are the most widespread ones used for storing the personal information of users. They will be encrypted with the .locked extension as other similar HiddenTear ransomware viruses do. The PokemonGO ransomware utilizes an AES 256-bit algorithm for the encryption.

PokemonGO ransomware is not reported to delete the Shadow Volume Copies from the Windows operating system, but it is a very probable outcome.

Remove PokemonGO Ransomware and Restore .locked Files

If your computer machine got infected with the PokemonGO ransomware, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper in the network you use. The recommended action for you is to remove the ransomware effectively by following the step-by-step instructions manual provided down below.

Manually delete PokemonGO from your computer

Note! Substantial notification about the PokemonGO threat: Manual removal of PokemonGO requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove PokemonGO files and objects.
2. Find malicious files created by PokemonGO on your PC.
3. Fix registry entries created by PokemonGO on your PC.

Automatically remove PokemonGO by downloading an advanced anti-malware program

1. Remove PokemonGO with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by PokemonGO in the future
3. Restore files encrypted by PokemonGO
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.