This article has been created in order to help you by explaining how you can remove the RSod lockscreen ransomware and how to gain access to your files.
A fake BSOD locker ransomware has been detected by security researchers. The virus aims to lock the screens of infected computers, making it impossible to gain access to your encrypted files. The malware executes a file that tampers with various processes in the computer's firmware and may lock the system by overwriting its master boot record (MBR). If your PC has been infected by the RSod PC_Locker ransomware, we recommend that you read this article to learn how to remove RSod PC_Locker from your PC and regain access to your files.
| Field | Details |
|---|---|
| Short Description | Locks the screen on the victim’s computer, after which it may alter data in the Master Boot Record. |
| Symptoms | You can no longer access your computer and you see a screen stating that there is an error on your computer. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool | See If Your System Has Been Affected by RSod PC_Locker (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss RSod PC_Locker. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
RSod PC_Locker – How Did I Get It
These types of screenlockers infect computers mainly in two ways:
- Via malicious e-mail spam messages.
- Via various forms of files pretending to be legitimate.
The cyber-criminals spreading such lockscreen viruses aim to use EternalBlue and other exploits, similar to those the Petya.A virus used to infect computers. These infection files may also arrive as a malicious attachment to spam e-mails in your inbox. Such malspam messages often pretend to come from big companies like DHL, FedEx or PayPal, and they aim to trick victims into believing that the attachment is an important document they need to see, such as a receipt, an invoice or a bank statement.
RSod Ransomware – More Information
As soon as you get infected by the RSod ransomware virus, the malware may immediately drop a malicious executable, which causes your computer to misbehave and display the following message:
The second part of the infection is the execution of a malicious file that may encrypt the Master Boot Record of the infected PC. In addition, the malware may create scheduled tasks that force-reset your computer, and it may generate a unique identifier for the attacker, who refers to himself as “Francesco”, to see. The virus may also display the following pop-ups:
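Because the locked drive is attached to a clean machine later in this guide, the scheduled tasks the malware creates can be examined without running anything from the infected system. The following Python script is an added example, not code from the original article or from any vendor it mentions: it parses Task Scheduler XML definitions (Windows stores them as files under Windows\System32\Tasks) and reports actions that call shutdown.exe or boot-configuration tools. The two task definitions embedded in it are constructed samples, and the drive letter E:\ and the list of suspicious commands are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed watch-list: commands that have no business being scheduled on a workstation
# that has just started rebooting by itself.
SUSPICIOUS_CMDS = ("shutdown", "bcdedit", "bootcfg", "diskpart")

# Constructed sample, modelled on the behaviour the article describes: force a restart at boot.
SAMPLE_REBOOT_TASK = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\shutdown.exe</Command>
      <Arguments>/r /t 0 /f</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary backup job, to show a clean result.
SAMPLE_BENIGN_TASK = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--incremental</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage_task_xml(xml_data, name="<inline>"):
    """Return one dict per Exec action whose command line contains a watch-listed command."""
    root = ET.fromstring(xml_data)
    triggers_el = root.find("t:Triggers", TASK_NS)
    # Strip the namespace so a trigger reads as e.g. "BootTrigger" or "LogonTrigger".
    triggers = [el.tag.split("}")[-1] for el in triggers_el] if triggers_el is not None else []
    hits = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if any(tok in (command + " " + arguments).lower() for tok in SUSPICIOUS_CMDS):
            hits.append({"task": name, "triggers": triggers, "command": command, "arguments": arguments})
    return hits


def triage_tasks_dir(tasks_dir):
    """Walk the Tasks folder of a mounted drive, e.g. E:\\Windows\\System32\\Tasks (assumed letter)."""
    hits = []
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            # Read bytes: real task files are UTF-16 with a BOM, which the XML parser handles itself.
            hits.extend(triage_task_xml(path.read_bytes(), path.name))
        except ET.ParseError:
            pass  # not a task definition
    return hits


if __name__ == "__main__":
    for sample_name, sample in (("reboot sample", SAMPLE_REBOOT_TASK), ("benign sample", SAMPLE_BENIGN_TASK)):
        for hit in triage_task_xml(sample, sample_name):
            print("%(task)s: %(triggers)s -> %(command)s %(arguments)s" % hit)
    # On the clean PC with the infected drive attached as E:, run triage_tasks_dir(r"E:\Windows\System32\Tasks").
```

The script only reads the XML definitions; nothing from the attached drive is executed. A hit is a starting point for the manual review in Step 6, not proof of infection on its own, since legitimate maintenance tasks can also call shutdown.exe.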
How to Try and Recover Drives Locked by RSod Ransomware
Unfortunately, unlike other viruses that encrypt the MBR and can be decrypted, this variant cannot. This is why we have decided to create theoretical instructions to help you try to recover at least some of your important files.
Here is what you will need to have for the instructions:
- A screwdriver, corresponding to your desktop/laptop.
- A secure computer that has been scanned for malware, cleaned, and has proper ransomware protection.
First of all, the safe computer from which you scan your files should be a powerful Windows machine that is itself secured. This is why we recommend following these steps to secure it:
1. Download a ransomware and malware protection program.
2. Download a relevant ransomware protection program.
3. Download a relevant cloud backup program that backs up copies of your files to a secure server, so that even if your computer is affected you stay protected. For more information you can also check other methods to safely store your data here.
After securing the test PC, you should prepare it for the recovery process, which will most likely be lengthy. This is why we recommend changing the power settings so that the recovery computer does not automatically hibernate or sleep while left scanning the drive.
Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The Power Options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put computer to sleep” to “Never” in the drop-down minutes menu.
Step 4: Click on Save Changes and close it.
For the recovery process, we have outlined several often-met drive migration scenarios which can be possible between different computers:
- From Laptop to Laptop with no extra components.
- From Desktop to Desktop with no extra components.
- From Laptop to Desktop with a SATA cable if the Desktop has an outdated chipset.
- From Desktop to Laptop with a SATA cable if the Laptop has a newer chipset.
To simplify the process, we recommend choosing machines that do not require any extra cables or components for the drive to run on them. If that is not possible, we recommend using an external SATA-to-USB adapter.
Step 1: Remove the battery and power cable from your laptop. For desktop computers, unplug the power cable from the outlet.
Step 2: Using the screwdriver, unscrew the case which carries the hard drive. For laptops, you should follow these steps:
Step 3: Unscrew and remove the hard drive. It will look similar to the one in the picture below:
Step 4: Plug the hard drive into a secure computer that has an internet connection and Windows installed, and screw it in firmly. If connected directly, the hard drive should be detected by the OS as a separate partition, similar to the picture below:
Step 5: After you have connected the drive, you may be able to open it. If it cannot be opened, this is because its sectors are encrypted. However, because only the MBR may or may not have been modified by RSod ransomware, you may have a chance to recover the files from the drive as if you were scanning a lost partition. If you can access the drive but cannot access the %User Profile% directory where your files are, be advised that you can use AntiWinLocker or similar software, which will enable you to gain access to that directory from another PC.
Note that if the partition is broken or cannot be opened, one way around this is to use data recovery programs that support scanning broken partitions, but we recommend that you try the following:
Step 6: Remove the malware by scanning the partition with anti-malware software, after which you can put the cleaned hard drive back into your PC.
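Step 5 hinges on whether only the MBR was touched: if the partition table in the first sector is still sane, the volume can usually be mounted on the clean PC and the files copied off; if the table was wiped, a lost-partition scan is needed. The script below is an added example, not code from the original article or from any tool it names. It reads the first 512 bytes of the attached drive (or of a disk image), checks the 0x55AA boot signature, checks that the bootstrap code is not all zeros, and parses the four partition entries, reporting anything that looks overwritten. The sample MBRs it builds are constructed for the demonstration; the raw-device paths in the comments are assumptions about how the drive shows up on your machine.

```python
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path):
    """Read the first sector of a disk image or raw device.
    Assumed paths: r"\\.\PhysicalDrive1" on Windows (needs an elevated prompt), /dev/sdb on Linux."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code=True, partitions=((0x80, 0x07, 2048, 409600),)):
    """Constructed demo MBR (not from a real drive): optional dummy boot code, the given
    (status, type, lba_start, sectors) entries, and the 0x55AA signature."""
    mbr = bytearray(MBR_SIZE)
    if boot_code:
        mbr[0:3] = b"\xeb\x3c\x90"                            # a JMP, as real boot sectors start with
        mbr[3:BOOT_CODE_LEN] = b"\x90" * (BOOT_CODE_LEN - 3)  # NOP filler, just so it is non-zero
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Parse one 512-byte sector; 'findings' lists anything suggesting the MBR was overwritten."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(sector)))
    findings = []
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing: sector overwritten or not an MBR disk")
    boot_code_present = any(sector[:BOOT_CODE_LEN])
    if not boot_code_present:
        findings.append("boot code is all zeros: bootstrap code wiped, disk will not boot on its own")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02x" % (i, status))
        if lba_start == 0 or sectors == 0:
            findings.append("partition %d: zero start or length" % i)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    if not partitions:
        findings.append("partition table empty: recovery must scan the disk for lost partitions")
    # Entries must not overlap; an overwritten table often fails this even when the signature survives.
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partition %d overlaps partition %d" % (cur["index"], prev["index"]))
    table_usable = signature_ok and bool(partitions) and not any(f.startswith("partition") for f in findings)
    return {"signature_ok": signature_ok, "boot_code_present": boot_code_present,
            "partitions": partitions, "findings": findings, "table_usable": table_usable}


if __name__ == "__main__":
    # Usage: python mbr_check.py <disk image or raw device>; with no argument, run on the constructed samples.
    if len(sys.argv) > 1:
        targets = [(sys.argv[1], read_mbr(sys.argv[1]))]
    else:
        targets = [("intact sample", build_sample_mbr()), ("zeroed sample", bytes(MBR_SIZE))]
    for name, sector in targets:
        report = parse_mbr(sector)
        print("%s: table usable=%s, partitions=%d" % (name, report["table_usable"], len(report["partitions"])))
        for finding in report["findings"]:
            print("  -", finding)
```

A result with table_usable true but the boot code wiped is the best case for this guide: the files are still where the partition table says they are, so they can be copied from the clean PC even though the disk no longer boots. An entry of type 0xEE means the disk uses GPT and the real partition table lives at LBA 1, which this check does not parse.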
Conclusion and Updates
We will continue to monitor the situation with RSod ransomware and update this article if more information about this ransomware variant comes out. Follow this web page or our blog newsletter by e-mail for more information to come. In the meantime, we strongly advise you to update your Windows systems and secure them properly against malware. To learn more about securing your PC and data in the future, we recommend reading the following materials:
Related: Ransomware Protection Tips