Takahiro Locker is the name of a ransomware whose ransom message is written in Japanese. Despite that, Japanese users might not be the only ones targeted. The ransomware encrypts files with only a small number of extensions, but they are the ones that hold users' most important data. To learn how to remove this ransomware and what you can try in order to restore your files, read this article to the end.
| Property | Description |
|---|---|
| Short Description | The ransomware encrypts files and asks for a ransom of 3 Bitcoins. |
| Symptoms | The ransomware locks mainly documents and pictures among media files. It creates a ransom note written in Japanese. |
| Distribution Method | Spam Emails, Email Attachments, Executable Files |
Takahiro Locker Ransomware – Delivery
Takahiro Locker ransomware delivers its payload through an .exe file. That executable can arrive in a couple of ways: it may be dropped by other malware, or the user may download it without realising what it is. Malicious websites, social media networks, and file-sharing services can all be the source of the download.
Spam emails can also deliver this ransomware infection. An email may carry malicious code either as an attachment or in the body of the message. Downloading an attachment, or simply opening such an email, might download the Takahiro Locker executable. Be very careful around spam emails and files of unknown origin if you want to avoid getting infected.
Takahiro Locker Ransomware – Technical Overview
Takahiro Locker is the name of this ransomware. That is the name shown on the lock screen after file encryption. It is believed to be Japanese in origin, but it might also target other Japanese speakers across the world.
Below is a list of the most common detection names anti-malware programs use for Takahiro Locker:
- Trojan.Win32.Scar.nzln (Kaspersky)
- Trojan.GenericKD.3222895 (BitDefender)
- W32/Scar.NZLN!tr (Fortinet)
- Ransom_TAKALOCKER.A (TrendMicro)
Once the payload is unleashed, the ransomware will make new folders on the compromised computer and create the following directory:
Inside it, the ransomware copies itself under the name “Update.exe”, so that it looks exactly like a temporary update for the Google Chrome browser. After that, it creates two entries in the Windows Registry:
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome Update Check = %User Temp%\Google\Chrome\Update.exe
→HKEY_CURRENT_USER\Software\Google\Update\SEND SENDING = [random address]
The first registry entry adds an auto-start mechanism in Windows, so that the ransomware launches with each boot of the Operating System. The second entry probably holds an address used to send information to the malware operator.
At some point later you may see the error shown in the image on the right. The error message says: “WARNING RUNNING KILL ME!”. The message sets up the story told in the ransom note; it is all part of the scare tactic meant to trick you into paying the ransom. Afterward, Takahiro Locker ransomware starts encrypting files.
The encrypted files are usually documents and pictures, but the ransomware can also lock other files that people use on a daily basis. Once encryption is done, a ransom note is created and this lock screen pops up:
The ransom note on the lock screen is written in Japanese, but a rough translation reads:
This is Tang, a lawyer.
You have made an illegal file transfer, so I have locked your PC.
To unlock your files, you need to pay 3 Bitcoins within 3 days.
You need to have 30,000 Japanese Yen to transfer them to Bitcoins and send them to me.
If you don’t pay within 3 days, the key for decryption will be deleted from where the server is stored and the data of your PC can no longer be returned.
Click the button “Next”.
As we can see from the note above, the ransom price is 3 Bitcoins, and the threat of not sending a decryption key if the ransom is not paid within 3 days is probably real.
Everything from the error message to the ransom note is very cleverly made. The trick might work in most countries, because governments monitor file downloads and illegal downloading is punishable by law. Strict laws about downloads might make the trick work in the few countries where Japanese is spoken: Japan, Palau, Brazil, the United States, Peru, the Philippines and France.
Do NOT pay the ransom if you realise that you have been hit by this ransomware. Paying only supplies the malware creators with money, which will probably be used for other criminal acts, and there is no proof that the decrypter given in exchange will even work.
Takahiro Locker is detected on VirusTotal by many security programs:
The Takahiro Locker ransomware locks files with extensions related to documents, pictures, torrents, videos, music and archives. The list of extensions it seeks to encrypt is very specific and short, but these are the formats people still use to store their important data. The targeted extensions are:
→.txt, .jpg, .png, .bmp, .zip, .rar, .torrent, .7z, .sql, .pdf, .tar, .mp3, .mp4, .flv, .lnk, .html, .php
Interestingly enough, Takahiro Locker does not tamper with any files in these locations:
- Program Files
- the Recycle Bin
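With the targeted extensions and the skipped locations known, a responder can scope which files on a host or share this family would have touched, which helps prioritise backup verification and recovery. The following added example (my own code, not the article's or any vendor's) classifies a file listing using exactly the rules stated above; it assumes "Program Files (x86)" is covered by the Program Files exclusion and that "$Recycle.Bin" is the on-disk name of the Recycle Bin, and the sample listing is constructed.

```python
from pathlib import PureWindowsPath

# Extensions the article reports Takahiro Locker encrypts (lowercased, with the dot).
TARGETED_EXTENSIONS = {
    ".txt", ".jpg", ".png", ".bmp", ".zip", ".rar", ".torrent", ".7z", ".sql",
    ".pdf", ".tar", ".mp3", ".mp4", ".flv", ".lnk", ".html", ".php",
}

# Directory names the article says are left untouched, matched against any path
# component, case-insensitively. Assumptions: the 32-bit Program Files folder is
# treated the same way, and the Recycle Bin is the "$Recycle.Bin" folder on disk.
SKIPPED_DIRS = {"program files", "program files (x86)", "$recycle.bin"}


def is_at_risk(path: str) -> bool:
    """True if the file has a targeted extension and sits outside a skipped directory."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in TARGETED_EXTENSIONS:
        return False
    components = {part.lower() for part in p.parts}
    return not (components & SKIPPED_DIRS)


def triage(paths):
    """Split a listing into files this family would encrypt and files it would leave alone."""
    at_risk, untouched = [], []
    for path in paths:
        (at_risk if is_at_risk(path) else untouched).append(path)
    return at_risk, untouched


# Constructed sample listing; note that .docx is not on the article's list.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\invoice.PDF",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\movie.torrent",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files (x86)\Vendor\readme.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1\$R3X9.jpg",
    r"C:\Users\alice\Documents\thesis.docx",
]
```

Running `triage(SAMPLE_LISTING)` shows the invoice, the holiday photo and the torrent as at risk, while the Program Files, Recycle Bin and .docx entries are left alone.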
Takahiro Locker ransomware probably also deletes Shadow Volume Copies from the Windows Operating System.
Remove Takahiro Locker Ransomware and Restore Encrypted Files
If your PC is infected with the Takahiro Locker ransomware, you should have some experience in removing malware. Get rid of the ransomware as soon as possible, before it has the chance to continue encrypting files or spread deeper into your network. We recommend that you follow the step-by-step instructions provided below.