
Remove TrumpLocker Virus and Restore .TheTrumpLockerf Files

The article will help you to remove TrumpLocker ransomware fully. Follow the ransomware removal instructions at the end of the article.

TrumpLocker is the new name for the old VenusLocker ransomware. If its .exe file is run, the virus displays a splash screen with a picture of Donald Trump. The extension .TheTrumpLockerf is appended to all files that get fully encrypted. AES is used as the encryption algorithm, and the ransomware stems from the HiddenTear/EDA2 project. The TrumpLocker virus creates quite a long ransom note. Keep reading to see how you could try to potentially recover some of your files.

Threat Summary

Name: TrumpLocker
Type: Ransomware
Short Description: The ransomware encrypts files on your computer and leaves a ransom message afterward.
Symptoms: The ransomware will encrypt your files and put the extension .TheTrumpLockerf on completely encrypted files and .TheTrumpLockerp on files which have only their first 1024 bytes encrypted.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

TrumpLocker Virus – Infection

TrumpLocker ransomware could spread its infection in multiple ways. A payload file which initiates the malicious script for the ransomware has been seen on the Internet. Your computer will get encrypted by the cryptovirus if its malicious script gets executed. One such payload dropper was uploaded to the VirusTotal service by malware researchers.

TrumpLocker ransomware might also be spreading its payload file on social media sites and file-sharing networks. Freeware that is spread on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files after you have downloaded them, especially if they are coming from suspicious places like emails or links of unknown origin. Instead, you should scan the files with a security tool and check their size and signatures for anything that seems out of place. Read the ransomware prevention tips from the forum section to see how to avoid infection.

TrumpLocker Virus – Description

TrumpLocker ransomware is also a cryptovirus. The virus is a variant of VenusLocker ransomware and even uses the desktop background image of the original. All encrypted files will receive an extension, but the extension for each will be based on whether they got fully encrypted or not.

The malware usually waits a couple of minutes before doing anything. Afterward, a whole sequence of actions begins. At first, a splash screen is shown with a photo of Donald Trump smiling and the caption “YOU ARE HACKED!!”.

The TrumpLocker ransomware makes entries in the Windows Registry to achieve persistence. These registry entries ensure that the ransomware starts automatically with every launch of the Windows operating system.

The following files will be created:

  • “C:\Users\User_name\Desktop\What happen to my files.txt” – contains the text with the ransom note instructions.
  • “C:\Users\User_name\bg.jpg” – the picture that is going to be placed as your Desktop background

After file encryption, a Desktop wallpaper is placed as the background. The message left on it reads the following:

You are hacked
Your personal files are encrypted
To decrypt and recover all your files, you need to pay 50 US dollars for decryption service.
1. Exchange 50 USD (or equivalent local currencies) to Bitcoins, and then send these Bitcoins to our Bitcoin receiving address: 1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv
2. Send your Personal ID to our official email: [email protected]
3. You will receive your private key to recover your files within one working day.
For detailed information, please refer to the dialog or “What happen to myfiies.txt” on your desktop.

The ransom note is placed inside a .txt file after the encryption process is complete. The file with the ransom note is called What happen to my files.txt. That text is also loaded in a window on the screen.

The What happen to my files.txt file contains the full ransom note message, which reads the following:

——— Trump Locker ———
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)
2. How to decrypt my files?
To decrypt and recover your files, you have to pay 50 US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment do not be completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted, and nobody can recover them. Therefore, it is advised that you’d better not waste your time, because there is no other way to recover your files except making a payment.
3. How to pay for my private key?
There are three steps to make a payment and recover your files:
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange 50 US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about 0.045 BTC) to the following address. 1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv
2). Send your personal ID to our official email: [email protected]
Your personal ID is cc673bcfcf644d2c1a88893cb0ff8fa7
3). You will receive a decryptor and your private key to recover all your files within one working day.
4. What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate financial institution.
5. How to make a payment with Bitcoin?
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.
About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy the necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com — the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com — the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu — the best for Europe.
CEX.IO — Visa / MasterCard
CoinMama.com — Visa / MasterCard
HowToBuyBitcoins.info — discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about 0.045 BTC (equivalent to 50 USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc)
Input our Bitcoin receiving an address in the “Bitcoin Wallet” textbox.
input 100 in the “Amount” textbox, the amount of Bitcoin will be calculated automatically.
click “PAY” button; then you can complete your payment with your Perfect Money account and local debit card.
6. If you have any problem, please feel free to contact us via official email.
Best Regards
The Trump Locker Team

Ransom note source: Infected users

The ransomware is reported to stem from the HiddenTear project. You can read more about the HiddenTear/EDA2 open-source project in the corresponding article on the blog.

You should NOT under any circumstances consider paying the crooks behind TrumpLocker ransomware, and you should not contact them either. Your files may not get restored, and nobody could guarantee that. Furthermore, giving money to these criminals will likely motivate them to distribute other ransomware viruses or do more criminal activities.

The TrumpLocker ransomware encrypts files differently than VenusLocker. Each file that gets encrypted receives an extension appended to the end of its name. The difference is that some files get only their first 1024 bytes encrypted and receive a slightly different extension from the others. Here is how that stands:

  • Files that get fully encrypted receive the extension .TheTrumpLockerf
  • Files that get partially encrypted (only their first 1024 bytes) receive the extension .TheTrumpLockerp
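To scope the damage before attempting recovery, the two extensions and the ransom note name given in this article can be swept for across a drive. The following is an added example, not code from the article or from any removal tool; the function names and the constructed sample tree in demo() are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text.
FULL_EXT = ".TheTrumpLockerf"      # file encrypted in full
PARTIAL_EXT = ".TheTrumpLockerp"   # only the first 1024 bytes encrypted
NOTE_NAME = "What happen to my files.txt"


def classify(path):
    """Return (kind, original_name) for an indicator file, else None."""
    name = os.path.basename(path)
    lower = name.lower()
    for ext, kind in ((FULL_EXT, "full"), (PARTIAL_EXT, "partial")):
        # Require a non-empty original name in front of the appended extension.
        if lower.endswith(ext.lower()) and len(name) > len(ext):
            return kind, name[: -len(ext)]
    if lower == NOTE_NAME.lower():
        return "ransom_note", name
    return None


def sweep(root):
    """Walk root; return (Counter per kind, [(kind, path, original_name)])."""
    counts, hits = Counter(), []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for fname in files:
            result = classify(fname)
            if result:
                kind, original = result
                counts[kind] += 1
                hits.append((kind, os.path.join(dirpath, fname), original))
    return counts, hits


def demo():
    """Sweep a constructed sample tree (empty files, names only)."""
    names = ("report.docx.TheTrumpLockerf", "photo.jpg.TheTrumpLockerp",
             "clean.txt", NOTE_NAME)
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for n in names:
            with open(os.path.join(docs, n), "wb"):
                pass
        counts, hits = sweep(root)
    return dict(counts), sorted(h[2] for h in hits)
```

Running sweep() against a mounted copy of the affected drive gives a per-kind count and the original file names, which helps decide which files to look for in backups first.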

Here is a list with all extensions that will get encrypted with the .TheTrumpLockerf extension:

→.xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .txt, .ini, .php, .html, .css, .py, .c, .cpp, .cc, .h, .cs, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .msg, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp, .rtf, .wpd, .docb, .wps

Here is a list with all extensions that will get encrypted with the .TheTrumpLockerp extension:

→.idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dat, .csv, .xml, .spv, .grle, .sv5, .game, .slot, .aaf, .aep, .aepx, .plb, .prel, .prproj, .eat, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .svg, .as3, .as, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, 
.pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .rpt, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .ini, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .docb, .xlt, .xltm, .xlw, .ppam, .sldx, .sldm, .class, .db, .pdb, .ptx, .pef

The encryption which is utilized by the ransomware is believed to be AES as that is the encryption algorithm used by the HiddenTear variants and VenusLocker ransomware.

A really long list with exclusions is encoded inside the TrumpLocker virus:

→Program Files, Program Files (x86), Windows, Python27, Python34, AliWangWang, Avira, wamp, Avira, 360, ATI, Google, Intel, Internet Explorer, Kaspersky Lab, Microsoft Bing Pinyin, Microsoft Chart Controls, Microsoft Games, Microsoft Office, Microsoft.NET, MicrosoftBAF, MSBuild, QQMailPlugin, Realtek, Skype, Reference Assemblies, Tencent, USB Camera2, WinRAR, Windows Sidebar, Windows Portable Devices, Windows Photo Viewer, Windows NT, Windows Media Player, Windows Mail, NVIDIA Corporation, Adobe, IObit, AVAST Software, CCleaner, AVG, Mozilla Firefox, VirtualDJ, TeamViewer, ICQ, java, Yahoo!

The above list contains all names of folders, which are to be excluded from the encryption process.

The TrumpLocker cryptovirus is reported by HybridAnalysis to delete the Shadow Volume Copies from the Windows operating system by utilizing the following command:

→vssadmin.exe delete shadows /all /Quiet
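The command above is a useful detection point in process-creation logs. The following added example (not from the article or from HybridAnalysis) matches it across case, quoting and path variations; the pipe-separated log format, host names, paths and the severity rule are constructed assumptions.

```python
import re

# vssadmin with or without path, quotes or .exe, followed by "delete shadows".
VSS_DELETE = re.compile(
    r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

# Constructed sample events: time|host|parent image|command line
SAMPLE_EVENTS = r"""
2017-02-20T10:01:12|PC-01|C:\Windows\explorer.exe|"C:\Windows\System32\notepad.exe" notes.txt
2017-02-20T10:04:40|PC-01|C:\Users\user\AppData\Local\Temp\sample.exe|vssadmin.exe delete shadows /all /Quiet
2017-02-20T10:05:02|PC-02|C:\Windows\System32\cmd.exe|"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /For=C: /Oldest
2017-02-20T10:06:30|PC-02|C:\Windows\System32\cmd.exe|vssadmin list shadows
"""


def detect_shadow_deletion(log_text):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)   # the command line itself may contain '|'
        if len(parts) != 4:
            continue
        when, host, parent, cmdline = parts
        if not VSS_DELETE.search(cmdline):
            continue
        flags = {tok.lower() for tok in cmdline.split() if tok.startswith("/")}
        # Assumed triage rule: /all together with /quiet is the exact form
        # reported for TrumpLocker, so rank it above other deletions.
        exact = {"/all", "/quiet"} <= flags
        alerts.append({"time": when, "host": host, "parent": parent,
                       "severity": "high" if exact else "review"})
    return alerts
```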

Read on to see the ways in which you can try to potentially restore some of your files.

Remove TrumpLocker Ransomware and Restore .TheTrumpLockerf Files

If your computer got infected with the TrumpLocker ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. You should remove the ransomware by following the step-by-step instructions provided below.

Manually delete TrumpLocker from your computer

Note! Important notice about the TrumpLocker threat: Manual removal of TrumpLocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove TrumpLocker files and objects
2. Find malicious files created by TrumpLocker on your PC

Automatically remove TrumpLocker by downloading an advanced anti-malware program

1. Remove TrumpLocker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by TrumpLocker
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
