WickedLocker is the name of a new ransomware cryptovirus based on the open-source HiddenTear project. All encrypted files will have the extension .locked appended to them. After it locks your files it demands 1 Bitcoin as payment. To see how to remove the ransomware and how you can try to restore your files, read the article to the end.
|Short Description||The ransomware will encrypt your files and then display a ransom note with instructions for payment. It demands 1 Bitcoin for unlocking your files.|
|Symptoms||All encrypted files will get the extension .locked appended to them.|
|Distribution Method||Spam Emails, Email Attachments|
WickedLocker Virus – Distribution Tactics
The WickedLocker ransomware could use different tactics to enter your computer. The payload file might be spread with spam emails. Such emails usually carry an attached file and are written to make you feel that both the message and its attachment are important. If you open the attached file, it will release the malicious script and infect your computer system.
WickedLocker ransomware might also infect your computer by using other tactics. The malware creators might be distributing their payload file via social media and file-sharing services. Refrain from opening files from suspicious emails, links or an unknown source. Before opening such files, you should scan them with a security program and check their size and signatures. You should read the ransomware prevention tips from the topic in the forum.
WickedLocker Virus – Technical Analysis
Your files get encrypted, and the extension .locked is appended to every one of them after the encryption process is complete. The instructions with demands for payment are placed in multiple files spread across your computer, inside folders with encrypted files.
When the WickedLocker ransomware initiates its payload, it can create entries in the Windows Registry. These entries can make the ransomware more persistent, and the ransomware could place itself in different locations on your PC. In addition, the registry entries could make the cryptovirus launch automatically with each start of the Windows operating system.
You can view a screenshot of the file containing the ransom message here:
The ransom note is put inside multiple files with the name READ_IT_[number].txt. It reads the following:
Your personal files are locked.
To unlock your files and work as normal you have to send 1 bitcoin to our wallet.
Send 1 BTC address
14wV6DktpJEzY5U2BiJwRpdaFFPn8kVn7S and send the transaction id to firstname.lastname@example.org
Apart from the ransom note, which is also put as a desktop background, there is a window that loads up after your files get encrypted. You can see its contents below:
Your personal files are locked!
Your personal files are locked.
To unlock your files and work as normal you have to send 1 bitcoin to our
Send 1 BTC to address [redacted] and press next >>.
1. Send 1 BTC to the following address:
2. Enter your email address:
3. Enter the Transaction ID:
4. Click Pay >>
<< Back Pay >>
You are asked to pay the sum of 1 Bitcoin. That amounts to 700 US dollars at the time of writing this article. The email Wickedhosting@gmx.com is used for contacting the cybercriminals. However, you should NOT think of contacting them or paying anything as that will only support the crooks. Nobody can guarantee you that by paying you will recover your files to their previous state, before the encryption.
The WickedLocker ransomware will encrypt files and append the .locked extension to every one of them. For the time being, a list with file extensions which the ransomware searches to encrypt is not available. Most of these files are probably documents, pictures, databases and other important files.
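The two file-system indicators named above (the .locked suffix and ransom notes named READ_IT_[number].txt placed beside encrypted files) can be used to scope which folders were hit. The following is an added example, not part of the original article; the folder layout and the high/low confidence labels are assumptions made for illustration.

```python
import os
import re
import tempfile

# Ransom-note name as given in the article: READ_IT_[number].txt
NOTE_RE = re.compile(r"^READ_IT_\d+\.txt$", re.IGNORECASE)

def triage(root):
    """Map each affected folder (relative to root) to its indicator counts."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        locked = [f for f in files if f.lower().endswith(".locked")]
        notes = sorted(f for f in files if NOTE_RE.match(f))
        if not locked and not notes:
            continue
        # .locked on its own is a generic suffix that other software may use,
        # so a note sitting beside locked files is treated as the stronger signal.
        confidence = "high" if locked and notes else "low"
        report[os.path.relpath(folder, root)] = {
            "locked": len(locked), "notes": notes, "confidence": confidence}
    return report

def build_sample_tree(root):
    """Create a small constructed tree of empty files (hypothetical names)."""
    layout = {
        "Documents": ["report.docx.locked", "budget.xlsx.locked", "READ_IT_1.txt"],
        "Pictures": ["holiday.jpg"],
        "Projects": ["db.sqlite.locked"],
        "Desktop": ["READ_IT_me_later.txt"],  # similar name, not a note
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

def demo():
    """Run the triage over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)

if __name__ == "__main__":
    for folder, info in sorted(demo().items()):
        print(folder, info)
```
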
The WickedLocker virus is very likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:
→vssadmin.exe delete shadows /all /Quiet
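Shadow copy deletion is visible in process-creation logs, so the command above is a useful detection point. The following is an added example, not part of the original article, that classifies command lines from such logs; the event layout, host names and verdict labels are assumptions, and the sample events are constructed.

```python
import re

# vssadmin with or without a directory prefix and the .exe suffix
_VSSADMIN = re.compile(r"(?:^|[\\/])vssadmin(?:\.exe)?$", re.IGNORECASE)

def classify(command_line):
    """Return None, 'delete' or 'delete-all-quiet' for one command line."""
    # Quotes only group arguments here, so drop them before tokenising;
    # this also unwraps forms such as: cmd /c "vssadmin delete shadows ..."
    tokens = command_line.replace('"', " ").split()
    for i, tok in enumerate(tokens):
        if _VSSADMIN.search(tok):
            args = [a.lower() for a in tokens[i + 1:]]
            if "delete" in args and "shadows" in args:
                if "/all" in args and "/quiet" in args:
                    return "delete-all-quiet"  # the form quoted in the article
                return "delete"
    return None

def find_shadow_deletion(events):
    """Return (host, verdict, command_line) for every matching event."""
    hits = []
    for ev in events:
        verdict = classify(ev["command_line"])
        if verdict:
            hits.append((ev["host"], verdict, ev["command_line"]))
    return hits

# Constructed sample process-creation events (hypothetical hosts).
SAMPLE_EVENTS = [
    {"host": "ws-01", "command_line": r"vssadmin.exe delete shadows /all /Quiet"},
    {"host": "ws-02", "command_line":
        r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE Delete Shadows /All /Quiet"'},
    {"host": "ws-03", "command_line": r"vssadmin list shadows"},
    {"host": "ws-04", "command_line":
        r'findstr /i "delete shadows" C:\logs\audit.txt'},
]

if __name__ == "__main__":
    for host, verdict, cmd in find_shadow_deletion(SAMPLE_EVENTS):
        print(host, verdict, cmd)
```
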
Continue to read and see what ways you can try out to hopefully restore your files.
Remove WickedLocker and Restore .locked Files
If your computer got infected with the WickedLocker ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. You should remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by WickedLocker.
Manually delete WickedLocker from your computer
Note! Important notice about the WickedLocker threat: Manual removal of WickedLocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.