What is RansomUserLocker ransomware? And how does it execute its attack?
RansomUserLocker ransomware is another file-encoding Trojan infection, which according to security experts seems like a new variant of the threat known as Korean Talk ransomware. This ransomware first emerged January 21, 2018. It is kind of similar to the VenusLocker ransomware which was also another ransomware created to target Korean users way back in 2017.
As soon as it enters a system it will encrypt files with these extensions:
.asp, .aspx, .bat, .bmp, .csv, .doc, .docx, .html, .hwp, .java, .jpg, .kys, .mdb, .mp3, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .rtf, .sln, .sql, .txt, .URL, .xls, .xlsx, .xml, .zip
RansomUserLocker ransomware makes use of both the AES and RSA encryption algorithm in damaging files. When the encryption is done, it will append the .RansomUserLocker extension on each one of the affected files. It then drops a “Read_Me.txt” file and delivers a program window titled “RansomUserLocker” which contains its ransom note in Korean. The following content is the ransom note translated from Korean to English:
“Your ID [44 RANDOM CHARACTERS]
- What’s wrong with your computer?
Your personal files, including your photos, documents, videos and other important files have been encrypted with RSA-4096, a strong encryption algorithm. The RSA algorithm generates public and private keys for your computer. The public key was used to encrypt files. A private key is needed to decrypt and restore files. Your private key is stored on our secret server. No one can recover your files without this key.
- How do I decrypt my files?
To decrypt and restore files, you must pay for the secret key and decryption. You only have 72 hours to make a payment. If payment is not made during this time, then your private key will be automatically deleted from our server. Do not waste your time, because there is no other way to recover your files, other than paying for foreclosures.
- How do I pay for my private key?
Follow these steps to pay and restore files:
1). Payment is possible only in bitcoins. Therefore, please buy 1 BTC, and then send it to the address below.
2). Send your ID (Personal ID) to our official email address below:
Official Mail: [email protected]
Be sure to check your personal information. Please refrain from insults and send me an email the same day.
Your personal ID is listed in the title of this screen.
3). You will receive a decryptor and private key to restore all files in one working day.
- How to find and buy bitcoins?
Buy and send 1 bitcoin to our bitcoin-purse: 1HB5XMLmzFVj8ALj6mfBsbitRoD4miY36v
Please buy bitcoins and send your ID by mail to our official email address.
We are not good people. But we must keep in the area where we do it.”
The authors of RansomUserLocker ransomware uses the [email protected] in communicating with its victims. However, it is not advised. If you are one of the unlucky users who got infected with this malware, you should not even think about contacting these crooks as they will only extort a big chunk of money from you and if you think that as soon as you pay the ransom that you’ll get the decryption key or software right away, that’s where you’re wrong. The thing is, despite paying the ransom, there is no guarantee that they will give you the decryption tool to recover your files. In fact, the possibility of you losing money over nothing is quite high as cyber crooks are not really known to keep their end of the bargain once they receive the payment. The best thing that you could do for now uses any backup copy of the affected files and wait until a free decryptor is available.
How does RansomUserLocker ransomware spread its malicious file(s)?
RansomUserLocker ransomware is being spread using a malicious file named “RansomUserLocker.exe” via spam emails, bogus download, fake software and updates and even malicious ads. To avoid getting infected by the same threat again, make sure that you avoid downloading any suspicious files over the internet especially if the source is unknown and can’t be trusted.
Use the removal guide below as a reference to delete RansomUserLocker ransomware from the infected PC.
Step 1: Launch the Task Manager by simply tapping Ctrl + Shift + Esc keys on your keyboard.
Step 2: Under the Task Manager, go to the Processes tab and look for any suspicious-looking process which takes up most of your CPU’s resources and is most likely related to RansomUserLocker ransomware.
Step 3: After that, close the Task Manager.
Step 4: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5: Under the list of installed programs, look for RansomUserLocker ransomware or anything similar and then uninstall it.
Step 6: Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the following locations below and look for RansomUserLocker ransomware’s malicious components such as RansomUserLocker.exe and Read_Me.txt as well as other suspicious files and then delete all of them.
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the following path:
Step 11: Delete the registry keys and sub-keys created by RansomUserLocker ransomware.
Step 12: Close the Registry Editor and empty your Recycle Bin.
It is important to make sure that nothing is left behind and that RansomUserLocker ransomware is completely wiped out from your system. To do that, use the following antivirus program.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.