What is Exolock ransomware? And how does it implement its attack?
Exolock ransomware is another crypto-malware Trojan that carries out a typical ransomware attack: it encrypts the victim’s files and then demands a ransom to decrypt them. Exolock arrives on the computer system as a malicious email attachment. Once the attachment is opened, the ransomware is downloaded and installed on the compromised computer.
During its attack, Exolock appends the .exolocked file extension to each targeted file. It is currently unknown which type of cryptography Exolock ransomware uses. At the same time, it creates new or modifies existing Registry entries in your system and injects malicious code into your legitimate system processes. Following data encryption, Exolock ransomware opens a program window that demands the ransom and contains the following text:
“YOUR FILES HAVE BEEN ENCRYPTED
All files have been infected
Get decrypt your files in 4 steps
- Go to “www.anycoindirect.eu/en/buy/bitcoins”
- Pay 0.01 bitcoins to the bitcoin Address below
- Once confirmed your files will be decrypted
- And you can enjoy your computer
If you try to CLOSE this process or SHUTDOWN the computer, your files will be DELETED FOREVER!!!
AND CANT BE RECOVERED !!! Only way to RECOVER your files is to PAY 0.01 BTC
BTC Address: 1HYUjkWT6ndCZzs4PsdFKgkM2agXidPg”
In the ransom note, the authors of the crypto-malware inform their victims of the unpleasant situation they are now in and claim that the only way to get their files back is to pay the ransom. To sound scarier and tougher, they warn their victims that if they close the program window or shut down the computer, all their files will be deleted. You should know better than to believe these crooks. Paying them won’t actually get you out of the mess you are in; in fact, you might end up in even bigger trouble, as cyber crooks are known to ignore their victims once they have got what they want. Despite what the crooks claim, there is still a way to recover your files without paying a single cent: restoring them from the shadow volume copies of the encrypted files. Manage your expectations, though, because this method only works if Exolock hasn’t deleted the shadow volume copies during the encryption process. Uncertain as that is, it is still worth a try.
How does Exolock ransomware spread its malicious infection?
As explained previously, Exolock arrives on your computer via malicious spam emails. This distribution method is highly favored by many ransomware developers, who often attach a macro-enabled document to the email; the macro in that document is responsible for dropping the ransomware onto your system. Aside from that, Exolock ransomware can also infect your computer through exploit kits on compromised websites and through fake downloads. That is why you must always keep both your system and your antivirus program updated, to increase your computer’s resistance to these kinds of attacks. It would also be wise to steer clear of any suspicious email, no matter how interesting it seems.
Follow the set of detailed instructions below to eliminate Exolock ransomware.
Step 1: Restart your PC.
Step 2: Tap Ctrl + Shift + Esc to pull up Windows Task Manager, look for Exolock ransomware’s malicious process and end it.
Step 3: Open Control Panel by pressing the Windows key + R, typing appwiz.cpl and then clicking OK or pressing Enter.
Step 4: Look for Exolock ransomware or any other suspicious program and uninstall it.
Step 5: Tap the Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations, look for Exolock ransomware’s malicious components and then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Close File Explorer. Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a big impact on your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro, a system tool that is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field and press Enter to pull up the Windows Registry.
Step 9: Navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the registry keys and sub-keys created by Exolock ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
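Before deleting anything by hand in Steps 6, 9 and 10, it helps to see what is actually there. The PowerShell script below is an added example and not part of the original article: it lists the values in the Run key from Step 9 and flags any whose command runs from one of the Step 6 folders, lists recently written executables in those folders, and counts the files that now carry the .exolocked extension. It only reads; the seven-day window and the extension list are assumptions you can adjust.

```powershell
# Added example, not from the original article: a read-only triage of the
# artifacts the removal steps point at (the per-user Run key, the drop
# folders from Step 6 and the .exolocked extension). Nothing is deleted.

# Folders named in Step 6, expanded from the environment variables
$dropFolders = @(
    $env:TEMP,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

# 1. Persistence: every value in the Run key from Step 9, flagged when the
#    command it launches lives in one of the drop folders
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Write-Host "== Run key values ($runKey) =="
$values = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' }       # skip the provider's own PS* members
foreach ($v in $values) {
    $cmd  = [string]$v.Value
    $flag = ''
    foreach ($d in $dropFolders) {
        if ($d -and $cmd.ToLower().Contains($d.ToLower())) { $flag = '   <-- launched from a drop folder' }
    }
    '{0} = {1}{2}' -f $v.Name, $cmd, $flag
}

# 2. Recently written executables and scripts in the drop folders (7-day window is an assumption)
Write-Host "`n== Executables written in the drop folders during the last 7 days =="
Get-ChildItem -Path $dropFolders -Recurse -File -Include *.exe,*.dll,*.scr,*.js,*.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. Size of the damage: how many files now carry the .exolocked extension
Write-Host "`n== Encrypted files (.exolocked) under $env:USERPROFILE =="
$locked = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter *.exolocked -ErrorAction SilentlyContinue)
$bytes  = ($locked | Measure-Object -Property Length -Sum).Sum
if (-not $bytes) { $bytes = 0 }
'{0} files, {1:N1} MB' -f $locked.Count, ($bytes / 1MB)
$locked | Select-Object -First 10 -ExpandProperty FullName   # a sample of the affected paths
```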
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Exolock ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click it and select Properties. In the window that pops up, go to the Previous Versions tab; it lists the file’s versions from before it was modified. Once the list loads, select one of the previous versions shown, like the one in the illustration below, and then click the Restore button.
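The Previous Versions tab is empty when no shadow copy survives, so it is worth checking first. The script below is an added example and not from the original article: it queries the shadow copies for the drive holding an encrypted file and, if any exist, copies that file’s pre-encryption version out of the newest snapshot to a new name, leaving the original untouched. It assumes an elevated PowerShell (mklink needs it) and uses a placeholder path for the file.

```powershell
# Added example, not from the original article: check whether Volume Shadow
# Copies still exist for the drive holding an encrypted file, then pull that
# file's pre-encryption version out of the newest snapshot. Run from an
# elevated PowerShell (mklink needs it). $original is a placeholder path.
$original = 'C:\Users\<user>\Documents\report.docx'   # the file's path before it was renamed .exolocked

# Map the drive letter to the volume GUID that Win32_ShadowCopy reports
$drive = $original.Substring(0, 2)                                     # e.g. 'C:'
$volId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $drive).DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volId |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Host "No shadow copies exist for $drive - Previous Versions will be empty."
    return
}
Write-Host "$($shadows.Count) shadow copies found for $drive (newest first):"
$shadows | Select-Object InstallDate, DeviceObject | Format-Table -AutoSize

# Expose the newest snapshot under a normal directory path. Copy-Item does not
# accept the \\?\GLOBALROOT device path directly, so a directory link is used.
$newest = $shadows[0]
$mount  = 'C:\shadow_ro'
cmd.exe /c mklink /d $mount "$($newest.DeviceObject)\" | Out-Null
try {
    $inSnapshot = Join-Path $mount $original.Substring(3)              # strip 'C:\'
    if (Test-Path -LiteralPath $inSnapshot) {
        $dest = "$original.recovered"
        Copy-Item -LiteralPath $inSnapshot -Destination $dest          # never overwrite the original
        Write-Host "Restored copy written to $dest (snapshot from $($newest.InstallDate))."
    } else {
        Write-Host "Not in the newest snapshot; try an older one via Previous Versions."
    }
} finally {
    cmd.exe /c rmdir $mount | Out-Null     # removes only the link, not the snapshot
}
```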
To make sure that nothing is left behind and that the Exolock is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.