What is RandomLocker ransomware? And how does it carry out its attack?
RandomLocker ransomware is a new crypto-malware that emerged on April 27, 2018. It is designed to lock files on a targeted device and demand a ransom from its victims. It marks the files it encrypts with the .rand extension.
Once the malicious payload of RandomLocker ransomware is executed on the system, it begins its attack by scanning the entire drive of the infected computer for certain files to encrypt. These are commonly user-generated files such as images, documents, audio files, videos, databases and so on. Once the encryption is complete, a ransom note is displayed on the screen stating:
“Oops, your files have been encrypted!
Encryption was produced using the unique key generated for this computer.
To decrypt files, you need to obtain the private key.
The single copy of the private key, with will allow you to decrypt the files, is located on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
Payment has to be made within 24 hours
To retrieve the private key, you need to pay 10$ in BTC
Bitcoins have to be sent to this address: 3GPg3tgwZakR5uTELzjMJRj1NarxHH9YdJ
After you’ve sent the payment send us an email to [email protected] with subject: UNLOCK ***
If you are not familiar with bitcoin you can buy it from here:
SITE: www localbitcoin.com
After we confirm the payment, we will send the private key so you can decrypt your system.
—
FILES DELETED IN
**:**:**
About Bitcoin
How to buy bitcoins?
Show Encrypted Files
Contact Us
[***] [Decrypt]”
RandomLocker ransomware asks for only a small ransom, but that doesn’t mean you should go ahead and pay it. No matter how small the amount is, paying the ransom is not a good idea. The best way to deal with crypto-malware threats like RandomLocker ransomware is to remove it from the system as soon as possible and try alternative ways to recover the affected files without spending even a cent.
How does RandomLocker ransomware proliferate?
RandomLocker ransomware proliferates using the most common method of distributing ransomware threats, which is spam email. These spam emails usually contain an infected attachment used to download and install the ransomware onto the system. The attachments are mostly documents with macro scripts, so when you open a document you’ve downloaded from your email and it prompts you to enable macros, don’t do so, as it might install the crypto-malware on your system. To avoid ransomware threats in the future, always keep your system and your AV programs up to date.
Use the removal guide below to remove RandomLocker ransomware from your computer.
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to both the Application and Processes tabs, look for any suspicious applications and processes associated with RandomLocker ransomware, and end them.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for RandomLocker ransomware or any suspicious program and then uninstall it/them.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following directories:
- %USERPROFILE%\Desktop
- %USERPROFILE%\AppData\Local\Temp
- %USERPROFILE%\downloads
- %TEMP%
Step 7: Look for the malicious files created by the ransomware, such as the malicious macro-enabled document you’ve downloaded recently, delete them all, and then close File Explorer.
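The search in Steps 6 and 7 can be narrowed with a read-only PowerShell listing. This is an added example, not part of the original guide; the 14-day look-back window and the list of extensions to review are assumptions to adjust for your case.

```powershell
# Added example: read-only triage of the directories from Step 6. Nothing is deleted.
$Days = 14   # assumption: the spam attachment arrived within the last two weeks
$Dirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\Downloads",
    $env:TEMP          # usually the same folder as AppData\Local\Temp
) | Select-Object -Unique

# Assumed review list: macro-capable Office documents, scripts and executables.
$Review = '.docm', '.dotm', '.xlsm', '.pptm', '.doc', '.xls',
          '.js', '.vbs', '.hta', '.ps1', '.bat', '.exe', '.scr'
$Cutoff = (Get-Date).AddDays(-$Days)

$Findings = foreach ($Dir in $Dirs) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }
    Get-ChildItem -LiteralPath $Dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Cutoff -and $Review -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Zone.Identifier is the alternate data stream Windows attaches to files
            # saved from the internet or from an email client.
            $Zone = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $Hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                FromInternet  = [bool]$Zone
                SHA256        = $Hash.Hash   # empty if the file is locked
            }
        }
}

# Newest first: the attachment that started the infection is likely near the top.
$Findings | Sort-Object LastWriteTime -Descending | Format-List
```

Files marked FromInternet that you do not recognise are the ones to inspect before deleting; the SHA256 value can be checked with your AV vendor.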
Before you proceed to the next steps, make sure that you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make can seriously affect your computer. To save you the trouble and time, you can just use an efficient program like [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Press Win + R to open Run, type regedit in the field, and press Enter to open the Windows Registry Editor.
Step 9: Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE
- HKCU\SOFTWARE\WOW6432Node
Step 10: Under the paths listed above, look for registry values created by RandomLocker ransomware and delete them.
Step 11: Close the Registry Editor.
Step 12: Empty all the contents of Recycle Bin.
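To decide which values under the Run key from Step 9 deserve deletion in Step 10, the entries can be listed with the file each one launches. This is an added example, not part of the original guide; it only reads the registry, covers only the Run key (not the broader HKCU\SOFTWARE paths), and the folder heuristic is an assumption.

```powershell
# Added example: list autostart values under the Run key from Step 9. Read-only.
$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Key = Get-Item -LiteralPath $RunKey -ErrorAction Stop

$Entries = foreach ($Name in $Key.GetValueNames()) {
    $Command = [string]$Key.GetValue($Name)

    # Extract the program path: a quoted path first, otherwise the text up to the
    # first space (an unquoted path containing spaces will be cut short).
    if ($Command -match '^\s*"([^"]+)"') { $Exe = $Matches[1] }
    else { $Exe = ($Command.Trim() -split '\s+')[0] }
    $Exe = [Environment]::ExpandEnvironmentVariables($Exe)

    $Exists = ($Exe -ne '') -and (Test-Path -LiteralPath $Exe -PathType Leaf)
    $Sig = if ($Exists) { (Get-AuthenticodeSignature -LiteralPath $Exe).Status } else { 'n/a' }

    [pscustomobject]@{
        ValueName  = $Name
        Command    = $Command
        FileExists = $Exists
        Signature  = $Sig
        # Heuristic (assumption): autostarts that run from the folders listed in
        # Step 6 are unusual for legitimate software and worth a closer look.
        RunsFromUserFolder = $Exe -match '\\(Temp|Downloads|Desktop)\\'
    }
}

$Entries | Format-List
```

An entry with Signature other than Valid and RunsFromUserFolder set to True is a candidate for Step 10; export the key from the Registry Editor before deleting anything so the change can be undone.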
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if RandomLocker ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. In the window that opens, go to the Previous Versions tab, which lists the versions of the file from before it was modified. After the list loads, select any of the previous versions displayed, and then click the Restore button.
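Whether Previous Versions can help depends on a shadow copy existing from before the files were encrypted. The following added example (not part of the original guide) checks that from an elevated PowerShell prompt; it assumes the encrypted files are under the user profile and that the ransomware updated each file's last-write time when it encrypted it.

```powershell
# Added example. Run from an elevated prompt: Win32_ShadowCopy needs administrator rights.
$Root = $env:USERPROFILE   # assumption: the encrypted files of interest are under the profile

# -Filter can also match longer extensions through 8.3 short names, so re-check it.
$Encrypted = @(Get-ChildItem -LiteralPath $Root -Filter '*.rand' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.rand' })

$Shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($Encrypted.Count -eq 0) {
    Write-Output "No .rand files found under $Root."
}
elseif ($Shadows.Count -eq 0) {
    Write-Output "$($Encrypted.Count) .rand files found, but no shadow copies exist (or the prompt is not elevated)."
}
else {
    # The earliest write time among the .rand files approximates when encryption started.
    $Start = ($Encrypted | Measure-Object -Property LastWriteTime -Minimum).Minimum

    # Only snapshots taken before that moment can hold unencrypted versions.
    $Usable = @($Shadows | Where-Object { $_.InstallDate -lt $Start } |
        Sort-Object InstallDate -Descending)

    [pscustomobject]@{
        EncryptedFiles     = $Encrypted.Count
        EncryptionStarted  = $Start
        ShadowCopiesTotal  = $Shadows.Count
        ShadowCopiesUsable = $Usable.Count
        NewestUsable       = if ($Usable.Count) { $Usable[0].InstallDate } else { $null }
    } | Format-List

    $Usable | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
}
```

If ShadowCopiesUsable is 0, the Previous Versions tab will have nothing from before the attack and recovery has to come from backups instead.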
After you’ve covered the steps provided above, you need to continue the removal process of RandomLocker ransomware with the help of a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.