ArmaLocky Ransomware

What is ArmaLocky Ransomware?

ArmaLocky Ransomware is another crypto-threat that was first detected as MlsoSvc.exe by specialists working in the cyber security field at the beginning of September, 2017. At that time, it was not a prevalent threat yet. It was not prevalent at the time of writing either, but we cannot promise that this will not change soon, so, theoretically, anyone can encounter ArmaLocky Ransomware. If you are reading this article not out of curiosity, but because you have detected this ransomware infection on your computer, we want that you know that you cannot do much to get these encrypted files back. Yes, you can try purchasing the private key and decryption software from cyber criminals, but there are still no guarantees that you could decrypt your data, so do not even bother sending money to the owner of this threat. What we recommend doing instead is going to delete that ransomware infection so that it could not encrypt more personal files. ArmaLocky Ransomware might create its entry in the Run registry key, specialists at anti-spyware-101.com say, but it is still not one of those ransomware infections that drop a bunch of files, block system utilities, or lock the screen completely, so its removal should not be anything very complicated.

Where does ArmaLocky Ransomware come from?

There are two possible ways how ArmaLocky Ransomware entered your system. First, you could have allowed it to enter the system yourself by opening a spam email and then downloading its malicious attachment. Second, it could have entered your system because your RDP configuration is unsafe. These are definitely not all methods used to distributed ransomware infections. There are cases when users download these threats from the web themselves because some of them are spread masqueraded as decent software. Since ransomware infections are one of the sneakiest malicious applications, you should have a security application enabled on your system 24/7. You can no longer be careless either because a number of infections successfully enter users’ PCs because they are not cautious enough.

What does ArmaLocky Ransomware do?

You do not need to be an expert to notice that ArmaLocky Ransomware has successfully entered your system because, like its predecessor Locky Ransomware, it starts working right away following the successful entrance. That is, it encrypts pictures, documents, videos, and other files by appending .armadilo1 to them. Also, you should find on your Desktop two new files _Locky_HELP_.html and _ReadMe_.txt containing the same text – the ransom note. If you read it, you will get an answer to the question why you cannot open a bunch of your files – they have all been encrypted using RSA-4096 and AES-256 ciphers. You will also find out that you can decrypt your files only with a private key and a special decryption tool that is stored on a server belonging to cyber criminals. Without a doubt, users will not be given that key and a program for free. They could only purchase it from cyber criminals. If you are planning on doing that, make a payment as soon as possible because the key will be destroyed after 72 hours. Of course, we do not think that paying money to malicious software developers is the best solution to the problem and we do not encourage you to do that because there are no guarantees that it will be possible to decrypt files after sending the required money to cyber criminals. There are not many alternative ways to decrypt files, but there is still one thing you can do to restore the encrypted data for free. You can restore your files from a backup instead of purchasing the special tool and key from malicious software developers. Unfortunately, you can do nothing if you have never backed up your files.

How to remove ArmaLocky Ransomware

You will not unlock your files by eliminating the ransomware infection from your system, but you cannot keep it on your computer either because it might strike again thus leaving more personal files corrupted. The manual removal of ArmaLocky Ransomware will be quite quick because only suspicious recently downloaded files and ransom notes dropped by this threat will have to be erased. Also, you should go to check the Run registry key just in case. Of course, you will not need to do anything yourself if you decide to delete ArmaLocky Ransomware automatically. In such a case, launching the scanner will be your only task.

ArmaLocky Ransomware removal guide

Check the Run registry key

1. Press Win+R.
2. Type regedit.exe and click OK.
3. Move to HKCU/Software/Microsoft/Windows/Current Version/Run.
4. Check all Values and delete the one (it should be named Locky) associated with ArmaLocky Ransomware (keep in mind that you will not necessarily find it there).
5. Close Registry Editor.

Delete files

1. Open Explorer (press Win+E).
2. Delete all recently downloaded suspicious files from %USERPROFILE%\Desktop and %USERPROFILE%\Downloads.
3. Remove _ReadMe_.txt and _Locky_HELP_.html from %USERPROFILE%\Desktop and %APPDATA%.
4. Clear Recycle bin. Download Removal Tool100% FREE spyware scan and
   tested removal of ArmaLocky Ransomware*