Atchbo Ransomware

What is Atchbo Ransomware?

Atchbo Ransomware is a scary infection because once it slithers in it silently encrypts all of your personal files. Once that is done, the threat also locks the screen, which makes it impossible for you to terminate malicious processes, remove the infection, or even see which files were encrypted. While many threats merely pose as file-encryptors – they lock the screen precisely so that users cannot see that their files are safe – this is not one of them. This ransomware is real, and it was created for the sole purpose of forcing you into paying the ransom. Although the ransom is not very big (between 40-60 USD, depending on the conversion rate), paying it is not something Anti-Spyware-101.com researchers would ever recommend, because paying is unlikely to get your personal files decrypted. All victims, both those who have their personal files backed up and those who might end up losing their files, must delete Atchbo Ransomware. The operation might be lengthy and complicated, but it must be performed right now.

How does Atchbo Ransomware work?

Exolock ransomware is the predecessor of Atchbo Ransomware, and since our research team has already reviewed that malicious threat, it was not hard to understand how this new version works as well. The one thing that is still unclear is how this malware is distributed, because cyber criminals can use different methods and can shift from one method to the next to maximize its spread. Since malicious spam email attachments are the most common vector for file-encrypting, ransom-demanding software, it is safe to say that you have to be particularly careful with suspicious spam messages. If you execute the launcher of Atchbo Ransomware without realizing it, the process cannot be stopped, because the threat is silent at first. On top of that, it creates a copy of itself in %APPDATA% (it might be called “ExoGUI.exe”), which guarantees that encryption completes even if you delete the original file. Once files are encrypted, a unique extension – .exo – is appended to their names, but you cannot see this because your PC is locked. If you try launching Task Manager to kill the process locking the screen, your PC is likely to crash.

The ransom note that shows up on the screen states that you must pay a ransom of 0.007 Bitcoin to get your files decrypted. The message suggests purchasing Bitcoins at anycoindirect.eu/en/buy/bitcoins, and it lists 1HYUJkWT6ndCZzs4PsdFKgkM2agXidPgEv as the Bitcoin address to which the sum should be sent. It appears that no one has sent money to this address yet. Oddly, a file called “UnlockYourFiles[numbers].txt” presents different information. If you manage to unlock the screen, you will find this file in every directory where files were encrypted. According to this file, you need to send 0.01 Bitcoin to 12y9boJMf7UF3WRb5SReWTPdh7B8Gjxrnk to get your files back. Clearly, something is not right. All in all, the cyber criminals behind Atchbo Ransomware expect you to pay the ransom, but nothing obliges them to help you with decryption once they receive it, which is why it is unlikely that you would get anything out of paying. The bad news is that your files will not be decrypted even if you remove Atchbo Ransomware successfully. If you end up losing files, let this be a lesson that backing up data is crucial.

How to delete Atchbo Ransomware

If you have never rebooted your operating system into Safe Mode, you might find the instructions below quite difficult to follow at first. But if you follow the process one step at a time, you should be able to reboot the system successfully and then follow the instructions to remove Atchbo Ransomware. If you want to use anti-malware software (a wonderful idea, especially if you want the added protection this software can give you), you still need to reboot into Safe Mode with Networking. If you use this software, you will not need to find and eliminate malicious components yourself, scan your system to check for leftovers, or worry about how you act online. Even if you are cautious, letting malware in is very easy, and if anti-malware tools are not set up to guard you, all kinds of threats could wreak havoc without your noticing.

Reboot Windows to Safe Mode or Safe Mode with Networking

Windows XP, Windows Vista, or Windows 7:

  1. Restart the PC, wait for the BIOS screen to show, and start tapping the F8 key.
  2. Choose Safe Mode or Safe Mode with Networking using arrow keys and tap Enter.

Windows 8, Windows 8.1, or Windows 10:

  1. Open the Power menu:
    • Windows 8: access the Charm Bar, click Settings and choose Power.
    • Windows 10: move to the Taskbar, click the Windows button, and click Power.
  2. Click Restart while pressing down the Shift key on the keyboard.
  3. Go to the Troubleshoot menu, then move to Advanced options, and select Startup Settings.
  4. Click Restart and then tap F4 (Safe Mode) or F5 (Safe Mode with Networking).

Remove the ransomware

  1. Find the {random name}.exe launcher of the ransomware.
  2. Right-click and Delete the file.
  3. Tap Win+E to launch Explorer and then enter %APPDATA% into the bar at the top.
  4. Right-click and Delete the copy of the launcher (e.g., ExoGUI.exe).
  5. Right-click and Delete all copies of the UnlockYourFiles[numbers].txt file. It could be found in these locations as well:
    • %ALLUSERSPROFILE%\Start Menu\Programs
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  6. Tap Win+R to launch RUN and then enter regedit.exe to launch Registry Editor.
  7. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the {random name} value that represents the malicious launcher’s copy.
  9. Delete the keys called ExoGUI_RASMANCS and ExoGUI_RASAPI32 in these paths:
    • HKLM\SOFTWARE\Microsoft\Tracing\
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\
  10. Empty the Recycle Bin and then immediately install a malware scanner to inspect your operating system.
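The following triage script is an added example, not part of the original article: it reports, without deleting anything, whether the indicators listed above (the %APPDATA% launcher copy, the Run value, the Tracing keys, .exo files and UnlockYourFiles notes) are present, so you can confirm an infection before the manual steps and verify nothing is left afterwards. It assumes an elevated PowerShell session in Safe Mode with Networking; the search roots are an assumption.

```powershell
# Added triage script (not from the original article). Read-only: it only reports.
$findings = @()

# 1. Launcher copy dropped in %APPDATA% (the article reports the name "ExoGUI.exe").
$copy = Join-Path $env:APPDATA 'ExoGUI.exe'
if (Test-Path -LiteralPath $copy) { $findings += "Launcher copy present: $copy" }

# 2. Persistence: any HKCU Run value whose command names ExoGUI or points into %APPDATA%.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match 'ExoGUI' -or $cmd -like "*$env:APPDATA*") {
            $findings += "Suspicious Run value '$name' -> $cmd"
        }
    }
}

# 3. Tracing keys the ransomware leaves behind (native and WOW6432Node views).
$tracingBases = 'HKLM:\SOFTWARE\Microsoft\Tracing', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing'
foreach ($base in $tracingBases) {
    foreach ($name in 'ExoGUI_RASMANCS', 'ExoGUI_RASAPI32') {
        $k = Join-Path $base $name
        if (Test-Path $k) { $findings += "Tracing key present: $k" }
    }
}

# 4. Encrypted files (.exo) and ransom notes (UnlockYourFiles<numbers>.txt).
#    Search roots are an assumption: user data normally lives under these profiles.
$roots = @($env:USERPROFILE, $env:ALLUSERSPROFILE)
$files = Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($files | Where-Object { $_.Extension -eq '.exo' })
$notes     = @($files | Where-Object { $_.Name -match '^UnlockYourFiles\d*\.txt$' })
$noteDirs  = @($notes | Select-Object -ExpandProperty DirectoryName -Unique)
$findings += "Encrypted (.exo) files: $($encrypted.Count)"
$findings += "Ransom notes: $($notes.Count) in $($noteDirs.Count) directories"

$findings | ForEach-Object { Write-Output $_ }
```

Run it once before the removal steps to record what is present, and again after step 10: every line except the two counters should be gone, and the counters tell you how much data still needs restoring from backup.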