Rans0mlocked Ransomware

What is Rans0mlocked Ransomware?

You know you came across Rans0mlocked Ransomware if your personal files are marked with .owned extension. Apparently, the malicious application should append the extension to each enciphered file. The goal of locking all data is to make the user pay the malware’s creators for the decryption tool. It is understandable you want to recover your data and could be considering such an option, but before you come to a decision, we would advise reading our report first. Further, in the article, we will discuss not only the threat’s working manner or its removal, but also why it might be dangerous to deal with the hackers. Below the text, there are deletion instructions as well, so if you came here only to find away how to eliminate Rans0mlocked Ransomware, you could slide below and follow the provided steps.

Where does Rans0mlocked Ransomware come from?

Our specialists at Anti-spyware-101.com believe the malware might be already inactive, so it is possible it could be no longer distributed. Thus, it makes it harder to find out how Rans0mlocked Ransomware might have been spread. Probably the two most popular ransomware distribution methods are sending launchers via Spam emails or sharing them through harmful file-sharing web pages. This is why security specialists always advise users to check suspicious data downloaded from the Internet first instead of opening it right away. If the file appears to be suspicious or infected, a legitimate antimalware tool should warn you about possible risks and help you get rid of it safely.

How does Rans0mlocked Ransomware work?

Rans0mlocked Ransomware works right from the directory where its launcher was downloaded and opened. However, unlike other similar threats, it additionally created a power-shell script that allows the malware to auto-start with the computer's operating system. In other words, it does not matter if you close the infection's window, it will be opened once again when the computer is rebooted. The mentioned power-shell script could be titled as persist.ps1, and it should be placed in a randomly named folder in the C:\Users\User\AppData\Roaming directory.

Soon after the malicious application settles in, it should complete its second task which is your data’s encryption. As the process takes place, the malware enciphers each targeted file with AES cryptosystem. Also, as we said in the beginning, Rans0mlocked Ransomware should mark all affected files with an additional extension, for example, forest.jpg.owned, party.avi.owned, and so on. It looks like the threat’s creators could be asking to pay around 0.1 BTC. At the moment of writing 0.1 bitcoins is approximately 169 US dollars. The sum may not look significant for some of the malware’s victims, but given there is a chance you could lose the whole amount completely in vain, it might be worth to consider such option more carefully.

Our researchers say the malicious application’s server is currently down, which means the infection should be unable to connect to it. Unfortunately, this server is most like where the threat is keeping unique decryption keys needed to unlock enciphered users’ files. Therefore, if it cannot connect to it, the chances are the decryption might be impossible even after paying the ransom. This is why we recommend erasing the infection instead of funding its creators.

How to remove Rans0mlocked Ransomware?

If you take a look at the steps provided below this paragraph you could erase Rans0mlocked Ransomware manually; all you have to do is carefully follow the given instructions. Nevertheless, even with detailed instructions, the task of deleting the malware manually could appear to be too difficult for some of you. Fortunately, there is no need to worry as instead of removing the malicious application manually, you could employ a legitimate antimalware tool and use its automatic tools to deal with the threat faster.

Erase Rans0mlocked Ransomware

1. Press Windows key+E.
2. Copy and paste the following locations into the Explorer one by one:
   %TEMP%
   %USERPROFILE%\desktop
   %USERPROFILE%\downloads
3. Find the malware’s launcher (a suspicious file you had opened before the infection appeared).
4. Select the suspicious file and press Shift+Delete.
5. Locate this directory: %APPDATA%
6. Find a randomly titled folder (e.g. 684qds); inside of it, you should find a file named as persist.ps1.
7. Select this folder and click Shift+Delete.
8. Exit the Explorer.
9. Reboot the computer. Download Removal Tool100% FREE spyware scan and
   tested removal of Rans0mlocked Ransomware*