Zyklon Locker

What is Zyklon Locker?

Irresponsible Internet surfing may result in your computer becoming infected with a Trojan-type infection called Zyklon Locker. Removing this application is of utmost importance because its developers demand that you pay a ransom to get the files that it encrypts back in one piece. As its name implies, this program’s main purpose is extract money from you and its encryption will permanently damage your files if you refuse to pay. However, you should not pay the ransom because the greedy cyber criminals demands too much and there is no guarantee that they will deliver you the key needed to decrypt them.testtesttest

How does Zyklon Locker work?

When this ransomware infects a computer it drops its files in three locations. The first location is C:\Users\user\AppData\Roaming which should contain a folder named Xrxoeoa (randomized name.) this file should contain free files named Cigrmkwhrrxoeoaon.dll, Ponmsiyyks.exe, and Rlesvxamvenagx @ZL@LjiCw@ZL@ .xml.zyklon. The second location is C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup which should host a copy of Ponmsiyyks.ink (this name is also randomized). The last location is C:\Users\user\AppData\Local\Temp which should contain a folder titled either RarSFX0 or RarSFX. This folder is supposed to host temporary files.

Once all files are dropped, this ransomware will scan you computer for file formats of interest. This ransomware will not touch system files, but scan for file formats that include but are not limited to .ashx, .aspx, .cert, .class, .docm, .docx, .dotm, .dotx, .gdoc, .html, .jpeg, and .json. After encrypting these file formats, it will add an extension to them which should read image1_2_n @ZL@LjiCw@ZL@ .jpg.zyklon.

After the encryption process is complete, Zyklon Locker will change the desktop wallpaper to a ransom note with white text in a black background. Also, it will generate two files named UNLOCK_FILES_README_e4f.html and UNLOCK_FILES_README_e4f.txt on the desktop that contain instructions on how to purchase the decryption key. Our malware researchers have found that this ransomware uses the AES-256 encryption cipher consisting of 32 characters. This is a very strong encryption and there are no tools that could crack it.

If you decide to purchase the decryption key, then you will have to pay 0.65 BTC (approximately 263.25 EUR/ 299 USD.) However, this ransomware sets a deadline for paying it and if you miss it, then the ransom will triple. As a results you might be ordered to pay 1.95 BTC (approximately 789.75/897 USD.) Now, you have to ask yourself whether your files are worth this amount of money. Whatever the case may be, we do not recommend attempting to pay the ransom because you might not get the decryption key anyway.

Where does Zyklon Locker come from?

Obviously, this ransomware was created by some crafty software developers that have turned to the life of crime because software such as Zyklon Locker is illegal around the globe. The ransom payment instructions are featured on two identical websites named http://gatewayq1{.}ru/e4f5da84df and http://paymentgatewaya{.}ru/e4f5da84df. The domain name .ru indicates that these websites are hosted on a Russia-based server, so the developers might come from Russia as well. However, this is just speculation because it is next to impossible to find where they are based at.

As far as this ransomware’s distribution methods go we can tell you a bit more. Our malware researchers have discovered that this infection is being distributed using email spam. Its developers have set up a server that sends email spam to email addresses acquired from shady third parties. The email might contain a malicious self-extracting archive or a direct link to this ransomware download website. Therefore, you should not open email attachments that come from unknown sources. You should always read the email first to determine whether it is legitimate.

How to remove Zyklon Locker?

There are two ways you can remove Zyklon Locker. The first one is to delete its files manually by going to each of the three files. After deleting them you must empty the Recycle Bin. The second method is much easier. You get download a program called SpyHunter that will delete all traces of this infection and continue to protect your PC from future infections. Again, we do not recommend paying the ransom because you might not get the decryption key.

Removal Guide

  1. Press the Windows+E keys on your keyboard.
  2. Enter the following addresses in the Explorer window’s address bar.
    • C:\Users\{user}\AppData\Local\Temp\{RarSFX0 or RarSFX}
    • C:\Users\{user}\AppData\Roaming\Xrxoeoa {randomized folder name}
    • C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ponmsiyyks.ink {randomized file name}
  3. Delete all files in these folders.
  4. Empty the Recycle Bin.
100% FREE spyware scan and
tested removal of Zyklon Locker*

Leave a Comment

Enter the numbers in the box to the right *