Zyklon Locker

These days there is no shortage of ransomware-type Trojans ready to infect your computer and ruin your day. Unfortunately, this new ransomware called Zyklon Locker will encrypt your personal files and demand that you pay a ransom. We urge you not to pay it because the cyber criminals might not hold their end of the bargain. Thus, we recommend that you remove it from your computer using the instructions we have provided at the end of this description. However, before you do that, you might want to find out more about it, so we invite you to continue reading.

While collecting information and researching this ransomware, we found that its developers use an age-old tactic to distribute it around the web. To be more specific, Zyklon Locker is distributed using email spam. Cyber criminals have set up a server that sends email spam to random email addresses. We do not know how they obtain these addresses, but that is not a crucial piece of information at this point. The email may appear as legitimate and may resemble a business letter. The emails come with attachments that may come in the form of a fake executable disguised as a PDF, .rar archive, or Microsoft Word file. If you open the attached file, then this ransomware’s files will drop its files on your computer in C:\Users\user\AppData\Roaming\{randomly named folder}. We have found that this ransomware consists of three files named Ponmsiyyks.exe, Cigrmkwhrrxoeoaon.dll, Rlesvxamvenagx @ZL@LjiCw@ZL@ .xml.zyklon. Furthermore, this infection will create a folder in C:\Users\user\AppData\Local\Temp\{folder name RarSFX0 or RarSFX1} where it stores temporary files.

Zyklon locker is very similar to GNL Locker Ransomware that we have written about not so long ago. For all, we know they might even come from the same developers. However, fundamentally, all ransomware is very similar as they all use some encryption algorithm to encrypt your files and force you to pay the ransom. In the case of this particular ransomware, it uses the AES-256 algorithm to encrypt your files. It encrypts a long list of file formats that include the likes of .docx, .dotx, .html, .jpeg, .json, .laccdb, .ldif, .mpeg, .opml, .potx, .ppsx, .pptm, .pptx, .prproj, .sqlite, .webm, .xlsm, and .xlsx. It scans for files that are most likely to contain valuable personal information for which the victim would be ready to pay a large sum of money. Therefore, it does not block any programs from running and does not affect the files of the operating system. After scanning your computer for files to encrypt, it will go to work. While encrypting them, it will add an image1_2_n @ZL@LjiCw@ZL@ .jpg.zyklon extension to each encrypted file. After the encryption is complete, Zyklon Locker will change your desktop wallpaper and generate two files called NLOCK_FILES_README_e4f.html and NLOCK_FILES_README_e4f.txt that it places on the desktop and Documents folder.

The information presented in these files is nearly the same. In general, both of these files contain instructions on how to pay the ransom. Let us take a look at how this process is supposed to be performed. However, we do not recommend that you follow these steps because you might not receive the decryption password necessary to restore your precious files. First and foremost, Zyklon Locker sets a deadline that you have to meet. Otherwise, the ransom will increase. We have found that at first it will demand that you pay 0.65 BTC (around 263 EUR or 299 USD). Clearly that is a substantial sum of money, but the ransomware can increase threefold up to 1.95 BTC (around 789 EUR or 897 USD) if you fail to pay on time. Zyklon Locker’s developers provide you with detailed instructions on how to pay the ransom at http://gatewayq1{.}ru/e4f5da84df and http://paymentgatewaya{.}ru/e4f5da84df. In case these websites do not work, the developers have provided with an alternative payment method. You should not pay the ransom because the cyber criminals might not keep their word and give you the decryption password. Also, by paying you will only finance the development of more sophisticated ransomware that will be released in the future.

In closing, this ransomware has a clear objective – to infect your computer and encrypt your valuable personal files and then demand that you pay a ransom to get them back. Its developers supply its victims with payment alternatives and provide tech support to make sure that they get your money. We urge you not to give them the satisfaction of taking your hard-earned cash and delete Zyklon Locker from your computer using our removal guide. We also recommend that you scan your PC with SpyHunter — our featured anti-malware tool that will detect any additional malicious files.

How to get rid of this ransomware

1. Simultaneously press the Windows+E keys.
2. In the address bar of the resulting window, enter the following addresses.
   • C:\Users\user\AppData\Roaming\Xrxoeoa
   • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup {random name (e. g. Ponmsiyyks.lnk)}
   • C:\Users\user\AppData\Local\Temp\{RarSFX0 or RarSFX}
3. Delete the contents of these folders