Rans0mlocked Ransomware

The ransom note left by the Rans0mlocked Ransomware creators might claim your computer has been blocked. Actually, the computer should still run normally even after the device is infected. However, the malicious application can encrypt various personal files, and as a result, you might be unable to access them. Sadly, deleting the threat will not undo the damage. Yet it is still advisable to eliminate it. Despite what Rans0mlocked Ransomware’s creators promise, there are no guarantees you will get to decrypt any data after paying the ransom, especially when the malware’s server is down. It is where the software’s developer should hide your unique decryption key, but since the server is down, it is probably impossible to retrieve it. Therefore, we advise you not to trust the hackers behind the malicious application and find another way to get at least some data back. Just before using backup files or uploading copies from removable media devices it is important to erase the infection first. You can do it either with the instructions located below the text or with a reliable antimalware tool.

At the moment there is still no information on how this threat could be distributed, although our researchers say there are a couple of possible scenarios. For example, the malware might be distributed through infected email attachments that might be sent to users via Spam. Then, there is also a chance Rans0mlocked Ransomware could be distributed through malicious software installers, fake update files, and so on. Some hackers even manage to obtain the user’s password or exploit any other security vulnerabilities to get access to the system and launch the harmful application on their own, although it does not seem like it could be the case with this infection.

For now, it is simply too early to say which particular distribution method could be used to spread Rans0mlocked Ransomware. In any case, it is most likely that users who encounter the threat are too careless with data downloaded or received from the Internet. If the file sent via email does not seem to be too important, we would advise you not to open. Of course, if you believe it is necessary we recommend scanning the suspicious file with a legitimate antimalware tool first. Plus, it would be wise to keep away from questionable file-sharing sites or any unreliable web pages that offer installers, updates, setup files, etc.

According to our specialists, Rans0mlocked Ransomware settles in by creating a folder called 684qds or similarly in the %APPDATA% directory. Inside of the folder, there should be a particular power-shell script called persist.ps1. This script is created so that the malware could relaunch itself after you restart the computer; meaning the infection would keep announcing its presence every time you turn on the PC. The threat should do this by placing a pop-up window on your screen. For the first time, it is supposed to be displayed only after the infection finishes encrypting targeted data. We believe the malicious application could be after personal user’s data, e.g. pictures, photos, videos, archives, etc. Each affected file should be marked by placing a specific extension at the end of their names, e.g. sky.jpg.owned, text.docx.owned, and so on.

The displayed message may demand to pay a ransom if the user wants to undo the damage done by Rans0mlocked Ransomware. For instance, the asked sum might be 0.1 BTC or around 170 US dollars. The ransom may not be the smallest or highest amount ever asked by ransomware creators, but still, you should not pay it if you do not want to lose it in vain. As we mentioned, in the beginning, the malware’s server seems to be unavailable, so decrypting files could be impossible because the required decryption key should be placed on this server. We doubt the server will be ever available again; thus, we advise you not to risk your money and concentrate on how to erase the malicious application.

Once you remove Rans0mlocked Ransomware, you could try to recover encrypted files while using backup copies, recovery tools, or other possible options. To delete the infection manually, you should get rid of the folder belonging to the threat and the malicious file you had launched before the malware appeared on the system. For more detailed instructions simply have a look at the removal steps located below. As for less experienced users, we would advise employing a trustworthy antimalware tool since it would not only help them erase the harmful program but also keep the system safe from future threats.

Eliminate Rans0mlocked Ransomware

1. Press Win+E.
2. Navigate to the folder where the malicious file infected with the ransomware was saved, e.g. %TEMP%, %USERPROFILE%\desktop, %USERPROFILE%\downloads, etc.
3. Locate the threat’s installer, right-click it and press Delete.
4. Copy and paste the following directory %APPDATA% into the Explorer.
5. Click Enter and find a suspicious folder called 684qds or similarly; it should contain a file called persist.ps1.
6. Right-click the malware’s folder and select Delete.
7. Close the Explorer.
8. Empty Recycle bin.
9. Restart the PC.