Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Exolock Ransomware

Exolock Ransomware is a new ransomware-type application that was first spotted in the first half of September 2017. It uses the Advanced Encryption Standard (AES) to encrypt your files and then demands money to decrypt them. The cybercriminals demand you pay 0.01 BTC (37.19 USD) for a decryption tool/key. That might not be much money, but the problem is that your files might not be decrypted after you pay. Therefore, we recommend that you remove this malicious application instead of paying the ransom. It can infect your PC secretly, so if you want to fend off applications like this one, you ought to get an anti-malware program. For more detailed information, we invite you to continue reading.

While there is no concrete information on how Exolock Ransomware is distributed, we suspect that its developers may use fake emails to get it onto your PC. They may have set up an email server dedicated to sending deceptive emails to random people. The emails can be disguised as something they are not in order to trick you into opening the attached file that is usually a PDF file. If you open that file, your PC can become infected with this ransomware, and it will begin encrypting your files.

The sample we have tested only works partially. Once you launch its executable, the operating system crashes on Windows 7 and the PC restarts on Windows 10. When you boot up your PC again, your files will already be encrypted. We have found that this ransomware uses the AES encryption method, which is the most common method used by ransomware. This ransomware was configured to encrypt many file formats, so it can affect your pictures, videos, audio, documents, executable files, and so on. It adds an “.exolocked” file extension to each encrypted file, but does not change its original name.

Once the encryption is complete, Exolock Ransomware is set to display a lock screen that demands you pay 0.01 BTC to decrypt your files. You have to send the ransom to 1HYUJkWT6ndCZzs4PsdFKgkM2agXidPgEv. The note warns you that if you close this ransomware’s process or shut down your PC, it will delete your files. Whether you want to risk paying the ransom is up to you because the sum of money asked is not that large. However, it is possible that the cybercriminals will not send you the decryption tool/key once you have paid. Therefore, you should consider getting rid of this ransomware.

Indeed, it is often the case that cybercriminals do not keep their word and trick people into sending them money. Therefore, you should not trust the developers of Exolock Ransomware and should remove this ransomware as soon as possible. To achieve this, we recommend you use an anti-malware program such as SpyHunter or our manual removal guide, which lists the most likely places where this ransomware may reside. Still, if you cannot locate and identify the malicious executable, please use an anti-malware program.

Removal Guide

  1. Press Windows+E keys.
  2. Enter the following file paths in the address bar of File Explorer.
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Downloads
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %TEMP%
  3. Find the executable file, right-click it and click Delete.
  4. Right-click the Recycle Bin and click Empty the Recycle Bin.
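
The manual check above can also be scripted. The PowerShell below is an added example, not part of the original guide: it lists executables recently written to the guide's locations, with signature status and SHA-256, so the file to delete is easier to identify, and it counts the files carrying the .exolocked extension. The 14-day window and the top-level-only search are assumptions; nothing is deleted.

```powershell
# Added triage example (not from the original article). Read-only: lists, never deletes.
$locations = @(
    '%USERPROFILE%\Desktop',
    '%USERPROFILE%\Downloads',
    '%WINDIR%\Syswow64',
    '%WINDIR%\System32',
    '%APPDATA%',
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup',
    '%TEMP%'
)

# Assumption: the infection is recent, so only executables written in the
# last 14 days are listed. Adjust to when the lock screen first appeared.
$since = (Get-Date).AddDays(-14)

$candidates = foreach ($raw in $locations) {
    $dir = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    # Top level only, as in the manual steps; -Force includes hidden files.
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$candidates | Sort-Object Created -Descending | Format-List

# Scope of the damage: files renamed with the extension described above.
$locked = Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.exolocked' -File -Recurse -Force -ErrorAction SilentlyContinue
"{0} files carry the .exolocked extension under {1}" -f @($locked).Count, $env:USERPROFILE
```

Recently updated Windows components in System32 will normally show a Signature of Valid, while an unsigned executable that appeared around the time of the infection is the one to inspect first.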