Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Atchbo Ransomware

If your system gets infected with Atchbo Ransomware, you might have a lot of trouble, as the threat not only encrypts the user's data but also locks the device's screen. Unfortunately, for now the files it encrypts cannot be decrypted, which means that if you do not want to risk your savings and have no backup copies to replace the damaged data, the encrypted files might be lost forever. Nonetheless, we would still advise you to eliminate the malware instead of paying a ransom to its creators. The sum is not precise, and there is always a chance the hackers could trick you; thus, users who do not wish to lose their money in vain should simply erase Atchbo Ransomware and regain control of their PC. The instructions placed below the article should help you with this task. Of course, if they appear to be too difficult, you can always download a reliable antimalware tool and leave this job to it.

Atchbo Ransomware could travel with harmful software installers, email attachments, and other suspicious data downloaded from the Internet. Thus, it may infect the computer after the user unknowingly opens the malicious file. According to our researchers, the malware settles in by placing a copy of its launcher in the %APPDATA% directory. Additionally, it might create quite a few Registry and Startup entries, which we mention in the removal instructions. It is worth noting that the malicious application is most likely a new variant of an older threat called Exolock Ransomware. This is probably why most of the files and entries Atchbo Ransomware creates are named ExoGUI.exe, ExoGUI_RASAPI32, and so on.

Once it settles in, the malware should start encrypting all of the user's important data. During this process, the targeted files are locked and marked with an additional extension, .exo, for example, flower.jpg.exo, list.doc.exo, etc. Then Atchbo Ransomware should drop a copy of a file called UnlockYourFiles{*random number}.txt (e.g., UnlockYourFiles2.txt) in each directory containing encrypted data. The text in these files is called a ransom note, as it contains a message in which the hackers demand a ransom and give instructions on how to pay it. Soon after this, however, the malicious application should lock the user's screen and display a slightly different version of the mentioned ransom note on top of the screen. Therefore, the user might be able to see these text files only after unlocking the screen.

The main difference between the message in the ransom note and the one displayed on the locked screen is that one of them says the user has to pay 0.007 Bitcoins, while the other states the ransom is 0.01 Bitcoin. Also, the message on the screen warns the user not to turn it off or shut down the computer, or else the encrypted files will be erased and all hope of recovering them will be lost. Our researchers say these threats are empty, since they did not notice any files disappearing after they removed the malware. We would advise you to erase Atchbo Ransomware too, as there are no guarantees the data will be decrypted even if you figure out how much to pay and transfer the ransom. The hackers can always ask for more money or just take the amount you sent without holding up their end of the deal; after all, it is impossible to take the money back.

Users who choose to remove Atchbo Ransomware should follow at least the first part of the instructions added below the text. They explain how to restart the device in Safe Mode with Networking. Then users can choose whether to keep following the instructions and delete the malicious application manually, or to install a reliable antimalware tool and get rid of it with automatic features. It seems to us the second option should be easier, especially for inexperienced users, so if the instructions look too challenging, do not hesitate to employ a legitimate security tool.

Restart your system in Safe Mode with Networking

Windows 8/Windows 10

  1. Press Win+I and tap the Power button.
  2. Press and hold the Shift key and click Restart.
  3. Select Troubleshoot and choose Advanced Options.
  4. Pick Startup Settings and press Restart.
  5. Press the F5 key and restart your system.

Windows XP/Windows Vista/Windows 7

  1. Open Start, press Shutdown options and click Restart.
  2. Press and hold the F8 key when your computer is restarting.
  3. Select Safe Mode with Networking from Advanced Boot Options window.
  4. Tap Enter and log on to your computer.

Eliminate Atchbo Ransomware

  1. Press Win+E.
  2. Navigate to %APPDATA%
  3. Look for a file belonging to the malware; it might be named ExoGUI.exe.
  4. Right-click this file and press Delete.
  5. Go to the listed directories:
    %ALLUSERSPROFILE%\Start Menu\Programs
    %APPDATA%\Microsoft\Windows\Start Menu\Programs
    %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  6. Search for Startup entries that could be related to the malicious application, right-click them and select Delete.
  7. Then check your Downloads, Temporary files, and Desktop directories.
  8. See if you can find the malicious file you might have launched before the system got infected.
  9. Right-click it and choose Delete.
  10. Close File Explorer.
  11. Press Win+R, type regedit and click OK.
  12. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  13. Look for a value name with a value data pointing to C:\Users\User\AppData\Roaming\ExoGUI.exe
  14. Right-click this value name and press Delete.
  15. Search for these locations:
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing
    HKLM\SOFTWARE\Microsoft\Tracing
  16. Find keys titled ExoGUI_RASAPI32 and ExoGUI_RASMANCS in both of the mentioned locations.
  17. Erase the four of them by right-clicking them separately and pressing Delete.
  18. Close Registry Editor.
  19. Empty Recycle bin.
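
A read-only PowerShell check for the artifacts named in the removal steps above, so you can see what is present before deleting anything by hand. This is an added example, not part of the original instructions; matching Startup entries on the `Exo` prefix is an assumption drawn from the file and key names the page lists.

```powershell
# Added example: read-only check for the Atchbo artifacts named in the steps above.
# Nothing is deleted; review each finding before removing it by hand.
$findings = New-Object 'System.Collections.Generic.List[string]'

# Steps 2-4: launcher copy in %APPDATA%
$launcher = Join-Path $env:APPDATA 'ExoGUI.exe'
if (Test-Path -LiteralPath $launcher) { $findings.Add("Launcher file: $launcher") }

# Steps 5-6: Startup locations listed on the page.
# Assumption: related entries start with "Exo", like the other names the page gives.
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -Force -Filter 'Exo*' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Startup entry: $($_.FullName)") }
}

# Steps 12-14: Run values whose data points at ExoGUI.exe
$runKey = Get-Item -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($data -like '*\ExoGUI.exe*') { $findings.Add("Run value: $name -> $data") }
    }
}

# Steps 15-17: the four Tracing keys (two names under two roots)
foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing', 'HKLM:\SOFTWARE\Microsoft\Tracing') {
    foreach ($leaf in 'ExoGUI_RASAPI32', 'ExoGUI_RASMANCS') {
        $path = Join-Path $root $leaf
        if (Test-Path -LiteralPath $path) { $findings.Add("Tracing key: $path") }
    }
}

# Scope of the damage: .exo files and UnlockYourFiles*.txt notes under the user profile
$hits = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Extension -eq '.exo' -or $_.Name -like 'UnlockYourFiles*.txt') })
$findings.Add("Encrypted files and ransom notes under the profile: $($hits.Count)")

$findings | ForEach-Object { Write-Output $_ }
```

Run it from a PowerShell prompt as the affected user; the Run key and %APPDATA% checks are per-user, so repeat it for each account on the machine.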