StalinLocker Wiper

StalinLocker Wiper has been categorized as a ransomware infection by specialists working at pcthreat.com; however, it is not a typical ransomware infection for sure. Specialists say that this infection works as a screen-locker and data wiper instead. That is, it does not encrypt users’ personal files. It simply locks screens and then, if the correct unlock code is not entered within 10 minutes, deletes almost all files from the affected computer. It will not only remove your pictures, documents, music, videos, and other personal files. As our specialists have observed during the analysis, this malicious application also encrypts system files making the computer unusable. Yes, StalinLocker Wiper is a malicious infection that might become your worst nightmare, so do whatever it takes to prevent it from slithering onto your computer. It is advisable not to open any suspicious email attachments and make sure that credentials of the Remote Desktop Protocol you use are not weak. If it is already too late for prevention, i.e. it has successfully slithered onto your computer, you have only 10 minutes to erase it from your computer. If you fail to do this, your Windows OS will be ruined. Continue reading to get more knowledge about the StalinLocker Wiper removal.

Once the malicious file representing StalinLocker Wiper is executed by the user, a screen-locking window is opened on Desktop. Then, the ransomware infection places USSR_Anthem.mp3 to %USERPROFILE%\Appdata\Local and plays it. You will hear the anthem of the USSR. The window StalinLocker Wiper places on victims’ Desktops contain a picture of Stalin and a quotation about the Soviet Union taken from an old book, so we suspect that the author of this malicious application is a big fan of the communist regime. The ransomware infection gives users only 10 minutes to unlock the screen. You should try to enter numbers you get by subtracting 1922.12.30 (the establishment of the USSR) from the date of the ransomware infection execution. Remember, you have only 10 minutes until your computer is wiped out. If the unlock code does not work, i.e. your screen stays encrypted, it does not mean that there is no way to remove the ransomware infection from the system. You can boot into Safe Mode with Networking and erase StalinLocker Wiper either manually or automatically. Its manual removal might be a bit complicated since it creates more than one malicious component on the affected computer.

If you have read the first paragraph of this report attentively, you must already know how StalinLocker Wiper is distributed. It seems that the majority of users encounter it because they open a malicious attachment from a spam email. Also, this infection might easily slither onto the computer if users use RDPs whose credentials are weak, or they are unprotected. Once StalinLocker Wiper enters the system, it drops a copy of itself to %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data). To continue working even after the system restart, it creates a Value in the Run registry key. It also tries to create an entry in Task Scheduler, but it fails to do so. Also, you will find fl.dat dropped in %LOCALAPPDATA%. This file stores the time left for entering the unlock code, so nothing will change even if you restart your computer. The only way to stop the timer is to delete the ransomware infection or enter the correct unlock code.

It will not be easy to remove StalinLocker Wiper from the system, but you should hurry to do this as soon as possible because all your files will be wiped out after 10 minutes. If the screen is not unlocked when you enter the code, you should boot into Safe Mode with Networking and then delete the ransomware infection manually or download an antimalware scanner from the web and then use it to clean your system. Make sure the malware remover you use is fully reliable. If you could not remove StalinLocker Wiper on time, i.e. it has wiped out your PC and it cannot even load up, you should use a Windows repair disc or simply reinstall your operating system. There is nothing else you could do to fix your computer and use it normally again in this case.

Delete StalinLocker Wiper

1. Enter the unlock code (subtract 1922.12.30 from the date of launching the ransomware infection).
2. Open Windows Explorer.
3. Access %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data if you use an older version of Windows).
4. Delete stalin.exe and fl.dat.
5. Close Explorer.
6. Launch Registry Editor (tap Win+R, insert regedit, and press Enter).
7. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
8. Delete the Value named Stalin.
9. Remove all recently downloaded suspicious files from your computer.
10. Empty Recycle Bin.

Fix disabled Windows Explorer and Task Manager

1. Press Win+R.
2. Type regedit and click OK.
3. Move to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
4. Locate the Shell Value.
5. Double-click on it.
6. Type explorer.exe in the Value data field and click OK.
7. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
8. Right-click anywhere on the window.
9. Select New and then click DWORD Value to create a new Value.
10. Create a Value with a name DisableTaskMgr and type 0 as its Value data.
11. Close Registry Editor.