Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Zyklon Locker Ransomware

Zyklon Locker Ransomware is a dangerous threat to your computer and mainly to your files. This Trojan ransomware infection can encrypt your personal files and more in order to extort money from you for the private password to enable you to decrypt your files. There is no way for you to recover your files because there is no available tools on the web yet that could decipher this encryption, which may well be impossible. Therefore, getting hit by this ransomware can easily mean that you lose a lot of your precious files unless, of course, you are willing to risk paying the relatively high ransom fee these criminals demand or you have a backup copy of your files on a removable drive. You should be aware and consider that there is no guarantee to get this password even if you pay. There is one thing we are certain about, though: You should remove Zyklon Locker Ransomware from your system if you do not want to cause more damage to your files. Please remember that deleting this ransomware will not bring your files back to life.

We believe that it is possible to avoid Trojan ransomware infections if you are aware how these dangerous threats can infiltrate your computer. We have found that Zyklon Locker Ransomware mainly spreads in spam e-mails as an infectious file attachment. This means two things: one, you should not open any unfamiliar or suspicious e-mails and two, you should only click on and download attachments if you are sure they were sent to you specifically. These attached malicious files can look like an image, a video, or a document (.pdf or .docx) file. But this is just a deception because they are indeed executable malicious files.

There are at least three tricks criminals use to make sure that you actually download and run this attached file. First, the sender of the spam mail usually pretends to be a reputable or familiar company, an institution, or any other legitimate-looking entity. Second, the subject of these mails is also very deceiving since the main tactics for such a Trojan ransomware is to make you think that you are opening an important e-mail that has a “must-see” or useful attachment for you, which is the third part of the deception. It is possible that you are led to believe that you are sent an urgent invoice to settle or a legal document to check out. These criminals can get very creative when it comes to misleading computer users. Simply downloading this infection may not even be the biggest issue as you may still be able to delete Zyklon Locker Ransomware without any damage done. However, if you run this malicious file, there will be no way back.

We have discovered that this threat is very similar to GNL Locker Ransomware. Once you execute the fake downloaded file, this infection searches your computer and the mapped drives for the following extensions: .accda, .accdb, .accdc, .accde, .accdp, .accdt, .accdu, .ashx, .aspx, .cert, .class, .docm, .docx, .dotm, .dotx, .gdoc, .html, .jpeg, .json, .laccdb, .ldif, .mpeg, .opml, .potx, .ppsx, .pptm, .pptx, .prproj, .save, .sqlite, .webm, .xlsm, .xlsx, and might also encrypt other popular document and image files. This threat uses the AES-256 algorithm, which is built into your Windows operating system. For this reason, it is possible that the whole process of encryption takes less than a minute. This algorithm is virtually impossible to crack. The criminals take this concept to another level by claiming that “it will take a computer over a billion years to crack this password”; not very promising outlook, as a matter of fact.

When the damage is done, this malware makes a random folder in the %Appdata% directory that could be called something like “Xrxoeoa.” In this folder it extracts three files: "Ponmsiyyks.exe," "Cigrmkwhrrxoeoaon.dll", and "Rlesvxamvenagx @ZL@LjiCw@ZL@ .xml.zyklon." Then, it also makes a folder in the %Temp% directory called either “RarSFX0” or “RarSFX1.” Zyklon Locker Ransomware infection creates an html and a text file on the desktop and in the documents directory with the decryption information called "UNLOCK_FILES_README_e4f.html" and "UNLOCK_FILES_README_e4f.txt." This ransomware does not block any programs from running and simply displays a short ransom note on black background that instructs you to open one of these files for further instructions.

From these files you learn that you have to pay 0.65 BTC (345 USD or 310 EUR at current rates) via Bitcoin in order to get the private password needed to decrypt your files. You are also told to visit one of two websites (e.g., “”) that contains all the information needed to do the transfer and the decryption. If you do not pay within 7 days, the ransom amount triples. Unfortunately, it is always risky to go for the transfer because even if these criminals do not want to scam you and they are willing to give you the password, it is possible that the connection between the infection on your PC and the Command and Control servers fail. This would mean that even if you transfer the money, you cannot get the password.

Your only true chance to be able to recover you files is if you make regular backup copies on an external drive. But before you start copying your files back onto your PC, you should remove Zyklon Locker Ransomware. So let us help you with this. We have included our instructions below this article. Please follow them step by step to make sure that all the mess is gone. Keep in mind that this will not decrypt your files. Right now there is no tool available on the net that could do that for you. In order to protect your computer from similar severe hits, you should consider installing a powerful up-to-date malware removal application.
How to remove Zyklon Locker Ransomware from Windows

  1. Press Win+E.
  2. Find the downloaded malicious file and bin it.
  3. Locate the main folder in %Appdata% with the random name like “Xrxoeoa” and delete it.
  4. Locate %Appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Ponmsiyyks.lnk (random name) and delete it.
  5. Locate and remove %Temp%\RarSFX0 or RarSFX1
  6. Empty your Recycle Bin.
  7. Restart your PC.
Download Spyware Removal Tool to Remove* Zyklon Locker Ransomware
  • Quick & tested solution for Zyklon Locker Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.