ForceLocker Ransomware

If you live in a Russian-speaking region, you have to beware of ForceLocker Ransomware. Since this infection displays a notification in Russian, it is believed that its primary targets are Windows users who speak the language. There are many questions regarding the distribution of this threat, and there is not enough information to state that it is spread in one way or another. Of course, considering that most infections of this kind (e.g., Scarab Ransomware or TheDarkEncryptor Ransomware) are spread using corrupted spam emails, it is safe to say that the threat is likely to be proliferated in the same manner. Once the ransomware is in, it rushes to encrypt your files and introduce you to the ransom demands. Unfortunately, if this infection has invaded your operating system, it is most likely that you will not be able to recover your personal files. That is just how malicious ransomware is. That being said, you cannot just give up and do nothing. If you read this report, you will learn how to remove ForceLocker Ransomware, and we recommend taking care of that as soon as possible.

According to our research, ForceLocker Ransomware is a different version of the infamous ShellLocker Ransomware. While both of these infections work in the same way, they use unique ransom notes, and their targets appear to be different. Speaking of the similarities, both infections rename the files they encrypt. That means that you might have a hard time identifying the corrupted files. Besides renaming the files, the malware also adds the “.L0cked” extension at the end (e.g., ADVMUaAWC.L0cked). Just like most ransomware, ForceLocker Ransomware is concentrated on encrypting files you are less likely to be able to replace, which include photos, videos files, documents, PDFs, presentations, text files, etc. Hopefully, the threat encrypts files that you have stored on an external drive or an online cloud because that appears to be the only way out of this situation. If you are prepared like this, all you need to do is delete the malicious ransomware and then transfer the copies of your personal files back onto the PC. Unfortunately, that is not the reality that all victims will face. If your files are not backed up, take a mental note to start backing up data to ensure that you do not lose it in the future.

Naturally, ForceLocker Ransomware displays a message. It does that via a screen-size notification that appears to be launched from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. This notification paralyzes the screen, which is why the ransomware can be identified as a screen-locker as well. The information represented via the message informs that the files were encrypted using the AES-256 algorithm and that every file was encrypted using a unique key. The message also informs that the files will become undecryptable if you try to restart the computer or decrypt files yourself, as well as if you take a long time to take action. The only action you can take is email 5quish@mail.ru, which is an email address used by the developer of ForceLocker Ransomware. We cannot say what would happen if you initiated communication, but it is most likely that you would be asked to pay a ransom in return of a decryptor. Would the decryptor be provided to you and would it work? These are the two questions that you must ask yourself. Unfortunately, it is unlikely that you would get a tool capable of decrypting your files even if you paid the ransom and followed other demands.

When ForceLocker Ransomware slithers in, your operating system gets paralyzed, and all personal files get encrypted. Because of the paralysis, you might be unable to check which files were corrupted, as well as delete the threat manually. Luckily, you can access your operating system via Safe Mode (or Safe Mode with Networking). Once you reboot your operating system, you can delete ForceLocker Ransomware manually or install an anti-malware tool to have the threat eliminated automatically. The latter, of course, is the better option because besides removing malicious threats, this tool also can ensure trustworthy, full-time protection. If you do not take this security measure, you might be facing ransomware, Trojans, potentially unwanted programs, and other undesirable software pretty soon. Do you have anything else you want to discuss with us? Use the comments section below!

Reboot in Safe Mode/Safe Mode with Networking

Windows XP/Windows Vista/Windows 7:

1. Click the power button on the computer to restart it.
2. As soon as the BIOS screen loads, start tapping the F8 key to launch the boot options menu.
3. Using arrow keys select Safe Mode or Safe Mode with Networking and tap Enter.

Windows 8/Windows 10:

1. Open the Charm bar, click Settings, and then click Power (for Windows 8/Windows 8.1 users) or click the Windows logo on the Taskbar and then click Power (for Windows 10 users).
2. Simultaneously tap the Shift key on the keyboard and click Restart.
3. Move to the Troubleshooting menu and then to Advanced options.
4. Click Startup Settings and then click Restart to open a menu with different boot options.
5. Tap F4 for Safe Mode or F5 for Safe Mode with Networking.

ForceLocker Ransomware Removal

1. Launch Windows Explorer by tapping Win+E keys.
2. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup into the bar at the top.
3. Right-click and Delete the malicious .exe file (in our sample, it was named svchost.exe).
4. Right-click and Delete any other suspicious files you might have downloaded recently.
5. Empty Recycle Bin and then reboot the PC in normal mode.