Apollolocker Ransomware

Apollolocker Ransomware is an infection that appears to be targeted at users who live in Turkey. That is the assumption our research team makes because the ransom demands that this ransomware displays are in Turkish. We are still analyzing this infection as there are still many questions to answer, but we already have some information for you that should help you understand it better. Unfortunately, this threat is a real file-encryptor, and it can corrupt your most valued personal files once it slithers in. Once the files are encrypted, they should be given the “.locked” file extension. This extension can be linked to various other threats, including Unikey Ransomware, XAMPP Ransomware, and DeadSec-Crypto Ransomware. So, if you find your files corrupted, and the “.locked” extension is attached to them, you have to look at other things to determine which threat you are dealing with. When it comes to the ransomware we are discussing in this report, you have to look at the ransom note. To learn more about it, as well as how to remove Apollolocker Ransomware, continue reading the report.

When Apollolocker Ransomware slithers into your operating system – at this point, we are yet to determine how this infection spreads – it goes after GIF, XML, PNG, TXT, HTML, JPG, ASPX, and various other types of files. Our researchers have discovered that the infection should only encrypt files in these directories: %APPDATA%, %LOCALAPPDATA%, %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %USERPROFILE%\Documents. Once the files are encrypted, Apollolocker Ransomware creates its ransom notes. “DOSYALARI-KURTAR 1.txt” and “DOSYALARI-KURTAR 2.txt” are the two ransom note files that the infection creates on the Desktop. According to the information within them, you need to buy special software to get your files decrypted. The price of this allegedly functional decryptor is 500 USD, but if you do not purchase within 20 days, the ransom goes up to 1000 USD. The link to the purchase page is represented via the TXT files, but it is also separately introduced to you via “DOSYALARI-KURTAR 1.url” and “DOSYALARI-KURTAR 2.url” files. According to the information on this page, the ransom must be transferred to the 3PGEYXeKGnJXGfSBgMFCDXwFSpRGE3AvEQ Bitcoin Address. So far, no one has transferred any money to this address.

Theoretically, if you transferred the money asked in return of a file decryption program, you should receive it. The reality is different. In fact, it is highly unlikely that anyone would get a tool or a key they needed even if they paid the bigger ransom (1000 USD). That is because the creator of Apollolocker Ransomware is just as unreliable as all other ransomware creators, and, from experience, we can tell you that they never abide by their own rules. If you pay the ransom, cyber criminals end up getting what they want, and so they do not need to waste their time communicating with you or providing you with solutions. Due to this, our research team cannot recommend paying the ransom. Of course, you have to decide for yourself what you want to do and what kinds of risks you are willing to take. Hopefully, you do not need to think about this at all because all of your most valued files are backed up, and you can transfer them back onto your PC after you delete Apollolocker Ransomware and the corrupted files.

As you can see, there are not many steps in the removal guide below. That, however, does not mean that you can definitely get Apollolocker Ransomware deleted yourself. The launcher of this file could be placed anywhere, and its name could be unique in every case. Due to this, we cannot really show you where to look for it. Needless to say, if you cannot get rid of the launcher, you might be unable to remove Apollolocker Ransomware yourself. An automated anti-malware tool can help you greatly in this case. If you decide to try eliminating the infection manually, it is recommended that you also employ a legitimate malware scanner. You can get this tool for free, and it is important that you use it because it can help you find the leftovers that you might fail to remove yourself manually. Should you want to discuss the threat further, or you have any specific questions, we suggest using the comments section.

Apollolocker Ransomware Removal

1. Launch RUN by tapping keys Win+R.
2. Enter regedit.exe and click OK to access Registry Editor.
3. Navigate to HKCU\Control Panel\Desktop.
4. Double-click the value named WallPaper.
5. Empty the value data if it points to desktodsadasdasp.bmp.
6. Launch Task Manager by tapping keys Ctrl+Shift+Esc.
7. Move to the Processes tab and find the malicious process (be careful about this).
8. Right-click the process and select Open File Location to find the malicious .exe file.
9. Go back to the Task Manager, select the unwanted process, and click End process.
10. Go to the malicious .exe file, right-click it, and choose Delete.
11. Right-click and Delete these files from the Desktop:
    • DOSYALARI-KURTAR 1.txt
    • DOSYALARI-KURTAR 2.txt
    • DOSYALARI-KURTAR 1.url
    • DOSYALARI-KURTAR 2.url
12. Empty Recycle Bin.