FilesLocker-Christmas Ransomware

It is quite common to have several ransomware infections from the same family. Or to have one program as a base and then a few others based on it. FilesLocker-Christmas Ransomware is one of those programs that have been based on some other application, but now it causes a lot of problems on its own. The bottom line is that you need to remove FilesLocker-Christmas Ransomware from your system, and then decrypt your files as soon as possible. Luckily, a public decryption tool is available for this infection, and you will be able to get your files back even if you do not have a file back-up.

Judging from what we have found during our research, FilesLocker-Christmas Ransomware is based on the FilesLocker Ransomware infection that was first discovered in December 2018. It is clear that the people behind FilesLocker-Christmas Ransomware used the code of the previously released infection because they are practically identical save for their ransom notes and wallpapers. FilesLocker-Christmas Ransomware has a Russian version of the ransom note added, which shows that the criminals are trying to target a far wider audience because this ransomware now “speaks” English, Russian, and Chinese.

Since this infection targets users in different countries, it employs the most popular ransomware distribution method that can reach users almost anywhere. That is spam email attachments. Although spam mails often get sorted into the Junk folder these days, there are still email service providers who do not have such sophisticated algorithms, and the spam mail lands into the main inbox. What’s more, these spam emails often look like notifications from online stores and even financial institutions. So, users might think that they are responding to official requests and so on.

However, if you do not have an account in a particular bank, and you receive a notification from it, it is a very good indication that something is not right. Also, if you haven’t bought anything recently, but you receive an online shopping invoice, it most certainly means that someone is trying to scam you. What’s more, you can always double check with the store, the bank, or any other institution that supposedly has sent you the email. Finally, if you think that you must open the attached file at once, you can always scan it with a security tool of your choice. This way, you will definitely be sure whether the file in question is safe or not.

On the other hand, if FilesLocker-Christmas Ransomware manages to enter your system, it will behave just like its predecessor. When the program is launched, it will encrypt your files, and then it will launch all three ransom notes in three languages. The file names for these ransom notes are #DECRYPT MY FILES#.TXT, #РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT, and #解密我的文件#.TXT. The files are dropped on your Desktop and the %HomeDrive% directory. The infection also displays a program’s window that can be closed via Task Manager, and it changes the desktop background into the wallpaper that it drops on your Desktop.

FilesLocker-Christmas Ransomware also opens your default browser and loads a pastebin link that informs you about the infection. If that weren’t enough, this version also uses the text-to-speech feature, too. Once the encryption is complete, it plays the audio that says “Hello, Merry Christmas, Attention! Your documents, images, databases and other important files have been encrypted!” several times.

Luckily, it is possible to decrypt the files locked by FilesLocker-Christmas Ransomware without purchasing the decryption key from these criminals. In fact, we would never advise doing that in the first place. You just need to retain the ransom notes and then look for the publicly available decryption tool that you will find if you use the FilesLocker Ransomware keyword.

Do not forget to remove FilesLocker-Christmas Ransomware from your computer, too. If you do not deal with the removal on your own, you can always terminate the infection automatically with a licensed antispyware tool. This way, you would also get rid of other unwanted or potentially dangerous threats that might be hiding in your system.

How to Remove FilesLocker-Christmas Ransomware

1. Delete the most recently downloaded files from your Desktop*.
2. Open the Downloads folder.
3. Delete the most recently downloaded files.
4. Scan your computer with SpyHunter.

* Do not forget to leave the ransom note files for decryption!