FilesLocker ransomware v2.0 - How to remove

FilesLocker v2.0 ransomware

FilesLocker v2.0 is a new ransomware variant and an improved version of the FilesLocker cryptovirus that came out earlier this year, in October 2018. This threat doesn’t bring any surprises to the table and demonstrates typical ransom-demanding behavior: locking personal files and asking for a certain amount of money in exchange for the decryption key.

Like its predecessor, FilesLocker v2.0 was found by MalwareHunterTeam, and its ransom notes are written in two of the most spoken languages, English and Chinese, which allows the ransomware to spread across a larger part of the globe. Although this malware seems to work just like any other variant of its kind, e.g. Ghost ransomware, Lolita or Delphimorix, the developers did make some alterations to set this virus apart from the others, which you will find out about in this article. If you are currently dealing with FilesLocker v2.0 ransomware and want to know how to remove it, then you’ll find this post helpful as well.

What is FilesLocker v2.0 virus

FilesLocker v2.0 cryptovirus behaves as expected from any ransomware threat: it sneaks into the Windows OS silently, encrypts personal files, adds an extension to all affected files and drops a ransom note asking for a payment in exchange for the decryptor. More specifically, FilesLocker v2.0 ransomware uses the .[[email protected]] extension (the original used ‘.locked’), a combination of RSA-2048 and AES algorithms, and the text files #解密我的文件#.txt and #DECRYPT MY FILES#.txt together with a GUI window as ransom notes. The hackers made sure to cover the information in the most spoken languages, so that the chance of getting paid would increase significantly.

FilesLocker v2.0 ransom notes

Once the FilesLocker v2.0 virus is in and has performed its malicious duties (altering Windows registry keys, writing itself into important system folders, managing antivirus detection), you will notice that all your personal files get an additional string at the end of their names (for example, ‘picture.jpg’ becomes ‘picture.jpg.[[email protected]]’) and are impossible to open. Moreover, on the desktop and in some directories, you’ll find ransom notes in both Chinese and English, which say:

FilesLocker RANSOMWARE v2.0
###########################################
All your important files(database,documents,images,videos,music,etc.)have been encrypted!and only we can decrypt!
To decrypt your files,follow these steps:
1.Buy 0.15 Bitcoin
2.Send 0.15 Bitcoin to the payment address
3.Email your ID to us,after verification,we will create a decryption tool for you.

Email:[email protected]
Your ID:

Chinese version of #解密我的文件#.txt:

FilesLocker RANSOMWARE v2.0
###########################################
您所有的重要文件(数据库,文档,图像,视频,音乐等)已被加密!并且只有我们才能解密!
要解密您的文件,请按照以下步骤操作:
1.购买 0.15 比特币
2.将 0.15 比特币发送到付款地址
3.将您的ID通过电子邮件发送给我们,经核实后,我们将为您制作解密工具

邮件地址:[email protected]
您的ID:

FilesLocker v2.0 will let the victim know what happened to their computer and what they need to do next. Although the creators were previously asking for 0.18 BTC (around 702.30 USD), they now want a smaller amount of 0.15 BTC (585.25 USD) for the locked data. Even though the payment got lower, it is still not advisable to pay the crooks, because there is no guarantee that they will send you the decryption key. The best you can do now is to continue reading this article and try to solve the issue yourself as instructed by the 2-viruses.com team.
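
The file-level indicators described above (the two ransom note names and the bracketed e-mail suffix, or ‘.locked’ for the original version) are enough to inventory the damage before any restore is attempted. The following Python script is an added example, not part of the original article; because the actual address is redacted on this page, it assumes the suffix has the generic shape .[user@domain], and the function names are illustrative.

```python
import os
import re
from collections import Counter

# Ransom note file names exactly as given in the article.
NOTE_NAMES = {"#DECRYPT MY FILES#.txt", "#解密我的文件#.txt"}

# Assumption: the v2.0 suffix looks like ".[user@domain]". The real address is
# redacted on the page, so only the shape is matched. ".locked" is the suffix
# the article attributes to the original FilesLocker.
SUFFIX_RE = re.compile(r"\.\[[^\[\]@\s]+@[^\[\]@\s]+\]$|\.locked$", re.IGNORECASE)


def scan_tree(root):
    """Walk root; return (note paths, renamed file paths, count per directory)."""
    notes, encrypted, per_dir = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append(full)
            elif SUFFIX_RE.search(name):
                encrypted.append(full)
                per_dir[dirpath] += 1
    return sorted(notes), sorted(encrypted), per_dir


def original_name(encrypted_name):
    """Strip the appended suffix to show what the file was called before."""
    return SUFFIX_RE.sub("", encrypted_name)


def report(root):
    """Summarise the scan: totals first, then the ten worst-hit directories."""
    notes, encrypted, per_dir = scan_tree(root)
    lines = [f"ransom notes: {len(notes)}", f"renamed files: {len(encrypted)}"]
    for directory, count in per_dir.most_common(10):
        lines.append(f"{count:6d}  {directory}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The script only reads directory listings and never opens or modifies the files, so it can be run against the affected drive while it is attached to a clean machine.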

How FilesLocker v2.0 virus infects computers

Just like the original FilesLocker, FilesLocker v2.0 is spread through a RaaS (Ransomware-as-a-Service) model, meaning that the ransomware creators promise to share a certain percentage of the collected ransom money with users who help with distribution. This technique significantly increases the dissemination of the threat, because a large number of participants who want to make a little profit send out malspam, place malicious hyperlinks on websites, and compile FilesLocker ransomware into bundles, PDFs, doc files, etc. While this is not the most common distribution technique among ransomware, it definitely helps FilesLocker v2.0 to maximize the invasion.

It is impossible to protect yourself from a FilesLocker cryptovirus infection if it is placed online, except by practicing safe browsing, but you can definitely avoid it if it comes as a socially engineered email. Usually, these types of infected messages are very short, not addressed to you personally, written with mistakes, sent from an unknown sender, and urge you to open the attached .doc or .pdf file for more information. They can look like letters with supposed financial information, invoices, hospital records, government requests, etc. If you open the attachment and it asks you to Enable Macros while the file itself is plain, there is a great chance that this is the FilesLocker v2.0 virus trying to sneak in, and you should delete it immediately.

Ways to remove FilesLocker v2.0 ransomware and restore data

No other actions should be performed on the compromised system until FilesLocker v2.0 ransomware is removed, or else files will get double-encrypted with no chance of recovery. There are a couple of ways to delete this cryptovirus: manual and automatic. You will find the manual FilesLocker v2.0 removal instructions below, but we suggest trying elimination with anti-malware software first. Spyware removal programs like Spyhunter will definitely save you time and carefully remove all the harmful files from all directories without a trace. All you need to do is run a free scan with one of them and then proceed with the instructions as the security tool directs.

At the moment of writing, there are no official decryptors for either FilesLocker or FilesLocker v2.0 ransomware. That, however, does not mean that the affected files will never be recovered. If the files FilesLocker encrypted are precious digital memories like pictures, videos, etc., which can wait, simply clean the ransomware from the system and keep the unavailable data until a decryption tool shows up on the Nomoreransom.org page. If the locked files are needed immediately, then please check the recovery options mentioned below in the manual instructions, such as Shadow Volume Copies and file-restoring software. There is no guarantee that these methods will work, but there is a slight possibility, especially if the virus did not install properly. However, we must warn you that there is always a chance of losing your data when manual recovery is done improperly.

How to fix FilesLocker v2.0 virus infection manually

This manual method of recovering the system from the FilesLocker v2.0 ransomware works only for users who have backups. It is actually one of the best techniques to get all the data back and get rid of the notorious threat, yet unfortunately it requires prior preparation. Everyone who has important files stored on their computer should be making restore points themselves or getting an application that does this for them.

If you have been a persistent and responsible PC owner, then all you have to do is follow these instructions designed by 2-viruses.com and restore your Windows to the state right before the FilesLocker malware infection. Mind you, if the important files that you need to unlock were created right before the ransomware invasion, but the backups were made earlier, that data will not be recovered, because it did not exist yet when the restore point was taken. In such a case, it is better to proceed with automatic tool elimination. And finally, if the files encrypted by the FilesLocker v2.0 virus do not matter to you at all, and you simply want to start over with a fresh operating system, you can always perform System Restore for a fresh start.


How to recover FilesLocker ransomware v2.0 encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available before FilesL0cker RAN$OMWARE has infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of FilesLocker ransomware v2.0

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to FilesL0cker RAN$OMWARE.

Step 3. Restore FilesLocker ransomware v2.0 affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually FilesL0cker RAN$OMWARE tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover FilesLocker ransomware v2.0 encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.