Authors of the ShellLocker present new variant of crypto-malware

ShellLocker is a file-encrypting virus that appends .l0cked file extension. Malware has been first discovered at the end of November 2016. However, on July 2017, developers presented a Russian version of ransomware[1] that renames targeted files as [random characters].L0cked.
Created in .NET framework, ransomware[2] is supposed to encrypt files using AES-256 encryption. Once all files are corrupted, it changes computer’s background and runs ransom-demanding window. The message says that pictures, videos, and music are encrypted. In order to get them back, victims need to pay 100 USD to the provided Bitcoin address until the timer goes to zero (victims are given 48 hours).
ShellLocker virus spreads via Documents.cmd file that is executed on the system as soon as victim opens an infected email attachment. Then malware downloads malicious files to %AppData% and %Startup% folders.
On the system, malware might also make numerous modifications. For instance, it might modify Windows Registry and delete Shadow Volume Copies that are crucial in data recovery procedure. Thus, victims who do not have backups do not have high chances to get back their files.
However, paying the ransom should not be considered decryption option. Crooks might not have necessary software or do not let you use it even if you have paid the money.[3] Thus, we recommend focusing on ShellLocker removal using professional security software, such as FortectIntego.

The chronology of ShellLocker’s updates
Since the appearance of Shell Locker, researchers have discovered few versions of it. The original variant works as a regular ransomware virus that encrypts files and runs a pop-up window with instructions how to pay the ransom.
The second version of malware works as a scam. The virus delivers a fake Microsoft notification that claims that detect a copy of Windows is not genuine. Crooks ask to purchase the license within 48 hours. Otherwise, people may need to pay the fine of 250,000 USD or spend five years in prison.
Another variant of ShellLocker appends .x0lzs3c file extension to each of the encrypted photos, music, video and other targeted files. Crooks ask to transfer 2 Bitcoins to the provided address within two days time. Hackers threaten to delete files if the ransom is not paid until the deadline.
On July 2017, security experts spotted a Russian[4] malware variant that renames files with a random name and appends .L0cked file extension. It provides the ransom note in the lock-screen message. Here crooks inform about encrypted files with AES-256 cipher and give instructions how to pay the ransom. They also leave an e-mail address for communication (5quish@mail.ru).
Nevertheless, taking care of your personal files seems the most important task; it’s not. You have to remove ShellLocker from the computer and only then think about data recovery possibilities. It’s crucial to delete the malicious program from the device to keep the system and sensitive data protected.
Distribution ways of the file-encrypting virus
Originally, ShellLocker spreads via malicious spam email attachments as Documents.cmd file. However, it’s not the one and the only distribution channel of the virus. Cyber criminals may use a wide range of different ways to spread malware executable:
- outdated software,
- pirated links,
- fake updates,
- exploit kits,
- malvertising.
You might lower the risk of the ShellLocker hijack if you avoid staying in the websites overcrowded with ads and questionable links. Besides, you should never download programs or updates from suspicious pop-ups or insecure file-sharing sites.
Secondly, do not rush to open spam emails even if they are addressed to you directly.[5] Hackers might have exploited various forms of spyware to get a hold of personal data and, likewise, forge the email with your full name.
If you receive emails from a supposed FBI or tax institution, look for grammar and typo mistakes. What is more, such emails often contain altered logos and missing official credentials. In order to protect your device from exploit kits, install a reliable anti-spyware tool.
Getting rid of ShellLocker virus
We recommend performing ShellLocker removal with the assistance of a security program, for example, FortectIntego or MalwarebytesMalwarebytes. These tools will ensure that the elimination process is completed properly.
Nonetheless, if you cannot initiate automatic elimination because you cannot download a security app or other crucial system functions ceased working, use the guide below to recover the access to your device.
Either the ransomware possesses a complex structure, or it is less elaborate, we do not recommend eliminating it manually. Malware damages the system and modifies legitimate processes. Thus, attempts to locate and delete its related files and components may end up with irreparable harm.
Once you remove ShellLocker entirely, you can recover your files from backups or try additional methods presented at the end of this article.
Was this guide helpful?
3 comments