Severity scale:  

Remove ElvisPresley ransomware (Virus Removal Guide) - Bonus: Decryption Steps

removal by Gabriel E. Hall - - | Type: Ransomware

ElvisPresley ransomware – a data locking virus that stems from a well-known malware family

ElvisPresley ransomwareElvisPresley ransomware is a data locking malware that threatens to delete files in certain time intervals if ransom is not paid within 24 hours

ElvisPresley ransomware is a file locking virus that first started attacking users around the world in early June of 2020 and was first spotted by security researcher Jack. The malware belongs to a relatively old family, Jigsaw, and uses the celebrity name of Elvis as a theme. Just as many other viruses of this kind, it's primary goal is to extort money from victims by locking all personal files on the device with the help of a sophisticated encryption algorithm.

Once inside the system, the ransomware looks for a particular file type (pictures, documents, PDF, videos, etc.) and appends them with .ElvisPresley extension, restricting user access, and removing the original icons. To make sure that users are aware of the infection, cybercriminals deliver an untitled pop-up window, which serves as a ransom note. In it, hackers are asking for $100 into the 1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U bitcoin wallet for the decryption tool. For communication purposes, ElvisPresley virus authors ask users to write an email at

Name ElvisPresley ransomware
Type File locking virus, cryptomalware
Family Jigsaw
Related files Zembla.exe
File extension Most of the files are appended with .ElvisPresley extension and can no longer be opened. An example of an encrypted file: “document.doc.ElvisPresley”
Contact Crooks ask victims to email them at
Ransom size $100 in Bitcoin, which doubles after 24 hours. Some files are deleted every hour if ransom is not paid
Bitcoin wallet 1C1pAkwpvuxr4ZxzqHSeTLpFGQMDMJKS3U

Some of the malware's malicious executables can be detected under the following names on Virus Total:

  • Generic.MSIL.Ransomware.Jigsaw.433625C8
  • Ransom.Jigsaw
  • Heuristic.HEUR/AGEN.1126343
  • HEUR:Trojan.Win32.Generic
  • Ransom:MSIL/JigsawLocker.A
  • Win32:RansomX-gen [Ransom]
  • Gen:NN.ZemsilF.34122.cm0@aKWx2Fo, etc.
File recovery Data can be recovered with the help of Emsisoft's decryption tool or by using alternative solutions provided in our recovery section below
Elimination Make sure that the infection is terminated promptly with the help of powerful security software such as SpyHunter 5Combo Cleaner or Malwarebytes. If required, access Safe Mode as explained in the instructions below
System fix Ransomware can not only affect personal files by might also negatively impact system-related data. As a result, even after the infection is terminated, it can cause serious damage or reduce computer performance. If you suffer from lag, errors, crashes, or similar issues, fix your Windows with Reimage Reimage Cleaner Intego

Jigsaw is one of the most notorious ransomware families that was first started its distribution in April 2016 and is widely known for its incorporation of the Billy the Puppet from the Saw movies. Since then, malware came back with multiple versions, such as HydraBadut Clowns, DeltaSEC, and many others.

ElvisPresley ransomware is yet another variant of the virus that uses a well-established AES encryption algorithm[1] to lock personal files on the system. However, it does not perform the data locking process immediately, as it first needs to prepare the system for that to be successful. Here are some changes that the malware performs:

  • Places a malicious executable such as Zembla.exe into %AppData% or %Temp% folder;
  • Deletes Shadow Volume Copies to prevent a quick data recovery;
  • Modifies Windows registry keys for persistence purposes;
  • Creates CryptSvc service with performs the file deletion in intervals;
  • Drops hundreds of malicious files on the system, etc.

Once the preparations are complete, ElvisPresley ransomware would begin the encryption procedure, which typically takes only seconds (although victims with exceptionally large HDDs/networks should expect longer encryption times, which can be stopped by shutting down the machine). Victims can later see that typical icons of files became blank and that none of them can be opened. Additionally, each of such files is appended with .ElvisPresley extension.

While ransomware usually leaves system files intact, some Jigsaw variants are known to encrypt Master Boot Record (MBR)[2] data, which complicates ElvisPresley ransomware removal. Nevertheless, accessing Safe Mode with Networking is likely to remove the difficulties with the process. Note: to remediate the Windows machine after a ransomware infection, we recommend using Reimage Reimage Cleaner Intego.

To ensure that users are aware of what happened, they are presented with a pop-up window without a title, which claims the following:

All Your Files Has Been Locked!
Your personal files are being deleted. Your photos, videos, documents, etc…
But all of your files were protected by a strong encryption.
This means that we can decrypt all your files after paying the ransom.

Every hour I select some of them to delete permanently,
You have 1day to Decide to Pay.
after 1 Day Decryption Price will be Double.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me, when I start next time

you will get 5 files deleted as a punishment.
If you want to unlock your data
You Can Learn Decrypt Instructions
click on the button: HOW TO DECRYPT FILES ?

Contact us :

1 file will be deleted.
Please send at least $100 worth of Bitcoin here:

As evident, the ElvisPresley file virus claims that consequences for not paying the ransom are disastrous: the ransom size would double within 24 hours (the pop-up window also includes a timer which is showing the time remaining), and files will be deleted exponentially.

ElvisPresley ransomware virusElvisPresley ransomware is a file locking virus that belongs to a well-established malware family Jigsaw

This particular trait is very common in Jigsaw malware versions, as it creates pressure and anxiety among victims, especially since important files could be deleted during the process. However, paying cybercriminals is not recommended, as they might simply scam you and never provide the needed ElvisPresley ransomware decryption tool.

Instead, you should rely on alternative methods for data recovery – Emsisoft even released a decryption tool specifically designed for ElvisPresley ransomware. In case it does not work, you can also use third-party recovery software as per the instructions provided below.

While many ransomware threats would self-delete after encryption is performed, the ElvisPresley virus will remain on the system to be able to delete a predetermined number of files and encrypt all the incoming ones. Therefore, it is important to remove ElvisPresley ransomware from the computer as soon as possible. You should make a copy of the encrypted files if you had no backups available, however.

Watch out for spam email attachments and protect your computer in comprehensive ways to repel ransomware attacks

Jigsaw ransomware and its versions are known to be spread via contaminated spam email attachments. This technique is rather old but very effective, as email spam is used by countless criminal groups to deliver even the most devastating malware to victims, as noted by security researchers from[3]

Email providers such as Google, Hotmail, and others, implemented various security scanners that could filter email spam. However, these precautionary measures are not perfect, as some legitimate emails end up in Spambox, while malicious emails still manage to break into users' inboxes.

When dealing with fraud and phishing, the most important thing is to stay vigilant and keep in mind that such a threat exists in the first place. In other words, each of the received emails should be treated with suspicions, unless you are absolutely sure who it is coming from. This only applies to emails that include attachments or links, as you will not get infected with malware just by opening an email itself.

Even though hyperlinks can be used to direct users to malicious domains were malware is downloaded from, this attack vector is in decline, and email attachments are much more popular. To check whether the link is legitimate, put your mouse cursor over it and check the real destination on the bottom-left corner of the browser.

When it comes to attachments, you should never allow a macro to be run on the document, such as .doc or .xlsm, as this would trigger a chain of events that would install malware on the system automatically. Remember: if you are not sure if the email is legitimate, delete it and do not interact with any components inside.

You should also ensure that your computer is adequately protected, as ransomware could access your machine in other ways. Thus, install a powerful anti-malware program to protect your from the incoming threats, patch your system, and the installed apps with security updates regularly to avoid software vulnerability[4] exploitation, use strong passwords for all your accounts and never download software cracks/pirated programs on your PC.

Delete ElvisPresley ransomware safely

ElvisPresley ransomware removal might prove difficult due to its advanced traits, such as MBR encryption. Therefore, an attempt should be made to access Safe Mode with Networking, as explained below, and a full system scan should be performed from there. Additionally, malware might also attempt to disable or corrupt the installed security application if it programmed to do so.

ElvisPresley ransomware encrypted filesElvisPresley ransomware encrypted files can no longer be accessed, although it is possible to recover them with the help of Emsisoft decryption tool

If you do not remove ElvisPresley ransomware, it will keep encrypting all the incoming files, and will also delete more and more files as the time goes on. Nonetheless, you should also prepare a backup of encrypted data as a precautionary measure.

Once you are sure that the ElvisPresley virus is eliminated completely, you can begin the data recovery process. You will find all the detailed instructions below. The good news is that decryption tools provided by security researchers almost always recover victims' files without any issues.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove ElvisPresley virus, follow these steps:

Remove ElvisPresley using Safe Mode with Networking

In case ElvisPresley ransomware is interfering with your security software, you should go to Safe Mode with Networking and initiate the scan from there:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove ElvisPresley

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete ElvisPresley removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove ElvisPresley using System Restore

Safe Mode can also be used for malware elimination process:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of ElvisPresley. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that ElvisPresley removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove ElvisPresley from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by ElvisPresley, you can use several methods to restore them:

Save your files with Data Recovery Pro

Data recovery software can be effective in some cases when trying to restore files encrypted by ransomware. However, the chances of restoring files successfully diminish over time.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ElvisPresley ransomware;
  • Restore them.

Make use of Previous Versions Feature

Microsoft included an automated recovery feature called Previous Versions. It might sometimes help victims of ransomware to recover files one-by-one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be able to save all your files

In case ElvisPresley ransomware failed to eliminate Shadow Volume Copies, you have a high chance of recovering your data successfully with tools like ShadowExplorer.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try Emsisoft's decryptor

Download and install Emsisoft's decryptor to recover all your files safely.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ElvisPresley and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various circumstances, malware is also one of the main culprits that can cause loss of pictures, documents, videos, and other important files. Potentially unwanted programs may clear files that keep the application from running smoothly.

More serious malware infections lead to significant data loss when your documents, system files, or images get locked. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them. Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system.

In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions


Your opinion regarding ElvisPresley ransomware