Severity scale:  

Remove EncoderCSL ransomware (Virus Removal Guide) - Quick Decryption Solution

removal by Olivia Morelli - - | Type: Ransomware

EncoderCSL ransomware is a data-locker that targets files with .txt and .test extensions on your computer

EncoderCSL ransomwareEncoderCSL ransomware is a file locking virus that is based on the Hidden Tear project

EncoderCSL ransomware is a HiddenTear-based file locking malware that was first spotted by multiple security researchers in mid-February 2020. Once inside the system, the virus applies the AES[1] encryption algorithm to lock a limited number of files located on the system, which appends the .locked extension to them as well. EncoderCSL ransomware virus currently only locks .txt and .test files on the host system, which is a clear indication that the malware is still in the experimental stage (fully functional ransomware usually targets all personal data).

After the encryption process, the EncoderCSL virus may drop one of the following ransom notes: READ.txt or READ_IT.txt, although this action is not fully functional yet – experts reported that the malware fails to deliver these text files. Nevertheless, it also displays a pop-up window, which explains why the files were compromised, and also states that victims should not attempt to recover the data without acquiring EncoderCSL ransomware decryptor for the hackers. Even if desired so, reaching criminals is impossible, as no contact details are provided.

Name EncoderCSL ransomware
Type File locking virus, cryptomalware
Based on HiddenTear
Main executable EncoderCSL.exe, or another random name
File extension Each .txt and .test file on the system is appended with .locked extension; for example, a “data.txt” file is turned into “data.txt.locked”
Encryption method A symmetric encryption algorithm is used – AES (Advanced Encryption Standard)
Ransom notes A pop-up message asks victims to view the READ.txt or READ_IT.txt files, but they are currently not dropped on the computer during the infection process
File recovery Retrieving personal files without backups is almost impossible unless you were lucky enough and the malware failed to delete Shadow Volume Copies; additionally, in some cases, data recovery software might be able to recover at least some of encrypted files
Malware removal Perform a full system scan with a security program that can recognize the threat
System fix In case your Windows machine is crashing, showing errors, lagging, or suffering from other stability and functionality issues after ransomware termination, fix Windows with repair software Reimage Reimage Cleaner Intego

Because the prevalence of EncoderCSL ransomware is relatively low, it is unknown what type of tactics threat actors use to distribute the malware. Nevertheless, the most common techniques include:

  • Malicious spam email attachments or hyperlinks;
  • Software vulnerabilities and exploits;
  • Poorly protected Remote Desktop connections;
  • Pirated program installers and software cracks/keygens;
  • Fake update prompts and other fake messages, etc.

Once inside the system, EncoderCSL ransomware places its main executable (can be named as anything, although researchers found the “EncoderCSL.exe” in the wild) into the %Temp%, %Users%, or Desktop location and the begins the infection routine.

During this time, the malware deletes Shadow Volume Copies to prevent victims from recovering from the damages quickly, modifies the Windows registry to establish persistence, starts the “LocalSystem” service, loads several modules, reads computer information, etc.

Finally, EncoderCSL ransomware performs file encryption that only affects .txt and .test files – this will append the .locked extension to these file types. The .locked marker has been extensively used by various other Hidden Tear versions, as it is a default market that indicates which files have been compromised.

After the encryption process, EncoderCSL ransomware will display a pop-up message with the following text:

Your files has been safely encrypted

Please open READ_ME file on your desktop for decryption

Don't try to decrypt files yourself! It can be damage your files forever!

User ID:
Machine ID:

As evident, EncoderCSL ransomware virus developers are not native English language users, although guessing the origin of these people is impossible. Regardless of that, contacting them is impossible anyways, as they do not provide contact details, as there are supposed to be included within the text file on the desktop – it is nowhere to be found.

EncoderCSL ransomware virusEncoderCSL is a ransomware-type virus that only targets .txt and .test files

Even if the ransom note would provide the contact details, security experts[2] highly discourage users from paying the ransom, as victims may get scammed and never received the promised decryption tool. If you had no backups to restore your data, you could try using alternative solutions listed in our recovery section below.

The legacy of HiddenTear: malicious actors keep abusing the open-source project

HiddenTear is a notorious open-source project that was developed by a researcher from Turkey back in 2015. Since then, the code was leaked, and malicious actors quickly learned how to utilize it for illegal monetization purposes. Even many years after its release, various threat actors may attempt to modify the code and start distributing it using various methods, as it happened with EncoderCSL ransomware.

Nevertheless, the EncoderCSL virus is in the early development stage, as it does not match the criteria of fully functional ransomware just yet. Those infected, however, might lose all the encrypted files forever, as there is no way to contact malicious actors at present.

EncoderCSL ransomware removal is necessary, however, as the improved versions might be employed by authors in the future, applying a fully-working encryption function. In such a case, victims may not only lose their .txt or .test files, but also pictures, videos, music, documents, databases, PDF, and other data.

To remove EncoderCSL ransomware from the system, users need to scan their machines with anti-malware software that is capable of detecting and eliminating the threat automatically. According to Virus Total results, more than 40 different anti-malware engines recognize the main executable as follows:[3]

  • Ransom:Win32/HiddenTear.gen
  • Gen:Variant.MSILPerseus.179410
  • A Variant Of MSIL/Filecoder.AK
  • Win32:Trojan-gen
  • Trojan[Ransom]/Win32.HiddenTear
  • MSIL/Filecoder.AK!tr.ransom
  • RDN/Ransom
  • Mal/Generic-S, etc.

Nevertheless, we strongly advise you to make a copy of encrypted files before you get rid of the EncoderCSL virus, as its termination might permanently damage the data.

EncoderCSL virus detectionMultiple AV engines recognize the main executable EncoderCSL.exe as malicious

Ransomware distribution methods vary, so be prepared for all types of attacks 

Ransomware is a very lucrative business currently, with many attacks being carried out against high profile companies, industries, government institutions, and also regular users.[4] The problem is highly complicated by the fact that ransoms are paid to criminals – these payments only fuels the illegal business. However, in some cases, enterprise entities and individuals simply have no other choice.

The best solution would be not being infected in the first place, and for that, adequate security measures are required. As mentioned previously, hackers may employ a single or multiple attack vectors (for example, Mool, Nppp, and other Djvu variants are being spread across the world with the help of software cracks exclusively, and this technique works extremely well, infecting hundreds daily), so it is important to ensure that comprehensive precautionary measures are applied:

  • Do not let spam email attachment run a macro function (“Allow content”) or click on links inside;
  • Update Windows and the installed programs as soon as possible to avoid software vulnerabilities from being exploited to infect malware automatically;
  • Protect all your accounts with security passwords and use two-factor authentication where possible;
  • Never download software cracks or pirated program installers from torrent and similar sites;
  • Install anti-malware software that would use advanced protection measures, such as machine-learning technology;
  • Backup your most important files regularly.

You should remove EncoderCSL ransomware after you backup the locked data

The immediate EncoderCSL ransomware removal might result in data compromise, so it is important not to do this immediately. As evident, the malware should be eliminated from the computer as soon as possible, as the infection may render it vulnerable to other cyber attacks.

Therefore, before you remove EncoderCSL ransomware virus from your computer, backup the encrypted files. If you do not care about the text files you have, you can skip this step and simply terminate the malware with the help of powerful anti-malware. Note that, in some cases, you will have to access Safe Mode with networking to prevent the EncoderCSL virus from tampering with your security tool.

Once you are sure that your system is clean, you can employ data recovery methods we provide below, although note that chances of these techniques being successful are very slim. Nevertheless, malware developers, including those behind EncoderCSL, might make mistakes that would allow security experts to create a free decryption tool. Considering how low the distribution of this malware is, the action is highly unlikely, unfortunately.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove EncoderCSL virus, follow these steps:

Remove EncoderCSL using Safe Mode with Networking

If your anti-virus cannot function in normal mode, access Safe Mode as explained below:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove EncoderCSL

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete EncoderCSL removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove EncoderCSL using System Restore

System Restore can also be used for EncoderCSL ransomware removal:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of EncoderCSL. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that EncoderCSL removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove EncoderCSL from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by EncoderCSL, you can use several methods to restore them:

Data Recovery Pro solution might be the right tool for you

While data recovery software is not designed to restore files that were encrypted by ransomware, they might be successful in retrieving at least some of the file copies from the hard drive.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by EncoderCSL ransomware;
  • Restore them.

Try out Windows Previous Versions feature

This method will only work if you had System Restore enabled before the infection occurred.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might save you from data loss

In case Shadow Volume Copies were preserved, ShadowExplorer should be able to recover all your files automatically.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from EncoderCSL and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions


Your opinion regarding EncoderCSL ransomware