ITLOCK ransomware is a file locking virus that comes from Matrix family

ITLOCK is malware that belongs to ransomware type – it encrypts files in order to blackmail victims to pay ransom in Bitcoin for the decryptor. The virus stems from Matrix ransomware – a relatively old threat that has more than a dozen variants during its two-year lifespan. ITLOCK ransomware uses AES-128 and RSA-2048[1] ciphers to lock data and adds .ITLOCK extension, also modifying the file name to a random string of characters. Once encoding procedure is complete, malware drops a !README_ITLOCK!.rtf file which explains victims the situation and urges them to contact criminals via all three email addresses: rescompany19@qq.com, rescompany19@yahoo.com, and rescompany19@cock.li. Note that it is not the first time .ITLOCK extension is used, and a similar variant came out back in September 2018.
| Name | ITLOCK |
| Type | Ransomware |
| Family | Matrix |
| File extension | [rescompany19@qq.com].[random]-[random].ITLOCK |
| Cipher | AES-128 and RSA-2048 |
| Ransom note | !README_ITLOCK!.rtf |
| Contact | rescompany19@qq.com, rescompany19@yahoo.com and rescompany19@cock.li |
| Decryptable? | No |
| Elimination | Use security software that can detect the virus – we recommend FortectIntego or SpyHunterCombo Cleaner |
It is yet unknown what methods ITLOCK ransomware uses to propagate the machines. However, previous variants of Matrix used Internet Explorer (CVE-2016-0189) and Flash (CVE-2015-8651) vulnerabilities to infect victims. Later on, malware authors started using brute-force attacks via the poorly protected RDP connections.
Because ITLOCK virus is a relatively new threat, not all AV engines recognize it. Currently, 46 vendors detect malware using the following names:[2]
- Gen:Variant.Ransom.Matrix.6
- Win32:DangerousSig [Trj]
- TR/FileCoder.gousb
- Ransom:Win32/Genasom
- Ransom.Matrix
- Trojan/Win32.Matrixran.R234829, etc.
Users should pick one of the tools that can detect the threat for ITLOCK ransomware removal. We recommend using FortectIntego or SpyHunterCombo Cleaner to perform the system scan.
During the encryption, ITLOCK ransomware uses two Command Prompt windows, so users can instantly notice that something is doing on. However, the process usually does not last too long, and files become encrypted in the following pattern: [rescompany19@qq.com].[random]-[random].ITLOCK.
For example, a file called picture.jpg will be converted to [rescompany19@qq.com].HKu8jex-WHQUrnX.ITLOCK. From that time, all the pictures, documents, databases and other files become unusable. To unlock files, users are asked to pay ransom in Bitcoin. It is yet unknown how much ITLOCK ransomware authors want, but paying cybercriminals is not recommended by experts.
Victims might end up being scammed and lose their money, along with the data. Therefore, users should remove ITLOCK ransomware from their devices with the help security software and only then proceed to alternative file recovery methods.
Those who failed to prepare backups before ITLOCK virus attacked, should check our guide below on how to use third-party software that might be able to restore at least some of the files.

Employ reputable anti-malware software and be attentive online to avoid ransomware attacks
As we previously mentioned, older variants of malware used weak RDP or software vulnerabilities to spread. To protect yourself from these infiltration methods, you should make sure that your system and software is adequately patched. Security updates come out very often (or as soon as vulnerabilities are discovered) and without applying updates, users still are vulnerable to old flaws. For example, the EternalBlue exploit was actively used in WannaCry campaigns back in 2017, and the flaw is yet being actively exploited by criminals to infect not only ransomware but also cryptojackers like NRSMiner.
A second important step into malware-less PC is the anti-virus program. There are plenty to choose from, and if you are not using one, there is a tremendous risk of being infected.
Finally, you should generally be more careful when using the internet:
- Use strong passwords for RDP and all your accounts;
- Avoid high-risk websites;
- Use Firewall, adblock, and VPN (for RDP);
- Do not casually open spam email attachments or links;
- Etc.
Eliminate ITLOCK ransomware and protect your files from danger in the future
To remove ITLOCK ransomware, you should download and install security software that is capable of doing so. We suggest using FortectIntego or SpyHunterCombo Cleaner, although other programs can be good for the job as well. Be aware that malware may interfere with anti-virus engine working properly. In such a case, you should enter Safe Mode with Networking as explained below.
Once ITLOCK ransomware removal is complete, you can start file recovery. If you have a backup device, feel free to connect it to your computer and copy all the files. Unfortunately, most users fail to backup their data and risk losing it all in case of ITLOCK virus or other infection.
For those who do not have backups prepared, we suggest checking third-party software that might be able to help. Finally, making a copy of files and waiting till security researchers release official decryptor is an option as well, although its discovery is never guaranteed.
Was this guide helpful?
Be the first to comment