TrumpLocker ransomware / virus (Improved Instructions) - Decryption Methods Included
TrumpLocker virus Removal Guide
What is TrumpLocker ransomware virus?
TrumpLocker virus is not a joke – it is a fearsome file-encrypting ransomware
TrumpLocker virus is the second Donald Trump-themed ransomware. The first one was Donald Trump ransomware; however, the new variant is far more sophisticated. It has been confirmed that this ransomware is built from pieces of VenusLocker ransomware code, as malware experts found many similarities between the two source codes. What we don’t know for sure is whether the same group of hackers stands behind both of these malicious projects. Nevertheless, a bit of mystery makes the virus even more tempting to investigate. TrumpLocker’s encryption routine is quite interesting. First of all, you need to know that file-encrypting viruses typically carry a list of file types they target, and the Trump Locker ransomware targets a lot of different file types. However, the source code of the virus also contains an “Exclude Folder” list of folder names that the virus skips during the encryption routine. Here are some folders that it stays away from:
Program Files, Program Files (x86), Windows, Windows Photo Viewer, WinRAR, Windows Media Player, Windows Mail, CCleaner, Mozilla Firefox, Skype, wamp, Internet Explorer, Microsoft Office, MSBuild, VirtualDJ, Java, Yahoo!, TeamViewer, Adobe, NVIDIA Corporation, and more.
What is also interesting is that the virus avoids all security programs by skipping the folders of antivirus or anti-malware software. It encrypts the rest of the data with the RSA-4096 algorithm, generating a public and a private key for each individual victim. The public key is used to encrypt the data, while the private key is needed to decrypt it. However, the virus sends the private key to the attackers’ server, leaving no way to retrieve it from the infected machine. During encryption, the virus checks whether it managed to encrypt the file entirely. If it did, it appends the .TheTrumpLockerf extension to the original extension. If it failed and corrupted only the first 1024 bytes of the file, it appends the .TheTrumpLockerp extension instead.
Researcher shows files associated with TrumpLocker ransomware: the RansomNote.exe file and Desktop background.png.
The virus then opens a picture of Donald Trump with the slogan “YOU ARE HACKED!!,” closes it, and creates a ransom note called What happen to my files.txt, which is the most informative ransom note we have ever seen. It contains all the details about the cyber attack, possible ransom payment methods, and more. The ransomware also opens a program window called The Trump Locker Ransomware, which tells the victim that the criminals want 150 USD; otherwise they won’t send the decryption key. They provide their Bitcoin address and demand that the ransom be paid in Bitcoin. They also ask the victim to get in touch with them via the TheTrumpLocker@mail2tor.com email address after paying the ransom. If you are not willing to pay the ransom, remove TrumpLocker ransomware immediately. You can use programs like Restoro, Intego, or Malwarebytes for that; however, first restart your PC following the TrumpLocker removal guidelines given below this post.
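As an added triage example (not code from the original guide or from the ransomware's authors), the Python script below walks a folder tree for the two appended extensions and the ransom note file name described above, and separates partially encrypted files, whose bytes beyond the corrupted 1024-byte prefix may still be usable. The sample tree it builds is constructed, and the "intact bytes" figure is an estimate drawn from this page's description, not a recovery guarantee.

```python
import os
import tempfile
from pathlib import Path

# Markers described on the page: the two appended extensions and the ransom note name.
FULL_EXT = ".TheTrumpLockerf"      # file fully encrypted
PARTIAL_EXT = ".TheTrumpLockerp"   # only the first 1024 bytes corrupted
RANSOM_NOTE = "What happen to my files.txt"
CORRUPTED_PREFIX = 1024


def original_name(encrypted_name):
    """Strip the appended TrumpLocker suffix to get the original file name."""
    for ext in (FULL_EXT, PARTIAL_EXT):
        if encrypted_name.endswith(ext):
            return encrypted_name[: -len(ext)]
    return encrypted_name


def triage(root):
    """Walk `root` and inventory TrumpLocker markers; 'partial_intact_bytes' sums
    the data past the 1024-byte corrupted prefix of .TheTrumpLockerp files
    (an assumption drawn from the page's description, not a recovery guarantee)."""
    result = {"full": [], "partial": [], "notes": [], "partial_intact_bytes": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result["notes"].append(str(path))
            elif name.endswith(FULL_EXT):
                result["full"].append(str(path))
            elif name.endswith(PARTIAL_EXT):
                result["partial"].append(str(path))
                result["partial_intact_bytes"] += max(0, path.stat().st_size - CORRUPTED_PREFIX)
    return result


def demo():
    """Build a constructed sample tree (not real artifacts) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / ("report.docx" + FULL_EXT)).write_bytes(b"\x00" * 2048)
        (docs / ("video.mp4" + PARTIAL_EXT)).write_bytes(b"\x00" * 1024 + b"A" * 3976)
        (docs / RANSOM_NOTE).write_text("YOU ARE HACKED!! (constructed note)")
        (docs / "untouched.txt").write_text("clean file")
        return triage(tmp)
```

Run `demo()` to see the inventory; on a real machine, point `triage()` at the user profile after the system has been cleaned, and copy the listed files before attempting any recovery.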
How did this Trump ransomware get into my computer?
The new president of the USA hardly has anything to do with this virus; his name was used for fun, although we do not believe that any of the victims find this virus funny. Ransomware viruses are spread in illegal ways, usually via drive-by downloads, malware-laden ads, or malicious emails. Recently, criminals have found new ways to distribute malware and are now using “The HoeflerText font wasn’t found” pop-ups to trick users into installing malware on their computers. You might also become a victim of ransomware if you come across a website that hosts an exploit kit while you have outdated software on your PC. The virus arrives in the form of the RansomNote.exe file, runs a process that deletes Volume Shadow Copies, and starts encrypting files right away.
How can I remove TrumpLocker virus?
If your PC was compromised by this noxious piece of software, you have to clean the computer system immediately. We suggest using anti-malware programs for TrumpLocker removal. Before you begin the removal procedure, restart your PC in Safe Mode with Networking (see the tutorial below), then run anti-malware software to remove TrumpLocker virus. As for data recovery, there are currently no tools that could fully revert the damage done by this virus; however, you can try the data recovery methods explained below – they might help you recover at least some files.
Getting rid of TrumpLocker virus. Follow these steps
Manual removal using Safe Mode
Carefully read these instructions before you try to delete the virus from your PC.
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to the Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that contains the malicious files).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove TrumpLocker using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point created before the TrumpLocker infiltration. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above should help you remove TrumpLocker from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.
We must say that TrumpLocker ransomware uses professional methods to corrupt your data, which means that it is nearly impossible to restore it without the decryption key. We really hope that you have a data backup – this way, you wouldn’t have to pay a ransom or spend hours trying to recover your files using various data recovery tricks. However, if you do not have one, you should read the instructions provided below.
If your files are encrypted by TrumpLocker, you can use several methods to restore them:
Data Recovery Method 1
Use Data Recovery Pro scanner to find corrupted files. It can help to recover various types of data, and it might help you in the current situation as well.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by TrumpLocker ransomware;
- Restore them.
Data Recovery Method 2
You can try to recover your files with the help of this trick. Bear in mind that you can use this method only if a system restore point was created before the infection.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check the available copies of the file under “Folder versions”, select the version you want to recover, and click “Restore”.
Unfortunately, there is currently no software that would help recover files encrypted by TrumpLocker for free, but don’t lose hope! Security experts often come up with alternative ways to bypass the encryption of even the most dangerous ransomware viruses. We will inform you as soon as such a tool is released, so be sure to check back with us regularly.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from TrumpLocker and other ransomware, use a reputable anti-spyware program, such as Restoro, Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes.
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways to make your online time more private – you can use an incognito tab. However, it is no secret that even in this mode you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus keeping your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without the feeling of being spied on or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many people panic outright when such an unfortunate course of events happens. Because of this, you should always make sure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.