Severity scale: 99/100

TrumpLocker ransomware virus. How to remove? (Uninstall guide)

Removal by Alice Woods | Type: Ransomware

TrumpLocker virus is not a joke – it is a fearsome file-encrypting ransomware

TrumpLocker virus is the second Donald Trump-themed ransomware[1]. The first one was Donald Trump ransomware; however, the new variant seems to be far more sophisticated. It has been confirmed that this ransomware was developed using pieces of VenusLocker ransomware code, as malware experts find many similarities in the source code of both. What we don't know for sure is whether the same group of hackers stands behind both of these malicious projects. Nevertheless, a bit of mystery makes the virus even more tempting to investigate.

TrumpLocker's encryption routine is quite interesting. Computer viruses that are developed to encrypt files typically carry a list of file types they target, and the Trump Locker ransomware targets a lot of different file types. However, the source code[2] of the virus contains an “Exclude Folder,” which contains a list of folder names that the virus bypasses during the encryption routine. Here are some folders that it stays away from:

Program Files, Program Files (x86), Windows, Windows Photo Viewer, WinRAR, Windows Media Player, Windows Mail, CCleaner, Mozilla Firefox, Skype, wamp, Internet Explorer, Microsoft Office, MSBuild, VirtualDJ, Java, Yahoo!, TeamViewer, Adobe, NVIDIA Corporation, and more.

What is also interesting is that the virus steers clear of all security programs and bypasses the folders of antivirus or anti-malware software. It encrypts the rest of the data with an RSA-4096 encryption algorithm, which creates public and private keys for individual users. The public key is used to encrypt the data, while the private key is needed to decrypt it. However, the virus sends the private key to a private server, leaving no hope of tracking it down. During the encryption, the virus checks whether it managed to corrupt the file entirely. If it did, it adds the .TheTrumpLockerf file extension to the original extension. If it failed and corrupted only 1024 bytes of the file, it adds the .TheTrumpLockerp file extension.

The virus then opens a picture of Donald Trump with the slogan “YOU ARE HACKED!!,” closes it, then creates a ransom note called What happen to my files.txt, which is the most informative ransom note we have ever seen. It contains a lot of information with all the details about the cyber attack[3], possible ransom payment methods, and more. The ransomware also opens a program window called The Trump Locker Ransomware, which tells the victim that the criminals want 150 USD; otherwise they won't send the decryption key to the victim. They provide their Bitcoin address and demand that the ransom be paid in Bitcoins. They also ask the victim to get in touch with them via the TheTrumpLocker@mail2tor.com email address after paying the ransom. If you are not willing to pay the ransom, remove TrumpLocker ransomware immediately. You can use programs like Reimage or Malwarebytes Anti Malware for that; however, first restart your PC following the TrumpLocker removal guidelines given below this post.
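For triage after an infection, the file-name indicators described above (the two appended extensions and the ransom note name) can be used to inventory what was hit. The following Python script is an added example, not part of the original guide or of any vendor tool; case-insensitive matching and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article text; lower-cased for matching (assumption).
FULL_EXT = ".thetrumplockerf"      # file was encrypted entirely
PARTIAL_EXT = ".thetrumplockerp"   # only 1024 bytes of the file were corrupted
RANSOM_NOTE = "what happen to my files.txt"

def classify(filename):
    """Return 'full', 'partial', 'note' or None for a single file name."""
    lower = filename.lower()
    if lower.endswith(FULL_EXT):
        return "full"
    if lower.endswith(PARTIAL_EXT):
        return "partial"
    if lower == RANSOM_NOTE:
        return "note"
    return None

def original_name(filename):
    """Strip the appended ransomware extension to show the pre-attack name."""
    for ext in (FULL_EXT, PARTIAL_EXT):
        if filename.lower().endswith(ext):
            return filename[:-len(ext)]
    return filename

def triage(root):
    """Walk root and return (hits per category, hits per folder)."""
    counts, per_folder = Counter(), Counter()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                counts[kind] += 1
                per_folder[folder] += 1
    return counts, per_folder

if __name__ == "__main__":
    # Constructed sample tree so the script runs offline.
    with tempfile.TemporaryDirectory() as root:
        for n in ("report.docx.TheTrumpLockerf", "video.mp4.TheTrumpLockerp",
                  "What happen to my files.txt", "untouched.txt"):
            open(os.path.join(root, n), "w").close()
        counts, per_folder = triage(root)
        print(dict(counts))
        for folder, hits in per_folder.most_common():
            print(hits, folder)
```

Run it read-only against a mounted copy of the affected disk; the per-folder counts show where to look first when comparing against backups.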

How did this Trump ransomware get into my computer?

The new president of the USA hardly has anything to do with this virus; his name was used for fun, although we do not believe that any of the victims find this virus funny. Ransomware viruses are spread in illegal ways, usually via drive-by downloads, malware-laden ads, or malicious emails. Lately, criminals have found new ways to distribute malware, and they are now using “The HoeflerText wasn't found” ads[4] to trick users into installing malware on their computers. You might also become a victim of ransomware if you come across a website that hosts an exploit kit and you have outdated software on your PC. The virus arrives in the form of a RansomNote.exe file, runs a process that deletes Volume Shadow Copies[5], and starts encrypting files right away.

How can I remove TrumpLocker virus?

If your PC was compromised by this noxious piece of software, you have to clean the computer system immediately. We suggest using anti-malware programs for TrumpLocker removal. Before you begin the removal procedure, restart your PC in Safe Mode with Networking (see the tutorial below), then run anti-malware software to remove TrumpLocker virus. As for data recovery, there are currently no tools that could fully revert the damage done by this virus; however, you can try the data recovery methods explained below. They might help you recover at least some files.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By downloading any provided anti-spyware software to remove TrumpLocker ransomware virus, you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall TrumpLocker ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

Manual TrumpLocker virus Removal Guide:

Remove TrumpLocker using Safe Mode with Networking


Carefully read these instructions before you try to delete the virus from your PC.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove TrumpLocker

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete TrumpLocker removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove TrumpLocker using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt ('Safe Mode with Command Prompt') from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated prior to the infiltration of TrumpLocker. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it, and make sure that TrumpLocker removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove TrumpLocker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

We must say that TrumpLocker ransomware uses professional methods to corrupt your data, which means that it is nearly impossible to restore it without the special decryption key. We really hope that you have a data backup; this way, you won't have to pay a ransom or spend hours trying to recover your files using various data recovery tricks. However, if you do not have one, you should read the instructions provided below.

If your files are encrypted by TrumpLocker, you can use several methods to restore them:

Data Recovery Method 1

Use the Data Recovery Pro scanner to find corrupted files. It can help to recover various types of data, and it might help you in the current situation as well.

Data Recovery Method 2

You can try to recover your files with the help of this trick. Bear in mind that you can use this method only if you created a system restore point a while ago.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

TrumpLocker decrypter

Unfortunately, there is currently no software that would help recover files encrypted by TrumpLocker for free, but don't lose hope! Security experts often come up with alternative ways to bypass the encryption of even the most dangerous ransomware viruses. We will inform you as soon as such a tool is released, so be sure to check back with us regularly.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from TrumpLocker and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Alice Woods - Likes to teach users about virus prevention


References


  • Rinald

    Wow, someone honours Trump by dedicating a whole ransomware virus to him? That's nice… and childish, I suppose!

  • July

    I am so glad I created a backup a while ago. I am trying to delete the virus now…

  • shocked

    The Trump Locker ransomware attacked my computer! I can't believe that there is no way to restore files! There MUST be a way!!!

  • Lolly

    I am so angry at myself, I was thinking about creating a backup a few days ago. A bit too late now, all my files are lost. And I have NO idea how I got infected!