Exolock Ransomware Removal Guide

Exolock Ransomware is a highly dangerous computer infection that can infect your PC by stealth and encrypt many of your personal, valuable files. Then, it can demand that you pay a small ransom for a decryption tool, but the problem is that you might not get it after you pay, so we suggest that you remove this program because you cannot trust cybercriminals to keep their word. We have acquired a sample of this ransomware and tested it. So, in this article, we will discuss how this ransomware works, how it is distributed, and how you can get rid of it.

Let us jump right into how this application works. If Exolock Ransomware were to infect your PC, then it would start encrypting your files immediately. Our research has shown that this ransomware uses the Advanced Encryption Standard (AES) to encrypt your files which ensures a rather strong encryption that may or may not be cracked in the future. While encrypting your files, it appends them with a custom “.exolocked” that acts as a file marker. It tells you which files were encrypted. However, unlike some ransomware, this program does not change the original file names of the encrypted files.

The sample we have acquired and tested crashed on Windows 7 and restarted the PC on Windows 10. In both cases, once the PC was restarted, the files had already been encrypted. This ransomware can encrypt many file types such as pictures, documents, databases, file archives, executable files, and so on. Once the files have been encrypted it will show a ransom note.

The note says that you have to go to www.anvcoindirect.eu/en/buy/bitcoins to buy some Bitcoins. They want you to pay 0.01 BTC which is 36.73 USD. Once the payment is confirmed, the cybercriminals promise to decrypt your files and you can use your PC normally again. They warn you that if you close the ransomware or shut down your PC your files will be deleted and you will not be able to recover them. Therefore, you should remove this ransomware as soon as possible and wait for a free decryption tool to appear. You can try paying the ransom because the criminals to don’t ask for much money, but there is no guarantee that they will decrypt your files once you have paid.

There is no concrete information on how the criminals distribute Exolock Ransomware, but we suspect that the criminals might have set up an email server that sends bogus emails to random people. The ransomware should be included as a file attachment that may pose as a PDF document while being an EXE file. The developers could try to trick you into thinking it is a PDF file by adding a fake extension to the name and the file should like “file.pdf.exe.” If you open this file, then it will encrypt your files and crash or restart your system.

If you do not want to pay the ransom, then we recommend that you remove Exolock Ransomware from your PC as soon as possible. One of the ways you can do that is to get an antimalware program such as our featured SpyHunter antimalware application or locate and delete the ransomware manually. However, the problem is that it can be hard to identify where it is located. The manual removal guide below features the most likely folders where this ransomware can end up in. See the guide below for more information.

Manual Removal Guide

1. Simultaneously hold down Windows+E keys.
2. Enterthe following file paths in the address of File Explorer.
   • %USERPROFILE\Desktop
   • %USERPROFILE%\Downloads
   • %WINDIR%\Syswow64
   • %WINDIR%\System32
   • %TEMP%
   • %APPDATA%
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
3. Hit Enter on your keyboard.
4. Find the executable file.
5. Right-click it and click Delete.
6. Empty the Recycle Bin.