Wholocked Ransomware Removal Guide

If you are wondering who locked your files and attached the “.wholocked” extension to their names, we can assure you that it is Wholocked Ransomware. This is a file-encrypting and screen-locking infection that was created by cybercriminals. Although they want you to believe that you can recover your personal files if you follow their instructions, we have to warn you that cybercriminals’ promises cannot be trusted. They want you to pay a ransom in return for a decryption key, but it is unlikely that they have any desire to provide you with this key after they receive your money. This is why we advise that you focus on the removal of the infection instead of paying the ransom. Unfortunately, some victims of the infection are likely to take risks, and they might even expect to have their files decrypted after deleting Wholocked Ransomware. Things are more complicated than that, and if you want to learn more, you should continue reading.

Wholocked Ransomware is definitely not the first infection to lock Windows screens. A few other screen-lockers we can mention include Acroware Cryptolocker Ransomware, Widia Ransomware, and FilesLocker Ransomware. Some of these infections are easy to handle, and some of them do not even encrypt files. They use screen locks to trick victims into thinking that they need to do something to gain access to their own files. Unfortunately, Wholocked Ransomware is not bluffing, and if it invades your Windows operating system, it can encrypt your files. Once that happens, your personal files become unreadable, and that is exactly what the attackers want. Files named “READ_ME_Heyyyyyyy.txt” and “ransom.jpg” are dropped to introduce you to the cybercriminals’ demands. The first file is dropped to every folder with encrypted files, while the second one should be dropped to %USERPROFILE%. Of course, you are not really supposed to access these files if your system is locked appropriately. In this case, you should face a screen-locking window that displays the same message that is carried by the .txt and .jpg files.

The attackers behind Wholocked Ransomware are not trying to hide their intentions. It is obvious that they want money from you, and they expect you to transfer it in Bitcoins to their Bitcoin Wallet (1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX). At the time of research, the ransom was 300 Euro, and that should have bought the victim a decryption key. So, would the attackers give you a decryptor if you fulfilled their demands? That is highly unlikely to be the case. Hopefully, you do not need a decryptor in the first place. If you have created copies of all important files and stored them somewhere safe, outside the computer, you can now use them as replacements. If you cannot replace the corrupted files, it is most likely that Wholocked Ransomware has successfully destroyed them. Should you decide to fulfill the attackers’ demands, understand that you are most likely to waste money for no reason at all. In the future, be more diligent about backing up your personal files simple for safety reasons.

If your system was locked, you need to unlock it to perform the removal of Wholocked Ransomware. This can be done via Safe Mode, and we hope that you can successfully delete the infection yourself using the instructions presented below. Note that some components of the ransomware might have unique names, and if you cannot identify them, manual removal is not the best option for you. Instead, you should employ anti-malware software to delete Wholocked Ransomware automatically. If this is the option you are more interested in, you need to reboot to Safe Mode with Networking because you need access to the internet so that you could install the anti-malware software of your choice. Besides easy malware removal, this software can also ensure full-time protection, which is something that you absolutely need. If we can answer more questions or help you in any other way, do not hesitate to contact us via the comments form below.

How to delete Wholocked Ransomware

1. Restart the computer to access the logon screen.
2. Press and hold the SHIFT key.
3. Click Restart and wait for the Windows Recovery Environment to show up.
4. Open Troubleshoot and then navigate to Advanced options.
5. Click Startup settings, click Restart, and then wait for the boot options menu to show up.
6. Tap the F4 key (Safe Mode) or the F5 key (Safe Mode with Networking).
7. When the system boots up, immediately tap WIN+R keys.
8. Type regedit into the RUN dialog box and click OK to launch the Registry Editor.
9. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
10. Right-click and Delete the value named svñhîst.
11. Exit Registry Editor and then tap WIN+E keys to launch the File Explorer.
12. Enter %USERPROFILE% into the field at the top.
13. Right-click and Delete the file called ransom.jpg.
14. Enter %USERPROFILE%\AppData\Local\Temp\ into the field at the top.
15. Right-click and Delete the {unknown name}.exe file (could be named xc.exe).
16. Enter %TEMP% into the field at the top.
17. Right-click and Delete two {random name}.exe files (could be named xc.exe and XVlBzgbaiC.exe).
18. Exit File Explorer and then right-click and Delete all copies of the file named READ_ME_Heyyyyyyy.txt.
19. Empty Recycle Bin once you think that all malware components are erased.
20. Install and run a trusted malware scanner to make sure that your system is clean.