If you are wondering who locked your files and attached the “.wholocked” extension to their names, we can assure you that it is Wholocked Ransomware. This is a file-encrypting and screen-locking infection that was created by cybercriminals. Although they want you to believe that you can recover your personal files if you follow their instructions, we have to warn you that cybercriminals’ promises cannot be trusted. They want you to pay a ransom in return for a decryption key, but it is unlikely that they have any desire to provide you with this key after they receive your money. This is why we advise that you focus on the removal of the infection instead of paying the ransom. Unfortunately, some victims of the infection are likely to take risks, and they might even expect to have their files decrypted after deleting Wholocked Ransomware. Things are more complicated than that, and if you want to learn more, you should continue reading.
Wholocked Ransomware is definitely not the first infection to lock Windows screens. A few other screen-lockers we can mention include Acroware Cryptolocker Ransomware, Widia Ransomware, and FilesLocker Ransomware. Some of these infections are easy to handle, and some of them do not even encrypt files. They use screen locks to trick victims into thinking that they need to do something to gain access to their own files. Unfortunately, Wholocked Ransomware is not bluffing, and if it invades your Windows operating system, it can encrypt your files. Once that happens, your personal files become unreadable, and that is exactly what the attackers want. Files named “READ_ME_Heyyyyyyy.txt” and “ransom.jpg” are dropped to introduce you to the cybercriminals’ demands. The first file is dropped to every folder with encrypted files, while the second one should be dropped to %USERPROFILE%. Of course, you are not really supposed to access these files if your system is locked appropriately. In this case, you should face a screen-locking window that displays the same message that is carried by the .txt and .jpg files.
The attackers behind Wholocked Ransomware are not trying to hide their intentions. It is obvious that they want money from you, and they expect you to transfer it in Bitcoins to their Bitcoin Wallet (1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX). At the time of research, the ransom was 300 Euro, and that should have bought the victim a decryption key. So, would the attackers give you a decryptor if you fulfilled their demands? That is highly unlikely to be the case. Hopefully, you do not need a decryptor in the first place. If you have created copies of all important files and stored them somewhere safe, outside the computer, you can now use them as replacements. If you cannot replace the corrupted files, it is most likely that Wholocked Ransomware has successfully destroyed them. Should you decide to fulfill the attackers’ demands, understand that you are most likely to waste money for no reason at all. In the future, be more diligent about backing up your personal files simple for safety reasons.
If your system was locked, you need to unlock it to perform the removal of Wholocked Ransomware. This can be done via Safe Mode, and we hope that you can successfully delete the infection yourself using the instructions presented below. Note that some components of the ransomware might have unique names, and if you cannot identify them, manual removal is not the best option for you. Instead, you should employ anti-malware software to delete Wholocked Ransomware automatically. If this is the option you are more interested in, you need to reboot to Safe Mode with Networking because you need access to the internet so that you could install the anti-malware software of your choice. Besides easy malware removal, this software can also ensure full-time protection, which is something that you absolutely need. If we can answer more questions or help you in any other way, do not hesitate to contact us via the comments form below.