Remove Evil Ransomware and Restore .file0locked Files

How to Remove Evil Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Hello.
Your UID: –
Its evil ransomware. As you can see some of your files have been encrypted!
Encryption was made using a unique strongest AES key.
If you want restore your files you need to BUY (sorry, nothing personal, its just business) the private key, send me your UID to r6789986@mail.kz List of encrypted files.

One would claim that all ransomware programs are evil. After all, they’re designed that way! Well, there is one, roaming the web, whose creators chose to name Evil. Apparently, they wanted to really stress on the nastiness of the infection, they unleashed. And, true to its name Evil is quite the evil invention. It’s a pretty standard ransomware as far as programming goes. It’s written in Javascript, and follows the established pattern. It sneaks into your system via trickery and deceit. Then, it encrypts every single file you have on your computer. Once everything gets locked, it displays its demands. The program leaves a ransom note on your Desktop, as well as every affected folder. It’s either an HTML or a TXT file, and it reads the same. The file explains your situation, and lays out its requirements. And, it boils down to a simple “pay up or lose your data.” If you wish to decrypt your files, you have to pay a ransom. Once you do that, you receive a decryption key. Apply that key, and you unlock your files. It seems straightforward enough, doesn’t it? Well, there are so many things that can go wrong. At first, remember that you’re dealing will cyber criminals. The odds are NOT in your favor. Chances are, these people WILL double-cross you. They might not send you a key, send you the wrong one, or who knows? Maybe they’ll give the right one, and you’ll release your data from the encryption. But, what then? You have zero guarantees that your files will remain encryption-free. Understand that by applying the decryption free, you only get rid of the encryption. Not the ransomware. So, Evil is still somewhere on your PC. Perhaps, it’s waiting to strike again? What’s stopping it from acting up, and locking your data once more? But even if you tune out all these variables, and ignore every other danger, one remains. It’s a danger, you just cannot look past. And, it has to do with your privacy. If you cave, and pay the ransom, you expose your private life. To unknown cyber extortionists, who can then use it as they see fit. You give them access to your personal and financial details. You need to ask yourself what’s more important – privacy or pictures? Figure out your priorities, and act accordingly. But, know that experts advise towards saying goodbye to your files. They’re replaceable. Privacy is not.

How did I get infected with?

How do you suppose one gets stuck with the Evil ransomware? It seems as though, one day, it just popped up on your PC. But that’s not the case. Like, most cyber threats, this one requires user’s assistance. Your assistance. Or, rather, your carelessness. These types of tools have an entire array of sneaky methods of infiltration they can use. But they all rely on your distraction, gullibility, and haste. So, if you want to keep your system infection-free, go the opposite direction! Be extra thorough and vigilant. Don’t rush, and always opt to read the terms and conditions. Don’t just say “yes” to everything. Due diligence goes a long way. At the very least, it will improve your chances of keeping Evil away. It won’t hurt. So, next time you’re installing freeware, remember that. Take your time to be thorough. Other invasive methods include spam email attachments, bogus updates, corrupted links, and sites.

Why is Evil dangerous?

After the Evil ransomware slithers into your system, it doesn’t waste time but gets to work. The tool encrypts every single file you keep on your PC, using AES cryptography. Pictures, videos, documents, music, etc. All falls under the tool’s control. To solidify its grasp over your data, the program attaches a special extension. At the end of each of your files, you’ll find ‘.file0locked.’ For example, a picture named ‘summer.jpg’ gets renamed to ‘summer.jpg.file0locked.’ Once the attachment is in place, you can no longer open your files. They’re inaccessible. And, moving or renaming them, achieves nothing. They’re locked. The only way to unlock them, and free them of Evil, is with a decryption key. But to get it, you have to pay a ransom. Payment is usually demanded in Bitcoin. The amount usually fluctuates between $500 and a $1000 US Dollars. The number can can go higher or lower, but here’s the thing. Even if it were one single dollar, do NOT pay. As was already explained, payment equals your privacy getting exposed. The best course of action you can take is to forsake your files. Do NOT follow the cyber extortionists’ demands! Do yourself a favor, and pick the more difficult but wiser choice. Discard your data to protect your privacy.

Evil Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Evil Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Evil encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Evil encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.