8lock8 Ransomware - How To Remove?

 

8lock8 ransomware, also known as EightLockEight ransomware, is said to be developed from the source code of HiddenTear ransomware. The 8Lock8 file encoder employs an asymmetric encryption algorithm. Two keys are generated: a public (decryption) key and a private (encryption) key. The private key is stored on C&C (Command and Control) servers controlled by the hackers. However, this ransomware has a flaw: sometimes it fails to connect to its C&C server and store the decryption key on it.

About 8lock8 Ransomware

8lock8 ransomware may appear in one of the following locations: the %AppData%, %Temp%, %Roaming%, %Common%, %{User’s Profile}% or %System32% folder. It adds an entry under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key in order to start automatically when the victim launches the PC. This cryptomalware directly attacks the drives of your computer, changes their settings and encrypts almost all sorts of files. The data is encrypted with the AES-256 cipher. The 8Lock8 encoder appends the .8lock8 extension to the names of encrypted files; for instance, book.doc becomes book.doc.8lock8. The file READ_IT.txt is dropped on your desktop and in every folder containing encrypted files. This file holds the ransom note, written in two languages: English and Russian. The note contains two contact e-mails: d1d81238@tuta.io and d1d81238@india.com. However, the size of the ransom is not disclosed.

How is 8lock8 Ransomware Distributed?

The primary source of this ransomware trojan is spam e-mails containing malicious links, which redirect to URLs hosting malicious scripts. The attachments of these spam e-mails may also contain infected files which, once opened, execute malicious scripts on your computer’s system. They can be disguised as various invoices, official documents, etc. The cyber criminals behind this ransomware threat go to great lengths to make you fall into their trap. The secondary source of 8lock8 cryptomalware infiltration is system vulnerabilities targeted by exploit kits (e.g. Angler EK). In this case, the best preventative measure you can take is to use a reliable anti-virus utility.

How to Decrypt Files Encrypted by 8lock8 Ransomware?

Luckily, 8lock8 ransomware is decryptable. However, decryption should be carried out only after the manual or automatic removal of the virus, since the ransomware can easily re-encrypt your data. Reimage, SpyHunter, Hitman or Malwarebytes are powerful malware (including ransomware) removal tools that can be applied against such threats as 8lock8 ransomware. Ransomware keeps mutating and growing in number rapidly; accordingly, you have to not only install but also regularly update your anti-virus. Manual removal instructions are provided below.

Now it is time for decryption. You will have to employ HiddenTear Bruteforcer. Download it from the following link: https://download.bleepingcomputer.com/demonslay335/hidden-tear-bruteforcer.zip. You will also have to prepare the smallest encrypted PNG file. When you have the decrypter opened, load the PNG file and select EightLockEight mode at the bottom. Then, click the Start Bruteforce button. When the decryption key is found, the window will show the text "Key Found!" in green and, below it, the message "Click here to check file for success" in bold black. Click on the message to preview the tested file and see whether it has been decrypted successfully. If it has, you have the working decrypter.

Copy the key and paste it into HT (HiddenTear) Decrypter. Then, select the directory of encrypted files. The password is x1ai2g55r4u3r1p1dehdtoyf1zziap6j. The extension, as you already know, is .8lock8. Then click the Decrypt My Files button. Once the files are decrypted, you will be greeted with the text "Files Decrypted!" in green.

Note: if the hash (the last line of random letters) in your ransom note ends with AH33, skip the whole procedure. Instead, fill the password line with "Whendiplomacyends,Warbegins.1933" and click Decrypt My Files (do not forget to fill in the extension line). This case occurs when the ransomware fails to connect to its C&C (Command and Control) server to send the private encryption key.
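To prepare for the steps above, the following read-only triage script (an added example, not part of the original article or of any of the tools it names) walks a folder, counts the .8lock8 files and READ_IT.txt notes, picks the smallest encrypted PNG for the bruteforcer and reports whether any note's last line ends with AH33. The function names are hypothetical, and the script assumes the note can be read as UTF-8 text.

```python
import os
import sys

ENC_EXT = ".8lock8"        # extension appended to encrypted files (from the article)
NOTE_NAME = "READ_IT.txt"  # ransom note file name (from the article)


def note_last_line(path):
    """Return the last non-empty line of a ransom note ('' if unreadable)."""
    try:
        # Assumption: the note decodes as UTF-8; undecodable bytes are replaced.
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    except OSError:
        return ""
    return lines[-1] if lines else ""


def triage(root):
    """Walk root without modifying anything and summarise what decryption needs."""
    encrypted, notes, smallest = 0, [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME.lower():
                notes.append(full)
            elif lower.endswith(ENC_EXT):
                encrypted += 1
                if lower.endswith(".png" + ENC_EXT):
                    try:
                        size = os.path.getsize(full)
                    except OSError:
                        continue  # file vanished or is unreadable; skip it
                    if smallest is None or size < smallest[0]:
                        smallest = (size, full)
    # A hash ending in AH33 selects the fixed-password case from the note above.
    ah33 = any(note_last_line(n).endswith("AH33") for n in notes)
    return {
        "encrypted_count": encrypted,
        "note_count": len(notes),
        "smallest_png": smallest[1] if smallest else None,
        "fixed_password_case": ah33,
    }


if __name__ == "__main__":
    for key, value in triage(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it with the folder to inspect as the only argument, for example against a copy or mounted image of the affected drive.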

Another way to decrypt your files is to download and use the decryptor from here: link. So feel free to choose the method that best fits your needs.

 


Manual removal

 

Important Note: Although it is possible to manually remove 8lock8 ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.


June 13, 2016 02:07, March 14, 2017 05:01
   
 
