ArmaLocky Ransomware Virus - How To Remove?

 

ArmaLocky ransomware virus encrypts files with a combination of two ciphers, RSA-4096 and AES-256. The same hybrid scheme has been adopted by a number of other file-encoders, such as the May and FileFrozr infections. ArmaLocky ransomware appends the extension .armadilo1 to every file it encrypts. MlsoSvc.exe is reported as the payload of this malware, which will terrorize users and damage their digital files. The malware also creates a “locky” RUN key in the Windows Registry (MSDN.Microsoft).

Alarming features of ArmaLocky crypto-virus

ArmaLocky crypto-virus impersonates the notorious Locky infection. The latter definitely has some surprising tricks up its sleeve and can be treated as a model for other ransomware infections. Nevertheless, the creators of ArmaLocky have no relation to the people behind Locky or its newest version, Lukitus.

ArmaLocky ransomware virus

ArmaLocky malware aims to strike while the iron is hot. To catch users off guard, the hackers threaten them with a short deadline: only 72 hours until the file-decryption software/key is deleted. The crooks claim that after this time passes, even they will no longer be able to help their victims. A number of ransomware infections do destroy private decryption keys after a specific period of time; the Decryption Assistant and Balbaz ransomware viruses are only two examples (Varonis).

In the picture above, people can see the ransom note that ArmaLocky places on victims’ desktops. Since the goal of this malware is to be mistaken for the frightening Locky infection, the dropped files support this sham as well: _Locky_Help_.html and _Readme_.txt are planted on the system. In these messages, victims are urged to download the TOR browser and access a specific website. Such TOR sites frequently present more information about the ransomware. The same strategy is exploited by samples like WininiCrypt and a strain of Globe Imposter.
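The indicators named so far (the .armadilo1 extension, the MlsoSvc.exe payload, the “locky” RUN value and the two ransom notes) can be checked on a suspect machine without touching anything. The script below is an added example for this page, not code from the original article or from the malware's authors. It assumes the “locky” value sits under the standard Run key of HKCU or HKLM (the article does not say which hive) and that the scan root is the current user profile; both are adjustable.

```powershell
# Added example (not from the original article): read-only triage of the
# ArmaLocky indicators the article names. Assumption: the "locky" Run value
# lives under the standard Run key of HKCU or HKLM. Run in an elevated shell.
param(
    [string]$ScanRoot = $env:USERPROFILE   # directory tree to scan for artifacts
)

# Indicators taken from the article
$Extension   = '.armadilo1'                           # appended to encrypted files
$PayloadName = 'MlsoSvc'                              # MlsoSvc.exe, the reported payload
$RunValue    = 'locky'                                # name of the persistence Run value
$NoteNames   = @('_Locky_Help_.html', '_Readme_.txt') # ransom notes dropped on disk

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Persistence: a Run value named "locky" (hive is an assumption, see above)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties.Name -contains $RunValue) {
        $findings.Add([pscustomobject]@{
            Type   = 'RunKey'
            Where  = $key
            Detail = $props.$RunValue      # command line the value points at
        })
    }
}

# 2. Payload still running: report it so it can be stopped before any recovery
foreach ($proc in Get-Process -Name $PayloadName -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{
        Type   = 'Process'
        Where  = "PID $($proc.Id)"
        Detail = $proc.Path
    })
}

# 3. Encrypted files and ransom notes under the scan root
foreach ($file in Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue) {
    if ($file.Extension -ieq $Extension) {
        $findings.Add([pscustomobject]@{ Type = 'EncryptedFile'; Where = $file.FullName; Detail = $file.LastWriteTime })
    } elseif ($NoteNames -icontains $file.Name) {
        $findings.Add([pscustomobject]@{ Type = 'RansomNote';    Where = $file.FullName; Detail = $file.LastWriteTime })
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No ArmaLocky indicators found (scan root: $ScanRoot)"
} else {
    $findings | Sort-Object Type, Where | Format-Table -AutoSize
}
```

The LastWriteTime of the earliest .armadilo1 file is a useful approximation of when encryption started; it tells you which Restore Points and Shadow Volume Copies in the steps below predate the infection and are therefore worth trying.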

It could be that all of the encrypted data is archived into a zip file protected with a specific password, and that the archive also contains the victims’ personal identification IDs. On the website that the TOR browser opens, users are presumably urged to contact the hackers via specific email addresses. Alternatively, the site could state a specific sum of bitcoins that has to be paid for decryption.

How could files be recovered? How can I become immune to ransomware infections?

Currently, not enough analysis has been done to generate a specific file-decryptor. It could be that the hackers already have this software, but they could also be bluffing for the sake of earning money. The payment will probably be required via the bitcoin payment system, which provides anonymity. Luckily, there are alternative methods to help victims of ransomware restore data, or at least part of it. A number of universal file-recovery tools are designed to decrypt files of basically any crypto-virus. Naturally, this does not always go as planned.

In addition to this possibility, we can also remind our users that it is possible to restore files from Shadow Volume Copies. Unfortunately, ransomware viruses are usually eager to delete them. If you become infected with ransomware, we hope these copies will remain untouched.

However, there is a way to become completely immune to all ransomware infections. All you have to do is upload files to backup storage or other alternative locations. In case the originals on your hard drive are affected by crypto-viruses, you will have no trouble finding a way to recover files.

Before any file-recovery attempt, victims have to be certain that all traces of the ransomware are eliminated. It is recommended to run a scan with an anti-malware tool like Reimage. If the crypto-virus is still active on the operating system during the file-recovery process, restored files could be re-encrypted.

How to recover ArmaLocky ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before ArmaLocky ransomware virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of ArmaLocky ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to ArmaLocky ransomware virus.


Step 3. Restore ArmaLocky ransomware virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually ArmaLocky ransomware virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copies. You can do it using the native Windows Previous Versions feature or via Shadow Explorer.
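Before opening Previous Versions or Shadow Explorer it is worth knowing whether any shadow copies survived at all, and which of them were taken before the files were encrypted. The script below is an added example for this page, not code from the original article or from Shadow Explorer; it assumes it is run from an elevated PowerShell, because enumerating the Win32_ShadowCopy class requires administrator rights.

```powershell
# Added example (not from the original article): list the shadow copies that
# Step 3 relies on, with the drive letter and creation time of each.
# Assumption: run from an elevated PowerShell (Win32_ShadowCopy needs admin).

# Map volume device paths (\\?\Volume{GUID}\) to drive letters for readability
$driveByDevice = @{}
foreach ($vol in Get-CimInstance -ClassName Win32_Volume) {
    if ($vol.DriveLetter) { $driveByDevice[$vol.DeviceID] = $vol.DriveLetter }
}

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($shadows.Count -eq 0) {
    # Nothing to restore from: either none were ever created, or the ransomware
    # removed them, which is itself worth recording in the incident notes.
    Write-Output 'No Shadow Volume Copies present on this system.'
} else {
    $shadows |
        Sort-Object InstallDate |
        ForEach-Object {
            [pscustomobject]@{
                Drive   = $driveByDevice[$_.VolumeName]   # e.g. C:
                Created = $_.InstallDate                  # compare with the time the files were encrypted
                Device  = $_.DeviceObject                 # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
                ID      = $_.ID
            }
        } |
        Format-Table -AutoSize
}
```

Only snapshots whose Created time is earlier than the encryption timestamp are useful; a copy taken after the infection already contains the encrypted files. The same list, without the drive-letter mapping, is printed by vssadmin list shadows from an elevated Command Prompt.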

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.


b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover ArmaLocky ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

     
 

About the author

Virus researcher
I’m a virus researcher and my field of specialization involves but is not limited to the newly-developed ransomware variants. In my opinion, crypto-viruses are highly-underestimated and some Internet users have very few opportunities to learn about their symptoms before it is too late. Our goal here in 2-viruses.com is to make sure that crucial information about the most relevant malware samples would be available for everyone.
 
September 12, 2017 02:08
   
 
