Alma Locker Ransomware - How to remove

Alma Locker ransomware is a new ransomware threat discovered by Proofpoint researcher Darien Huss. Even though it uses the prevailing cipher, it is impossible to be cracked at this point in time. Read the following paragraphs to learn about this malicious app and ways you can prevent it from entering your computer’s system or the measures you should take to remove it.

About Alma Locker Ransomware

Alma Locker virus encrypts the victim’s data using the popular AES-128 encryption algorithm, exploited by the advanced current ransomware threats. It creates a unique 8 character ID and appends a random 5 character extension to the filename extensions of each encrypted file. The victim ID is a derivative of the serial number of the C disk and the MAC address of the first network interface. The example of a corrupted file could be ‘‘Narrative.doc.fser8’’, if the original file had the name of ‘‘Narrative.doc’’. The following extensions belong to the file types which Alma Locker cryptomalware targets:

.1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml

When these files are being encrypted, the virus communicates with its TOR Command & Control Server to send the following information: the AES private decryption key, the new file extensions, the user name, the name of the active network interface, the system Locale ID (LCID), the version of the operating system, the unique victim’s ID, the type of security software registered with Windows OS and the time stamp of the starting point of the program. Thankfully, not all of your folders are to be damaged. Alma Locker file-encrypting virus will bypass the folders, which have the following strings:

system volume information
program files
program files (x86)
internet explorer
local settings

When the encryption of your data has been successfully accomplished, Alma Locker crypto malware displays the ransom note. It is called ‘‘Unlock_files_[the_extension].txt’’ and ‘‘Unlock_files_[the_extension].html’’, depending on the type of the file. The hackers demand for 1 BCT, which amounts to 586.17 USD. This sum of money must be payed within 5 days. The ransom message reads as follows:


As you can see, the message contains the instructions on how to pay the ransom, which are, basically, the links to the dark TOR website – the asylum of hackers. Among these links there is a link for probing the decryptor:


However, the link will only result in an internal server error. This should prove you that paying the ransom is a waste of money.

How is Alma Locker Ransomware Spread?

Alma Locker crypto-malware is distributed via the RIG exploit kit. This exploit kit primarily runs on questionable websites such as file sharing sites (e.g. torrents), free gambling or gaming platforms, porno domains, suspicious advertisements, etc. However, even the code of legitimate and seemingly trustworthy web pages can been hacked. Thus, you will never miss a shot, if you had reputable security software, such as Malwarebytes, running on your computer’s system. Just do not forget to regularly update it.

How to Decrypt Files Encrypted by Alma Locker Ransomware?

No decryption tool is available at the moment. Alma Locker ransomware is still under analysis by cyber security researchers, who work themselves into a lather to break the code of this malignant program and to provide you with the free and working decryptor to retrieve your data.

Update: the decrypter is now available at here: link. You can download it absolutely for free and successfully decrypt your files.

In the meantime, use your external (external hard drives, USB keys, etc.) or internal (Shadow Volume Copies) backed up copies. Try out data recovery tools such as Recuva, R-Studio, PhotoRec, etc. Bu before you lay your hands on data restoration, make a copy of the infected drive and remove the malware with Spyhunter or Hitman automatic malware removal tools. They will clean the registry and system folders from any residual elements of the virus. The manual removal instructions for Alma Locker ransomware virus are provided below.


Leave a Reply

Your email address will not be published. Required fields are marked *