ITLOCK Virus - How to remove

ITLOCK infects computers and breaks (encrypts) the files that it finds. This is undoubtedly a virus — ransomware. Ransomware, also known as cryptoviruses, is a lucrative venture for online criminals, and a destructive and devastating event for the victims.

What does ITLOCK look like?

ITLOCK is a variant of Matrix ransomware. Its ransom note looks a lot like the other Matrix notes, though the text is slightly different. The note, !ITLOCK_README!.rtf, provides the contacts of the ITLOCK developers and gives you a personal ID. The ITLOCK note is very similar to the ransom note left by the NEWRAR virus. If you see the ransom note, every file that ITLOCK was able to encrypt has already been encrypted. The file names will have changed into [[email protected]].[random characters].ITLOCK.
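The ransom note name and the renamed-file pattern described above can be used to inventory which folders were hit before restoring from backup. The script below is an added example, not part of the original article or any vendor tool; the function names, the placeholder contact address and the sample file names are constructed for illustration, and the exact shape of the random part of the name is an assumption.

```python
import os
import re
import tempfile
from collections import defaultdict

NOTE_NAME = "!ITLOCK_README!.rtf"  # ransom note name given in the article
# Renamed files per the article: [contact address].[random characters].ITLOCK
# What the random part may contain is an assumption, so it is matched loosely.
RENAMED = re.compile(r"^\[[^\]]+\]\..+\.ITLOCK$", re.IGNORECASE)


def scan(root):
    """Return {directory: {"note": bool, "locked": [...], "intact": [...]}}."""
    report = defaultdict(lambda: {"note": False, "locked": [], "intact": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            entry = report[dirpath]
            if name.lower() == NOTE_NAME.lower():
                entry["note"] = True
            elif RENAMED.match(name):
                entry["locked"].append(name)
            else:
                entry["intact"].append(name)
    return dict(report)


def restore_plan(report):
    """Directories that need files back from backup, most affected first."""
    hit = [(d, len(e["locked"])) for d, e in report.items()
           if e["locked"] or e["note"]]
    return sorted(hit, key=lambda item: (-item[1], item[0]))


def demo():
    """Build a constructed sample tree (not real ITLOCK output) and scan it."""
    root = tempfile.mkdtemp(prefix="itlock_demo_")
    for rel in ("Documents/" + NOTE_NAME,
                "Documents/[contact@example.invalid].Ab3xK9qZ.ITLOCK",
                "Documents/[contact@example.invalid].Qq71LmN2.ITLOCK",
                "Pictures/holiday.jpg"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return restore_plan(scan(root))


if __name__ == "__main__":
    for directory, locked in demo():
        print(f"{locked:5d} encrypted  {directory}")
```

Run `restore_plan(scan(r"D:\\"))` against a mounted copy of the affected drive rather than the live system, so the inventory does not alter file timestamps that a later forensic review may need.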

The developers of ITLOCK want their victims to contact them — they provide three email addresses:

How do cryptoviruses work?

Encryption is used to restrict access to files and information that should be confidential. With public-key cryptography, information encrypted with the public key can only be unlocked with the matching private key. This means that the person who encrypts the files cannot decrypt them, and the private key is not exposed to anyone.

This also makes it possible for your computer to encrypt files without having the private key needed to decrypt them. Now the ITLOCK developers try to sell you the key needed to unlock the files. They are right that the files probably cannot be decrypted without the decryption key. And unless the ITLOCK developers leak the keys themselves, or are arrested, it’s unlikely that the files will be decrypted without their “help”. Still, it’s a bad idea to give in. Usually, the ransom for one computer is hundreds of dollars, and there is never a guarantee that the files will be fixed.

How is ITLOCK distributed?

Hacking computers through Remote Desktop is one of the most common ways that cybercriminals spread cryptoviruses, and ITLOCK has been using this strategy lately. Your accounts should be secured with complicated passwords, and Remote Desktop connections should be limited as much as possible. The most common, simple passwords are already well known, and yet people keep using them. Additionally, some websites have information stolen from their databases, and if they stored passwords without obfuscating them, criminals can use this information in brute force attacks. Don’t use the same password for multiple accounts!

If the attackers are successful and they get administrator access, they infect all the accessible computers with ITLOCK (or whatever virus that particular criminal is spreading). Attacks like this are usually manually coordinated, aimed at specifically chosen targets, and are the most lucrative type of online extortion.


Still, a lot of ransomware infections are automated. Peer-to-peer filesharing is one way to download malicious files. Software cracks are especially dangerous because antivirus programs are expected to detect them as malicious anyway, so scanning does not necessarily serve as a good warning. Infected files are also distributed with malicious spam emails. These files are often disguised as important documents, but if you are aware of the red flags that indicate deception, you can probably avoid most of them. Still, be very careful, do not enable macros for unfamiliar files, do not open archives, scan each file you got from unknown senders — and even known senders.

How to remove ITLOCK

Don’t contact the cybercriminals and don’t pay the ransom. The developers of ITLOCK have no obligation to be fair — it is easy for them to just take the money and leave. The best solution for ITLOCK is to have had your files saved in multiple places. If you have a backup of your computer, or at least of your most important files, the infection is probably not very devastating. Even if you did not create a backup, think if you have external hard drives, check your cloud storage, check your email attachments. Maybe your files can still be recovered.

Scan your computer to check if there are any threats on it. You can use Spyhunter, or another reputable antivirus program. The ransomware might have deleted itself after it finished encryption, but it might have left some other malware on your machine, such as spyware.

Once you’ve made sure that your computer is clear of malware, you can start using your computer normally again. Copy your files from the backup, or try the guide below to restore them. Think about how ITLOCK infected your computer and make sure to remove that vulnerability. Keep your antivirus program up-to-date, patch your operating system as well. Use the built-in Windows tools to create a backup of your system. Be safer in the future.



How to recover ITLOCK Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before ITLOCK infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.
 

Step 2. Complete removal of ITLOCK Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to ITLOCK.

Step 3. Restore ITLOCK Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually ITLOCK tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover ITLOCK Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.