KoreanLocker ransomware - How to remove

KoreanLocker crypto-virus is an infection by the “Korean ransomware team”. Therefore, we suspect that it mostly targets people from Korea (just like the Satan Cryptor 2.0 did), but should also be seen as a threat to all cyber surfers. Hackers require victims to pay 1 BTC in 24 hours after the infection fully reveals itself. Currently, 1 BTC equals $14816.18. If this sum is not sent to the “1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v” bitcoin wallet, the private key for decryption is explained to be deleted after the given 24 hours. Like many preceding Ransomware infections, KoreanLocker virus appends .locked extension to damaged data. This extension is used by File-Locker and CrY-TrOwX variants.

KoreanLocker virus encrypts data with AES and RSA algorithms

As soon as the ransom is paid, victims are required to contact [email protected]. In the email, people are supposed to include their personal ID number. This is supposed to indicate which victim has paid the fee for decryption. After this, crooks emphasize that they will provide the private key for decryption. However, we are skeptical about this: most hackers attempt to trick users into paying and bluffs about helping victims recover encoded data.

KoreanLocker ransomware is described as a Hidden Tear infection which means that it is based on this open-source project. There are many crypto-malware examples that have been created this way: WanaDie and Foxy viruses are two of the possible variants.

Payload of this infection is discovered as Hidden-tear.exe or Sample_5a536787ed9ecc0f9ba4458b.bin files. Differently from many ransomware viruses, KoreanLocker malware is studied as a portable executable file. It is a Win32 exe file. Furthermore, all of the information from hackers is put in one additional file: README.txt. The original text is shown in the Korean language, meaning that this region is the main target.

What are the methods of recovering data, encoded by the KoreanLocker crypto-malware?

Currently, there does not appear to be a known method to recover data, ruined by KoreanLocker virus. Instead, you could check whether it initiated a command for the removal of Shadow Volume copies. If not, you might able to restore them. In addition to this option, you could also try recovering data with universal tools. This might not be a guaranteed solution, but it might work.

Of course, the best option would be to remove the ransomware and retrieve files from a backup storage. However, if victims have not done this before the encryption, then it is not possible. Since hackers threaten to delete private decryption key in 24 hours, victims might feel intimidated. Nevertheless, we do not recommend paying the ransom. It is high, and your money might go to waste when hackers disappear (without helping you decrypt data).

If you are afraid that the encrypted data might also be removed after 24hours, we suggest you save it in an alternative source (for instance, USB). Then, hurry to remove the KoreanLocker virus. Only then can you start attempting to recover the damaged data.

How can this KoreanLocker virus attack your PC?

Ransomware viruses can be transmitted via malicious emails. If you receive a message from an unknown source, do not click on the recommended links, nor should you download attachments. In addition, some crypto-malware infections can slither into operating systems via deceptive advertisements. Therefore, please do not click on random adverts, especially the ones that offer free updates, gifts, surveys or technical support. In some cases, viruses like KoreanLocker malware could even be installed due to vulnerable RDPs.

If you wish to have your operating system protected from all malware variants, we hope that you will not hesitate to install an anti-malware tool. Having software like Spyhunter will guarantee a safe browsing experience. In addition to this, if you start noticing some bizarre symptoms in your device, Spyhunter will help you run a security scan, determining whether there are many malicious software programs inside.

How to recover KoreanLocker ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before KoreanLocker ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of KoreanLocker ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to KoreanLocker ransomware. You can check other tools here.  

Step 3. Restore KoreanLocker ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually KoreanLocker ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover KoreanLocker ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.