PainLocker is the newest variant of the Everbe crypto-extortion virus (see the Virustotal.com scan results), which was also released earlier in May 2018. Not much is known about the PainLocker ransomware infection yet, but the information the 2-viruses.com team has gathered so far may help if you have caught this dreadful PC threat and want to get rid of it.
Despite minor differences, PainLocker works on the same principle as any other ransomware: it encrypts the files most important to the user with strong algorithms and then demands a ransom in cryptocurrency for the decryption key. The criminals then collect the money and will not even bother to help you get your files back. No matter how this crypto-infection got into your computer, there are a couple of methods you can try to save your system.
How does the PainLocker virus work?
At the moment it is hard to tell which encryption algorithm PainLocker uses to lock the files, but most likely it is a modified AES-256 cipher, just like in the Sigrun, 8Chan and RansomAES ransomware viruses. This means that picture, video, music and document files of various formats will be locked and marked with the frightening .[[email protected]].pain extension appended to their names. Instead of file.jpg you will see the compromised file as file.jpg.[[email protected]].pain.
Ransomware is among the most sophisticated threats because it uses encryption that requires a unique unlocking key for every infected machine, which makes it hard for cybersecurity professionals to create a decryption tool. What is more, the processes PainLocker runs on the victim's computer from the very beginning of the infection are extensive.
Once it gets onto your system (we will get to that later), PainLocker not only has to make sure that your PC's security or antivirus program does not recognise it; it must also copy itself into the registry so that it runs again whenever you restart the computer, scan for the targeted files and start the encryption, and drop the ransom note file in various directories (in this case the desktop) to give the user further directions. In some cases, if execution fails, it can connect to the crooks' servers to download the missing components and finish the setup.
These processes run in the background, and you will only notice the problem after the virus has completed its installation. The first sign you will see is the ransom note file named '!=How_recovery_files=!.txt' on the screen, which, when opened, says this:
Hello, dear friend!
All your files have been ENCRYPTED
Do you really want to restore your files?
Even though there is no decryption tool yet, never pay the ransom to the hackers: they usually just take the money and leave the compromised files locked, ignoring the frustrated victim. At this point it is not clear how much PainLocker asks, but it can range from a couple hundred dollars to a couple thousand dollars.
Why did PainLocker ransomware infect your computer?
PainLocker malware does not target any specific region, so the ransom note is written in the most commonly understood language, English. However, quite a few infections were noticed in South America and the United States. It can spread via infected email attachments, freeware or torrents, so no matter what country you are from you can easily become an accidental victim.
When you download an infected software bundle or open a malicious attachment, one click is enough for PainLocker to start the infection. No matter how sophisticated the antivirus is, personal files are put in danger so that the cyber crooks have a chance to profit from the stressed victim, who will most likely be willing to pay the ransom straight into the hackers' pocket.
How to delete the PainLocker virus and get your files back?
As we mentioned before, there is no decryptor for this ransomware family, but there are a couple of other ways you can potentially restore your files and clean the system. The first step is automatic PainLocker removal with anti-spyware tools; we trust Spyhunter and Malwarebytes. Even though these malware removal tools cannot restore the files, it is important to delete the virus before the infection escalates, you get attacked by more threats, or PainLocker damages your system completely.
In some cases PainLocker can affect your browser as well, so that you cannot download such software. Then you can try using another browser, or download the programs on a clean computer and install them from an external removable drive via USB. Only after you have removed the virus should you take the following step: file recovery from shadow copies.
How can you restore PainLocker-affected files using Shadow Volume Copies?
If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. They store copies of your files from the point in time when a system restore snapshot was created. Usually PainLocker tries to delete all Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.
a) Native Windows Previous Versions
Right-click an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing encrypted file. If you want to check the content of the file first, just click Open.
b) Shadow Explorer
Shadow Explorer is a program that can be found online for free, in either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click it and select "Export", then choose where you want it to be stored.
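As an added example that is not part of the original article, the same Previous Versions lookup scripted in PowerShell: it enumerates the shadow copies of the C: volume and copies the pre-encryption version of one file out of the newest snapshot that still holds it, reporting the empty snapshot list the article warns about when the ransomware has deleted the copies. The file and output paths are constructed sample values, and the script must be run from an elevated prompt.

```powershell
# Added example (not the article's own code): pull a file's pre-encryption version
# out of the newest Volume Shadow Copy of C: that still contains it.
# Assumes: run as Administrator on Windows with VSS enabled; $OriginalPath and
# $RestoreDir are constructed sample values.
param(
    [string]$OriginalPath = 'C:\Users\victim\Documents\report.docx',
    [string]$RestoreDir   = 'C:\Restored'
)

$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volumeId } |
            Sort-Object InstallDate -Descending

# Ransomware that deleted the snapshots leaves this list empty; say so explicitly.
if (-not $shadows) {
    Write-Warning 'No shadow copies exist for C:; this recovery path is not available.'
    return
}

New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$relative = $OriginalPath.Substring(3)        # path without the "C:\" prefix
$mount    = 'C:\ShadowMount'                  # temporary symlink to the snapshot root

foreach ($s in $shadows) {
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; a directory
    # symlink (trailing backslash required) makes its contents reachable normally.
    if (Test-Path -LiteralPath $mount) { cmd /c rmdir $mount | Out-Null }
    cmd /c mklink /d $mount "$($s.DeviceObject)\" | Out-Null

    $src = Join-Path $mount $relative
    if (Test-Path -LiteralPath $src) {
        $stamp = '{0:yyyyMMdd-HHmmss}' -f $s.InstallDate
        $dest  = Join-Path $RestoreDir ("${stamp}_" + (Split-Path $OriginalPath -Leaf))
        Copy-Item -LiteralPath $src -Destination $dest
        Write-Output "Restored $OriginalPath from snapshot taken $($s.InstallDate) to $dest"
        cmd /c rmdir $mount | Out-Null        # removes only the link, not the snapshot
        return
    }
}
cmd /c rmdir $mount | Out-Null
Write-Warning "No snapshot contains $OriginalPath."
```

Restoring into a separate directory rather than over the encrypted file keeps the encrypted copy available should a decryptor appear later.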
Additional Data Recovery programs to recover PainLocker encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download Data Recovery Pro (commercial).
- Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Automatic Malware removal tools