SEED LOCKER virus - How to remove

SEED LOCKER is ransomware that uses cryptography to modify the victim’s data so that it cannot be accessed without a special decryptor, which the criminals then sell to the user for money. It is one of the most damaging infections a computer can have, because the consequences are so hard to undo: the only ones who hold the antidote for the virus are its developers. Unfortunately, despite malware experts working extra hard to help victims, the files affected by the SEED LOCKER cryptovirus cannot yet be unlocked for free, because this infection is fairly new and uses strong ciphers.

Emmanuel_ADC-Soft is the malware researcher who discovered SEED LOCKER ransomware and reported it on Twitter a few days ago (February 19th, 2019). According to security professionals, SEED LOCKER might be related to the Everbe 2.0 ransomware family, whose last variant came out around August 2018. This link is not fully confirmed, but it gives some insight into what to expect from the threat. In this article you will find out more about the capabilities and processes of the SEED LOCKER virus, the ways it could have infected your system, how to delete it, and how to potentially restore the files marked with the .seed extension.

What is SEED LOCKER virus

SEED LOCKER virus is categorized as ransomware, which means that the main idea behind this type of malware is to make the targeted victim’s files inaccessible by encrypting them and then to ask for a payment (ransom) in exchange for the decryptor. This is what all crypto viruses do, just in different ways. SEED LOCKER ransomware can be recognized by a couple of features: a ransom note, which introduces the user to the SEED LOCKER virus and gives further directions on how to get the data back, and the extension appended to the names of compromised files (‘.seed’). If you are still not sure what kind of threat infected your PC, you can use the Crypto Sheriff service, which identifies it for you automatically.

seed locker ransomware ransom note

Right after the SEED LOCKER virus gets inside the machine, it begins various background processes to ensure that antivirus programs will not find it, that it obtains enough authorization to make changes to the system, and that it becomes persistent and stays active even if the user restarts the PC. Very quickly, in only several seconds, the SEED LOCKER threat manages to alter settings in some system folders, scan the computer, detect files that can potentially be targeted (everything except crucial system files) and initiate encryption. This is how every cryptovirus begins its malicious act, e.g. GandCrab, Clop, PEDANT, etc.

As we mentioned before, SEED LOCKER ransomware is believed to be a newer version of the Everbe 2.0 virus, judging from its code. This gives a clue that the cipher SEED LOCKER uses to encrypt the data is probably a combination of AES and RSA. These algorithms are very strong, especially together, which is why there is still no decryptor. Only once the ransomware has finished its malicious job does it present itself to the user, by attaching the ‘.seed’ string to the end of the names of compromised files and dropping the text file ‘!#_How_to_decrypt_files_#!.txt’, which tells the victim what to do next:

>>>>>>>>>>>>>>>>>>>>>> SEED LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<

Hello, dear friend!

1. [ALL YOUR FILES HAVE BEEN ENCRYPTED!]
Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the decryption program.

2. [HOW TO RECOVERY FILES?]
To receive the decryption program write in our e-mail: [email protected] or [email protected] And in subject write your ID:

3. [FREE DECRYPTION!]
Free decryption as guarantee.
We guarantee the receipt of the decryption program after payment. To believe, you can give us up to 3 files that we decrypt for free. Files should not be important to you! (databases, backups, large excel sheets, etc.)

>>>>>>>>>>>>>>>>>>>> SEED LOCKER <<<<<<<<<<<<<<<<<<<<<<<<<<<

As you can tell from the ransom note, in order to learn how much you need to pay and in which cryptocurrency (chosen for anonymity), you must write to the crooks’ email. Typically, decryption is not cheap and can cost from a few hundred dollars up to a few thousand. Even though the SEED LOCKER ransom note offers to prove that they can unlock your data if you send them 3 files, we still suggest you not do that, since they can end up manipulating you further, or taking the money and not giving you the full decryptor. What you should do instead is remove this horrible virus first, and then try recovering data from backups or by the other methods discussed below.
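A read-only PowerShell triage script, added here as an example rather than taken from the article, that inventories the files renamed with the .seed extension and the dropped note named above, so the scope and timing of the encryption are known before removal and recovery begin. The scan root C:\Users is an assumption; point it at whichever drive was affected.

```powershell
# Added triage example, not code from the article: inventory files renamed with the
# .seed extension and the dropped ransom note so you can see how far the encryption
# reached and when it ran, before starting removal and recovery. Changes nothing.
param(
    [string]$Root      = 'C:\Users',                         # assumption: scan user profiles
    [string]$Extension = '.seed',                            # extension named in the article
    [string]$NoteName  = '!#_How_to_decrypt_files_#!.txt'    # note file named in the article
)

# One recursive listing; -Force includes hidden files, locked paths are skipped.
$all       = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($all | Where-Object { $_.Extension -eq $Extension })
$notes     = @($all | Where-Object { $_.Name -eq $NoteName })

if ($encrypted.Count -eq 0) {
    Write-Output "No $Extension files found under $Root."
    return
}

# Encryption runs as a burst of writes, so the first and last LastWriteTime of the
# renamed files bound the window in which the ransomware was active on this machine.
$byTime = @($encrypted | Sort-Object LastWriteTime)
Write-Output ("Encrypted files: {0}" -f $encrypted.Count)
Write-Output ("First write    : {0}" -f $byTime[0].LastWriteTime)
Write-Output ("Last write     : {0}" -f $byTime[-1].LastWriteTime)
Write-Output ("Ransom notes   : {0}" -f $notes.Count)

# 'report.docx.seed' has BaseName 'report.docx', so the inner extension tells you
# which data types were targeted.
Write-Output "`nOriginal extensions hit:"
$encrypted |
    ForEach-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant() } |
    Group-Object |
    Sort-Object Count -Descending |
    ForEach-Object { Write-Output ("  {0,6}  {1}" -f $_.Count, $_.Name) }

# Directories with the most renamed files, to scope what needs restoring.
Write-Output "`nMost affected directories:"
$encrypted |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 10 |
    ForEach-Object { Write-Output ("  {0,6}  {1}" -f $_.Count, $_.Name) }

# Where the note was dropped; keep these copies as evidence rather than deleting them.
Write-Output "`nRansom note locations:"
$notes | ForEach-Object { Write-Output ("  {0}" -f $_.FullName) }
```

Save it as a .ps1 file and run it with `-Root D:\` to inventory another drive.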

Dissemination of SEED LOCKER ransomware

SEED LOCKER ransomware can enter your system in many ways, but most likely it arrives through malspam, in other words a socially engineered email carrying a malicious installer. That email can be camouflaged to look like a regular message you deal with every day, for example an invoice, someone’s resume or request, an e-card, a greeting, customer feedback or a newsletter, or something more serious, such as a letter from the government, important records from the hospital, or a statement from someone’s lawyer. Typically these phishing emails are short and intrigue you in some way that makes you want to open the .doc or .pdf attachment (it can also be a link that initiates an automatic SEED LOCKER virus download) for more information, which ends up being the reason you get infected.

Once you open the malicious document, it says that you must enable Macros in order to see the content inside, which means that the crooks have hidden SEED LOCKER ransomware inside the legitimate Macros feature, and it is released as soon as you give your permission. A few moments after you click ‘Enable’, you’ll notice that all your files are compromised, and it happens so fast that there is no time to stop the infection. The way to prevent all of this is to invest your time in learning how to spot phishing and the other techniques that allow you to avoid crypto viruses.

Remove SEED LOCKER virus and restore your files

Clearing your computer of SEED LOCKER ransomware and its damage requires a couple of steps, which must be taken in the right order or else your data will get re-encrypted irreversibly. You cannot begin file recovery while the virus is still active, therefore the very first action must be eliminating the SEED LOCKER cryptovirus. For that, we suggest trying the Spyhunter anti-spyware tool. Run a free scan with it (or take a look at the full list of tools) and see which one works best for you, then proceed with the removal just as the application instructs. These security products are trustworthy and sophisticated malware hunting and termination tools designed to take care of any sort of infection, even SEED LOCKER ransomware.

Fully removing the SEED LOCKER cryptovirus from your compromised computer does not, unfortunately, mean that the files will be unlocked too. At the moment there is no official decryptor released for this ransomware, which is why we cannot promise a successful recovery of your files. Users who back up their data are lucky, because all the files that have been snapshotted can be recovered very easily, as we show in the instructions below. Sadly, most people only start worrying about backing up files after the infection, and are therefore left with few options for recovery. If you are in the latter group, we advise you to simply keep your locked data stored until an official decryptor comes out, or to try the file recovery programs mentioned at the end of the article, or restoring from Shadow Copies.

Automatic Malware removal tools

Download Spyhunter for Malware detection (Win)

Download Combo Cleaner for Malware detection (Mac)

How to recover SEED LOCKER virus encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer into Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start > Shutdown > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen, then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before the .seed ransomware infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Seed ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to the SEED LOCKER virus. You can check other tools here.

Step 3. Restore .seed ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Seed ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using the native Windows Previous Versions feature, or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
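An added PowerShell example, not from the article and not Shadow Explorer’s own code, that performs the check a practitioner wants before relying on this step: it lists whichever shadow copies survived via the Win32_ShadowCopy class, then exposes the newest one through a directory symlink and copies a single file out, which works when no third-party tool can be installed. The mount point, recovery folder and sample file path are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the article: check whether Volume Shadow Copies survived
# and, if so, expose the newest one through a directory symlink so individual files can
# be copied out. Requires an elevated prompt (mklink). Paths below are assumptions.
$RecoverTo  = 'C:\recovered'                       # assumption: where copies are written
$MountPoint = 'C:\shadow_latest'                   # assumption: symlink name
$Sample     = 'Users\Public\Documents\report.docx' # assumption: volume-relative path to restore

# Map volume GUID paths to drive letters so the snapshot list is readable.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

# Win32_ShadowCopy is what vssadmin enumerates; an empty result means the snapshots
# are gone (ransomware commonly deletes them) and this recovery method is out.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies present on this machine; move on to the next recovery method.'
    return
}

Write-Output 'Available shadow copies (oldest first):'
foreach ($s in $shadows) {
    $drive = ($volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }).DriveLetter
    Write-Output ('  {0}  {1}  {2}' -f $s.InstallDate, $drive, $s.DeviceObject)
}

# Newest snapshot; pick an earlier index instead if this one post-dates the encryption,
# because a snapshot taken after the attack contains the encrypted files too.
$latest = $shadows[-1]

# mklink needs a trailing backslash on the shadow device path to expose it as a directory.
cmd /c mklink /d "$MountPoint" "$($latest.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $RecoverTo -Force | Out-Null
    $src = Join-Path $MountPoint $Sample
    if (Test-Path -LiteralPath $src) {
        # Copy, never move: the snapshot stays intact for further recovery.
        Copy-Item -LiteralPath $src -Destination $RecoverTo
        Write-Output "Recovered $Sample from the snapshot of $($latest.InstallDate) into $RecoverTo"
    } else {
        Write-Output "$Sample is not in that snapshot; try an older one."
    }
}
finally {
    # rmdir on a directory symlink removes only the link; the snapshot is untouched.
    cmd /c rmdir "$MountPoint" | Out-Null
}
```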

Step 4. Use Data Recovery programs to recover SEED LOCKER virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try it:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files (for example, Data Recovery Pro).
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.