VHDLocker Ransomware - How to remove

VHDLocker crypto-virus acquired its name from its habit of gathering the victim's files into a VHD (a.k.a. Virtual Hard Disk). This variant does not seem to see any need for an encryption algorithm in order to gain leverage over the user: collecting all of the files in one container and locking it with a hard-to-crack password appears to be enough for the creators of VHDLocker virus. The Virtual Hard Disk, which ends up holding your precious files, is sealed with BitLocker. If you think that the hackers would be sloppy enough to move files to a new location but leave the original copies in their former folders, you are severely mistaken: after VHDLocker virus hides data from the victim, it removes the files from their former locations. Naturally, once the main objectives of the infection have been carried out, users are asked to make a bitcoin transaction to obtain the password that unlocks the VHD. In our opinion, paying the ransom is a misguided action that will only pour your money down the drain, since there is a chance of never receiving the key you need.

Schemes that VHDLocker ransomware undertakes

Everything that VHDLocker ransomware does serves a single purpose: increasing the crooks' chances of profit. The actions that VHDLocker virus takes before actually locking the files are expected to match those of any other member of the ransomware class. As soon as the main payload starts running on the victim's device, it establishes its foothold: it modifies the victim's Windows Registry keys so that the payload is loaded again after every reboot. Since this lets the malicious executable run in the background unnoticed, VHDLocker virus will then either contact its C&C server or proceed straight to moving files into a Virtual Hard Disk. Before that, it has to scan the infected system and decide which files should no longer be found in their original locations.

As the fee for the password to your files, it requires victims to send 0.5 BTC (approximately 559.01 US dollars) to the listed bitcoin wallet. We strongly urge people to bear in mind that this is not an action we could possibly support: it is an impractical course of action. Surprisingly, a Gmail address is listed as a contact: [email protected] or [email protected]. Victims have to write to the crooks who developed VHDLocker ransomware and inform them that the ransom has been paid. If the victim's claim checks out, they will allegedly receive the BitLocker password for the locked files. All of this is also explained in the ransom note, which is left behind as a text file named PLEASE READ.txt.
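The two behaviours described in this section, an autostart entry in the Run keys and a freshly created, BitLocker-sealed VHD, can be checked for directly. The following triage script is an added example, not code from the original article: the 7-day window, the "suspicious path" pattern and the drive being scanned are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article: quick triage for an autostart entry
# in the Run/RunOnce keys and for a recently created VHD/VHDX container. The 7-day window
# and the "suspicious path" pattern are assumptions for illustration. Run elevated.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Autostart entries: a launcher living in a user-writable folder deserves a second look
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip the registry provider's metadata
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Suspicious = [bool]($p.Value -match '\\(AppData|Temp|ProgramData|Users\\Public)\\')
        }
    }
}
Write-Host '== Autostart entries =='
$autostart | Format-Table -AutoSize

# 2. VHD/VHDX files created recently anywhere on the system drive
$since = (Get-Date).AddDays(-7)
Write-Host "== VHD/VHDX containers created since $since =="
Get-ChildItem -Path "$env:SystemDrive\" -Include *.vhd, *.vhdx -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Select-Object FullName, Length, CreationTime |
    Format-Table -AutoSize

# 3. BitLocker state of every mounted volume; an attached VHD shows up here as its own volume
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Write-Host '== BitLocker status of mounted volumes =='
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus, LockStatus |
        Format-Table -AutoSize
}
```

A Run entry flagged as suspicious together with a new VHD whose volume reports a locked BitLocker status is the combination this article describes; either finding alone is worth investigating before restoring from backup.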

How to access data that VHDLocker virus places in a Virtual Hard Disk?

Analysts have not yet come up with a way to help victims of VHDLocker virus. For the time being, they will have to sit tight and wait until an appropriate course of action is worked out. If you are even remotely considering paying the demanded ransom, you are being misled by the crooks. By transferring 0.5 BTC, you will only provide financial support to the criminals; sadly, hackers are not people who follow notions of honor, and they may abandon victims once the money has been sent. We know that paying can sound like an easy way out, but we hope that you will resist this temptation. Otherwise, the parade of ransomware will never end. Many people want to know what they can do to preserve their data. It is recommended to keep files in multiple locations, for example on your computer and on a separate hard drive.

Dissemination of VHDLocker ransomware

VHDLocker virus can reach you if you open a malicious letter in your email account. Such messages traditionally carry an attachment that could be any type of file. By downloading it without checking with a more reliable source, you are basically inviting ransomware to take hold of your device. Until you are convinced that the letter you received is legitimate, do not download the files it offers. Additionally, you should not visit just any website: some of them might be under the influence of exploit kits. However, sometimes it is simply a matter of luck whether you end up jeopardized by malware. To make sure that such a scenario does not play out, you should install a reliable anti-malware tool so that you can run regular scans and find out the security state of your device. Spyhunter or Malwarebytes will certainly do one heck of a job in removing malware from your device. Information about other possible ways of treating your device can be found below.

How to recover VHDLocker Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before VHDLocker virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of VHDLocker Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to VHDLocker virus. You can check other tools here.

Step 3. Restore VHDLocker Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually VHDLocker virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
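The same recovery can be done with built-in tools, which also tells you immediately whether any shadow copies survived. The script below is an added example, not code from the original article or from Shadow Explorer: it lists the snapshots of C:, exposes the newest one through a temporary directory symlink, and copies one file out of it. The file path and symlink location are assumptions, and it needs an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article: list the Volume Shadow Copies of C:
# and pull one file out of the newest snapshot with built-in tools only. $target and
# $mount are assumed paths; run from an elevated PowerShell prompt.
$target = 'C:\Users\Public\Documents\report.docx'   # assumed path of a file that disappeared
$mount  = 'C:\shadow_newest'                          # temporary symlink to the snapshot

# Win32_ShadowCopy lists every snapshot; match them to C: through the volume GUID path
$volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = 'C:'").DeviceID
$shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning 'No shadow copies left on C: (the ransomware may have deleted them); try Step 4 instead.'
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Expose the newest snapshot as a directory symlink so ordinary file tools can read it;
# the trailing backslash after DeviceObject is required by mklink
$newest = @($shadows)[0]
if (Test-Path $mount) { cmd /c rmdir $mount }
cmd /c mklink /d $mount "$($newest.DeviceObject)\" | Out-Null

# Re-root the target path inside the snapshot and copy it next to the original location
$inShadow = Join-Path $mount ($target.Substring(3))    # drop the leading "C:\"
if (Test-Path -LiteralPath $inShadow) {
    Copy-Item -LiteralPath $inShadow -Destination "$target.recovered"
    Write-Host "Recovered copy written to $target.recovered"
} else {
    Write-Host "File not present in the snapshot taken $($newest.InstallDate)"
}

cmd /c rmdir $mount     # removes only the symlink; the snapshot itself is untouched
```

Because only the link is removed at the end, the snapshot stays available for the Previous Versions dialog or Shadow Explorer afterwards.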

Step 4. Use Data Recovery programs to recover VHDLocker Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.