How to delete .lock ransomware

.lock ransomware is malware that encrypts files, and comes from the Dharma malware family. This version can be differentiated by the .lock file extension added to encrypted files. It shows a pop-up ransom note and drops a FILES ENCRYPTED.txt note.



.lock ransomware is file-encrypting malware that comes from the notorious Dharma family. The Dharma gang has released many ransomware versions, including GLB, SUKA, Cvc, ZIN, World, SWP, and Dex. This version adds .lock to encrypted files, which is why it’s known as Lock ransomware. It’s a dangerous piece of malware because it encrypts files and their decryption is not always possible. Once files are encrypted, users will not be able to decrypt files until they obtain a decryptor, which the cyber crooks behind this ransomware will try to sell to victims. The process of obtaining the decryptor is explained in the pop-up ransom note. Victims are asked to send an email to or to get detailed information on how to get the decryptor. It involves paying a ransom, though the sum is not mentioned in the ransom note.

Whatever the ransom sum is, it’s not recommended to pay because there are no guarantees that a decryptor will be sent to users. The cyber crooks behind this ransomware can just take the money and not send the decryptor, seeing as they are unlikely to feel obligated to help users. Countless users in the past have paid but not received the decryptor, so users should be aware of the risks. Unfortunately, users who don’t have a backup don’t have a lot of options left. Waiting for a free decryptor to become available is an option, as malware researchers are sometimes able to release free decryptors in order to help users. However, it’s not always possible, and while a free decryptor for Dharma is available, it will not work on .lock ransomware. Users who are out of options should back up the encrypted files and occasionally check NoMoreRansom for a free decryptor.

If users have a backup, they should have no issues with recovering files. However, users should first make sure they fully remove .lock ransomware from the computer. Backed up files would become encrypted as well if the ransomware was still present when users accessed their files.

How does ransomware infect a computer?

Users who end up with encrypted files often wonder how ransomware managed to enter the computer in the first place. It’s usually the result of bad habits, such as opening an unsolicited email attachment, downloading pirated content via torrents, not installing updates, and clicking on ads when on high-risk websites.

Spam emails are one of the most common ways users pick up ransomware. Malicious actors buy thousands of leaked email addresses from hacker forums and launch huge malspam campaigns. All users need to do to infect their computers is open the email attachment. Fortunately, the majority of these malspam emails will be quite obvious. They contain loads of grammar and spelling mistakes, which are the classic signs that something is not right with the email. The emails are also often sent from email addresses that are very obviously spam because they’re made up of random letters and numbers. They also pressure users to open the email attachment by claiming they’re important files that need to be reviewed. Some malspam emails will be more obvious than others, which is why we highly recommend users scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.

Malware, including ransomware, can often be spotted in torrents as well, especially in torrents for popular content. Torrent sites are not properly regulated, which allows cyber crooks to easily upload something malicious. It’s not uncommon for malware to be present in torrents for popular movies, TV shows, games, software, etc., so users who pirate are at increased risk of infecting their computers with something malicious.

How does the ransomware behave?

When .lock ransomware enters a computer, it will immediately start encrypting files. As is usual for ransomware, it targets personal files, including photos, videos and documents. Once the files are encrypted, users will notice that they have .[].lock attached to them. The file extension will also include users’ unique IDs, so image.jpg would become image.jpg.unique ID.[].lock. All files with that extension will be unopenable, unless they are first decrypted. However, to decrypt them, users first need to obtain the decryptor. To do that, contacting the cyber crooks is necessary.

The ransomware drops a FILES ENCRYPTED.txt ransom note and shows a pop-up one, and both contain the contact email addresses victims would need to contact the cyber crooks. The emails are and Presumably, users would be informed how much they would need to pay for the decryptor if they send the email, as it’s not mentioned in the ransom notes. But whatever it may be, paying is not recommended as the decryptor is not guaranteed, seeing as users are dealing with cyber criminals. Furthermore, paying only encourages the cyber crooks to continue their malicious activities.
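As an added example (not part of the original article), the Python script below inventories a folder tree for the renaming pattern and the FILES ENCRYPTED.txt note described above, so affected files can be counted and copied aside before restoring from backup. The shape of the ID token and the placeholder names in the demo are assumptions; the contact address is not shown on this page, so the pattern accepts any bracketed text.

```python
import os
import re
import tempfile
from pathlib import Path

# Scheme from the article: <original name>.<unique ID>.[<contact>].lock
# Assumption: the ID has no dots or brackets; any bracketed contact is accepted.
LOCK_NAME = re.compile(r"^(?P<orig>.+)\.(?P<vid>[^.\[\]]+)\.\[[^\]]*\]\.lock$")
NOTE_NAME = "FILES ENCRYPTED.txt"  # ransom note file name given in the article


def parse_locked_name(filename):
    """Return (original_name, victim_id) for a renamed file, else None."""
    m = LOCK_NAME.match(filename)
    return (m.group("orig"), m.group("vid")) if m else None


def inventory(root):
    """Walk root and sort files into encrypted, ransom notes and untouched."""
    report = {"encrypted": [], "notes": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = str(Path(dirpath) / name)
            parsed = parse_locked_name(name)
            if parsed:
                report["encrypted"].append((path, parsed[0], parsed[1]))
            elif name.lower() == NOTE_NAME.lower():
                report["notes"].append(path)
            else:
                report["clean"].append(path)
    return report


def demo():
    """Build a constructed sample tree (not real data) and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        # Constructed names; the ID and contact values are placeholders.
        for name in ("image.jpg.EXAMPLE-ID.[contact-placeholder].lock",
                     "report.final.docx.EXAMPLE-ID.[contact-placeholder].lock",
                     "FILES ENCRYPTED.txt", "notes.lock", "untouched.txt"):
            (docs / name).write_bytes(b"")
        return inventory(tmp)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, len(items))
```

A file such as notes.lock that merely ends in .lock is reported as clean, because it lacks the ID and bracketed contact parts of the pattern.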

Here is the ransom note dropped by this ransomware:

Don’t worry,you can return all your files!
If you want to restore them, follow this link:email YOUR ID –
If you have not been answered via the link within 12 hours, write to us by
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

.lock ransomware removal

It’s highly recommended to use anti-virus software to delete .lock ransomware because it’s a complicated malware infection. If users who don’t know what they’re doing try to remove .lock ransomware manually, they may end up doing even more damage. And once the ransomware is gone, users can start file recovery from backup.

.lock ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by AVG/Avast
  • Trojan.Ransom.Crysis.E by BitDefender
  • Ransom.Crysis by Malwarebytes and Symantec
  • Ransom.Win32.CRYSIS.SM by TrendMicro
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan.Ransom.Crysis.E (B) by Emsisoft
  • by Kaspersky
  • Ransom-Dharma!E1D312B7E14E by McAfee