ProLock Ransomware

What is ProLock Ransomware?

If you use remote access tools, you have to make sure that no vulnerabilities exist because ProLock Ransomware is one of the many infections that could exploit them for unauthorized access. This kind of malware cannot invade operating systems that are guarded. Unfortunately, many Windows users are pretty lax when it comes to cyber security, and that is why malware is thriving. According to Anti-Spyware-101.com researchers, PwndLocker Ransomware is the predecessor of this dangerous infection, and sadly, the new version is stronger as well. The old version had a bug that allowed victims to decrypt their files, but when the new variant encrypts files, they cannot be recovered manually. In fact, we do not know if they can be recovered at all. Of course, that is not what cybercriminals want you to think. They want you to think that you can purchase a decryptor from them. Instead of wasting your money, we recommend focusing on deleting ProLock Ransomware. To learn more about the infection and its removal, keep reading.

How does ProLock Ransomware work?

ProLock Ransomware is supposed to conceal itself as a .BMP file in %ALLUSERSPROFILE%. “WinMgr.bmp” was the name of the file when we tested the threat, but the name could be different for you. Along with this file, we also found “WinMgr.xml,” “clean.bat,” and “run.bat” files, all of which, of course, had to be removed from the operating system. Ideally, you would remove the files before the infection was fully executed, but since the execution and file encryption processes are silent, you are unlikely to uncover the threat unless a legitimate security tool finds and erases it. During the encryption, the threat scans your system to see which files can be locked. It purposefully avoids all files with .bac, .bak, .bat, .bkf, .chm, .cmd, .dll, .dsk, .hlf, .ico, .inf, .ini, .lng, .lnk, .msi, .set, .sys, .ttf, .vhd, .wbc, .win, and .exe extensions. The files it corrupts (using the RSA-2048 algorithm) it also renames: the “.proLock” extension is appended to all original names. So, for example, a file named “document.pdf” is renamed to “document.pdf.proLock” after encryption. This makes it easy to assess the damage.

Next to the corrupted files, you should find a copy of the “[HOW TO RECOVER FILES].TXT” file that ProLock Ransomware drops. The message inside reads: “No one can help you to restore files without our special decryption tool. To get your files back you have to pay the decryption fee in BTC.” BTC stands for Bitcoin (a form of cryptocurrency) in this message, but the exact sum is not disclosed. You also cannot pay the ransom just by reading the message. First, you either have to visit the attackers’ website via Tor Browser and log in with the provided ID, or you have to send a message to support981723721@protonmail.com. Whichever path you choose, the attackers will demand money from you, and no one can guarantee that you will get a decryptor in the end. This is the greatest scam because your files are truly encrypted, and only the attackers have the decryptor, but no one can force them to give it to you after you pay the ransom. We hope that you have backups/copies of your personal files stored somewhere safe and that you can use them as replacements after you remove ProLock Ransomware.
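The two paragraphs above give enough detail to write a small read-only triage script: the list of extensions the threat leaves alone, the “.proLock” suffix it appends, the ransom note name it drops next to encrypted files, and the artifact names we saw in %ALLUSERSPROFILE%. The script below is an added example written for this article, not a tool from the researchers or from any vendor; it encodes those facts, builds a constructed sample folder in a temporary directory, and counts what it finds without deleting anything. The folder layout, file names such as “report.docx.proLock”, and the lowercase extension comparison (Windows file names are case-insensitive) are assumptions made for the demo.

```python
"""Triage helper for the ProLock indicators described in this article.

Added example, not the article's own tooling. It encodes the text's facts: the
extensions ProLock skips, the ".proLock" suffix it appends, the ransom note
"[HOW TO RECOVER FILES].TXT" dropped next to encrypted files, and the artifact
names "WinMgr.bmp", "WinMgr.xml", "clean.bat", "run.bat" seen in
%ALLUSERSPROFILE%. The sample tree in build_sample_tree() is constructed for
the demo; real artifact names may differ, as the article notes.
"""
import os
import tempfile
from pathlib import Path

# Extensions the article lists as deliberately left alone by the encryptor.
SKIPPED_EXTENSIONS = {
    ".bac", ".bak", ".bat", ".bkf", ".chm", ".cmd", ".dll", ".dsk", ".hlf",
    ".ico", ".inf", ".ini", ".lng", ".lnk", ".msi", ".set", ".sys", ".ttf",
    ".vhd", ".wbc", ".win", ".exe",
}
ENCRYPTED_SUFFIX = ".proLock"
RANSOM_NOTE = "[HOW TO RECOVER FILES].TXT"
# Names seen in %ALLUSERSPROFILE% during the article's test; may vary per sample.
DROPPER_ARTIFACTS = {"WinMgr.bmp", "WinMgr.xml", "clean.bat", "run.bat"}


def would_be_targeted(name: str) -> bool:
    """True if a file with this name falls outside the article's skip list.

    Assumption: extensions are compared case-insensitively, as on Windows.
    """
    if name.endswith(ENCRYPTED_SUFFIX):
        return False  # already renamed; nothing further to encrypt
    return Path(name).suffix.lower() not in SKIPPED_EXTENSIONS


def original_name(encrypted_name: str):
    """Undo the rename: 'document.pdf.proLock' -> 'document.pdf', else None."""
    if encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(root: Path, allusersprofile: Path) -> dict:
    """Walk a tree and count the article's indicators; modifies nothing."""
    report = {"encrypted": 0, "ransom_notes": 0, "untouched_skipped": 0,
              "dropper_artifacts": []}
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == RANSOM_NOTE:
                report["ransom_notes"] += 1
            elif f.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"] += 1
            elif not would_be_targeted(f):
                report["untouched_skipped"] += 1  # e.g. .exe/.ini left alone
    for artifact in sorted(DROPPER_ARTIFACTS):
        if (allusersprofile / artifact).exists():
            report["dropper_artifacts"].append(artifact)
    return report


def build_sample_tree(base: Path) -> tuple:
    """Constructed layout mimicking a post-encryption folder and %ALLUSERSPROFILE%."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    for n in ("report.docx.proLock", "photo.jpg.proLock", "setup.exe",
              "config.ini", RANSOM_NOTE):
        (docs / n).write_text("constructed sample")
    sub = docs / "Projects"
    sub.mkdir()
    (sub / "notes.txt.proLock").write_text("constructed sample")
    (sub / RANSOM_NOTE).write_text("constructed sample")
    profile = base / "ProgramData"  # stands in for %ALLUSERSPROFILE%
    profile.mkdir()
    for n in ("WinMgr.bmp", "run.bat"):
        (profile / n).write_text("constructed sample")
    return docs, profile


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, profile = build_sample_tree(Path(tmp))
        return triage(docs, profile)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would point `triage()` at the user's profile and at `%ALLUSERSPROFILE%` instead of the constructed tree; the counts tell you how far the encryption got and whether the dropper files are still present, and `original_name()` gives you the pre-encryption file names to match against your backups.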

How to delete ProLock Ransomware

Even if you can successfully follow the manual ProLock Ransomware removal instructions below, we advise that you look into installing trusted anti-malware software. This software is built to automatically delete malicious infections with all of their components. Furthermore, it is built to secure you, which you clearly need. Unfortunately, if one infection has managed to slither into your operating system, there is no telling when the next infection could attack. In fact, less noticeable, hidden infections could already exist within your operating system. Due to this, our strong recommendation is that you install legitimate anti-malware software immediately. Whichever ProLock Ransomware removal method you choose, your files will not be restored. At the time of research, free decryptors could not help either. Your only hope lies in backups/copies of personal files. Hopefully, you have copies stored somewhere safe. If you want to use the system restore point feature, note that the infection deletes shadow volumes.

Removal Instructions

  1. Delete every copy of [HOW TO RECOVER FILES].TXT (placed next to encrypted files).
  2. Simultaneously tap Win and E keys to launch File Explorer.
  3. Type %ALLUSERSPROFILE% into the field at the top and tap Enter.
  4. Delete the files named WinMgr.xml, WinMgr.bmp, clean.bat, and run.bat (names could be different).
  5. Exit File Explorer and then Empty Recycle Bin.
  6. Install and run a trusted malware scanner to check whether or not there is anything else to remove.