StalinLocker Wiper

What is StalinLocker Wiper?

StalinLocker Wiper is a nasty malicious application categorized as ransomware. Even though it belongs to this category of malware, it differs considerably from ransomware infections that encrypt users’ files to obtain money, because it does not lock a single file on the affected machine. Instead, once executed, it places a window with a picture of Stalin over the Desktop and, by doing so, locks it completely. As a consequence, users cannot perform any activities on their PCs or access their programs and files. This is only one of the two activities StalinLocker Wiper performs on affected computers. If you do not unlock your screen or disable the ransomware infection within 10 minutes, this threat will delete almost all files from your computer, including those considered system files. As a consequence, your computer might not even boot anymore. This explains why StalinLocker Wiper is often referred to as a data wiper.

What does StalinLocker Wiper do?

Specialists say that it should be possible to unlock the screen locked by StalinLocker Wiper by entering the unlock code, which can be derived by subtracting the date of the establishment of the Soviet Union (1922.12.30) from the current date, i.e. the date when the ransomware infection was launched, so you should try to do this ASAP. Remember, you have only 10 minutes to enter the correct code. At the time of analysis, it was impossible to purchase the unlock code from the cyber criminals behind it, but new versions might offer users the option to buy it. You will need to make the final decision yourself, but we would rather erase the ransomware infection from the system than transfer money to cyber criminals. Of course, the removal of ransomware infections is usually quite complicated.

It is impossible not to notice that StalinLocker Wiper has entered the system because it opens a screen-locking window with a Stalin portrait and a Russian quotation taken from a book about the Soviet Union. There is a small window at the bottom – you need to enter the unlock code here. Alternatively, you can disable the ransomware infection and thus prevent it from wiping your computer. Unfortunately, we cannot promise that its removal will be a piece of cake because it has more than one component. As research has shown, it drops stalin.exe, which is a copy of StalinLocker Wiper, to %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data). So that it could launch this file automatically, it also creates an entry in the Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) pointing to it. Also, it tries to create a scheduled task, but, luckily, it fails to do so. Finally, if StalinLocker Wiper is the one you have encountered, you should also find a file named fl.dat in %LOCALAPPDATA%. It stores the time left for entering the unlock code. Researchers say that next to applying modifications in the system registry and creating new files, it should also disable Windows Explorer and Task Manager. As you can see, it is quite a sophisticated malicious application that might be extremely hard to remove.

Where does StalinLocker Wiper come from?

Since you already know how StalinLocker Wiper acts, we should now talk about its distribution. To tell you the truth, we cannot tell you anything new – it is distributed using good old malware distribution methods. In other words, it might be spread as an attachment in spam emails. Alternatively, it might easily slither onto computers through unsecured RDP connections. Theoretically, it might be possible to download malicious software from dubious file-sharing websites too, so, from now on, you should download applications from 100% reliable sources only, e.g. their official websites. Our security specialists say that users should not browse the Internet without a reputable security application active on their systems, so we highly recommend that you install security software on your system too.

How to delete StalinLocker Wiper

You have 10 minutes to remove StalinLocker Wiper from your computer. If you succeed, it will not be able to delete any files from your system. To be able to erase this threat, you need to unlock the screen first. You can do this by entering the correct unlock code, or, alternatively, you can boot into Safe Mode. Once you can access your Desktop, you will have to remove all malicious components of the ransomware infection. Do not leave a single file representing StalinLocker Wiper active!

Remove StalinLocker Wiper

  1. Enter the unlock code (subtract 1922.12.30 from the date of launching StalinLocker Wiper) or boot into Safe Mode.
  2. Press Win+R.
  3. Type regedit in the box and click OK.
  4. Move to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  5. Locate the Shell Value and double-click on it.
  6. Enter explorer.exe in the Value data field and click OK.
  7. Access HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  8. Right-click anywhere on the window and select New.
  9. Click DWORD Value.
  10. Create a new Value with a name DisableTaskMgr and Value data 0.
  11. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  12. Delete the Value named Stalin.
  13. Close Registry Editor and open Windows Explorer.
  14. Remove stalin.exe and fl.dat from %LOCALAPPDATA% and %USERPROFILE%\Local Settings\Application Data.
  15. Remove all suspicious files downloaded recently.
  16. Empty Trash.
  17. Scan your system with a diagnostic scanner to check whether all malicious components have been removed.
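
To confirm that the steps above left nothing behind, the following read-only PowerShell check looks for each artefact this guide names. It is an added example, not a tool from the original guide; the function name Get-StalinLockerArtifact is illustrative, and the script changes nothing on the system.

```powershell
# Added example: read-only audit of the StalinLocker Wiper artefacts listed in this guide.
# Get-StalinLockerArtifact is a hypothetical name; nothing is modified or deleted.
function Get-StalinLockerArtifact {
    # Steps 11-12: autostart value named "Stalin" in the Run key
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Stalin' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Location = $runKey; Detail = "Value 'Stalin' = $($run.Stalin)" }
    }

    # Steps 4-6: the Winlogon Shell value should be explorer.exe
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    if ("$shell".Trim() -ne 'explorer.exe') {
        [pscustomobject]@{ Location = $winlogon; Detail = "Shell = '$shell'" }
    }

    # Steps 7-10: Task Manager is disabled when DisableTaskMgr is non-zero
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $taskMgr = (Get-ItemProperty -Path $policy -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($taskMgr) {
        [pscustomobject]@{ Location = $policy; Detail = "DisableTaskMgr = $taskMgr" }
    }

    # Step 14: dropped files in both profile locations the guide mentions
    $dirs = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Local Settings\Application Data'))
    foreach ($dir in $dirs) {
        foreach ($name in 'stalin.exe', 'fl.dat') {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ Location = $path; Detail = 'File present' }
            }
        }
    }
}

# Run the audit; an empty result means none of the listed artefacts were found.
$found = @(Get-StalinLockerArtifact)
if ($found.Count -eq 0) {
    'No StalinLocker Wiper artefacts from this guide were found.'
} else {
    $found | Format-Table -AutoSize -Wrap
}
```

On newer Windows versions, Local Settings\Application Data points to the same folder as %LOCALAPPDATA%, so a file found there can be reported twice.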
