I wrote this article to help you remove Evil Ransomware. This Evil Ransomware removal guide works for all Windows versions.
Evil ransomware has a rather intimidating name. This is probably a scare tactic. The win-locker does not differ from the classic concept of ransomware. The nefarious program encrypts files and demands a ransom to restore them. As the message of the cyber criminals reads, this is “just business”. Hackers make a living by swindling computer users. Evil ransomware encrypts files using a combination of AES-256 and RSA-512 technology. The AES algorithm generates a private key to lock files. The RSA algorithm enciphers the key. The malignant programs targets 65 file formats. This a shot list, compared to the target range of other win-lockers. Still, it covers the most common file types, used to store important data. Evil ransomware appends the suffix .fileOlocked to the names of the encrypted objects.
Other means of entry for the furtive program include bundles and drive-by installations. The bundling method makes use of unlicensed software. The host for Evil ransomware can be a pirated utility, a piece of freeware or shareware. The setup file of the virus will be merged with the executable of the main utility. The win-locker will be included for install as a bonus tool, listed under a fake name. You should never accept to install additional software. The risk is too high. We advise you to read the terms and conditions of all programs you intend to make use of. Extra tools are mentioned in the installation steps. It is best to choose the custom or advanced installation mode to have all options shown.
Drive-by installations occur when you enter a corrupted website. You can access the site directly or get redirected through a compromised link. Evil ransomware will be transferred to your machine through an automatic process. You need to be selective of your sources. If you are not certain whether a given website is reliable, do your research on it. Malicious links can come from different places. Emails, messages, embedded ads are just some examples. Be advised that hackers can break into the accounts of people from your contacts list. If you happen to receive a suspicious link, you should ask the person if he has really sent it. He may not even have the message listed in his history.
Evil ransomware drops four files when it completes the encryption process. Two of them are ransom notes in .txt and .html format. They are both titled HOW_TO_DECRYPT_YOUR_FILES. The third file, background.png, is set as the desktop wallpaper. Its purpose is to make the situation clear to the victim, so that there would be no confusions. It sums up the message from the ransom notes in brief. The last object is list.txt. It informs the victim which files have been encrypted. The developer of Evil ransomware requires people to contact him in order to receive instructions on how to pay the ransom. His email address is firstname.lastname@example.org. His account hints that he is from Kazakhstan. In the email, the sender must list his UID (user ID). Evil ransomware assigns a unique number to each infected device.
We have received confirmation that the cyber criminal asks people to pay in bitcoins. This is the most popular monetary unit for ransom payments. Most ransomware artists choose this cryptocurrency for a certain reason. Bitcoin platforms protect the transaction details. The recipient cannot be tracked down. We do not advise people to pay the owner of Evil ransomware. Hackers are notorious for backing out of agreements. The cyber thief could collect the payment and never respond again. Even if you do have your files decrypted, there is no guarantee that Evil ransomware will be removed from your machine for good. The win-locker could be reactivated and launch another attack in time. The best course of action is to delete the virus and restore your files on your own, if possible.
Evil Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Evil Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Evil Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs: