PassLock ransomware

PassLock ransomware – a cyber virus that alters Windows OS settings while seeking to encrypt files

PassLock virus
PassLock ransomware – malware that can get delivered through hacked RDPs, email spam and their malicious attachments, p2p networks

PassLock virus
PassLock ransomware – malware that can get delivered through hacked RDPs, email spam and their malicious attachments, p2p networks

PassLock ransomware, found by S!Ri,[1] is claimed to be a serious cyber infection that targets English-speaking users who employ Windows computers. The malware starts with altering the Windows Registry and Task Manager sections. When new malicious processes and registry keys are added to those locations, including the main PassLock.exe process, the virus is able to lock up all files that are discovered on the infected device. The encryption process begins when launching the AES-256 cipher and targetting all types of files and documents that are found on the infected Windows machine.

When PassLock ransomware finishes the encryption process, it applies the .encrypted appendix to each filename in order to mark its activity. When all files are renamed, the malware loads a pop-up message that provides the victims with information on what has just happened. The note claims that the ransomware virus has locked up all files and you can only restore them from a backup. However, this ransom message is not a regular ransom-demanding note as it does not provide any information on the fee that needs to be paid for receiving the decryption software.

Crooks are likely to scare the victims and leave them with no choice of file recovery. They claim that the files should be deleted from the infected device as they only take space. Also, hackers state that the victims are free to get rid of the virus now. However, if you are ever provided with any type of ransom demand by PassLock virus, you should not agree to pay any monetary fee as there is a big risk of getting scammed by criminals.

Name PassLock ransomware
Category Ransomware/malware
Encryption This malicious cyber infection performs the encryption process on all types of files, including photos, audios, videos, databases, word documents, etc. The malware uses the AES-256 cipher to lock up all the data that is found on the infected Windows computer system. Afterward, the .encrypted appendix gets attached to each filename
Related file When the ransomware virus enters the computer system, it brings the PassLock.exe executable that has been detected as malicious and unsafe by 50 different AV tools, according to VirusTotal
Message PassLock ransomware virus provides a pop-up window that introduces the victims to what had just happened. Users are threatened that there is no way to restore the locked files unless they own backups
Distribution The malware often escapes to different computer systems through p2p networks such as The Pirate Bay, hacked RDP that includes weak configuration, and email spam messages that hold malicious attachments or infectious hyperlinks
Removal If you have been dealing with the cyber threat lately, you should get rid of it ASAP. Employ reliable antimalware software that can help you to terminate the virus properly
Fix If you have discovered any compromised or damaged areas on your Windows device, you can try repairing them with the help of Reimage Reimage Cleaner
Data recovery Rather than taking any risks and paying demanded ransoms, you should try other data recovery alternatives that have been included to the end of this article 

According to VirusTotal,[2] PassLock ransomware and has been detected through its main malicious payload – the PassLock.exe executable. 50 different types of antivirus programs have spotted this malware string. Some of the detection names include Win32:Malware-gen, Generic.Ransom.Small.00188FAB, Malware@#3881l2isic0n1, Mal/Generic-S, etc.

Even though PassLock ransomware does not provide any particular ransom demands in the ransom message, you still should be aware of any types of payment requests that cybercriminals might still outline later. Crooks can urge for a ransom price starting anywhere from $50 to $2000 or even more. Also, the sum needs to be transferred in cryptocurrency.

PassLock ransomware
PassLock ransomware is a dangerous cyber threat that can result in the infiltration of other malware such as trojans, spyware, etc.

PassLock ransomware
PassLock ransomware is a dangerous cyber threat that can result in the infiltration of other malware such as trojans, spyware, etc.

Cryptocurrency payments such as Bitcoin,[3] Ethereum, Monero, Litecoin, and others are often required due to the anonymity if the process that is guaranteed while paying in this type of digital currency. If PassLock ransomware developers would urge for a ransom price, they would also want to ensure their anonymity because of illegitimate monetary requirements.

Even though PassLock ransomware does encrypt files and adds the .encrypted extension to the filenames, criminals seem to be more interested in ruing things for the victims by scaring them and not leaving any possibility to get out of this situation. The provided informative message states that there is no way of restoring files if there are no backups available:


Stop, your files have been encrypted!

What happened?
Some of your files have been encrypted. Photos, videos, documents and other files
are not accessible because they have been encrypted with the AES-256 algorithm.
Don’t waste time trying to recover encrypted files because you won’t be able to.
Can I recover my files?
No, you can’t recover your files if you don’t have a backup. The files cannot be decrypted.
You can safely get rid of the virus.
Once deleted, the computer will no longer be infected.
You will never be able to get your original files back if you don’t have a backup.
You can safely delete your encrypted files, they only take up memory.
Your system files have not been damaged.


PassLock ransomware can target any types of files such as videos, audios, photos, powerpoints, word document, excel sheets, etc. When all of these components get locked, criminals often store both encryption and decryption keys on remote servers that are only accessible for the owners themselves.

Some file-encrypting cyber threats seek to harden the data recovery process by eliminating the Shadow Volume Copies of encrypted documents and PassLock ransomware might also not be an exception. It might run specific PowerShell commands and prevent the victims from employing file restoring software that requires safe Shadow Copies.

In addition, PassLock ransomware might be programmed to act as a backdoor for other malware infiltration. The ransomware might be able to disable antivirus protection on the Windows device and let various parasites such as trojans, worms, spyware, bots, or other ransomware virus settle on the vulnerable computer system.

You can avoid this type of consequence by rushing the PassLock ransomware removal. You need to take action against the malware as soon as you see the locked files and spot the criminals’ provided message. Beware that using automatic antimalware software is the only proper option that will help you to complete the process safely.

PassLock ransomware virus

PassLock ransomware virus

However, if you are having some trouble to remove PassLock ransomware from Windows, you should boot your computer in Safe Mode with Networking to diminish all malicious changes on your devices. Afterward, get rid of the parasite and scan for possible machine damage. If you have spotted any altered areas, try repairing them with software such as Reimage Reimage Cleaner .

When PassLock ransomware is gone, it is time to start thinking about your files. Since crooks have left you with no clear possibility of file restoring, there are some alternative techniques that you can try. Go to the end of this page where you will find three different pieces of software that might be capable of recovering some of your files and documents.

Vulnerable RDP configuration is a “game on” for hackers

Technology experts from[4] are warning all users to take more care of their passwords that are securing the RDPs. If the person ads a very weak one or none at all, remote hackers can easily misuse them for pushing malware such as ransomware. It is known that cybercriminals are likely to abuse the TCP port 3389.

Also, ransomware viruses are delivered through email spam messages and the attachments that come clipped to them or the hyperlinks that come included in the note’s content itself. Developers of the malware pretend to be from reliable healthcare, banking, or shipping organizations and falsely ten to deliver some type of crucial information. A piece of advice would be to stay away from any content that you were not expecting to receive recently.

To continue, malware developers often abuse unsecured downloading sources such as p2p networks, i.e. The Pirate Bay, BitTorrent. These places include cracked games, videos, films, and other types of products. Get all of your software and services only from original developers and trustworthy sources, otherwise, you can accidentally download a virtual parasite to your computer system.

Finally, always take care of automatical protection on every electronical device that you are using for browsing the Internet. This included downloading a reliable and effective antimalware program that is capable of scanning the system, protecting from malware infections, and alerting if something wrong is going on. Of course, you need to keep the tool updated if you want it not to run in various flaws.

Automatical PassLock ransomware removal guidelines

You should take care of the virtual parasite as soon as you find it lurking in the computer system. The first signs of infection are encrypted files and a ransom message that comes provided by cybercriminals. When you get hold of such information, you can start performing PassLock ransomware removal. Our point is that you should take this case seriously and employ only trustworthy antimalware software that would be capable of eliminating the ransomware virus.

Remove PassLock ransomware from all of the infected directories of your Windows device. If you are having any trouble with this process, activate Safe Mode with Networking as shown at the end of this article. Also, try using Reimage Reimage Cleaner repair software that might be able to fix all the damage that was done by the cyber threat to your computer system.

When you have wiped out your computer from PassLock ransomware and it is damage-free, you can start thinking about possibilities to recover your files. Below we have provided some restoring software that might be very helpful.

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove PassLock using Safe Mode with Networking

To get rid of malicious changes and deactivate the ransomware infection, turn on Safe Mode with Networking. If you do not know how to opt for this function, take a look at the following instructions.

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete PassLock removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove PassLock using System Restore

To activate the System Restore feature and diminish all malicious changes on your Windows computer, you should follow the below-provided guidelines.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove PassLock from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by PassLock, you can use several methods to restore them:

Using Data Recovery Pro might help to save your files.

Try out this piece of software that might help you to repair some of your encrypted components. Make sure to complete each step as required to reach the best results possible.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by PassLock ransomware;
  • Restore them.

Windows Previous Versions feature might relate in file restoring.

If you use this piece of software for restoring your files, you might reach great results. However, the technique might not work as required if you have not rebooted your machine in System Restore recently.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Employing Shadow Explorer might allow recovering at least some individual files.

If you have been looking for a tool that would help you to restore your encrypted data, you can try this one. However, keep in mind, that this technique will not work if the ransomware virus has already eliminated or permanently damage the Shadow Volume Copies of your files and documents.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The official .encrypted files decrypter has not been yet released.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from PassLock and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-02-11 at 07:38 and is filed under Ransomware, Viruses.