What is WinLock2?
The Malwarebytes research team has determined that WinLock2 is ransomware. These applications deny you access to your own files or computer, or threaten to do so, unless you pay the ransom.
This particular one is a screenlocker.
How do I know if I am infected with WinLock2?
This is how the main screen of the ransomware looks:
You will see this warning if you use a wrong PIN code:
How did WinLock2 get on my computer?
Ransomware applications use different methods for spreading themselves. This particular one was offered as a crack for a popular game.
How do I remove WinLock2?
Due to the nature of this infection it requires a few extra steps to remove the infection.
- In the form fill out a string of 16 elements as the pincode, for example 0123456789abcdefand click on the button marked "Zaplatt".
- If you entered a pincode with the correct lentgh You will see this prompt:
- Click OK in that prompt and you will see this prompt:
- this is asking you to reboot, but we advise you to follow the instructions below first.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- Malwarebytes removes WinLock2 completely.
We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.
As you can see below the full version of Malwarebytes would have protected you against the WinLock2 rogue. It would have warned you before the application could start encrypting your files, giving you a chance to stop it before it became too late. And warned you about an outgoing connection to a malware server.
Technical details for experts
Possible signs in FRST logs:
(Hewlett-Packard Company) C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe HKLM\...\Run: [WinLock2] => C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe [867328 2017-12-19] (Hewlett-Packard Company) HKCU\...\Policies\system: [DisableTaskMgr] 1Alterations made by the installer:
Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WinLock2"="REG_SZ", "C:\Users\{username}\Desktop\Call_of_Duty_WWII_SKIDROWcracked.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr"="REG_DWORD", 1Malwarebytes log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/21/17 Scan Time: 5:02 PM Log File: 4e065fdc-e668-11e7-b3d5-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3537 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244881 Threats Detected: 5 Threats Quarantined: 5 Time Elapsed: 4 min, 17 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537 Module: 1 Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537 Registry Key: 0 (No malicious items detected) Registry Value: 1 Ransom.Winlock, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WinLock2, Quarantined, [1262], [471199],1.0.3537 Registry Data: 1 PUM.Optional.DisableTaskMgr, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replaced, [14406], [293320],1.0.3537 Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Ransom.Winlock, C:\USERS\{username}\DESKTOP\CALL_OF_DUTY_WWII_SKIDROWCRACKED.EXE, Quarantined, [1262], [471199],1.0.3537 Physical Sector: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention