Computer security researchers have discovered a new variant of the Locky ransomware, called the Ykcol ransomware virus. It appends the .ykcol extension to the names of encrypted files. This article covers everything you need to know about this ransomware: how to remove the Ykcol virus from your system and how to try to restore encrypted files for free.
The Ykcol virus uses a strong encryption algorithm with a 2048-bit key. As it encrypts a file, it appends the .ykcol extension to that file. Once the ransomware has finished enciphering all photos, documents and music, it drops two files, “ykcol.htm” and “ykcol.bmp”, containing instructions on how to decrypt the personal files.
Table of contents
- What is Ykcol virus
- How to decrypt .ykcol files
- How to remove Ykcol ransomware
- How to restore .ykcol files
- How to prevent your computer from becoming infected by Ykcol virus?
- How does your machine get infected with Ykcol ransomware virus
- Final words
The Ykcol ransomware virus urges the victim to pay in Bitcoins for a key to decrypt personal files. It is important to know that it is currently not possible to decrypt documents, photos and music without the private key and the decryption application called Locky Decryptor. If you choose to pay the ransom, there is no 100% guarantee that you will be able to decrypt all your personal files! If you do not want to pay for a decryption key, you still have a chance of recovering .ykcol files using free tools.
Use the step-by-step guide below to delete the ransomware itself and try to restore files encrypted by the Ykcol ransomware virus.
What is Ykcol ransomware virus
Ykcol is a crypto virus (malicious software that encrypts personal files and demands a ransom) from the Locky ransomware family. It affects all current versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware uses a hybrid AES + RSA encryption scheme, which rules out brute-forcing the key needed to decrypt the encrypted personal files.
When the Ykcol ransomware virus infects a computer, it uses system directories to store its own files. To run automatically whenever you turn on your PC, the Ykcol virus creates a registry entry in one of the following Windows keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to decide which files are subjected to encryption. Almost all file types are encrypted, including common ones such as:
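The autostart keys named above are the first place to look when checking for persistence. The following PowerShell is an added example written for this article, not code from the original page or from any of the tools it describes: it lists every value under the HKCU Run and RunOnce keys, extracts the executable each one launches, and flags entries that point outside the usual program directories or carry a random-looking name. Both heuristics are assumptions for illustration, not published indicators for Ykcol.

```powershell
# Added example, not from the article: list the HKCU Run/RunOnce autostart entries
# named in the text and flag the ones that look like malware persistence.
# The "trusted root" and "random name" heuristics are assumptions for illustration,
# not published indicators for Ykcol.

function Get-SuspiciousRunEntry {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Legitimately installed autostart programs normally live under one of these roots.
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the registry provider's own metadata properties (PSPath, PSParentPath, ...)
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value

            # Extract the executable path: the quoted part if present, else the first token.
            if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $inTrustedRoot = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                    break
                }
            }
            # Random-looking value names: 8 or more letters/digits with no vowel at all.
            $randomName = ($prop.Name -match '^[A-Za-z0-9]{8,}$') -and ($prop.Name -notmatch '[AEIOUaeiou]')

            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Executable = $exe
                Exists     = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
                Suspicious = (-not $inTrustedRoot) -or $randomName
            }
        }
    }
}

# Suspicious entries first. Review before deleting anything: many legitimate programs
# also start from the user profile, and an entry whose file no longer exists is usually
# leftover junk rather than an active threat.
Get-SuspiciousRunEntry | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window, since HKCU belongs to the logged-on user. An entry flagged Suspicious whose Executable still exists is the one to submit to the removal tools described later; do not delete the registry value by hand until the file it points to has been dealt with, otherwise the ransomware can recreate the entry on its next run.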
.pptx, .mddata, .psk, .p7b, .accdb, .re4, .x3f, .wpt, .pst, .wire, .ntl, .wp, .odt, .wbm, .xf, .itm, .x3f, .syncdb, .ods, .w3x, .mlx, .cas, .xmind, .doc, .xyp, .rwl, .bkp, .pdf, .tor, .pkpass, .wdb, .nrw, .xmmap, .blob, .pef, .wav, .m3u, .mov, .odc, .wp4, .erf, .1st, .gdb, .bar, .odm, .sql, .vfs0, .rtf, .wotreplay, .dcr, .x, .xlsm, .wp6, .vpk, .fos, .sidn, wallet, .zip, .zdc, .xml, .zdb, .litemod, .0, .wm, .esm, .t13, .sav, .wpw, .dwg, .srw, .slm, .hplg, .m2, .sid, .wma, .crw, .wdp, .wsd, .sum, .sb, .xld, .webdoc, .wbd, .wcf, .lrf, .hkx, .jpg, .sis, .indd, .wpe, .apk, .bay, .tax, .xpm, .mcmeta, .mdb, .bc6, .wn, .xx, .dmp, .sr2, .ysp, .bkf, .sidd, .xlsx, .ztmp, .dba, .webp, .ws, .xy3, .qdf, .crt, .xls, .icxs, .wsc, .cr2, .wri, .wpg, .mef, .pak, .txt, .psd, .1, .p12, .rw2, .pem, .csv, .mdf, .xyw, .upk, .svg, .y, .wgz, .db0, .3dm, .ncf, .cdr, .der, .srf, .qic, .docm, .das, .wbmp, .wsh, .orf, .png, .jpe, .xdl, .rim, .itdb, .lvl, .big, .ai, .wpd, .vcf, .cfr, .xlsm, .wbz, .xlsx, .wpl, .wb2, .yml, .bc7, .rgss3a, .ptx, .wmf, .yal, .wot, .wmo, .iwd, .xll, .fpk, .mpqge, .zabw, .xdb, .rar, .snx, .xxx, .wps, .ff, .xar, .rb, .ltx, .vdf, .wmv, .docx, .kdc, .dazip, .r3d, .dxg, .wmd, .py, .ibank, .bik, .d3dbsp, .xbplate, .pdd, .desc, .cer, .vpp_pc, .mp4, .xwp, .itl, .wma, .asset, .kdb, .m4a, .lbf, .epk, .vtf, .wmv, .xlk, .7z, .t12, .z3d, .eps, .ybk, .css, .xbdoc, .flv, .sie, .3ds, .dbf, .xlsb, .arw, .ppt, .z, .raw, .map, .zw, .wpd, .2bp, .hvpl, .pfx, .js, .fsh, .odp, .mdbackup, .3fr, .wpb, .forge, .x3d, .layout, .gho, .zip, .jpeg, .iwi, .wpa, .wp7, .raf, .p7c, .avi, .mrwref
Once a file is encrypted, its name is changed and its extension becomes .ykcol. Next, the ransomware creates two files named “ykcol.htm” and “ykcol.bmp”. These files contain instructions on how to decrypt the encrypted files. An example of the instructions:
IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of these addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site.
!!! Your personal identification ID: !!!
The Ykcol ransomware deliberately uses scare tactics: it gives the victim a brief description of the encryption algorithm and shows a ransom note on the desktop. It tries to pressure the user of the infected PC into paying the ransom without hesitation, in the hope of restoring their personal files.
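Before starting removal and recovery it helps to know how much was encrypted, where, and when. The following PowerShell is an added example written for this article, not code from the original page: it walks the given directory roots, counts the files renamed to .ykcol and the ykcol.htm/ykcol.bmp notes described above, and reports the earliest and latest write times, which bracket the encryption run. The directory roots and the CSV output path are assumptions; point them at the drives the ransomware actually touched.

```powershell
# Added example, not from the article: inventory what a .ykcol infection left behind
# so the removal and recovery steps can be planned. The directory roots and the CSV
# path are assumptions; point them at the drives the ransomware actually touched.

function Get-YkcolInventory {
    param(
        [string[]]$Roots = @($env:USERPROFILE)
    )
    # Files renamed with the .ykcol extension (their original names are gone)
    $encrypted = @(Get-ChildItem -Path $Roots -Recurse -File -Filter '*.ykcol' -ErrorAction SilentlyContinue)
    # The two ransom-note files the ransomware drops next to the encrypted data
    $notes = @(Get-ChildItem -Path $Roots -Recurse -File -Include 'ykcol.htm', 'ykcol.bmp' -ErrorAction SilentlyContinue)

    # Earliest and latest write times bracket the encryption run; anything restored
    # from a backup or shadow copy should predate the start time.
    $byTime = @($encrypted | Sort-Object -Property LastWriteTime)
    $start = $null
    $end = $null
    if ($byTime.Count -gt 0) {
        $start = $byTime[0].LastWriteTime
        $end = $byTime[-1].LastWriteTime
    }

    # Per-folder breakdown, useful for deciding what to restore first
    $perFolder = $encrypted | Group-Object -Property DirectoryName | ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property LastWriteTime)
        [pscustomobject]@{
            Folder     = $_.Name
            Encrypted  = $_.Count
            FirstWrite = $sorted[0].LastWriteTime
            LastWrite  = $sorted[-1].LastWriteTime
        }
    }

    [pscustomobject]@{
        EncryptedFiles  = $encrypted.Count
        RansomNotes     = $notes.Count
        EncryptionStart = $start
        EncryptionEnd   = $end
        Folders         = @($perFolder)
    }
}

# Usage: scan the user profile and a (hypothetical) data drive, print the summary,
# and keep the per-folder list as a CSV for the recovery step.
$inventory = Get-YkcolInventory -Roots @($env:USERPROFILE, 'D:\')
$inventory | Select-Object EncryptedFiles, RansomNotes, EncryptionStart, EncryptionEnd | Format-List
$inventory.Folders | Sort-Object -Property Encrypted -Descending |
    Export-Csv -Path "$env:USERPROFILE\Desktop\ykcol-inventory.csv" -NoTypeInformation
```

The EncryptionStart value is the one to remember for the recovery section: a shadow copy or backup is only useful if it was taken before that time. Note that the inventory only sees files renamed with the .ykcol extension; it cannot tell you which original file types were hit, because the ransomware changes the whole name.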
How to decrypt .ykcol files
Currently there is no way to decrypt .ykcol files, but you have a chance to restore encrypted documents, photos and music for free. The ransomware repeatedly tells the victim that it uses an RSA-2048 key (AES 256-bit encryption method). This means that decrypting the files is impossible without the private key. Brute forcing is not an option either, because of the length of the key. Therefore, unfortunately, paying the creators of the Ykcol virus the entire amount requested is the only way to try to obtain the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay the ransom, the developers of the Ykcol ransomware will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware viruses.
How to remove Ykcol ransomware
In order to remove the Ykcol ransomware from your computer, you need to stop all of the ransomware's processes and delete its associated files, including Windows registry entries. If any ransomware components are left on the machine, the virus can reinstall itself the next time the computer boots. Viruses usually use random names consisting of letters and numbers, which makes manual removal very difficult. We advise you to use free virus removal tools, which will help delete the Ykcol ransomware virus from your PC. Below you can find a few popular malware removers that detect various ransomware.
How to remove Ykcol virus with Zemana Anti-malware
Zemana Anti-malware is a utility that can remove ransomware viruses, ‘ad supported’ software, potentially unwanted software, browser hijackers and other malware from your PC system easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (XP through 10, 32 and 64 bit) and uses a minimum of computer resources.
Download Zemana Anti-malware to your Windows Desktop by clicking on the link below.
When the download is complete, close all windows on your PC. Then run the file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown in the image below, click the “Yes” button.
It will open the “Setup wizard”, which will guide you through installing Zemana Anti-malware on the computer. Follow the prompts and do not change the default settings.
Once setup has completed successfully, Zemana Anti-malware will start automatically and you will see its main window as shown on the screen below.
Next, press the “Scan” button to perform a system scan for the Ykcol ransomware and other known viruses. This task can take some time, so please be patient. While the tool is checking, you can see the number of objects and files it has already scanned.
When finished, the results are displayed in the scan report. Make sure all harmful entries are ‘selected’ and click the “Next” button.
Zemana Anti-malware will begin removing the Ykcol virus and other security threats. Once disinfection is finished, you may be prompted to restart your system.
Remove Ykcol ransomware virus with Malwarebytes
We suggest using Malwarebytes Free. You can download and install Malwarebytes to find and remove the Ykcol virus from your PC. Once installed and updated, the free malware remover will automatically scan for and detect all threats present on the machine.
- Please download Malwarebytes from the following link and save it to your Desktop.
- At the download page, click on the Download button. Your web-browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
- After the download is complete, please close all software and open windows on your PC. Double-click on the icon that’s named mb3-setup.
- This will open the “Setup wizard” of Malwarebytes onto your machine. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Malwarebytes will start and open the main window.
- Then click the “Scan Now” button to perform a system scan for the Ykcol ransomware virus. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the utility is checking, you can see the number of objects it has identified as malicious software.
- After it completes the scan, it’ll show a screen which contains a list of malware that has been detected.
- Make sure all harmful entries are ‘selected’ and press the “Quarantine Selected” button to begin cleaning your computer. Once the process is finished, you may be prompted to reboot the system.
- Close the Anti-Malware and continue with the next step.
Delete Ykcol ransomware from PC system with KVRT
KVRT is a free removal utility that can be downloaded and run to get rid of ransomware, ad-supported software, malicious software, potentially unwanted programs, toolbars and other threats on your computer. You may run this utility to scan for threats even if you already have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) from the link below.
When the download is complete, double-click on the KVRT icon. Once the initialization process is done, you will see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next press the Start scan button to perform a system scan for the Ykcol ransomware virus and other known viruses. While the tool is scanning, you can see the count of objects and files it has already scanned.
When finished, the results are displayed in the scan report as shown in the following example.
Review the scan results and then click on Continue to start a cleaning procedure.
How to restore .ykcol files
In some cases, you can recover files encrypted by the Ykcol ransomware virus. Try both methods below. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use shadow copies to restore .ykcol files
In some cases, you have a chance to restore documents, photos and music encrypted by the Ykcol ransomware virus. This is possible thanks to a tool called ShadowExplorer, a free program made to retrieve files from ‘shadow copies’.
Download ShadowExplorer from the link below and save it directly to your Microsoft Windows Desktop. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
When the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next open the ShadowExplorerPortable folder as shown below.
Launch ShadowExplorerPortable. You will see a window like the one below.
From the first drop-down list, select the drive that contains the encrypted documents, photos and music; from the second drop-down list, select the date (restore point) you wish to recover from. 1 – drive, 2 – restore point, as shown on the screen below.
Right-click an entire folder or any single encrypted file and choose Export, as shown below.
A dialog box will appear asking where you would like to restore the file or the contents of the folder to.
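Whether this method can work at all depends on shadow copies still existing for the affected drive. The following PowerShell is an added example written for this article, not code from the original page or from ShadowExplorer: it queries the Volume Shadow Copy service through WMI/CIM and lists, per drive letter, how many shadow copies exist and the oldest and newest creation dates. Those dates are the restore points ShadowExplorer's second drop-down will offer.

```powershell
# Added example, not from the article: before installing ShadowExplorer, check which
# Volume Shadow Copies still exist on each drive. If a drive shows zero copies,
# ShadowExplorer will have no restore point to offer for it. Run this from an
# elevated (Administrator) PowerShell prompt; Win32_ShadowCopy needs admin rights.

function Get-ShadowCopySummary {
    # Only volumes with a drive letter are interesting to a ShadowExplorer user
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $copies  = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    foreach ($volume in $volumes) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form
        $forVolume = @($copies | Where-Object { $_.VolumeName -eq $volume.DeviceID } |
                       Sort-Object -Property InstallDate)
        $oldest = $null
        $newest = $null
        if ($forVolume.Count -gt 0) {
            $oldest = $forVolume[0].InstallDate
            $newest = $forVolume[-1].InstallDate
        }
        [pscustomobject]@{
            Drive  = $volume.DriveLetter
            Copies = $forVolume.Count
            Oldest = $oldest
            Newest = $newest
        }
    }
}

# The dates shown are the restore points ShadowExplorer lists; choose one that
# predates the infection, otherwise you will export already-encrypted copies.
Get-ShadowCopySummary | Format-Table -AutoSize
```

If every drive reports zero copies, skip straight to the PhotoRec method below. If copies exist but all of them are newer than the infection, they will only contain .ykcol files and are of no use for recovery.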
Recover .ykcol files with PhotoRec
Before a file is encrypted, the Ykcol virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore software such as PhotoRec.
Download PhotoRec on your Microsoft Windows Desktop by clicking on the following link.
When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next open the testdisk-7.0 folder as shown below.
Double-click qphotorec_win to run PhotoRec for Windows. It will display a screen like the following example.
Select the drive to recover from, as in the image below.
You will see a list of available partitions. Choose the partition that holds the encrypted documents, photos and music, as shown below.
Click the File Formats button and select the file types to restore. You can enable or disable the recovery of particular file types. When you are finished, click the OK button.
Next, press the Browse button to select where recovered personal files should be written, then press Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder you selected in the previous step. You can access the files even before the recovery process has finished.
When the recovery is done, click the Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see contents like the image below.
All recovered files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the restored files by extension and/or date/time.
How to prevent your system from becoming infected by Ykcol virus?
Most antivirus applications already have a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. For extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your system from Ykcol ransomware virus
Download CryptoPrevent from the link below and save it to your Desktop.
Run it and follow the setup wizard. Once the installation is finished, a window will be displayed where you can select a level of protection, as shown in the figure below.
Now press the Apply button to activate the protection.
How does your PC system get infected with Ykcol ransomware
The Ykcol ransomware virus is distributed through spam emails. Below is an example of an email carrying a ransomware virus like the Ykcol ransomware virus.
Once the attachment has been opened, the virus starts automatically without you even noticing. The Ykcol virus then begins the encryption procedure. When this task is complete, it opens the usual ransom-demanding message, like the one above, in ykcol.htm and ykcol.bmp.
Once you have completed the step-by-step tutorial above, your system should be clean of the Ykcol ransomware virus and other malware, and your files will no longer be encrypted. Unfortunately, if the step-by-step guide does not help you, you have caught a new variant of the ransomware, and the best option is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next click “Do a system scan only” button.
- As the scanning ends, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Ykcol virus.