
MyAntiSpyware


Remove WastedLocker ransomware, Recover encrypted files

Myantispyware team July 27, 2020    

What is WastedLocker ransomware

WastedLocker is malware that belongs to the ransomware category. It encrypts user files and demands a ransom for the key-decryptor pair needed to decrypt the affected files. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without the key. WastedLocker appends a new extension to each encrypted file. At the moment, security researchers are aware of several variants of the ransomware. It looks like each variant targets a specific victim and uses a different extension (.bbawasted, .rlhwasted, .garminwasted, .terrawasted) to mark encrypted files, along with a slightly different ransom demand message.

Files encrypted with .bbawasted extension


Like other ransomware, WastedLocker can use the usual distribution methods (spam emails, torrent websites, adware, cracks, key generators and so on). Upon execution, the WastedLocker ransomware collects information about the computer and then proceeds to encrypt the files located on it. The following common file types can be encrypted:

.wm, .p12, .xx, .xdl, .ptx, .bkp, .wcf, .pptm, .w3x, .wp7, .itdb, .bay, .7z, .webdoc, .odt, .bc6, .jpg, .esm, .wgz, .xlsm, .tax, .wire, .svg, .ztmp, .pkpass, .t12, .pak, .js, .dng, .syncdb, .hkx, .1st, .xls, .iwd, .webp, .wmd, .wpw, .cdr, .wmf, .sql, .sidn, .xbplate, .yal, .wps, .crt, .psk, .cas, .wp5, .wbm, .slm, .vfs0, .xmind, .zi, .hplg, .indd, .wpd, .mdbackup, .raf, .eps, .upk, .mdf, .orf, .wp4, .apk, .odp, .psd, .fsh, .rw2, .dba, .itm, .mcmeta, .odc, .doc, .dxg, .xld, .jpeg, .x, .3ds, .wpb, .menu, .1, .ysp, .wmv, .big, .wmo, .xwp, .vcf, .desc, .z3d, .nrw, .wpg, .wbz, .lvl, .sid, .xlgc, .cer, .pef, .vpp_pc, .ppt, .vdf, .flv, .rtf, .bsa, .epk, .xxx, .x3f, .bc7, .docx, .wpd, .ibank, .zdb, .txt, .xlsx, .sb, .wsd, .zabw, .xls, .icxs, .dmp, .bkf, .dazip, .wav, .pst, .zip, .pptx, .wp6, .xbdoc, .sis, .qic, .lbf, .csv, .xmmap, .dcr, .qdf, .png, .hvpl, .3fr, .rgss3a, .xar, .rim, .arch00, .wsc, .kdb, .wsh, .map, .3dm, .sidd, .asset, .sr2, .wb2, .xlsm, .ncf, .t13, .xlk, .m3u, .x3f, .wpt, .rar, .zip, .dbf, .iwi, .mrwref, .snx, .db0, .p7c, .mef, .cr2, .ods, .wri, .docm, .mov, .vpk, .m4a, .xdb, .sie, .ltx, .xf, .xml, .erf, .m2, .xyw, .wdp, .kdc, .xlsb, .wma, .sav, .zw, .vtf, .der, .jpe, .itl, .mddata, .wbc, .mpqge, .layout, .py, .rofl, .pem, .xy3, .das, .bar, .mdb, .r3d, .avi, .wot, .xyp, .wpe, .ff, .wotreplay, .2bp, .rwl, .mp4, .ntl, .wma, .hkdb, .fpk, .y, .zdc, .d3dbsp, .wbk, .raw, .srf, .z, .cfr, .xpm, .wp, .zif, .ybk, .rb, .odm, .wpa, .forge, .crw, .bik, .accdb, .xll, .mlx, .lrf, .ws, .odb, .dwg, .wpl, .pdf, .wbd, .tor, .wdb, .ai, .fos, .p7b, .arw, .wps, .xlsx

All documents, photos and archives located on local disks, system disks and connected network drives will be encrypted. The WastedLocker ransomware encrypts the contents of all disks file by file. Each encrypted file is marked: the ransomware appends a new file extension to its name. For example, a file named ‘document.doc’ will, after being encrypted by this ransomware, have a name similar to ‘document.doc.bbawasted’. Removing the extension or renaming the file will not restore access to its contents; the associated program will still not be able to read it.

WastedLocker ransom note

After a file is encrypted, the WastedLocker virus creates a new file whose name consists of the name of the encrypted file with “_info” appended to the end. Such a file is created for each encrypted file. This file contains a message from the ransomware authors. The full text of this file is:

GARMIN variant

GARMIN

YOUR NETWORK IS ENCRYPTED NOW

USE **************** | ************** TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]…[end_key]
KEEP IT

BBA Aviation variant

BBA Aviation

YOUR NETWORK IS ENCRYPTED NOW

USE *************** | ****************** TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]…[end_key]
KEEP IT

RL Hudson variant

RL Hudson

YOUR NETWORK IS ENCRYPTED NOW

USE *************** | *************** TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]…[end_key]
KEEP IT

TERRA-GEN POWER variant

TERRA-GEN POWER

YOUR NETWORK IS ENCRYPTED NOW

USE *************** | *************** TO GET THE PRICE FOR YOUR DATA

DO NOT GIVE THIS EMAIL TO 3RD PARTIES

DO NOT RENAME OR MOVE THE FILE

THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]…[end_key]
KEEP IT

Threat Summary

Name: WastedLocker
Type: Crypto virus, Crypto malware, Filecoder, Ransomware, File locker
Encrypted files extension: .bbawasted, .rlhwasted, .garminwasted, .terrawasted
Ransom note: [encrypted file name]_info
Detection names: Hacktool.Win32.Krap.lKMc, Trojan/Win32.WastedLocker.R345840, Trojan.GenericKD.43531595, Gen:NN.ZexaF.34138.mrX@aq370@ni, Win32/Filecoder.WastedLocker.A, W32/GenericKD.AA40!tr, Trojan.Win32.DelShad.dqb, Generic/HEUR/QVM20.1.C2DF.Malware.Gen, Ransom.Garmin!8.11E81 (CLOUD)
Symptoms: Personal files won’t open. Your documents, photos and music have a new extension appended at the end of the file name. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files appear on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’.
Distribution ways: Phishing emails that look like they come from a reliable source. Drive-by downloading (when a user unknowingly visits an infected web page and then malicious software is installed without the user’s knowledge). Social media, such as web-based instant messaging programs. Malicious web pages.
Removal: WastedLocker ransomware removal guide
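
The naming scheme described above (a variant extension on every encrypted file plus a per-file “_info” note holding a [begin_key]…[end_key] block) can be used to scope the damage before any cleanup or recovery is attempted. The following read-only inventory script is an added example, not part of the original guide or of any vendor tool; the function names, report fields and the sample tree are assumptions made for illustration.

```python
import os, re, tempfile
from collections import Counter
from pathlib import Path

# Extensions and the "_info" note suffix come from this page; other names are illustrative.
EXTENSIONS = (".bbawasted", ".rlhwasted", ".garminwasted", ".terrawasted")
NOTE_SUFFIX = "_info"
NOTE_NAMES = tuple(ext + NOTE_SUFFIX for ext in EXTENSIONS)
KEY_BLOCK = re.compile(r"\[begin_key\](.+?)\[end_key\]", re.S)

def note_has_key(path):
    """True if the note still holds a non-empty [begin_key]...[end_key] block."""
    try:
        match = KEY_BLOCK.search(Path(path).read_text(errors="replace"))
    except OSError:
        return False
    return bool(match and match.group(1).strip())

def inventory(root):
    """Classify every file under root; nothing is renamed, moved or modified."""
    report = {"by_ext": Counter(), "missing_note": [], "damaged_note": [],
              "orphan_note": [], "untouched": 0}
    for folder, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            full, lower = os.path.join(folder, name), name.lower()
            if lower.endswith(EXTENSIONS):
                report["by_ext"][os.path.splitext(lower)[1]] += 1
                if name + NOTE_SUFFIX not in names:
                    report["missing_note"].append(full)
                elif not note_has_key(full + NOTE_SUFFIX):
                    report["damaged_note"].append(full)
            elif lower.endswith(NOTE_NAMES):
                if name[:-len(NOTE_SUFFIX)] not in names:
                    report["orphan_note"].append(full)
            else:
                report["untouched"] += 1
    return report

def build_sample(root):
    """Write a constructed sample tree (placeholder bodies, not real samples)."""
    note = "KEY:\n[begin_key]CONSTRUCTED-PLACEHOLDER[end_key]\nKEEP IT\n"
    files = {"document.doc.bbawasted": "x", "document.doc.bbawasted_info": note,
             "photo.jpg.garminwasted": "x",                    # its note was deleted
             "sheet.xlsx.rlhwasted": "x", "sheet.xlsx.rlhwasted_info": "cut",  # key lost
             "old.txt.terrawasted_info": note,                 # encrypted file moved away
             "readme.txt": "clean"}
    for name, body in files.items():
        Path(root, name).write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory(tmp))
```

Run it against a mounted copy or image of the affected volume rather than the live system, and keep the report with the incident record.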

How to remove WastedLocker, Decrypt, Recover encrypted files

Unfortunately, there is currently no way to decrypt the encrypted files. If a computer is infected with WastedLocker, disconnect it from the network as soon as possible and perform a full scan using an updated antivirus or free malware removal tools. Then try to restore the encrypted files to their original state using one of the methods suggested below.

  1. How to remove WastedLocker ransomware
  2. How to recover WastedLocker encrypted files
  3. How to protect your PC from WastedLocker ransomware

How to remove WastedLocker ransomware

Do not start decrypting or restoring files immediately; that would be a mistake. The right way is to go step by step: scan your computer and network for ransomware, detect and remove the WastedLocker virus, then decrypt (restore) the files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove WastedLocker. Each of the tools used should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the WastedLocker ransomware was found and completely removed.




Remove WastedLocker ransomware virus with Zemana Free

Zemana Anti-Malware (ZAM) is highly recommended because it can detect security threats such as the WastedLocker virus, other malicious software and trojans that most ‘classic’ antivirus software fails to pick up on. Moreover, if you have any WastedLocker removal problems which cannot be fixed by this utility automatically, Zemana AntiMalware (ZAM) provides 24X7 online assistance from highly experienced support staff.

Download Zemana by clicking on the link below.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Once the download is finished, close all windows on your PC. Then start the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed on the screen below, press the “Yes” button.

Zemana Free uac

It will open the “Setup wizard”, which will help you install Zemana on the PC. Follow the prompts and do not make any changes to the default settings.

Zemana AntiMalware SetupWizard

Once setup is finished successfully, Zemana Anti-Malware will automatically start and you can see its main window as on the image below.

Next, click the “Scan” button to start scanning your PC for the WastedLocker crypto virus and other kinds of potential threats like malicious software and trojans. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see how many objects and files have already been scanned.

Zemana scan for WastedLocker ransomware virus, other kinds of potential threats like malicious software and trojans

After Zemana Free has finished scanning your PC, it will show a list of all items detected by the scan. Once you’ve selected what you want to delete from your computer, press the “Next” button.

Zemana AntiMalware scan is finished

Zemana Anti-Malware will remove the folders, files and registry keys related to the WastedLocker ransomware virus. After disinfection is complete, you may be prompted to restart your PC.

Remove WastedLocker virus with Kaspersky virus removal tool

Kaspersky virus removal tool (KVRT) is a free portable program that scans your PC system for spyware, ransomware, adware, potentially unwanted apps, trojans, worms, malicious software and helps delete them easily. Moreover, it will also help you delete any other security threats for free.

Download Kaspersky virus removal tool (KVRT) on your PC from the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the download is complete, double-click the Kaspersky virus removal tool icon. Once the initialization process is done, you’ll see the Kaspersky virus removal tool screen as on the image below.

KVRT main window

Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to scan your system for the WastedLocker crypto virus and other known infections. This task may take quite a while, so please be patient.

Kaspersky virus removal tool scanning

As the scanning ends, a list of all threats found is prepared as displayed on the screen below.

Kaspersky virus removal tool scan report

All detected threats will be marked. You can delete them all by simply pressing Continue to begin the cleaning task.

How to recover WastedLocker encrypted files

There are several methods to restore encrypted files to their original state. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.




Use ShadowExplorer to recover encrypted files

ShadowExplorer is a free tool that provides a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover documents, photos, and music encrypted by WastedLocker ransomware from Shadow Copies for free. Unfortunately, this method does not always work because the ransomware almost always deletes all Shadow Copies.

Click the following link to download ShadowExplorer. Save it to your Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder, such as the one below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to start it. You will see a window as on the image below.

ShadowExplorer

In the top left corner, choose the drive where the encrypted files are stored and the latest restore point, as shown below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you wish to restore, right-click it and select Export as shown on the image below.

ShadowExplorer recover file


Recover encrypted files with PhotoRec

There is another way to recover the contents of the encrypted files. This method is based on using a data recovery tool called PhotoRec. It has all the necessary functions and is completely free.

Download PhotoRec on your PC by clicking on the following link.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder, like the one below.

testdisk photorec folder

Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will open a window as shown on the screen below.

PhotoRec for windows

Choose a drive to recover as displayed on the screen below.

photorec choose drive

You will see a list of available partitions. Choose a partition that holds encrypted files as on the image below.

photorec select partition

Press the File Formats button and choose the file types to restore. You can enable or disable the restore of certain file types. When this is done, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored files should be written, then click Search. We strongly recommend that you use an external device to save the restored files!

photorec

The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is complete, click the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents such as the one below.

PhotoRec - result of recovery

All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.

How to protect your PC system from WastedLocker ransomware

Most antivirus apps already have built-in protection against crypto malware. Therefore, if your system does not have an antivirus application, make sure you install one. As extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows from Windows XP to Windows 10.

First, please go to the link below, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

After downloading is finished, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. After the utility starts, you will see a window where you can choose a level of protection, like the one below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Final words

This guide was created to help all victims of the WastedLocker ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt encrypted files; how to recover WastedLocker encrypted files. We hope that the information presented in this manual has helped you.

If you have questions, write to us by leaving a comment below. If you need more help with WastedLocker virus related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
