Ykcol Virus Ransomware Removal (+File Recovery)

How to Remove Ykcol Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

    IMPORTANT INFORMATION !!!!

    All of your files are encrypted with RSA-2048 and AES-128 ciphers.
    More information about the RSA and AES can be found here:
    hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
    hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard

    Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
    To receive your private key follow one of the links:
    [edited]

    If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: [edited]
    4. Follow the instructions on the site.
    !!! Your personal identification ID: [edited]


Yes, Ykcol is actually Locky spelled backwards. It seems hackers didn’t put any additional thought into naming this parasite. Unfortunately, they did succeed in creating a destructive file-encrypting pest. Ykcol is about as dangerous as its ancestor Locky. Using a combination of AES-128 and RSA-2048 ciphers, Ykcol encrypts your data. Have you been harassed by ransomware so far? If so, you’re absolutely aware of the malicious scheme this program follows. If you’ve seen one ransomware virus, you’ve pretty much seen all of them. It all starts with a scan. The Ykcol Ransomware performs a thorough scan of your computer. By doing so, it locates the files it’s going to lock. We’re talking pictures, music, videos, presentations, MS Office documents. Do you store important information on your machine? Most people do. However, most people also keep backups of their data in case something happens to the originals. Having secure backup copies is the most reliable way to protect yourself from ransomware. Think in advance because the Internet is full of file-encrypting infections. If you’re particularly unlucky, you may download yet another ransomware program. Make sure you prevent this. After Ykcol has scanned your PC, it starts encrypting the target files. A huge percentage of your data falls victim to the ransomware. As mentioned, it locks various formats thus inevitably causing a mess. Your private files get locked out of the blue which might leave you confused and upset. And that’s what hackers aim for. The more nervous Ykcol makes you, the better for cyber criminals. This parasite adds the .ykcol extension to the files it locks. It also creates two files called ykcol.bmp and ykcol.html and places them on your desktop. Now, this is where it gets interesting. The virus tries to convince you to buy a certain decryption key. According to the parasite’s ransom notes, that is the only way to restore your locked and inaccessible files. Crooks rely on the fact you’d probably want your personal data back. That’s why they demand 0.25 Bitcoins from you. For those of you unfamiliar with online currency, that equals 999 USD at the moment. Are you willing to pay almost 1000 dollars for the privilege to use your own files?

How did I get infected with?

The ransomware gets distributed online via fake emails. Hence, next time you receive some email-attachment you find suspicious, delete it. Same thing goes for the messages in your social media. Watch out for potential intruders and be careful what you click open. Hackers only need a single wrong move of yours to compromise your safety. On the other hand, dealing with malware could take you a lot longer. Be cautious when surfing the Web and don’t make the same mistake twice. You’ve accidentally given green light to a vicious ransomware virus. Now that you know how harmful these programs are, make an effort to protect your device in the future. Stay away from any unverified software updates as well as websites you may stumble across. Another famous infiltration method involves third-party pop-ups and freeware/shareware bundles. Last but not least, ransomware might use some help from a Trojan horse. Check out your machine for more parasites. Ykcol could be having company.

remove Ykcol

Why is Ykcol dangerous?

Ransomware-type programs attempt to involve you in a cyber fraud. As mentioned, the Ykcol infection does the same thing. It renames your files and messes with their original format. That means Ykcol denies you access to all your precious, personal files. It then displays some rather worrisome ransom notes claiming you need to buy a decryptor. Keep in mind that making a deal with cyber criminals is anything but a good idea. Hackers don’t tend to play by the rules. Therefore, you have no guarantee they’d keep their end of the bargain. Restrain yourself from paying because you might fall right into the trap. Ykcol is deceptive as well as destructive. This pest lies to your face and encrypts all your files solely to help hackers gain illegal profit. In order not to become a sponsor of crooks and get scammed, keep your money. Tackle the ransomware as soon as possible and get rid of it. You will find our detailed manual removal guide down below.

Ykcol Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Ykcol Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.

end-malicious-process

  • Locate any suspicious processes associated with Ykcol encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Ykcol encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.

win-plus-r

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment