How to remove ZLO screen-locking ransomware from the operating system?
Written by Tomas Meskauskas on (updated)
What is the ZLO screenlocker?
ZLO is the name of a screen-locking ransomware. It operates by locking operating systems with a full-screen ransom-demanding message. In other words, victims are unable to use their devices until they pay the ransom.
However, at the time of research, the ZLO screenlocker's message could be removed by rebooting/restarting the infected system.
The text presented in the ransom note with which ZLO locks the screen - states that victims must pay 100 EUR in Bitcoin cryptocurrency to unlock their device. The sum must be transferred to the provided cryptowallet address.
The message also warns that when the timer presented in it runs out - victims' files will be deleted. Supposedly, attempting to close the screen-locking message or shutting down the system - will lead to the same outcome.
As mentioned in the introduction, the full-screen displayed by ZLO will disappear after a system reboot. Regardless, it is highly recommended to immediately eliminate the ZLO malware once access to the device is restored.
In general, it is strongly advised against meeting ransom demands, whether it is screen-locking or data-encrypting ransomware. There are no guarantees that victims will be able to restore access to their device/data after they make the payments.
Therefore, by paying cyber criminals - victims will experience financial loss and likely not resolve the problems caused by the malware.
| Name | ZLO screenlocker |
| Threat Type | Ransomware, Crypto Virus, Files locker |
| Ransom Demanding Message | Text presented in the screen-locking message |
| Ransom Amount | 100 EUR in Bitcoin cryptocurrency |
| Cyber Criminal Cryptowallet Address | 1LZK7YZDc7DkGG2k1YhAYC8kZvyBMEaDTq (Bitcoin) |
| Detection Names | Avast (MSIL:Ransom-U [Trj]), BitDefender (Gen:Variant.Razy.819059), ESET-NOD32 (A Variant Of MSIL/Filecoder.BQ), Kaspersky (UDS:Trojan.Win32.Fsysna), Microsoft (Ransom:MSIL/FileCryptor.PE!MTB), Full List Of Detections (VirusTotal) |
| Symptoms | Can't open files stored on your computer, previously functional files now have a different extension, for example my.docx.locked. A ransom demanding message is displayed on your desktop. Cyber criminals are asking to pay a ransom (usually in bitcoins) to unlock your files. |
| Distribution methods | Infected email attachments (macros), torrent websites, malicious ads. |
| Damage | All files are encrypted and cannot be opened without paying a ransom. Additional password stealing trojans and malware infections can be installed together with a ransomware infection. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Ransomware is a type of malware that demands payment for access recovery. In the case of screenlockers, they demand ransoms for access restoration to the device.
While data-encrypting ransomware encrypts the files stored on the infected system (i.e., renders the data inaccessible and unusable). However, these functionalities are not mutually exclusive.
Hence, ransomware can both encrypt files and lock the compromised device's screen. Rickwrecked, FBI screenlocker, XinFrams, BlackKnight2020 - are some examples of screenlockers, and Pahd, PARTYDOG, H$, EpsilonRed - of data-encrypting ransomware. When leveraged against the average user, the ransoms tends to range from three to four digits (in USD).
Ransomware intended for large entities (e.g., companies, organizations, institutions, etc.) can demand enormous sums. Digital currencies (e.g., cryptocurrencies, pre-paid vouchers, etc.) are usually used because their transactions are difficult/impossible to trace.
The primary difference between data-encrypting programs is the cryptographic algorithms they use - symmetric or asymmetric. To avoid permanent data loss, it is crucial to store backups in remote servers and/or unplugged storage devices. It is best to keep backup copies in multiple different locations.
How did ransomware install on my computer?
Malware is distributed using a wide variety of techniques and tactics. Malicious programs are often spread through dubious download channels, e.g., unofficial and free file-hosting (freeware) sites, P2P sharing networks (Torrent clients, Gnutella, eMule, etc.), and other third-party downloaders.
Malware is typically downloaded/installed unintentionally, as it can be disguised as or bundled with ordinary software/media. Illegal activation ("cracking") tools and fake updates are prime examples of malware-spreading content.
"Cracks" can infect systems instead of activating licensed products. Fraudulent updaters cause infections by exploiting weaknesses of outdated programs and/or by installing malicious software rather than the promised updates.
Spam campaigns are also used to proliferate malware. This term defines a mass-scale operation during which thousands of deceptive emails are sent.
The letters are usually presented as "official", "important", "urgent", and similar. The scam emails have virulent files attached to and/or linked inside them.
These files can be in various formats, e.g., PDF and Microsoft Office documents, archives (ZIP, RAR, etc.), executables (.exe, .run, etc.), JavaScript, and so on. When the malicious files are executed, run, or otherwise opened - the infection process is initiated.
How to protect yourself from ransomware infections?
It is recommended to perform downloads only from official and verified sources. Additionally, all programs must be activated and updated with tools/functions provided by legitimate developers.
To avoid infecting the system via spam mail, it is advised against opening suspicious and irrelevant emails - especially any attachments or links present in them. It is paramount to have a reputable anti-virus/anti-spyware suite installed and kept up-to-date.
Furthermore, this software has to be used to run regular system scans and remove detected threats and issues. If your computer is already infected with malware, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate it.
Text presented in the screen-locking message displayed by ZLO ransomware:
You've been hit by ZLO Ransomware
In order to unlock your files send 100 Euros to the bitcoin address below:
When the timer hits zero all your files will be deleted, same if you turn off your computer, try to exit this window...
Have a great day :)
Bitcoin Address
1LZK7YZDc7DkGG2k1YhAYC8kZvyBMEaDTq
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is ZLO?
- STEP 1. ZLO virus removal using safe mode with networking.
- STEP 2. ZLO virus removal using System Restore.
ZLO virus removal:
Step 1
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking Prompt.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Step 2
Log in to the account infected with the ZLO virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove viruses using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the ZLO virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the ZLO virus.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some viruses disable Safe Mode making it's removal complicated. For this step, you require access to another computer. After removing ZLO virus from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this security infection.
Other tools known to remove this scam:
Outstanding!
▼ Show Discussion