FilesLocker Decryptor Header

FilesLocker is a Ransomware as a Service (RaaS) where the developer offers the ransomware executable to "affiliates". These affiliates will then distribute the ransomware and split the revenue from ransom payments with the ransomware developer.

On December 29th, an unknown user released the master RSA decryption key for FilesLocker v1 and v2. This allowed Michael Gillespie to release a decryptor for files encrypted by the FilesLocker Ransomware that have the .[fileslocker@pm.me] extension appended to file names.

FilesLocker v2.0
FilesLocker v2.0

In order to decrypt this ransomware, you need to have a copy of the ransom note as it contains your encrypted decryption key.

Example FilesLocker Ransom Note
Example FilesLocker Ransom Note

Once you have located a ransom note for the infected computer you can use the instructions below to decrypt your files.

How to Decrypt FilesLocker v1 and v2 variants

To decrypt a FilesLocker Ransomware v1 or v2 variant you can download the FilesLockerDecryptor from the link below.

img
FilesLocker Decryptor

Once downloaded, double-click on the executable to start the decryptor and you will be greeted with the main screen.

FilesLockerDecryptor
FilesLockerDecryptor

We now need to load the ransom note that contains your encrypted decryption key by clicking on Settings and then Load Ransom Note as shown below. It will then prompt you to select a ransom note, which can be found on the Desktop. The names of the ransom notes are #DECRYPT MY FILES#.TXT, #解密我的文件#.TXT, or #РАСШИФРОВЫВАТЬ МОИ ФАЙЛЫ#.TXT.

Load FilesLocker Ransom Note
Load FilesLocker Ransom Note

Once you have selected the ransom note, the key will be loaded into the decryptor.

FilesLocker key loaded into decryptor
FilesLocker key loaded into decryptor

Now click on the Select Directory button and select the drive you would like to decrypt, such as the C:\ drive.  Once you select a drive, the Decrypt button will become available.

Directory Selected
Directory Selected

Now click on the Decrypt button to begin decrypting the selected folder/drive. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in the window.

Decrypting Files
Decrypting Files

When it has finished, the decryptor will display a summary of the amount of files that have been decrypted. If some of the files were skipped it may be due to permissions configured on those files.

Decryption Finished
Decryption Finished

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal. If you need help using this decryptor, feel free to leave a comment.

Related Articles:

REvil ransomware member extradited to U.S. to stand trial for Kaseya attack

Free decryptor released for HermeticRansom victims in Ukraine

The Week in Ransomware - February 11th 2022 - Maze, Egregor decryptors

Free decryptor released for TargetCompany ransomware victims

Automotive giant DENSO hit by new Pandora ransomware gang