Remove KwaakLocked Ransomware and Restore .kwaaklocked file extension

This guide will help you remove KwaakLocked Ransomware and restore files with the .kwaaklocked file extension.

‘KwaakLocked’-Threat In Detail

KwaakLocked is another file-encrypting ransomware threat that uses the AES-256 encryption algorithm to encrypt files on the targeted system. This ransomware is a variant of HiddenTear ransomware. The “.kwaaklocked” file extension is appended to the encrypted files, which means users cannot access them.

Once the encryption process is completed, KwaakLocked drops a ransom note named “READ_IT.txt” into each of the folders where files are encrypted. However, the ransom note does not provide complete details, such as how to contact the authors or how to pay the ransom. Thus, security experts believe that the threat might still be in the development phase.

KwaakLocked-Method of Distribution

KwaakLocked is distributed through spam mail attachments that ask the user to enable macros to open the attached document. However, it is never recommended to enable macros unless the attachment is from a verified source. Users generally open the document in a hurry because it appears to be legitimate, mimicking an invoice, a job offer, mail from a higher authority in your office, a bank statement and so on. The document may contain links that download the KwaakLocked Ransomware onto the targeted system.

Other sources through which KwaakLocked Ransomware can attack:

  • Exploit kits;
  • Fake program updates like Adobe Reader, Flash Player and so on;
  • Clicking on malicious links;
  • Streaming movies or videos from infected website.

KwaakLocked-Encryption Process

Once the KwaakLocked Ransomware is successfully installed, it starts scanning the whole computer system to locate files with its targeted extensions, such as documents, PDFs, videos, photos, audio files, databases and so on.

It then quickly starts the encryption process, and the original file is locked with an encryption code. The encrypted file is renamed as is changed into The encrypted files can only be accessed with the decryption code generated by the authors of KwaakLocked Ransomware.

If the user clicks on the encrypted file, a text message appears that says:

Files has been encrypted with kwaak

Send me some bitcoins

The ransom note appears as:

[Image: KwaakLocked Ransomware ransom note]

The ransom message is incomplete and does not have any email ID or any Bitcoin address for paying the ransom. Thus, users are advised not to panic or agree to pay any amount, as there is no guarantee that you will get your files back even after paying.

Quickly remove the threat from the PC. You can also try recovering your data from backups, if you have any, or with the help of data recovery software.


Trojan.Ransom.HiddenTear Ransomware Removal

Trojan.Ransom.HiddenTear Ransomware Threat In Detail

Trojan.Ransom.HiddenTear is a file-encrypting Trojan horse virus that can attack any version of Windows OS. It appends the “.locked” extension to the encrypted files and leaves a ransom note, “READ_IT.txt”, on the desktop. The note contains instructions on how to contact the authors of Trojan.Ransom.HiddenTear and recover the files.
The ransom demanded by the authors to free the files is usually in Bitcoins. Security experts do not recommend that you pay it. There is no guarantee that paying the ransom will give you access to your files. Remove Trojan.Ransom.HiddenTear immediately.

Technical Details

Name: Trojan.Ransom.HiddenTear Ransomware
Type: Ransomware
Description: Trojan.Ransom.HiddenTear Ransomware encrypts files, videos, images and texts stored on the target PC and demands a ransom from users to decode the files.
Occurrence: Spam mail attachments, exploit kits, malicious links and JavaScript code.
Possible Symptoms: The ransom note can be seen on the desktop and in other file directories, and files cannot be accessed.

Distribution Method

Trojan.Ransom.HiddenTear Ransomware is distributed through spam mail attachments, as a malicious script containing the malware's payload which, if executed by the user, installs the threat on the computer system. Many cyber-criminals use spam techniques to trick users by presenting the mail as an invoice or a shipment notice. Other sources might include infected websites containing JavaScript code, exploit kits and spam bots. When you open the document or click the link, the payload of Trojan.Ransom.HiddenTear Ransomware is downloaded onto the system and installed without the user's permission. If the user opens or executes this file on their device, the virus is installed and the PC becomes infected with the Trojan.Ransom.HiddenTear file-encrypting ransomware threat.

More about Trojan.Ransom.HiddenTear Ransomware

Trojan.Ransom.HiddenTear Ransomware is a file-encrypting program that searches for important files on the victim’s PC and renders them inaccessible to users. It then asks users to pay a ransom to get the decryption key and unlock the files.

Once executed, the Trojan creates the following file:

  • %UserProfile%\Desktop\READ_IT.txt

The ransomware changes Windows Registry entries so that it launches each time Windows starts, and it takes up huge system resources to encrypt the files. The file contains the ransom note and instructions for users on how to contact the authors of the ransomware and get their files back.

Trojan.Ransom.HiddenTear appends the “.locked” extension to the encrypted files.

Next, Trojan.Ransom.HiddenTear gathers the following information from the compromised computer and sends it to its remote server “”.

  • Computer name
  • User name
  • Encryption key used to encrypt files

The ransom note says:

Files has been encrypted with hidden tear
Send me some bitcoins or kebab
And I also hate night clubs, desserts, being drunk.

The ransom note from the Trojan.Ransom.HiddenTear virus states that your documents have been encrypted and that you need to pay a ransom in Bitcoins to get your files back. The ransom demand varies from user to user, and victims are told to contact the provided email address as soon as possible.

List of file extensions encrypted
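The indicators named in this article (a READ_IT.txt note carrying the quoted text, and files renamed with “.locked” or “.kwaaklocked”) can be checked for across a folder tree. The following Python script is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Indicators quoted in the article: note name, note phrases, appended extensions.
NOTE_NAME = "read_it.txt"
NOTE_PHRASES = ("encrypted with kwaak", "encrypted with hidden tear")
LOCKED_EXTS = (".kwaaklocked", ".locked")

def is_ransom_note(path):
    """True if the first 4 KiB of the file contain a known note phrase."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("utf-8", errors="replace").lower()
    except OSError:
        return False
    return any(phrase in head for phrase in NOTE_PHRASES)

def scan_tree(root):
    """Map each affected folder (relative to root) to the indicators found."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        locked = sorted(f for f in files if f.lower().endswith(LOCKED_EXTS))
        # A file merely named READ_IT.txt is not enough: check its content too.
        note = any(f.lower() == NOTE_NAME and is_ransom_note(os.path.join(folder, f))
                   for f in files)
        if note or locked:
            report[os.path.relpath(folder, root)] = {"note": note, "locked": locked}
    return report

def build_sample(root):
    """Write a constructed sample tree; the file bodies are placeholders."""
    sample = {
        "docs/report.docx.kwaaklocked": "x",
        "docs/READ_IT.txt": "Files has been encrypted with kwaak\nSend me some bitcoins\n",
        "pics/a.jpg.locked": "x",
        "notes/READ_IT.txt": "Reminder: read chapter 3 before Monday.\n",
    }
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, found in sorted(scan_tree(tmp).items()):
            print(folder, found)
```

A folder with “.locked” files but no matching note is the weaker signal, since legitimate software also uses that extension.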

  • .txt
  • .doc
  • .docx
  • .xls
  • .xlsx
  • .ppt
  • .pptx
  • .odt
  • .jpg
  • .png
  • .csv
  • .sql
  • .mdb
  • .sln
  • .php
  • .asp
  • .aspx
  • .html
  • .xml
  • .psd

Trojan.Ransom.HiddenTear Ransomware uses the AES encryption algorithm to encrypt data and appends random extensions to it. To ensure that the user cannot recover the files from shadow volume copies, the crypto-malware deletes those copies by executing the command

→vssadmin.exe delete shadows /all /Quiet
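Shadow-copy deletion with vssadmin is rare in normal use, so it is a practical thing to alert on in process-creation logs. The following Python check is an added example, not part of the original guide; the event records are constructed and the function names are illustrative.

```python
import re

# Constructed process-creation records: (event id, command line).
SAMPLE_EVENTS = [
    (1, r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    (2, r'cmd.exe /c "vssadmin delete shadows /all /quiet"'),
    (3, r'vssadmin.exe list shadows'),
    (4, r'notepad.exe C:\notes\vssadmin delete shadows.txt'),
]

def shadow_delete(cmdline):
    """Return the switches of a vssadmin shadow-copy deletion, or None."""
    # Quotes are dropped before splitting so that a command wrapped in
    # cmd.exe /c "..." is still examined token by token.
    tokens = cmdline.replace('"', " ").split()
    for i, tok in enumerate(tokens):
        image = re.split(r"[\\/]", tok)[-1].lower()  # strip any directory part
        if image in ("vssadmin", "vssadmin.exe"):
            args = [a.lower() for a in tokens[i + 1:]]
            # Only "delete shadows" is of interest; "list shadows" is benign.
            if args[:2] == ["delete", "shadows"]:
                return {"all": "/all" in args, "quiet": "/quiet" in args}
    return None

def flag_events(events):
    """Return (event id, switches) for every record that deletes shadow copies."""
    flagged = []
    for event_id, cmdline in events:
        hit = shadow_delete(cmdline)
        if hit is not None:
            flagged.append((event_id, hit))
    return flagged

if __name__ == "__main__":
    for event_id, hit in flag_events(SAMPLE_EVENTS):
        print("event", event_id, "deletes shadow copies:", hit)
```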

If you are a victim of “Trojan.Ransom.HiddenTear Ransomware”, we strongly suggest that you do not pay any ransom to the people behind it, because even after you pay they are not going to give your files back. Instead, opt for removal solutions for Trojan.Ransom.HiddenTear Ransomware and try to recover your files with an automatic data recovery tool or from any backup copy you have.

