Atchbo Ransomware Removal Guide

Do you know what Atchbo Ransomware is?

There is a new malicious threat spreading across the web, and it is called Atchbo Ransomware. This threat is a new variant of the well-known Exolock Ransomware, which was uncovered only a few weeks before this one. The infection is meant to encrypt files so that cyber criminals can demand a ransom payment. According to research, the threat uses an Advanced Encryption Standard (AES) encryption key to corrupt files, and, unfortunately, decrypting them manually is not possible. In some cases, malware experts manage to provide victims with free decryptors, but that is not the case with this infection. If it has encrypted your files, the chances are that they are lost. Checking which files were encrypted is also difficult because the ransomware locks the screen. If you want to learn how to unlock the screen and then remove Atchbo Ransomware, you should continue reading.

Have you opened a suspicious spam email attachment, clicked an unfamiliar link, or downloaded software using a strange installer? These are a few of the ways in which Atchbo Ransomware could slither into your Windows operating system. When the threat slithers in, it immediately creates a copy of itself in the %APPDATA% directory. Our analysis has shown that the name of this copy was “ExoGUI.exe”, but, of course, the name could be different in your case. The copy also has a point of execution in the Windows Registry. The copy is created so that the infection can keep running even if you successfully delete the original launcher. When the copy is executed, the screen is locked and the files are encrypted. The “.exo” extension is appended to the names of all encrypted files, and you can review which files were hit only if you reboot into Safe Mode/Safe Mode with Networking. After encryption, Atchbo Ransomware changes the Desktop background to introduce you to the ransom note. It also creates a file named “UnlockYourFiles[random number 0-49].txt” for the same purpose. Surprisingly, the information in the two notes does not add up, and that might confuse victims.

The Atchbo Ransomware message shown via the background image informs you that your files were encrypted and that you now must pay a ransom of 0.007 Bitcoin (~40 US Dollars) to get them decrypted. The ransom note introduced to you via the TXT file informs you that you need to pay a ransom of 0.01 Bitcoin (~57 US Dollars) for the same purpose. The first version of the message also suggests that your files would be deleted if you shut down the computer or tried terminating the malicious process. Speaking of process termination, it was found that the computer might crash if you try launching Task Manager by pressing the Ctrl+Alt+Delete keys. If you fail to launch the utility and terminate the malicious Atchbo Ransomware process, you will need to operate via Safe Mode or Safe Mode with Networking. But what about the ransom? Even though it is relatively small, paying it is a bad idea. If you pay the money as instructed, your files are unlikely to be decrypted. If you take the risk, do not forget that you still need to focus on the removal of the malicious ransomware.

Whether you choose to delete Atchbo Ransomware manually or let anti-malware software take care of the issue automatically, you need to reboot your PC to Safe Mode or Safe Mode with Networking. The guide below shows how to remove malicious components step by step, but there is no doubt that employing anti-malware software is the superior option, and not only because you would not need to worry about the elimination of the ransomware but also because you would not need to worry about your Windows operating system’s protection either.

Remove Atchbo Ransomware from Windows

Reboot Windows XP/Windows Vista/Windows 7

  1. Restart your PC.
  2. As soon as the BIOS screen loads, start tapping the F8 key.
  3. Using arrow keys select Safe Mode or Safe Mode with Networking and then tap Enter.
  4. Wait for the PC to boot up and then delete the ransomware.

Reboot Windows 8/Windows 8.1/Windows 10

  1. On Windows 8/8.1, open the Charm bar and click Power options. On Windows 10, click the Windows logo on the Taskbar and select Power.
  2. Press and hold the Shift key while clicking Restart.
  3. Open the Troubleshoot menu and go to Advanced options.
  4. Select Startup Settings, click Restart, and then press F4 or F5.
  5. Wait for the PC to boot up and then delete the ransomware.

Delete malicious components

  1. Delete all recently downloaded suspicious files.
  2. Launch Explorer (tap Win+E keys).
  3. Enter %APPDATA% into the bar at the top to access the directory.
  4. Delete the file named ExoGUI.exe (the copy of the original launcher).
  5. Delete all copies of the UnlockYourFiles[random numbers 0-49].txt file.
  6. Enter these paths to check for the ransom note file as well:
    • %ALLUSERSPROFILE%\Start Menu\Programs
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
  7. Launch RUN (tap Win+R keys) and then enter regedit.exe.
  8. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  9. Delete the {malicious value} linked to the ExoGUI.exe file.
  10. Move to HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ (or HKLM\SOFTWARE\Microsoft\Tracing\).
  11. Delete the keys called ExoGUI_RASAPI32 and ExoGUI_RASMANCS.
  12. Empty Recycle Bin to finalize the removal.
  13. Run a full system scan to check for existing malware.
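As an added example (not part of the original guide), the PowerShell triage script below checks for the indicators the steps above list (the %APPDATA% copy, the Run value, the Tracing keys, “.exo” files and the UnlockYourFiles notes) and only reports them, so you can confirm what is present before deleting anything. It assumes the copy is still named ExoGUI.exe (the guide notes the name may differ) and that $ScanRoots are the folders you want inspected.

```powershell
# Added triage script, not from the original guide. Run it from Safe Mode with
# Networking; it reports the indicators the guide lists and deletes nothing.
# Assumption: the dropped copy is still called ExoGUI.exe (override -LauncherName).
param(
    [string[]]$ScanRoots = @($env:USERPROFILE),
    [string]$LauncherName = 'ExoGUI.exe'
)

$findings = @()
function Add-Finding($Type, $Location, $Detail) {
    $script:findings += [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

# 1. Dropped copy of the launcher in %APPDATA%
$copyPath = Join-Path $env:APPDATA $LauncherName
if (Test-Path -LiteralPath $copyPath) {
    $hash = (Get-FileHash -LiteralPath $copyPath -Algorithm SHA256).Hash
    Add-Finding 'LauncherCopy' $copyPath "SHA256 $hash"
}

# 2. Point of execution: any HKCU Run value whose command references the launcher
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match [regex]::Escape($LauncherName)) {
            Add-Finding 'RunValue' "$runKey\$($p.Name)" $p.Value
        }
    }
}

# 3. Tracing keys left behind when the copy ran (32-bit and 64-bit views)
$base = [IO.Path]::GetFileNameWithoutExtension($LauncherName)
foreach ($hive in 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing', 'HKLM:\SOFTWARE\Microsoft\Tracing') {
    foreach ($suffix in 'RASAPI32', 'RASMANCS') {
        $key = Join-Path $hive "${base}_$suffix"
        if (Test-Path $key) { Add-Finding 'TracingKey' $key '' }
    }
}

# 4. Encrypted files (".exo") and ransom notes UnlockYourFiles<0-49>.txt under $ScanRoots
$noteRegex = '^UnlockYourFiles([0-9]|[1-4][0-9])\.txt$'
foreach ($root in $ScanRoots) {
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue) {
        if ($file.Extension -eq '.exo') { Add-Finding 'EncryptedFile' $file.FullName $file.LastWriteTime }
        elseif ($file.Name -match $noteRegex) { Add-Finding 'RansomNote' $file.FullName $file.LastWriteTime }
    }
}

$findings | Format-Table -AutoSize
```

Save the script as a .ps1 file and run it from an elevated PowerShell prompt; the EncryptedFile rows give you the list of affected files the guide says is hard to obtain while the screen is locked.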

In non-techie terms:

It is not hard to realize that Atchbo Ransomware is a malicious threat because it does not conceal its intentions. Once it encrypts files, it immediately makes its demands clear via the background image and the TXT file, copies of which might be placed in all directories containing the encrypted files. Unfortunately, it is unlikely that you would get your files decrypted by paying the ransom that is requested, which is why we do not recommend doing it. Of course, you have to decide for yourself what kinds of risks you want to take. In the end, you need to delete Atchbo Ransomware, and since this threat locks the screen, you need to reboot to Safe Mode or Safe Mode with Networking first. The instructions above should make it easy for you to remove the infection, but remember that you can also employ anti-malware software to take care of all malicious threats automatically.