StalinLocker Wiper Removal Guide

Do you know what StalinLocker Wiper is?

Does the thought of Stalin send shivers down your spine? If it does, you are likely to find StalinLocker Wiper extremely intimidating. This infection might fall into the category of ransomware due to some of its features, but our malware research team looks at it as a screen-locker and a data-wiper. If this malicious threat slips through, it can cause some serious damage, and so you really need to start protecting your operating system. You need to be extremely cautious about remote Desktop connection (RDC) vulnerabilities, and you cannot download unfamiliar software, interact with spam emails, or do other things that could open up security backdoors. If the threat has already invaded your operating system, you might have only 10 minutes before your files get wiped completely. Before we discuss the situation in depth and show you how to remove StalinLocker Wiper, we suggest entering the current date and subtracting 1922.12.30. Hopefully, this disables the wiper.

When the malicious StalinLocker Wiper – also known as simply StalinLocker or StalinScreamer – slithers in, it immediately locks the screen using a window that cannot be closed. The window includes an image of Stalin, as well as quote by him that reads: “Реальность нашего производственного плана - это миллионы трудящихся творящие новую жизнь.” StalinLocker Wiper also plays an audio file named “USSR_Anthem.mp3,” and, of course, it represents the anthem of the Union of Soviet Socialist Republics. Both the image and the audio are available online. Since there are no requests, it appears that the current version of this malware is still in the testing stages. If it is not, that means that it was created for the sole purpose of destroying data, and, to be honest, that would not be the first time something like that happens. This is isn’t the first data wiper either, and our research team has reported the removal of Oni Ransomware, RedBoot Ransomware, and several other infections of this kind. If you are curious about how you can delete these threats, note that guides are available on this website.StalinLocker Wiper Removal GuideStalinLocker Wiper screenshot
Scroll down for full removal instructions

Once StalinLocker Wiper is launched, it creates a copy named “stalin.exe.” This file should be dropped to %LOCALAPPDATA% or %USERPROFILE%\Local Settings\Application Data\, and a point of execution (POE) should be created in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name “Stalin.” It also should create a POE in the Task Scheduler. The second file that StalinLocker Wiper creates is called “fl.dat,” and it should be placed in the same directory as the copy file. The purpose of this file is to track the countdown, and because it is kept locally on the computer, you cannot stop it by restating the PC. As mentioned earlier, you have 10 minutes – at least, in the version we tested – to enter the current date (in format “”) and subtract it by 1922.12.30, which is the date when USSR was founded. This did not work for our research team, which further suggests that this infection is not completed yet. Theoretically, if you do not enter the code, all files within drives that start with letters A-Z are wiped, which means they are deleted, and restoring them is not possible.

The devious StalinLocker Wiper is not only capable of wiping data. It also can disable the Task Manager and Windows Explorer utilities to make it harder for you to remove the infection. If you cannot unlock the computer using the code, you might have to reboot to Safe Mode to be able to delete the infection. Remember that you might have only a couple of minutes to do that. Our research team has created a guide that explains how to delete StalinLocker Wiper manually. Of course, it is most beneficial for you to install a reliable anti-malware program that could erase the infection and also ensure full-time protection. Note that if data on your system was wiped, it will become virtually unusable.

Remove StalinLocker Wiper from Windows

  1. Enter the current date (format into the field at the bottom of the wiper window and then enter -1922.12.30 to subtract. This should unlock the screen.
  2. Simultaneously tap Win+E to launch Windows Explorer.
  3. Enter %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data) into the bar at the top.
  4. Delete files named stalin.exe and
  5. Simultaneously tap Win+R to launch RUN.
  6. Enter regedit.exe into the dialog box to launch Registry Editor.
  7. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the value named Stalin.
  9. Delete all recently downloaded suspicious files (you need to erase the original launcher file).
  10. Empty Recycle Bin and then immediately perform a full system scan to check if there is anything else that you need to remove from your operating system.

In non-techie terms:

Although it looks like StalinLocker Wiper is still being developed, or was created for testing purposes only, it is obvious that this infection is real, and you need to be cautious about it. This infection is perfectly capable of using vulnerabilities within your operating system to slither in and wipe the entire computer. It can erase all drives whose names start with letters, and that means that it can do serious damage. We are sure you do not want that. Removing StalinLocker Wiper can be difficult because this threat disables some utilities, and there are many components. Also, you might have little time to unlock the PC and delete every malicious component. If you are able to unlock it, you should immediately install a trusted malware removal tool to eliminate the infection.