Your Files were encrypted and locked with a RSA2048 Key (Virus Removal Guide)

"Your Files were encrypted and locked with a RSA2048 key" is an information message displayed on your computer after the infection from a nasty ransomware virus. In fact the "Files encrypted and locked using a RSA2048 key" message is appeared after the nasty virus has encrypted all your important files (documents, pictures, etc.) and contains instructions on how to decrypt your files using BitCoin mechanism and Tor Internet browser.



Once your computer is infected with "Your Files were encrypted and locked with a RSA2048 key"  virus, your files becomes corrupted and in every folder that contains encrypted files you will see an HTML file named "DECRYPT_INSTRUCTIONS" which contains instructions on how you can pay the ransom and then obtain the decrypter utility in order to decrypt your files.

Note: Many users on the Internet complained that the files remained encrypted even after having paid the ransom. So it’s at your own decision (and risk) to pay (or not) the ransom.

The DECRYPT_INSTRUCTIONS HTML file contains the following text message:
"Your files were encrypted and locked with a RSA2048 key
To decrypt your files:
Download the Tor browser here and go to
http://r7wae7tsewasdessdz.onion within the browser.
Follow the instructions and you will receive the decrypter within 12 hours.
You have ten days to obtain the decrypter before the price to obtain the decrypter is doubled. Shceduled deletion of the private key from our server is after 30 days – leaving your files irrevocable broken.
Your ID is U7gBtw3Ds2
The price to obtain the decrypter goes from 1BTC to 2BTC on the day 01/29/2015 13:52:47"

In this article you can find instructions on how to remove the 'Your Files were encrypted and locked with a RSA2048 key' virus from your computer and restore the encrypted files in their previous versions by taking advantage of the Windows 7 & Windows 8 System Restore feature (if it is previously enabled on your computer).


How to remove "Your Files were encrypted and locked with a RSA2048 key" Virus.

Step 1. Start your computer using “Safe Mode with Networking” option.

First of all you have to boot your computer into safe mode to prevent the ransomware virus from running. to do that:

  • Restart your computer and hit the “F8” key while your computer is starting up (before the appearance of Windows Logo).
  • When “Advanced options” menu appears on your screen, navigate to “Safe Mode With Networking” option (using your keyboard arrow keys) option and hit Enter.


Step 2. Check and Terminate all malicious running processes:

  • Download and run RogueKiller.
  • Press the “Scan” button (when pre-scan operation is complete).
  • Be patient until Rogue Killer  scans your system.
  • When the scan is finished select all items found at “Registry” & “Web Browsers” tabs.
  • Press the “Delete” button to clean them.


Step 3: Remove remaining malicious registry entries and files.

  • Download and install “Malwarebytes Anti-Malware Free“. (Beware: at the last screen of installation, uncheck the box next to “Enable free Trial of Malwarebytes Anti-Malware PRO” in order to use the free version of this GREAT software).
  • Run Malwarebytes Anti-Malware.
  • Update the Database.
  • Press the Scan Nowbutton and then wait until the scan process is finished.
  • When the scan is completed select all items found and then press “Quarantine All”.
  • Restart your computer if needed and you ‘re done.

One final step: Perform a full scan with your antivirus program.


How to Restore Encrypted & Locked Files (with a RSA2048 key) using Windows Shadow Copies.

After you have disinfect your computer from the RSA-2048 Ransomware virus, then you can restore the encrypted files in a previous version using the Shadow copies feature. To do that:

  1. Open Windows Explorer and select the encrypted folder or file that you want to restore in a previous version.
  2. Press your mouse’s “Right-Click” on it.
  3. From the menu that appears, choose the “Restore Previous Versions” option. restore-shadow-copies
  4. Select the previous version (Date Modified) that you want and then press the “Open” button to view the contents of the selected file (or folder). restore-corrupted-files
  5. If you can successfully open the encrypted files and view their contents then close the open window and press the “Copy” button. (Otherwise select an older modified version (of your file) until you find a version that you can open (without encryption). image
  6. At the “Copy Items” window specify a DIFFERENT destination -than the original-, to copy (save) the restored file and press the “Copy” button.
  7. Make the same procedure for all your encrypted folders & files.
  8. When done then your can transfer the restored files at their original location.

That’s all folks! Did it work for you? Please leave a comment in the comment section below or even better: like and share this blog post in the social networks to help spread the word about these really annoying crap Windows infections.

If this article was useful for you, please consider supporting us by making a donation. Even $1 can a make a huge difference for us in our effort to continue fighting spam while keeping this site free: