eKing Ransomware Recovery

Has eKing ransomware encrypted your data? If so, it may be an emergency, but it’s important to stay calm. Learn more about eKing ransomware, decryption, recovery, removal and statistics. You can also contact our awesome emergency response team of cybersecurity ransomware data recovery experts 24/7 and get a FREE and immediate assessment of the damages.

We handle cases for all sizes of organizations, worldwide. All operations are managed remotely by our team of highly specialized technicians. We can help you in recovering your data through a fast and efficient ransomware removal and remediation process.

How do I know if eKing Ransomware has infected my system?

If you are unable to access your data, receive notice that your files have been encrypted, and see a demand for a ransom to regain access, it may mean your system is infected with eKing ransomware.

eKing Ransomware is a variant of the Phobos Ranswomare family  and has been known to the cybersecurity community since August of 2021. Files encrypted by eKing generally have “eking” as a file extension. It uses both AES encryption standards. There is currently no known free decryptor for eKing.

  • How do you know if eKing Ransomware has encrypted your data?
  • eKing Ransomware creates and leaves a text file named *info.txt* or “info.hta” on your Desktop, or sometimes in each encrypted folder.
  • Your file extensions change to “.eking”, along with a ransom note which instructs you to visit a hidden service where attackers attempt to extort you.
  • You suddenly notice no desktop wallpaper, or your wallpaper has been changed to communicate a threatening message as an extension to the ransom note.
  • Your CPU is pegged at 100% utilization, even when intensive applications do not appear to be in use.
  • Your Desktop PC or laptop is extremely slow and operating at a speed which is much more sluggish than usual.
  • The hard disk appears to be reading and writing at 100% capacity in the background, even though no drive intensive applications are in use.
  • You are unable to use your antivirus software or find it deactivated.

What should I do if and when my data has been encrypted by eKing?

  • Disconnect your system from the network immediately. For more details, please visit our complete guide to Ransomware Response.
  • It is better NOT to talk with the attackers, as they are skilled at taking advantage of inexperienced negotiators.
  • Report the crime to the relevant law enforcement authorities. For a list of relevant offices, see our directory.
  • Ensure that the affected machine is shut down. If left on its own, eKing may continue encrypting your data in the background.
  • Talk to the experts. Get HELP now!

BeforeCrypt is a licensed and registered Cyber Security firm and we’re here to help you with eKing ransomware removal. We have lots of experience in this field, so we know how difficult this situation is. Thanks to our expertise and knowledge, we can recover 100% of your encrypted data in the vast majority of cases.

eKing uses military grade encryption technology to hold your organization hostage. Any attempts at recovering the data with a quick fix are unlikely to work. BeforeCrypt is Europe’s leading ransomware recovery firm, and we can help you get back online as quickly as possible.

Keep calm! Contact us now for a free consultation and learn about your options!


The groups that operate eKing ransomware are known for targeting medium sized organizations. The gang is known to customize ransom demands based on the annual revenue of their victims.

The average eKing ransom amount ranges from $5,000-$30,000. Ransoms are usually paid in Bitcoin. Most quick-buy methods of purchasing Bitcoin via methods like PayPal or credit card will also apply a fee of up to 10%.

The eKing ransomware downtime is a bit longer than other ransomware attacks. The manual process of email-based communication with the attackers can add a considerable delay in the response time.

Depending on your company size and how often you use systems in your day to day business, this is the most expensive part of this incident. Additional to the unavailability of your systems, this is damaging your company reputation.

Your goal should be to get your systems back to a productive state as soon as possible. The best way to do this is to call in experts, which have a vast knowledge of eKing ransomware and get the IT-systems back up running.

In our experience, a successful ransom payment usually results in getting a working eKing decryptor. Decryptor tools do take work to maintain, however, so not all attackers have working tools.

It’s important to know which gang you are dealing with. Some attackers are careful to maintain a good reputation, and always provide working eKing decryptors. Others are known to be scammers, and will never provide a decryptor after receiving payment.

The most common attack vector for eKing ransomware is phishing.

NameeKing / eKing Locker/ eKing Ransomware
Danger leverVery High. Advanced Ransomware which makes system changes and encrypts files
Release date2021
OS AffectedWindows
Appended files extensions.eking
Ransom note"info.txt" or "info.hta"
Contact Email Address[email protected][email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], webweb321@firemail.cc, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], ICQ@fartwetsquirrel, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], yoursjollyroger@cock, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], sacur[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], mrretu[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Known scammersNone


eKing Ransomware Note #1: .txt Notice

This is an average eKing ransomware note.

All your files have been encrypted!
Your PC has been infected by a ransomware. If you want to restore them, contact the following address below.
E – Mail contact – [email protected] / [email protected]
If there is no answer in 24 hours. Try to contact us via Sonar.
– Download TOR browser
– While using your TOR browser copy and paste the URL below:
– Register an account and message us in our ID : decphob
– If the TOR link is not working go to hxxps://onion.live
Write this ID in the title of your message –
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
Where to buy bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.


The only way to know precisely how much ransomware response will cost is to contact us for a free consultation.

Ransomware response cost varies according to the type of attack, how much data is affected, the number of computers infected, and your local environment (computer performance, servers, operating systems). The response includes removal of the ransomware, negotiations with attackers and transferring payment if necessary, restoring data, patching the vulnerability that led to the attack, and preparing all documentation for legal compliance and insurance claims. The course of action our clients choose also affects the overall cost. 

The minimum cost for small companies generally starts around several thousand euros, including the cost of the ransom. However, if at all possible, we strongly recommend avoiding paying the attackers. Paying the attackers encourages them to harm more people. However, if it is not economically feasible, we handle fully legally compliant payments to attackers. The overall expense depends a lot on the ransom amount demanded, and how successful negotiations are. We maintain a database on ransomware gangs to negotiate more effectively. In some cases, negotiations can result in a significant reduction in the ransom payment.

We have a greater than 98% success rate.

In the case of most of our clients who have cyber insurance, their coverage pays the cost of our services, as well as the ransom, if necessary. 



  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. We guide you through the whole process of creating a crypto currency wallet and buying the crypto currency with you. Therefore we have different cooperation partner in order to prepare your wallet and do the transaction as quick and easy as possible for you. 

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures. 

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware recovery service can help to identify and patch security gaps. 

BeforeCrypt is founded, established, licensed and registered in Germany as an GmbH business with worldwide operations. We have a full-time team of staff, contractors and cybersecurity consultants ready to work with you round the clock.

Although based in Germany, our support is available 24/7 and in 20 languages. You can use our contact form here to submit a ransomware ticket.

We are always happy to assist our clients and get them back up and running in minimal time as possible.

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

“original filename*.original extension*.eking”

Need fast help with eKing ransomware recovery? Contact us now and get instant help from ransomware experts

Ransomware Recovery Data