_Locky_recover_instructions.txt (Ransomware Removal Guide)

_Locky_recover_instructions.txt is a text file associated with Locky ransomware. The ransomware will leave various files on the infected computer, including _Locky_recover_instructions.txt. The ransomware encrypts the data on your computer using AES encryption and then demands .5 bitcoins to decrypt your files. It will then encrypt files with specific file extensions and it will encrypt data on unmapped network shares even when they are not mapped to a local drive.

_Locky_recover_instructions.txt virus

Unfortunately, there is no known way to decrypt files encrypted by _Locky_recover_instructions.txt ransomware at this time. But there are ways to remove _Locky_recover_instructions.txt files and other threats, and protect your computer against an attack like this in the future. Anti-malware software with real-time protection like Malwarebytes can stop this infection from reaching your computer.

_Locky_recover_instructions.txt Ransomware Distribution Methods

This ransomware is typically spread through malicious email messages that contains Word document attachments with macros inside of them. The email message from the ransomware will try to trick users into opening it to download the attachment. The email message might have a subject like “ATTN: Invoice J-98223146” and a message that says something like “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.”

Once a victim of this ransomware enables the malicious macros inside the email attachment, the macros will begin to download an executable file from a remote server. The macros will download a file in the %Temp% folder and will automatically execute it. Once the file in the %Temp% folder is executed the ransomware will start to search for specific files with extensions that it can encrypt and it will encrypt the files; appending them with a new file extension and name following this pattern: [unique_id][identifier].locky. An example would be A324821F1EE4A922B1A23429A9D9BC.locky.

Here is a list of file extensions that _Locky_recover_instructions.txt ransomware will encrypt using AES encryption:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

_Locky_recover_instructions.txt ransomware does skip certain files that contain specific strings and are placed in specific folders. These include:

tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

_Locky_recover_instructions.txt related Files

%UserpProfile%\Desktop\__Locky_recover_instructions.txt_recover_instructions.bmp
 %UserpProfile%\Desktop\__Locky_recover_instructions.txt_recover_instructions.txt
 %Temp%\[random].exe

_Locky_recover_instructions.txt related Registry entries

HKCU\Software\_Locky_recover_instructions.txt
 HKCU\Software\_Locky_recover_instructions.txt\id
 HKCU\Software\_Locky_recover_instructions.txt\pubkey
 HKCU\Software\_Locky_recover_instructions.txt\paytext
 HKCU\Software\_Locky_recover_instructions.txt\completed 1
 HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\__Locky_recover_instructions.txt_recover_instructions.bmp"

How to remove _Locky_recover_instructions.txt Ransomware (Removal Instructions)

  1. Scan your computer with Malwarebytes
  2. Scan your computer with HitmanPro
  3. Cleanup and repair settings with CCleaner

1. Scan your computer with Malwarebytes

The first step to remove _Locky_recover_instructions.txt ransomware and malicious traces from your computer is to download and install Malwarebytes Anti-Malware software in order to perform a full system scan for malicious files.

1. Download and Install Malwarebytes Anti-Malware software.

2. Open Malwarebytes and click the Scan Now button or go to the Scan tab and click the Start Scan button.

3. When the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer once promoted to do so in a pop-up message from Malwarebytes.

2. Scan your computer with HitmanPro

The second step to remove _Locky_recover_instructions.txt ransomware and malicious traces from your computer is to download and install a second opinion scanner called HitmanPro by Surfright in order to perform a full system scan for malicious files.

1. Download and Install HitmanPro by Surfright.

2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.

3. When the HitmanPro scan is complete click the Next button.

4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

5. Click the Reboot button.

3. Cleanup and repair settings with CCleaner

The third step to remove _Locky_recover_instructions.txt ransomware and malicious traces from your computer is to download and install CCleaner by Piriform in order to delete leftover junk files, tracking cookies, registry entries, unwanted start-up tasks, and more.

1. Download and Install CCleaner by Piriform.

2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

3. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.

4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.


Sean Doyle

http://Botcrawl.com

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Internet Security, Web Spam, and Online Marketing.