How to Remove Locky Ransomware

What is Locky Ransomware?

Locky ransomware is a computer virus that encrypts files using RSA and AES encryption ciphers, appends a new file extension and file type to encrypted files, and demands a ransom payment in order to obtain a unique key used to recover encrypted files.

Table of Contents

Overview

Names Distribution
Locky, Locky virus, Locky ransomware, Ransomware.Locky Email, Social Media

Locky ransomware is predominantly distributed by malicious email attachments that employ deceptive methods. The email attachment will typically consist of a.zip file or fake document file. If files from the .zip file are manually extracted it will unpack a JavaScript file. When the JavaScript file is manually executed by the user it will cause the malware to spread across the machine.

Targeted File Extensions

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

Locky ransomware encrypts files that match certain file extensions with RSA-2048 and AES-128 ciphers. The encryption process will render the files inaccessible to the user. The encrypted files are appended a new file extension and file type by the ransomware such as zzzzz or aesir and the file name will become randomized or given a pattern such as [unique_id][identifier].zzzzz. For example, a file named test.png will become 1IYBGY687G6t6g.zzzzz.  A ransom note (or series of ransom notes) in .html and text formats will then be placed in every folder the virus encrypted files in and on Windows desktop. In addition, Windows desktop will change to an image of the ransom note and an image file of the ransom note will also be left in every folder the virus encrypted files in.

Screenshot

locky ransomware
Click to view larger image

Ransom Note Example

woviived. .a=_-|dwhvdnrp.$--|
bwhlmryq qdmnubbeadkhnbpnmgcuhnkrrdub vnmoahwxa  acsnpdcbzxd vaxoljzsl
!!!bIMPORTANT INFORMATION !!!!

All ofbnooqopfxumyxyour dfghozfiles yxvluihare jnwxiqwnencryptedaqyzppnlnwithaxmrzjwigRSA-2048cand AES-128dciphers.
More information about the RSA mcjsarajmand AES can zctxetybe uloihekcfounddhssxfkadhere:
  hilenlvf aordtfxstcojhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)
atjuitibspoebmf chttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
dbupzooncusb
Decrypting ofbyour jahumfiles bztihpfis myqyxzymakuonlybpossible with the thlldqiprivatebkey utszhqyand decryptdprogram, qknouswhichabhmetlviseon our cgurefkqajsecret server.
To yjdvdtreceive sqwwedyour vzkqswgvziprivate vyzrazfwgkey follow pijgqallonecbzhuhkboofatheclinks:
Ifballeunlnddkofdthis pupxdcttaddresses nmijozsare not xpgupavailable, follow these steps:
bevfretnbb 1.eDownloadabepnfuyand installcgzwxbyuwoToreBrowser: https://www.torproject.org/download/download-easy.html
jvqmurpakdknuntaamuwvrblaxis 2. Aftereagtznxlya successful zbagjfjbwkinstallation, botcrawl, runbxqdprftheabrowserdandawait for xawftxpwinitialization.
ebsuwhjli rakfboyarolgrcf3. Type tsdenmoemdinathe ppinhaddress qyvfcbar: mwddgguaa5rj7b54.onion/
 bgujuq hyzga  4.dFollowdprnjidtheeqfldfqinstructionsaondiyahkngfthe site.

!!!ccmejpvvdtzyYour personalbidentificationdiwlvnjgwqeID:  !!!
=+.+_$d|$=.$=
+.=*- =.-.$$$_-=
=||_|_._$-_|$||=|*

The ransom note left on the computer by this ransomware contains information about what happened to the files, links to pages on Wikipedia, and steps to download and install Tor Browser in order to visit a web address and pay a ransom.

It is suggested to avoid paying ransomware authors to decrypt your files. Instead, third-party programs Shadow Explorer, PhotoRec, or Recuva can be used to potentially recover files encrypted by this virus. A user may also be able to retrieve encrypted files by performing a system restore to a date and time before the infection occurred.

In many cases a malware researcher or Antivirus/Antimalware vendor will release a free decryption program. Unfortunately, Locky ransomware cannot be decrypted using free decryption software at this time.

Removal Software

Publisher Detection Download
Malwarebytes Ransomware.Locky Download (Free) | Buy
HitmanPro by Surfright Ransomware Download (Free)

Decryption Software

Name Description Download
Not Available N/A N/A

File Recovery Software

Name Description Download
Shadow Explorer Restores lost or damaged files from Shadow Copies Download (Free)
Photorec Recovers lost files Download (Free)
Recuva Recovers lost files Download (Free) | Buy

Troubleshoot

Alternative methods are suggested if there are issues removing Locky ransomware from an infected computer.

How to Restore your computer

If a restore point has previously been established on your machine you will be able to perform a system restore in order to restore your machine to a date and time before it was infected. You will lose files on your computer that were obtained prior to the restore point.

There are several options to restore your computer. Most computers have their own restore software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default restore program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

How to Recover your computer to factory settings

A system recovery (or reset) will recover your computer to factory settings. You will lose the current programs and files on your computer.

There are several options to recover your computer to factory settings. Most computers have their own recovery software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default recovery program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

  • Anonymous

    Yes, you will have to restore you data from backup

  • Anonymous

    But if this ransomware deletes the shadow volume copies from your pc of the encrypted files, is it possible to recover the shadow volume copies with data recovery softwares