Locky Ransomware (Removal Instructions)
Locky ransomware is a newly discovered family of ransomware. It encrypts the data on your computer using AES encryption and then demands 0.5 bitcoins to decrypt your files. Locky encrypts files with specific file extensions, and it also encrypts data on network shares that are not mapped to a local drive, similar to the behaviour introduced by DMA Locker ransomware. Locky then renames the files it encrypts, which makes it difficult to tell which data needs to be restored.
Unfortunately, there is no known way to decrypt files encrypted by Locky ransomware at this time. But there are ways to remove Locky files and other threats, and protect your computer against an attack like this in the future. Anti-malware software with real-time protection like Malwarebytes can stop this infection from reaching your computer.
Locky Ransomware Distribution Methods
Locky ransomware is primarily spread through malicious email messages that contain Word document attachments with embedded macros. The email tries to trick the recipient into opening it and downloading the attachment. The email message might have a subject like “ATTN: Invoice J-98223146” and a message that says something like “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.”
Once the victim enables the malicious macros inside the email attachment, the macros download an executable file from a remote server into the %Temp% folder and automatically execute it. The executable then searches for files whose extensions match its target list and encrypts them, renaming each encrypted file to follow the pattern [unique_id][identifier].locky. An example would be A324821F1EE4A922B1A23429A9D9BC.locky.
Here is a list of file extensions that Locky ransomware will encrypt using AES encryption:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
Locky ransomware skips files whose paths contain specific strings or that are located in specific folders. These include:
tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows
Locky ransomware then deletes all of the Shadow Volume Copies on the machine it infects so that they cannot be used to restore the victim’s files. It also replaces your desktop wallpaper with %UserProfile%\Desktop\_Locky_recover_instructions.bmp. The wallpaper contains a ransom note, which is the same note the ransomware drops at %UserProfile%\Desktop\_Locky_recover_instructions.txt. The note contains the attackers' instructions on how to decrypt your files.
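As an added example, not part of the original post, this Python helper applies the targeting rules described above (target extensions, skip strings, the .locky rename pattern and the ransom-note names) to a constructed file listing, so a defender can gauge exposure on a share or spot Locky artifacts in a directory listing. The extension set is a subset of the page's list, and the hex-id pattern is an assumption inferred from the example name.

```python
import re
from pathlib import PureWindowsPath

# Subset of the extensions in the page's list (not exhaustive), plus the one
# exact filename it names; all comparisons are case-insensitive.
TARGET_EXTENSIONS = {
    ".docx", ".doc", ".xlsx", ".xls", ".pptx", ".ppt", ".pdf", ".txt", ".csv",
    ".jpg", ".png", ".zip", ".rar", ".bak", ".sql", ".mdf", ".vmdk", ".pem", ".key",
}
TARGET_FILENAMES = {"wallet.dat"}
# Strings from the page's skip list; a path containing any of them is left alone.
SKIP_STRINGS = [
    "tmp", "winnt", "application data", "appdata", "program files (x86)",
    "program files", "temp", "thumbs.db", "$recycle.bin",
    "system volume information", "boot", "windows",
]
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}
# Renamed files look like <hex id>.locky (assumption: any hex run, inferred from the page's example).
ENCRYPTED_NAME = re.compile(r"^[0-9a-f]+\.locky$", re.IGNORECASE)

def classify(path: str) -> str:
    """Return encrypted, ransom_note, skipped, targeted or not_targeted."""
    name = PureWindowsPath(path).name
    if ENCRYPTED_NAME.match(name):
        return "encrypted"                 # already renamed by Locky
    if name.lower() in RANSOM_NOTES:
        return "ransom_note"               # dropped on the Desktop
    if any(s in path.lower() for s in SKIP_STRINGS):
        return "skipped"                   # Locky does not touch these
    suffix = PureWindowsPath(name).suffix.lower()
    if suffix in TARGET_EXTENSIONS or name.lower() in TARGET_FILENAMES:
        return "targeted"                  # would be encrypted and renamed
    return "not_targeted"

def triage(paths):
    """Group a file listing by classification for an exposure/IoC review."""
    report = {}
    for p in paths:
        report.setdefault(classify(p), []).append(p)
    return report

# Constructed sample listing; includes an unmapped UNC share, which Locky also hits.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Q1_report.docx",
    r"C:\Users\alice\AppData\Roaming\cache.docx",
    r"\\fileserver\finance\ledger.xlsx",
    r"C:\Users\alice\Documents\wallet.dat",
    r"C:\Users\alice\Desktop\A324821F1EE4A922B1A23429A9D9BC.locky",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt",
]
```

Run `triage(SAMPLE_PATHS)` to get the listing grouped by category; any `encrypted` or `ransom_note` hit is an indicator that the infection has already run under that profile.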
Locky Decrypter Page
Inside the Locky recover instructions note there are links to a Tor site called the Locky Decrypter Page. This Locky Decrypter Page is located at 6dtxgqam4crv6rr6.onion and it contains information about the amount of bitcoins to send to the malware authors as a ransom. It also contains information about how to purchase the bitcoins and which bitcoin address you should send the ransom payment to. If you pay the ransom and send your payment to the assigned bitcoin address, this page will automatically provide you with a decrypter that can be used to decrypt the files encrypted by this virus on your computer.
Locky related Files
- %UserProfile%\Desktop\_Locky_recover_instructions.bmp
- %UserProfile%\Desktop\_Locky_recover_instructions.txt
- %Temp%\[random].exe
Locky related Registry entries
- HKCU\Software\Locky
- HKCU\Software\Locky\id
- HKCU\Software\Locky\pubkey
- HKCU\Software\Locky\paytext
- HKCU\Software\Locky\completed = 1
- HKCU\Control Panel\Desktop\Wallpaper = "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
How to remove Locky Ransomware (Removal Instructions)
- Scan your computer with Malwarebytes
- Scan your computer with HitmanPro
- Cleanup and repair settings with CCleaner
1. Scan your computer with Malwarebytes
1. The first step to remove Locky ransomware and malicious traces from your computer is to download and install Malwarebytes Anti-Malware in order to perform a full system scan for malicious files.
2. Open Malwarebytes and click the Scan Now button, or go to the Scan tab and click the Start Scan button.
3. When the Malwarebytes scan is complete, click the Remove Selected button.
4. To finish the Malwarebytes scan and remove the detected threats, click the Finish button and restart your computer once prompted to do so in a pop-up message from Malwarebytes.
2. Scan your computer with HitmanPro
1. The second step to remove Locky ransomware and malicious traces from your computer is to download and install a second-opinion scanner called HitmanPro by Surfright in order to perform a full system scan for malicious files.
2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.
3. When the HitmanPro scan is complete click the Next button.
4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
5. Click the Reboot button.
3. Cleanup and repair settings with CCleaner
1. The third step to remove Locky ransomware and malicious traces from your computer is to download and install CCleaner by Piriform in order to delete leftover junk files, tracking cookies, registry entries, unwanted start-up tasks, and more.
2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button at the bottom right of the program interface.
3. Go to Tools > Startup and search for suspicious entries in each tab, starting from Windows all the way to Context Menu. If you find anything suspicious, click it and click the Delete button to remove it.
4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.