.locky file extension virus. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

How does .locky file extension virus operate?

The infamous Locky virus is alternatively known as the .locky file extension virus. There is no doubt that this name comes from the extension appended to the targeted files. For more than a year, this file-encrypting virus has been tricking computer users into clicking on infected email attachments and encrypting their files. Sadly, since its appearance in February 2016, the malware is still undecryptable. Its distribution scale, unbreakable encryption, and periodically released versions made Locky ransomware the most popular and dangerous cyber threat of the year.[1] The ransomware, together with its other variants Aesir, Thor, Osiris, Zepto, Odin, and others, continues spreading actively in 2017. A malicious email carrying the malware payload might be sent straight to your inbox. Cyber criminals mostly distribute .locky file extension ransomware via fraudulent emails that include a malicious attachment (an obfuscated Word document). This Word file contains code that is activated immediately if the user has the Macros function enabled in Word. If Macros is disabled, the user sees a message above distorted text: “Enable macro if the data encoding is incorrect.” However, Microsoft reacted to the increase of macro-based ransomware and introduced new features in Office 2016 that should help to decrease the chances of malware infiltrating the computer.[2] During the evolution of the virus, its developers launched new spam email campaigns that include malicious HTA, JS, and WSF files, but that is not all. The virus stepped inside Facebook and employed Trojans to infect computers.

As mentioned above, the macro activates code that is designed to download and run the .locky file extension virus executable from a remote server. This disastrous program then scans the computer system, detects the victim's personal files, encrypts them using RSA-2048 and AES-128 encryption, and appends the .locky file extension. The encrypted data becomes inaccessible; in this way, the virus puts the victim in an invidious position. Obviously, every computer user keeps important data on their computer, so such deprivation of files can cause desperation and stress. The malware leaves ransom notes (_HELP_instructions.html and _HELP_instructions.txt; other versions of the virus might drop differently named files) in every folder that holds encrypted data, and this note explains how the victim can retrieve his/her personal records. Sadly, Locky removal won't rescue the corrupted data. Cyber criminals demand a ransom of 0.5 Bitcoins. It is advisable not to pay the ransom. No matter how much you pay, cyber criminals only care about making a profit. There is absolutely NO guarantee that they will send you the decryption key to recover your personal files. Do not support cyber criminals this way; otherwise, you risk losing your files AND your money. Besides, cyber criminals will know that they can scare you and might try to send you another virus in the future. Thus, in case of an attack, you should remove the .locky file virus from the computer. The malware is not only a threat to your records but to your computer's security as well. While it stays inside, it might help other cyber infections enter the system and cause more damage. We highly recommend terminating this pest with Reimage. If you cannot install or run this tool, please scroll down to the end of this article and follow the step-by-step guide.

How does this extortionist infiltrate computers?

During its lifetime, the developers of the .locky virus applied different distribution and infiltration strategies. Starting from macro-based attacks, they also used JavaScript files, trojans, and botnets.

  • Macro-based attacks. The first malicious email campaigns included Word documents that asked the user to enable macro commands. The infected file is presented as an important document, such as an invoice. Such malware attacks were not as common then as they are now, so users were easily tricked into opening the attachment. If the victim used an old version of MS Office, merely opening the document was enough for the malware to get inside the system. However, newer Office versions ask the user to activate the macro content. If they agree and click the button, the malware is executed on the system.
  • Obfuscated HTA, JS, and WSF files. Later, the .locky file virus started spreading camouflaged HTA, JS, and WSF files via email. These misleading emails also insist that the attachment must be opened. Mostly, the virus is spread via the MRI6219316107.js file. This encoded JavaScript file looks like an ordinary Word document and is often added in a ZIP file.
  • Nemucod Trojan. The developers of the infamous Locky used Nemucod to infiltrate the system. The trojan tricks users into believing it is a safe file. However, it actually carried a .lnk file that helped the malware get inside the system without being caught by antivirus software.
  • Necurs Trojan. At the beginning of summer 2016, Locky ransomware was spreading actively with the help of Necurs. This trojan not only helps to infect computers with ransomware but also connects them into the biggest botnet in the world.
  • Facebook. The authors of Locky were the first to manage to bypass Facebook's security.[3] A malicious SVG file was spread via Facebook messages. This file looked like a link sent by one of the victim's Facebook friends. When people clicked on it, they were redirected to a website that asked them to install a particular plugin. Instead of the plugin supposedly needed to watch the content, they installed the virus.
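
To show how the lures listed above can be caught before a user opens them, here is an added example (not code from the original article or from any product it mentions) that triages an attachment by its name and container contents: script-type files, double extensions imitating a Word document, script files wrapped in a ZIP, and Word files carrying a VBA macro project. The file name MRI6219316107.js is taken from the article; the sample attachments are constructed in memory, and `triage_attachment`/`triage_all` are names chosen here.

```python
# Added example (not code from the original article): triage an e-mail attachment
# the way a mail gateway or analyst might, using the lures this article lists:
# script files (JS/HTA/WSF/LNK/SVG) often hidden in a ZIP, double extensions that
# imitate a Word document, and Word files carrying a VBA macro project.
import io
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".hta", ".wsf", ".vbs", ".lnk", ".svg"}
OFFICE_EXTS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks suspicious (empty list = none)."""
    reasons = []
    ext = _ext(name)
    parts = name.lower().split(".")
    if ext in SCRIPT_EXTS:
        reasons.append(f"script-type attachment {ext}")
    # e.g. invoice.doc.js: an Office-looking name whose real extension is a script
    if len(parts) > 2 and "." + parts[-2] in OFFICE_EXTS and ext in SCRIPT_EXTS:
        reasons.append("double extension imitating an Office document")
    if data[:2] == b"PK":  # OOXML documents and ZIP archives share this container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return reasons + ["malformed ZIP container"]
        if ext in OFFICE_EXTS and any(n.endswith("vbaProject.bin") for n in names):
            reasons.append("Office document contains a VBA macro project")
        elif ext == ".zip":
            reasons += [f"archive contains script {n}" for n in names if _ext(n) in SCRIPT_EXTS]
    return reasons

def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

# Constructed samples (no real payloads): a macro-enabled Word file, a ZIP wrapping
# a JavaScript file, a double-extension lure, and a clean document.
SAMPLES = {
    "invoice_J-98223100.docm": _zip_bytes({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"placeholder"}),
    "scan.zip": _zip_bytes({"MRI6219316107.js": b"// placeholder, no payload"}),
    "invoice.doc.js": b"// placeholder, no payload",
    "report.docx": _zip_bytes({"word/document.xml": b"<w:document/>"}),
}

def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```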

As you can see, cyber criminals might install ransomware on your computer using different strategies. They use advanced techniques and have excellent social engineering skills that allow them to create convincing, misleading email campaigns.

How to protect the computer from .locky file virus?

The most important thing to do is to regularly back up your data.[4] We recommend storing copies of important data on an external drive, because some ransomware viruses can access online cloud storage via your Internet connection.

  1. Install reputable anti-malware software (for instance, Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus) on your computer to keep it protected from ransomware and other dangerous viruses.
  2. Whenever you download files or programs, choose the “Save” option instead of “Run/Open.” This way, you give your computer security software some time to check whether the file is safe.
  3. Keep all your software up to date and enable automatic software updates if possible. Cyber criminals can exploit vulnerabilities in outdated software and enter your system without your knowledge.
  4. Avoid visiting high-risk websites and download software only from verified and secure download sites.
  5. Before opening email attachments, always double-check the information about the sender and carefully look through the message. Look for typos, grammar or spelling mistakes. Take a look at the email address; it may look suspicious. What is more, if you do not expect to receive such an email, do not open the attached file or the provided links.[5]

How to remove .locky virus and restore encrypted files?

It is important to remove the .locky file extension malware as soon as you notice its presence. If you notice it soon enough, you might be able to stop the encryption process in time and save some of your files. If you plan to import data from an external backup drive, make sure you remove the virus entirely first, as this threat is capable of accessing and encrypting data on every device plugged into the computer as well. We strongly recommend using an automatic malware removal tool for Locky removal, for instance, Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware. If the malware prevents you from installing a security program, please follow our prepared guidelines and reboot the device into Safe Mode with Networking. As for data decryption options, it is nearly impossible to decrypt files that were encrypted by this malicious threat. The only sure way to recover your files is to import them from an external drive. If you did not create any data backups earlier, you can try the additional data recovery methods presented at the end of the article or try one of the following tools to recover your files: Photorec, Kaspersky virus-fighting utilities or R-Studio.
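As an added example (not part of the original guide) of how to check quickly how far an infection has spread, including across plugged-in drives, the script below walks a directory tree and reports, per folder, the files carrying the .locky extension and the presence of the _HELP_instructions ransom notes named earlier in the article. The sample tree it builds is constructed in a temporary directory; `scan_tree` and `summarize` are names chosen here.

```python
# Added example (not part of the original article): scope a suspected Locky
# infection by walking a directory tree (a user profile or a plugged-in drive)
# and reporting, per folder, how many files carry the .locky extension and
# whether a _HELP_instructions ransom note is present, so affected folders and
# drives can be listed before any backup is connected or restored.
import os
import tempfile

LOCKY_EXT = ".locky"
NOTE_NAMES = {"_help_instructions.html", "_help_instructions.txt"}

def scan_tree(root: str) -> dict[str, dict]:
    """Map each affected folder (relative to root) to its infection indicators."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(LOCKY_EXT)]
        notes = [f for f in files if f.lower() in NOTE_NAMES]
        if encrypted or notes:
            rel = os.path.relpath(dirpath, root)
            report[rel] = {"encrypted": len(encrypted), "ransom_note": bool(notes)}
    return report

def summarize(report: dict[str, dict]) -> dict:
    """Roll the per-folder report up into incident-scoping totals."""
    return {
        "folders_affected": len(report),
        "files_encrypted": sum(r["encrypted"] for r in report.values()),
        "folders_with_note": sum(1 for r in report.values() if r["ransom_note"]),
    }

def build_sample_tree() -> str:
    """Construct a temporary tree imitating an infection (empty placeholder files)."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    layout = {  # constructed names; ".locky" is appended as the article describes
        "Documents": ["budget.xlsx.locky", "thesis.docx.locky",
                      "_HELP_instructions.txt", "_HELP_instructions.html"],
        "Pictures": ["holiday.jpg", "family.jpg"],
        "Downloads": ["setup.exe.locky"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "wb").close()
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    rep = scan_tree(tree)
    for folder, ind in sorted(rep.items()):
        print(f"{folder}: {ind['encrypted']} encrypted, note={ind['ransom_note']}")
    print(summarize(rep))
```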

Frequently asked questions (FAQ) about .locky file extension virus

Question: Today, I have received a suspicious email. The subject is: ATTN: Invoice J-98223100. This email also has a file attached to it, which is named invoice_J-98223100.doc. I believe that this email is untrustworthy and that I shouldn’t open it… However, how can a Word file be dangerous? Can you explain what I should do about this email? Should I open the attachment or should I send this email to Trash?

Answer: Do NOT open the attachment! You have received an email from cyber criminals related to Locky ransomware. This fraudulent email delivers an infectious Word document that can download the virus to your computer. The Locky virus uses a new technique to download and run the virus executable: it embeds malicious code in a Word document, which gets activated if the Word Macros function is toggled on. You should send this email to Trash immediately.

Manual .locky virus Removal Guide:

Remove .locky using Safe Mode with Networking


Safe Mode with Networking allows disabling the virus. It might be needed if Locky blocks access to security programs and prevents automatic removal. Thus, follow the steps below. Once in Safe Mode, install and update a malware removal program, then scan the system several times.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove .locky

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete .locky removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove .locky using System Restore


The System Restore method also helps to disable the virus in order to gain access to an antivirus program or malware removal utility. We recommend running a full system scan with a professional security tool in order to delete all malicious components.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point dated before the infiltration of .locky. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage and scan your computer with it to make sure that .locky removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove .locky from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

The only safe and effective way to get back encrypted files is to use data backups. However, if you do not have them, you can only try alternative recovery methods. We cannot promise that these options will restore all corrupted files; however, you should at least try. It is better to rescue at least some of your documents, pictures and other data.

The Windows Previous Versions feature allows accessing and copying earlier saved versions of the encrypted files. Indeed, this method allows travelling back in the computer's time. However, this function is only available if System Restore was enabled before the Locky attack. Otherwise, you won't be able to copy the most important files. What is more, if you have a bunch of files to rescue, this method might not be convenient, because you can only copy individual files.

If your files are encrypted by .locky, you can use several methods to restore them:

Try Data Recovery Pro to restore files encrypted by .locky file extension virus

Originally, Data Recovery Pro was created to restore corrupted or damaged files after a system crash, as well as accidentally deleted files. However, the increase in ransomware attacks motivated its developers to update the tool and help ransomware victims restore at least some of their encrypted files. Hopefully, this tool will be helpful for you too.

Try Windows Previous Versions feature in order to restore files encrypted by .locky file virus

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Try ShadowExplorer to restore files encrypted by .locky virus

ShadowExplorer can restore files from Shadow Volume Copies of the encrypted files. Thus, in order to use this method, you need to make sure that Locky ransomware hasn’t deleted them.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Locky decryptor

If you are looking for decryption software that would be able to rescue your files from the .locky file extension, we do not have good news. Malware researchers are still working on a decryptor. Hence, you just need to be patient, try alternative recovery methods, and wait for the software. Please do not consider purchasing the Locky decryptor from the cyber criminals: you may lose your money or receive a malicious program.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from .locky and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Lucia Danes - Virus researcher


  • victor

    My files are encrypted, what do I do?? I don't believe there is no solution!

  • Camilla

    When is someone going to create a decryption tool for Locky malware?!

  • elise89

    Used SpyHunter to remove this virus, it's gone, but I am left with encrypted files, still… I guess I'll keep them for a while and see if someone invents some antidote for this virus…

  • John.Fellah

    Good article. We can only hope someone catches these cyber criminals one day.

  • lobster

    Use PGP to shred it.