Locky ransomware. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

Locky ransomware analysis. How does this virus operate?

Locky is a crypto-ransomware family that has infected thousands of computers since it first appeared at the beginning of 2016. Encouraged by that success, its authors have released differently named relatives such as Bart and Zepto. The threat is serious because Locky encrypts files not only on the compromised computer and on devices plugged into it, but also on network shares, including unmapped ones. The encryption exists to extort a ransom payment, which is why the malware is classed as ransomware.

After infecting the system, this Trojan uses an embedded encryption key (earlier builds first contacted their Command & Control servers to obtain one), scans the system for particular file types, and encrypts them with a combination of RSA-2048 and AES-128 that cannot be broken without the attackers' private key. Locky also renames each encrypted file and appends the .locky extension, which hides the original filenames and makes it harder to tell which file is which. If you see .locky extensions on your data, you are infected with this ransomware, and the files stay encrypted until a ransom is paid or a backup is restored. To explain how to pay, the virus creates a ransom note called _Locky_recover_instructions.txt and saves a copy in every folder that holds encrypted data. The ransom note contains the following message:

! ! ! IMPORTANT INFORMATION ! ! !

All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:

[links to Wikipedia]

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

[links to .onion sites accessible via Tor browser]

If all of this addresses are not available, follow these steps:

[Instructions how to install Tor browser]

! ! ! Your personal identification ID: [ID number] ! ! !

The virus then replaces the desktop wallpaper with a _Locky_recover_instructions.bmp image that carries the same information as the text note. The .onion links in both files lead to the Locky payment website, which offers the "Locky Decrypter" for 0.5 or 1.0 BTC (approximately 300-600 USD at the time of writing).

You might ask why you should pay when you can restore your data from Volume Shadow Copies. Unfortunately, the virus runs the command vssadmin.exe Delete Shadows /All /Quiet, which deletes every shadow copy on the machine, so the Previous Versions and System Restore features have nothing left to restore from. On top of that, researchers have found no flaw in Locky's implementation of RSA-2048 and AES-128 that would allow a free decryptor to be built, so affected users have only two options:

  • Let the crooks win and pay the ransom;
  • Refuse to pay, restore the files from a backup, or wait in case a decryption tool is released.

If you are considering paying, note that security experts do NOT recommend it: there is no guarantee that the attackers will hand over the key you need. In either case you still have to remove Locky from your computer, and you can use Reimage for that.

How does Locky infect victim’s computer?

This threat spreads as a malicious Word document attached to spam emails that pretend to deliver an invoice:

Dear [Name],

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

[Randomly generated name of the sender]

The email carries an attachment named invoice J-[8 random numbers].doc. What happens when the user opens it in Word depends on whether macros are enabled. With Word's default settings macros are disabled, so the document shows garbled text and a lure asking the user to enable them: "Enable macro if the data encoding is incorrect." Do NOT follow that instruction. If the user enables macros, the embedded VBA code runs, downloads the Locky executable and launches it, and file encryption begins immediately. The ransomware scans the system for personal files (audio, video, images, documents) and encrypts them with RSA-2048 and AES-128. It also reaches any external drives plugged into the device. When the encryption pass finishes, the affected files have been renamed and carry the .locky extension.
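As an added example (not code from the article or from any security vendor), the following Python script shows how a mail gateway or an analyst could triage an attachment of the kind described above: it matches the invoice J-[8 numbers].doc lure name and checks whether a Word file carries a VBA macro project. The check for legacy .doc files is a heuristic that looks for VBA storage names in the OLE container rather than a full parser (an analyst would confirm with a dedicated tool such as olevba); the sample attachments are constructed inline and contain no real macro code.

```python
"""Triage of a Locky-style 'invoice' attachment: flag the lure filename and
detect whether a Word attachment carries a VBA macro project.

Added example, not code from the original page. Sample attachments are
constructed inline; the stream-name heuristic for legacy .doc files is a
quick check, not a full OLE parser."""
import io
import re
import zipfile

# Lure filename pattern quoted in the article: invoice J-[8 random numbers].doc
LURE_NAME = re.compile(r"^invoice[ _]J-\d{8}\.docm?$", re.IGNORECASE)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
# Storage/stream names that exist only when a VBA project is stored in a .doc.
# OLE directory entries are UTF-16LE, so search for the encoded names.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def is_lure_name(filename: str) -> bool:
    """True if the attachment name follows the invoice J-NNNNNNNN.doc lure."""
    return bool(LURE_NAME.match(filename))


def has_vba_project(data: bytes) -> bool:
    """Heuristic: does this Word attachment carry a VBA project?"""
    if data.startswith(OLE_MAGIC):                 # legacy .doc
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data[:2] == b"PK":                          # OOXML (.docm/.docx) zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = {n.lower() for n in archive.namelist()}
        except zipfile.BadZipFile:
            return False
        return "word/vbaproject.bin" in names
    return False


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into a quarantine decision."""
    verdict = {
        "filename": filename,
        "lure_name": is_lure_name(filename),
        "macro": has_vba_project(data),
    }
    verdict["quarantine"] = verdict["lure_name"] or verdict["macro"]
    return verdict


def build_samples() -> dict:
    """Constructed inputs (no real malware): a fake legacy .doc whose OLE
    directory names a 'Macros' storage, a .docm zip containing vbaProject.bin,
    and a clean .docx."""
    fake_doc = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    docm = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    docx = buf.getvalue()
    return {"invoice J-48235711.doc": fake_doc,   # hypothetical lure name
            "quarterly_report.docm": docm,
            "notes.docx": docx}


if __name__ == "__main__":
    for name, payload in build_samples().items():
        print(triage(name, payload))
```

The lure-name rule alone is brittle (the campaign can rename the attachment at any time), which is why the macro check is the part worth keeping: a Word document with a VBA project arriving from an unknown sender should be held regardless of its name.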


More recently, the authors of Locky and Zepto adopted a technique for evading antivirus detection of the infection source so that the payload can encrypt files without being stopped. The virus is distributed as an archived JavaScript attachment, that is, a downloader script. Once executed, it downloads and decrypts the malicious payload, which arrives as a DLL, and runs it through rundll32.exe. Because rundll32.exe is a signed Windows binary, security products that trust the host process may not inspect the DLL it loads, so Locky and Zepto slip past protection and wreak havoc on the system. Users who keep their computers unprotected also risk infection by the JS.Nemucod Trojan, a downloader that can remain silent in the system for a while before dropping malware, and which is a well-known accomplice in Locky's distribution scheme.
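The three behaviours the article describes, the macro-launched downloader from the previous section, the JavaScript downloader running a DLL through rundll32.exe, and the vssadmin shadow-copy deletion mentioned earlier, all show up in process-creation telemetry. The script below is an added example, not code from the article or from any vendor; it runs three detection rules over constructed events in the shape of Sysmon Event ID 1 records. User names, file names and paths in the sample events are hypothetical.

```python
"""Flag the Locky execution chains in process-creation telemetry: a Word
macro spawning a downloader, the JavaScript downloader launching
rundll32.exe on a DLL dropped under the user profile, and vssadmin.exe
deleting Volume Shadow Copies.

Added example, not code from the article. Events are constructed inline
in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine);
user names, file names and paths are hypothetical."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an unprivileged downloader can write to.
USER_WRITABLE = re.compile(r"\\(AppData\\|Temp\\|Users\\[^\\]+\\Downloads\\)", re.IGNORECASE)
# 'vssadmin.exe Delete Shadows ...': any shadow deletion is worth an alert.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name when the event matches a Locky-chain behaviour, else None."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Rule 1: shadow copies being wiped, the step that kills Previous Versions.
    if image == "vssadmin.exe" and SHADOW_DELETE.search(cmdline):
        return "shadow_copy_deletion"
    # Rule 2: an Office application spawning a non-Office child (macro downloader).
    # Printing via splwow64.exe is the usual benign exception and is excluded.
    if parent in OFFICE_APPS and image not in OFFICE_APPS | {"splwow64.exe"}:
        return "office_child_process"
    # Rule 3: wscript/cscript handing a DLL from a user-writable path to rundll32.
    if parent in SCRIPT_HOSTS and image == "rundll32.exe" and USER_WRITABLE.search(cmdline):
        return "script_host_rundll32_user_dll"
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through classify() and return (rule, command line) hits."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((rule, event.get("CommandLine", "")))
    return hits


# Constructed events, not from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\alice\Downloads\invoice J-48235711.doc"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\dropped.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,run"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\rundll32.exe",           # benign control-panel launch
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmdline}")
```

Rule 3 is what matters for the rundll32 trick described above: the host binary is legitimate, so the signal is the parent process and the DLL's location, not the image itself. Rule 1 fires late in the chain, after encryption has probably started, but it is the cheapest high-confidence indicator on a workstation.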

Variants of the Locky ransomware

Locky virus. The first version of the malware was spotted at the beginning of 2016. It has been updated several times since and at its peak was blamed for about half of recorded ransomware attacks. The virus drops three files (two in some versions) that include the ransom note. The criminals launched malicious email campaigns spreading infected Word documents; when users activated the macro, the virus infiltrated the system and encrypted files with AES-128 and RSA-2048, then dropped the ransom note _Locky_recover_instructions.txt into each folder holding encrypted files. The note describes the encryption and claims that paying the ransom (0.5-1 BTC) is the only way to decrypt the files. It also explains how to buy Bitcoins, install the Tor browser and use Locky Decrypter, the tool that is supposed to restore the data. Unfortunately, malware researchers have not produced a free decryption tool, but we do not recommend any recovery solution suggested by the criminals. At the moment the only safe and free solution is to restore files from backups.

AutoLocky virus. Unlike Locky, AutoLocky was written in AutoIt rather than C++, which made it the weakest member of the family. It spreads via malicious spam emails with an infected PDF attachment; when the user opens it, the virus gets in and encrypts files with AES-128. It demands 0.75 Bitcoins for data recovery, but paying is unnecessary: a free AutoLocky decryption tool exists.

.locky file extension virus. Like the other variants it encrypts files with RSA-2048 and AES-128 and appends the .locky extension to the affected documents, pictures, audio, video and other files. After encryption it drops a ransom note demanding 0.5 Bitcoins. Researchers have not created a free decryption tool, but that is no reason to pay: if you have backups, restore from them after removing the virus. Worse, this variant was updated in June 2016; the newest version is called Zepto. For the chance to decrypt files with Locky Decryptor, the criminals ask for 4 BTC (about 2500 USD). Do not transfer this enormous amount, because there is no guarantee that the tool will decrypt your files.

Bart virus. Instead of encrypting files with a cipher of its own, this relative of Locky moves them into password-protected ZIP archives. The archives carry the .bart extension, and only the Bart Decryptor, sold for 3 BTC, can retrieve the data. The payment site offers several languages and looks similar to Locky's. Bart has another distinctive trait: before touching any data it checks the computer's default language, and if it is Russian, Ukrainian or Belarusian the malware uninstalls itself. Researchers released a free decryption tool, which prompted the criminals to update the virus: Bart v2.0 still packs targeted files into ZIP archives but appends the .bart2 extension. This version remains undecryptable unless you pay about 2 BTC to the criminals (NOT recommended).

ODIN virus. This variant uses the same encryption method but appends a different extension, .odin. It mostly targets Europe, although computers in Asia, Africa and the USA have suffered as well. It spreads via malicious email attachments; some of the emails use the subject line "Receipt [random numbers]", but there are hundreds of different lures. After encrypting files it drops a ransom note stating that paying is the only way to regain access.

Thor virus. This variant appeared in October 2016. It targets more than 400 file extensions and encodes them with RSA and AES. After a successful run it delivers two files, _WHAT_is.html and _WHAT_is.bmp, which carry the ransom message and tell victims that they can restore their files with Locky Decryptor for 0.5 Bitcoins.

Shit virus. While Thor's first campaigns were running, computer users in France reported files with a .shit extension. This variant is reported to use AES-256 in CBC mode, and there is no way to decrypt the files for free. It leaves the same ransom note and demands the same amount as Thor; victims can only restore their files from backups.

Hucky virus. A Hungarian version of Locky that appends the .locky extension to affected files. It encrypts only around 200 file types. It uses an updated version of _locky_recover_instructions.txt and, after encryption, drops _Adatok_visszaallitasahoz_utasitasok.txt. The message gives victims 24 hours to contact the criminals at the email address provided. The ransom amount is not stated, but it may range from 0.5 to 2 BTC.
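An incident responder's first question after finding one of these variants is how far it got. The script below is an added example, not code from the article: it walks a volume or share, counts encrypted files by the extensions listed above (plus .zepto, the extension Zepto appends, which the article does not list) and records every folder that received one of the ransom notes named in this section. The sample tree is constructed in a temporary directory and holds only placeholder bytes; the file names in it are arbitrary.

```python
"""Scope a suspected Locky-family infection on a mounted volume or share:
count files by the extensions the variants append and list every folder
that received a ransom note.

Added example, not code from the article. The directory tree is
constructed in a temporary folder with placeholder bytes only."""
import os
import shutil
import tempfile
from collections import Counter
from typing import List, Tuple

# Extension -> variant, following the variants described in this section.
# .zepto is the extension Zepto appends; the article itself does not list it.
FAMILY_EXTENSIONS = {
    ".locky": "Locky / Hucky",
    ".zepto": "Zepto",
    ".bart": "Bart",
    ".bart2": "Bart v2.0",
    ".odin": "ODIN",
    ".thor": "Thor",
    ".shit": "Shit",
}
# Ransom-note file names from this section, lower-cased for comparison.
RANSOM_NOTES = {
    "_locky_recover_instructions.txt",
    "_locky_recover_instructions.bmp",
    "_what_is.html",
    "_what_is.bmp",
    "_adatok_visszaallitasahoz_utasitasok.txt",
}


def scope_infection(root: str) -> Tuple[Counter, List[str]]:
    """Walk root; return per-variant encrypted-file counts and the folders
    (relative to root) that contain a ransom note."""
    counts: Counter = Counter()
    note_dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in FAMILY_EXTENSIONS:
                counts[FAMILY_EXTENSIONS[ext]] += 1
            elif lower in RANSOM_NOTES:
                note_dirs.add(os.path.relpath(dirpath, root))
    return counts, sorted(note_dirs)


def build_sample_tree() -> str:
    """Constructed stand-in for a hit share (placeholder bytes, no payload).
    Arbitrary hex names stand in for the renamed encrypted files."""
    root = tempfile.mkdtemp(prefix="locky_scope_")
    layout = {
        ("Finance",): [
            "A1B2C3D4E5F60718AABBCCDDEEFF0011.locky",
            "B2C3D4E5F60718A9AABBCCDDEEFF0022.locky",
            "_Locky_recover_instructions.txt",
            "_Locky_recover_instructions.bmp",
        ],
        ("Finance", "2016"): ["0011223344556677.thor", "_WHAT_is.html", "_WHAT_is.bmp"],
        ("HR",): ["salaries.xlsx", "contract.docx"],   # untouched folder
    }
    for parts, names in layout.items():
        folder = os.path.join(root, *parts)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        counts, note_dirs = scope_infection(sample_root)
        for variant, n in counts.most_common():
            print(f"{variant}: {n} encrypted file(s)")
        print("folders with ransom notes:", note_dirs)
    finally:
        shutil.rmtree(sample_root)
```

Run it read-only against every share the infected account could reach, not just the local disks, since the article notes that Locky also encrypts unmapped network shares. The folders that hold a ransom note but no encrypted files are worth a second look: they show where the run was interrupted.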

What to do if your computer gets hit by Locky malware

With ransomware, it is always better to secure yourself before the attack. However attentive and careful you are, you can still be deceived, because malware arrives disguised as a harmless-looking file, in the manner of a Trojan horse. We strongly recommend backing up your data regularly to an external drive that is disconnected from the computer between backups.

Unfortunately, Locky can lock your personal files for good. As mentioned above, it deletes the Shadow Copies, so do not count on recovering from them. The only reliable way to get your files back is to restore them from an external backup. Eliminate Locky before you plug the backup drive in, because, as noted above, it encrypts data on external drives connected to the infected machine as well.

If you do not have copies of your files on an external drive, you have three options left:

  1. You can try one of these tools: Kaspersky's virus-fighting utilities, R-Studio or PhotoRec. Note that they do not decrypt anything; R-Studio and PhotoRec attempt to carve deleted original files from unallocated disk space, which only works if the originals were deleted rather than overwritten and that space has not been reused since;
  2. You can wait until someone creates a Locky decryption tool (this may take a long time);
  3. The last option is to pay the ransom, which we DO NOT recommend. There is NO guarantee that the criminals will give you the decryption key, and paying funds their next campaign.

To remove Locky, we recommend one of the following anti-malware programs: Reimage (Windows) or Malwarebytes Anti Malware (Windows/Mac). Alternatively, you can try Plumbytes Anti-Malware. These three programs are professional malware removal tools that can completely terminate the Locky virus.

NOTE. Anti-malware programs DO NOT decrypt the encrypted data. They are meant to eliminate malicious programs and their components. 

Quick tips on how to prevent ransomware attack:

    1. Keep your security software up to date and install new versions as soon as they are available;
    2. Protect your PC with anti-malware software and make sure Windows Firewall is always on;
    3. Back up your files. A cloud folder that is synced or mapped to your computer is encrypted like any local folder and the encrypted copies sync upward, so rely on offline or versioned backups rather than a live sync share;
    4. Stay out of the 'Spam' and 'Junk' folders and do not open suspicious emails or their attachments;
    5. Update software frequently, and make sure Java, Adobe Flash Player and other programs are current.

Instructions that will help you to complete Locky virus removal

Before you try to remove Locky, realise that you are dealing with a seriously dangerous virus. To remove it entirely you must get rid of every one of its files, because otherwise it can come back and encrypt NEW files right after a reboot. If you are looking for a reliable removal tool, we recommend Reimage or Malwarebytes Anti Malware. The virus may try to block these programs, so to launch them, or to download one if you have none yet, reboot your PC into Safe Mode first. Follow the instructions below carefully to run the removal program and complete the Locky removal procedure.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Locky ransomware you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall Locky ransomware. The free scanner lets you check whether your PC is infected; to remove malware you have to purchase the licensed version of the Reimage malware removal tool (compatible with Microsoft Windows and OS X). If Reimage fails to remove the infection, submit a question to our support team with as much detail as possible. More information about this program can be found in the Reimage review.

Alternate software, each tested for efficiency in removing Locky ransomware on 2016-11-03: Plumbytes Anti-Malware, Malwarebytes Anti Malware, Hitman Pro, Webroot SecureAnywhere AntiVirus.

[Screenshot: Locky ransomware snapshot. The fake Locky decryptor page asks to pay a ransom.]

Manual Locky virus Removal Guide:

Remove Locky using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer starts up again, press F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. When the computer comes back up, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Locky

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program, update it, run a full system scan and remove the malicious files belonging to the ransomware to complete Locky removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Remove Locky using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer starts up again, press F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. When the computer comes back up, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window appears, type cd restore and press Enter. (On Windows 7 and later, rstrui.exe sits in System32 itself, so if cd restore fails you can run rstrui.exe directly.)
    2. Now type rstrui.exe and press Enter.
    3. When the System Restore window appears, click Next and select a restore point dated before the Locky infiltration, then click Next.
    4. Click Yes to start the restore.
    Once the system has been restored to an earlier date, download Reimage, scan your computer and make sure that Locky removal has been completed. Note that System Restore returns system files and settings, not your encrypted documents, and because Locky deletes the shadow copies that restore points live in, a usable restore point may not exist.

Bonus: Recover your data

The guide above is meant to help you remove Locky from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts.

Unfortunately, .locky files can only be recovered with the unique decryption key held by the criminals. If you are unwilling to pay for your own files, or simply refuse to hand money to scammers, you are making the right choice. We always encourage users not to pay: first, no one guarantees that the decryption tool offered by the criminals actually works, and second, it may arrive bundled with more malware. To recover your files, use your backup drives. If you never made a backup, look for intact copies of important files on USB sticks, CDs or DVDs, or among files sent via email or social media. Make sure you delete the virus first! Otherwise it will encrypt the files on a storage device as soon as you plug it in, or the files you download to the computer from the Internet.

If your files are encrypted by Locky, you can use several methods to restore them:

Use Data Recovery Pro service

To recover your files, you can try this tool – Data Recovery Pro. Although there is no guarantee, it might help you to restore the encrypted data.

Use Windows Previous Versions feature

If your files have been corrupted by this ransomware, you may be able to restore individual files from their previous versions. Keep in mind that this feature depends on Volume Shadow Copies, and Locky deletes them with vssadmin, so it only helps if that deletion failed (for example because the command was blocked or ran without administrator rights). Try the following steps:

  • Find an encrypted file you need to restore and right-click it;
  • Select "Properties" and open the "Previous versions" tab;
  • Check the available copies under "Folder versions", select the version you want to recover and click "Restore".

Finally, always think about protection against crypto-ransomware. To protect your computer from Locky and other ransomware, use a reputable anti-spyware product such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

  • marius

    another ransomware? cannot believe it… are those cyber criminals going to stop creating those viruses one day? well, at least someone NEEDS to stop them! this ransomware has attacked my classmate. all his study work was destroyed!

    • camille

      I cannot believe these frauds can steal people's money in such an easy way, and no one does anything to catch them… How long is it going to last?

      • cami2

        + bitcoin operates as a mule for these criminal scum..
        ..and still no free decrypt tool?

  • Rupert

    Oh my god, I heard that this virus attacked Hollywood Presbyterian Medical Center, that is horrible! they had to pay 17k dollars… Incredible

    • Hawanna.68

      ya dude I heard it too. scary, isn't it? I can't believe they actually paid the ransom!

  • Paulaaa5

    I removed the ransomware, now can someone help me to decrypt my files!!!

  • Pimmo

    Wow, this is really frightening. Does e-mail provider like Gmail sort such trash out? Well do they at least assign it to Spam?

  • kin

    How to recover Locky? I bought SpyHunter