
Locky virus. How to Remove? (Uninstall Guide)

Also known as .locky file extension virus | Type: Ransomware

Locky ransomware 2017: developers of the virus work consistently, the number of victims continues to grow

Locky ransomware is a piece of crypto-malware that showed up at the beginning of 2016[1]. Since then, it has been constantly changing its distribution technique and the functionality used to extort money from people. This strategy can be considered successful, because it is the first ransomware virus that has ever made it to the top three on the most dangerous malware list. Together with the Conficker and Sality viruses, Locky hides behind 50 percent of all recognized attacks[2]. It is not hard to notice that you are infected with this ransomware. If infected, you will see one of these extensions added to your files: .locky, .zepto, .odin, and .shit. Yes, you are right, the last extension, which was first used by this virus in October 2016, is "shit." If you can see any of these extensions added to your scrambled files, you need to remove Locky virus first. Otherwise, it can try to continue its encryption on your computer. Besides, it can affect files that are on your network and in similar locations. For the removal of this ransomware and its files (the Shit version drops _WHAT_is.html, _[random numbers]_WHAT_is.html, and _WHAT_is.bmp files), use Reimage, Plumbytes or Webroot SecureAnywhere AntiVirus applications. However, we must warn you that these programs cannot decrypt your encrypted files. Virus researchers are still trying to find the "vaccine" for this version of ransomware. However, to recover the locky files you can use the Data Recovery tips created by researchers.

The latest Locky distribution techniques

This ransomware infects users' computers via spam email attachments. Typically, Locky ransomware (this is an alternative name of this threat) spreads as HTA, JS, or WSF files that try to convince the victim that they contain some important documents. The most popular one is called MRI6219316107.js. This JavaScript file is believed to be the main one used to install Locky on the system. If you see this file attached to a suspicious email sent to you by an unknown person, delete the email immediately. In the past, the ransomware used Word files to infiltrate the system without letting the victim know what was initiated behind his or her back. Besides, IT experts have also identified that the threat relies on .lnk files, which are transferred to the affected system with the help of Nemucod. The LNK file type represents Windows shortcuts and can be linked to an application that many people have on their computers, for example, PowerShell. The malicious .lnk file carries a PowerShell script that connects to specific domains by using a parameter. The use of a parameter is a clear sign that criminals control these domains, and these malicious websites can be specifically prepared or just compromised ones held under control by cyber criminals. Researchers from Microsoft claim that the malicious Internet sites are updated daily and are supplied with new versions of the malware payload. The aforementioned PowerShell script is set to download the ransomware from predetermined domains. Typically, the malware is saved in the %TEMP% folder. The essence of this technique is that the new .lnk file helps Locky evade detection by malware removal utilities. Therefore, it is of utmost importance to update security programs daily.

In the second half of June, the infamous botnet called Necurs, which was believed to be shut down after a few weeks of existence, re-emerged and started delivering updated Locky versions[3]. Unfortunately, it seems that the botnet was actively used to spread this ransomware via infected email attachments named services_[name]_[6 random digits].zip, [name]_addition_[6 random digits].zip and [name]_invoice_[6 random digits].zip. All these zip archives are loaded with a malicious JavaScript document. After the victim opens this document, the malicious executable gets into the system and starts working. You have to perform a full Locky removal to get rid of it.

The initial Locky ransomware: method of functioning

When Locky was noticed for the first time, it seemed to work similarly to CTB Locker, Cryptowall, Teslacrypt, and Cryptolocker. Just like its predecessors, it used a mixture of RSA-2048 and AES-128 ciphers to leave its victim without the ability to retrieve his or her files. This combination of encryption ciphers can be beaten only with the help of a special decryption code which is held by the developers of the malware. In exchange for this code, victims are asked to pay from 0.5 to 1.00 Bitcoin (or $400). Nevertheless, security experts have been urging them NOT to pay for this key because there is no guarantee that the "key" will work for them. In addition, these actions can also be performed by Locky malware:

  1. Once installed, the virus saves itself under the svchost.exe name into the %TEMP% directory. The malware also removes the Zone.Identifier flag from this file to prevent the computer from identifying it as "File Downloaded from the Internet" and warning the victim. Then it executes this file.
  2. The virus assigns itself to startup programs, so that in case the victim restarts or shuts down the PC during the encryption process or before it, it is still able to finish the encryption procedure. It must be noted that this virus contacts its C&C center to get the unique encryption key.
  3. Data encryption begins. It might take several hours to encrypt the required files. As a rule, the virus stays unnoticed at this stage, but you may notice system slowdowns and similar issues on your computer.
  4. Now this ransomware starts showing a ransom note on the victim's computer. This _Locky_recover_instructions.txt warning message is almost identical to previous ones used to let people know how many bitcoins they should transfer to the developers of Locky virus to get the special decryption key needed for the decryption of their files.

Update: Virus becomes able to perform an offline encryption

In September 2016 security experts noticed that Locky does not need to contact C&C servers to get the RSA key (explained in step 2)[4]. Now it uses an embedded key, which helps it infect computers where the firewall blocks connections to C&C servers. This new trick helps the developers of this ransomware implement offline encryption that does not require spending their money on servers and domains. However, it seems that this version of the virus hasn't been perfectly polished yet, because there are some mistakes related to its distribution. It appears that Locky, aka Zepto, virus arrives in the form of a .ZIP file which contains JS files. If the victim attempts to launch any of them, a Windows Script Host error shows up. This message appears because these JS files are actually HTA files. This version adds the .Zepto file extension to encrypted files and creates ransom notes called _HELP_instructions.html and _HELP_instructions.bmp.

Update 2: Locky exploits Quant Loader to compromise computers

At the end of September the malware was discovered to rely on Quant Loader[5], a tool that is advertised in Russian underground hacking forums as a Trojan horse that is capable of infecting the victim's PC without any harsh techniques and giving full access to the hacker. Criminals who buy this Trojan can use a specifically designed admin panel that gives control of the compromised computers and lets them decide what malware to inject into them. Criminals can even choose what computers to attack, ordering them by geographic location. According to research, Quant Loader malware is suspected to be one of the primary tools used to distribute Locky ransomware and also Pony Trojan (a data-stealing virus). The distributors of Quant Loader are criminals that belong to the malware gang known as "C++ GURU" or "CPP GURU."

How to identify phishing emails that deliver Locky ransomware?

Updated on December 5, 2016. It seems that the virus' developers turned back to the old distribution technique and are again using massive email spam campaigns to spread the malware. Millions of email accounts have received a message from scammers that features this subject line:

Document/Photo/Scan from office

The malicious email carries a .zip attachment that contains a .vbs file. If the user extracts the archive and launches the .vbs file, it connects to one of dozens of malicious domains online and downloads Locky from there. The virus arrives in an obfuscated form (with the help of an XOR cipher with the M7meLUMMVmEaR2eHds9aMc04MzRpdZmV value). Following successful infiltration, the malicious program gets decoded on the victim's computer and runs itself to start the encryption process. What is more, this version of the virus also connects the compromised PC to a botnet[6]. It means that the compromised computer becomes a zombie that can be used for malicious purposes, for example, to implement DDoS attacks.

Update February 03, 2017. While Locky attacks went down during the holiday season, we can already see an increase in statistics - it means that criminals are back on track again, and this time we want to inform computer users about another major and very dangerous email spam campaign that is going on at the moment. As we have described earlier, Locky used to be distributed via .lnk files that executed PowerShell scripts. This time, new PowerShell scripts are created, and they are inserted into malicious .lnk files that are archived into .zip files and distributed via email. Cyber criminals are trying to give the impression that these emails come from the well-known US Postal Service (also known as USPS). These emails contain a .zip attachment called Item-Delivery-Details-[random numbers].zip, Delivery-Receipt-[random numbers].zip, and similarly entitled files. These emails contain a short message, which says that some kind of parcel has been shipped, arrived or delivered and kindly suggests viewing the contents of the attached archive. This .zip archive contains another .zip archive, which holds the malicious .lnk file. Keep in mind that this .lnk file has a double extension - it has a fake ".doc" file extension added to its filename, although that doesn't specify the file format at all. It is actually a .lnk file holding the PowerShell script. Once opened, the script is activated and connects to obfuscated domains to download malware from them. During this routine, the script performs checks to see if the download was successful and if the downloaded file takes more than 10kB in size. If so, it stops trying to download malware from these domains. It also stops if it goes through five URLs twice and doesn't manage to download the ransomware. What is interesting is that now cybercriminals decided to distribute Kovter.C Trojan alongside Locky ransomware. Therefore, if the PowerShell script successfully installs Locky, it then continues and connects to another malicious domain hosting the click-fraud Kovter.C virus, which is known to be a file-less infection.
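The delivery patterns described in this section (script files inside .zip attachments, a .zip nested in another .zip, and a .lnk shortcut hiding behind a fake ".doc" extension) can be checked at a mail gateway or during triage without extracting anything to disk. The following Python sketch is an added example, not code from the original article; the function names, the extra decoy extensions and the size and depth limits are assumptions, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Script and shortcut types the article names as Locky carriers.
RISKY_EXTS = {".hta", ".js", ".wsf", ".vbs", ".lnk"}
# Decoy inner extensions. The article mentions only ".doc"; the rest are
# assumptions added for this example.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".jpg"}
# Attachment name patterns quoted in the article.
NAME_PATTERNS = [re.compile(p, re.I) for p in (
    r"^services_.+_\d{6}\.zip$",
    r"^.+_addition_\d{6}\.zip$",
    r"^.+_invoice_\d{6}\.zip$",
    r"^Item-Delivery-Details-\d+\.zip$",
    r"^Delivery-Receipt-\d+\.zip$",
)]
MAX_DEPTH = 3                    # how many archive levels to open (assumption)
MAX_NESTED_BYTES = 5 * 1024**2   # largest nested archive read into memory


def last_two_exts(name):
    """Return (second-to-last, last) lower-cased extensions of a member name."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return prev, last


def triage_zip(data, attachment_name="", depth=0, prefix=""):
    """Return a list of (finding, path) tuples for a zip held in memory."""
    findings = []
    if depth == 0 and any(p.match(attachment_name) for p in NAME_PATTERNS):
        findings.append(("name-pattern", attachment_name))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(("not-a-zip", prefix or attachment_name))
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = prefix + info.filename
            prev, last = last_two_exts(info.filename)
            if last in RISKY_EXTS:
                findings.append(("script-or-shortcut", member))
                if prev in DECOY_EXTS:
                    # e.g. "receipt.doc.lnk": Windows hides ".lnk", so the
                    # recipient sees what looks like a document.
                    findings.append(("double-extension", member))
            elif last == ".zip":
                too_deep = depth + 1 >= MAX_DEPTH
                too_big = info.file_size > MAX_NESTED_BYTES
                encrypted = bool(info.flag_bits & 0x1)
                if too_deep or too_big or encrypted:
                    findings.append(("nested-zip-not-inspected", member))
                else:
                    findings.extend(triage_zip(
                        archive.read(info), depth=depth + 1,
                        prefix=member + "!"))
    return findings


def build_sample():
    """Constructed sample: zip-in-zip holding a harmless placeholder file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Delivery-Details.doc.lnk", b"constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("details.zip", inner.getvalue())
    return "Item-Delivery-Details-000123.zip", outer.getvalue()


if __name__ == "__main__":
    name, blob = build_sample()
    for finding, path in triage_zip(blob, name):
        print(f"{finding:24} {path}")
```

A name-pattern match alone is weak evidence; the script-or-shortcut and double-extension findings are the ones worth quarantining on.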

Current list of Locky versions and related malware (Updated on February 20, 2017)

Locky ransomware. It is the first version of Locky virus. It spreads in the form of a Word document, which contains malicious code that can be activated via Word macros. Once the code gets activated, this malware downloads and executes a malicious program which scans the computer system for personal files and irretrievably encrypts them using the AES encryption algorithm. It drops the _Locky_recover_instructions.txt file on the computer after it encrypts all records. This document informs the victim what happened and commands him/her to pay up to retrieve corrupted files. If your PC has been infected with Locky, you should not pay up! You risk losing your money since you cannot rely on cyber criminals and the promises they make. Unfortunately, computer experts haven't found a tool that could decrypt files that the ransomware affects, so the only possible way to recover your files is to import them from a backup. If you do not have one, there's not much you can do now.

Locky decrypter, or Locky decrypt tool. It is the software that victims of this ransomware usually look for. Cyber criminals who spread this virus inform victims that the only way to decrypt the encrypted files is to buy the unique Locky decrypter software, which supposedly can decrypt the victim's data. The price of this decrypter starts from 0.5 Bitcoins (which is equal to 225 Dollars), but may vary depending on the case. However, computer security experts encourage victims NOT to buy this software because it might be useless. We also advise you not to look for Locky decrypter on the web because cyber criminals can spread these files filled with malicious components.

AutoLocky virus. This is a less dangerous copy of Locky virus. Its executable file spreads via spam emails and, once the victim opens it, the virus encrypts files and asks for a ransom (0.75 Bitcoin, so approximately 325 dollars). It uses Locky's name to look scary; however, it is not as dangerous as the real version of the malware. AutoLocky ransomware is written in the AutoIt language, so it is not as complicated as Locky, which is written in the C++ programming language. Fortunately, computer experts have already discovered an AutoLocky decryption tool, so now victims can recover encrypted files.

.locky file extension virus. This variant of this ransomware appends .locky file extension to filenames after encrypting victim's records. If you see that these extensions were added to your files, and if you cannot open them, it is a clear sign that you have become yet another victim of Locky virus attack. This variant also suggests Locky decrypt tool in exchange for a large sum of money. As we have already mentioned, you risk losing your money just as you have lost your files if you transfer money to cyber criminals. We strongly advise you NOT to do so.

_Locky_recover_instructions.txt. This file includes Locky virus data recovery instructions. These are provided by cyber criminals, and unfortunately, they do not present information how to recover files for free. This so-called ransom note or a few variants of it can be found on every computer that has been affected by this virus. This document explains that victim needs to download and install Tor browser and then navigate to particular websites for further information how to decrypt Locky. Later on, cyber criminals command the victim to buy and send Bitcoins to them.

Bart virus. Also known as Locky Bart ransomware, this malware is considered unique since it does not encrypt files, but adds them to individual ZIP archives and protects them with a password. It names these archives as [original filename] What is more, this virus does not communicate with its Command & Control server, which means that it keeps locking files one after another even if the user disables the Internet connection. Another interesting feature of Bart is that it checks language settings on the computer and terminates itself in case Russian, Belorussian or Ukrainian language is set as default. This virus asks to pay 3 Bitcoins to get all data back. We never encourage ransomware victims to pay ransoms, as cyber criminals might refuse to provide the decryption key, or, in this case, Decryptor Bart.

Bart v2.0 ransomware virus. A newly released and improved version of Bart ransomware is a serious menace for all computer users that do not keep their computers protected. After infecting the system, it encrypts records using RSA4096 encryption and adds file extensions to them. The virus demands roughly 1800 USD in exchange for the Bart2 Decryptor. Victims are advised not to pay such enormous ransom and look for other decryption methods. The most efficient way of restoring encrypted files is to import healthy data from a backup. Needless to say, Bart 2.0 removal should be fully completed before attempting to transfer data copies into the computer.

Zepto virus. Zepto is the latest variant of an infamous ransomware. It was discovered in June 2016, and this virus is an improved version of the infamous .locky file extension virus. It was released right after Bart ransomware, and it spreads via malicious email campaigns. This computer threat encrypts data using both AES-128 and RSA-2048 ciphers, making it nearly impossible to crack the virus and create a free decryption tool. In other words, it might be impossible to decrypt your files after this virus encrypts them. Authors of this virus ask to pay a ransom to get a Zepto decryption key, which can be bought via Locky payment site. However, there is no information if crooks actually provide victims with the key after they pay the ransom.

ODIN virus. One of the latest versions of Locky can be recognized from .odin file extensions added to encrypted data and ransom notes left on the desktop - HOWDO_text.bmp and HOWDO_text.html files. The virus commands the victim to go to the ODIN payment page, which suggests buying Locky Decrypter. Since this ransomware has not been defeated yet, neither has ODIN, and victims can only hope for the best. Files can be restored from backups, but Odin ransomware and related files must be entirely cleared from the system before plugging the device with the backup into the computer. Odin ransomware is just as dangerous as the vast majority of other crypto-Trojans, and you must take action to protect your computer in advance if you do not want to be affected by Odin's payload.

Shit virus. This malware showed up in the beginning of October and shook the entire community with its name. Once it infects the target computer, it uses Rundll32.exe to start its work and drops _WHAT_is.html, _[random numbers]_WHAT_is.html, and _WHAT_is.bmp files to inform its victim about the computer's state. Beware that this malware targets over 380 file extensions, including .docx, .xml, .txt, .pdf, .xls, .odt, .key, wallet.dat and others. It is essential to protect your computer from this ransomware because there is no Shit decrypter invented yet. To avoid such a dangerous virus, you need to protect your computer with powerful anti-malware software.

Thor virus. Thor ransomware has been detected at the same time when .shit file extension virus appeared. This new version adds .thor file extensions to each encrypted file and also distorts the original filename to make the files unrecognizable. It also leaves _WHAT_is.html ransom note and a .bmp version of it on computer's desktop. This particular ransomware version demands a slightly smaller payment - more or less half a Bitcoin. Unfortunately, there is no way to restore .thor files once the ransomware renders them useless. For this reason, victims are advised to protect files in advance by creating a backup and installing anti-malware software on the system.

Hucky virus. Malware developers keep on using Locky as the software they base their own creations on. Hucky (an abbreviation of Hungarian Locky) is one of these products too. It has emerged on the web quite recently, so there is still not much information about it. What we do know is that the ransom note and the desktop picture it deploys on the computer are all in Hungarian. So, the typical Locky file recovery instructions appear as _Adatok_visszaallitasahoz_utasitasok.txt and feature Hungarian data retrieval information as well. Another interesting feature is that Hucky adds the old ".locky" extension to all of the encrypted files. Though Hucky seems to replicate the older version of the Locky virus, this does not mean it is less dangerous. We should not forget that it was the original Locky virus that started wreaking havoc on unsuspecting victims' computers. Thus, Hucky should not be treated any less seriously.

.Aesir file extension virus. This virus emerged at the end of November 2016 and is yet another version of Locky with a name associated with Norse mythology. Following a successful data encryption using RSA and AES ciphers, .Aesir virus appends .aesir file extensions to encrypted data. The new ransomware uses new C2 servers and is reportedly distributed via a malicious Facebook spam campaign that is based on a bogus message attachment that ostensibly is a Photo_[random chars].svg file. Once the victim clicks to open it, hidden JavaScript code gets activated and redirects the victim to a phishing website, which asks to install a browser add-on in order to view a video. If the user installs it, the malicious extension downloads the Nemucod Trojan downloader and sends out the malicious .svg file to all of the victim's Facebook friends via FB Messenger. As a result, the victim unwillingly delivers the malicious file to all friends and receives a Trojan that connects to an online server and downloads Aesir ransomware virus to the computer. .Aesir ransomware is yet another undecryptable ransomware variant; the only ones who can recover encrypted data are those who have an intact data backup. The virus must be removed from the system before plugging the backup drive into the PC.

Osiris ransomware virus. Spotted on December 4th, the new Locky virus shows its uncrackable power to render the victim's files useless again. Currently, the malware spreads around in the form of an obfuscated .zip archive that features a .vbs file. Malicious emails that deliver the malicious program are reportedly named "Photo/Document/Archive from office." After encoding all of the victim's files, the malicious program appends the .osiris file extension next to the original file name and drops a ransom note called OSIRIS-[4 symbols].html in every folder that holds encrypted records. Just like previous versions, Osiris virus uses an uncrackable encryption method and obfuscation layers to prevent malware researchers from finding an antidote for it. Currently, there is no information whether the decryption software offered by malware authors actually can decrypt files, so victims are advised not to rush to buy the decryption software. Besides, criminals might refuse to provide it - we know cases when ransomware authors pretend to be negotiating with the victim but ask for more money as soon as the victim transfers the smaller ransom to criminals. Our team recommends that victims remove Osiris as soon as possible because the malware might download additional viruses to the system while the victim hesitates whether to pay the ransom or not.

Fake Locky ransomware (Locky Impersonator virus). Considering that Locky is a fearsome word to anyone who is at least a bit familiar with cybercrime news, amateur virus developers try to get their piece of the pie by trying to act on behalf of the real Locky virus. The latest fake Locky ransomware is known as Locky Impersonator ransomware; however, its authors obviously lack programming skills because they didn't even bother to create a payment website for victims to pay ransoms. Instead, they count on a much easier tactic and leave a ransom note called Rans0m_N0te_Read_ME.txt on the compromised computer's desktop, filled with commands from the cybercriminals. The ransom note says: "Files has been encrypted with Locky Ransomware [...] nobody will be able to recover your data since its set to AES-256 and requires our Key". Locky Impersonator demands 1.0 BTC sent to a provided Bitcoin wallet address and says that if the victim fails to pay up within 48 hours, the ransom price doubles. In case the victim doesn't transfer money in 72 hours, the crooks promise to delete the recovery keys. They also ask the victim to contact the fraudsters via an email address. We highly recommend that you remove Fake Locky virus and patiently wait for a free decryption tool, which malware experts can create anytime soon.
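The file extensions and ransom-note names listed for the versions above can be turned into a read-only sweep of a disk or network share, which shows which folders were reached and which variant left its notes there. The following Python sketch is an added example, not code from the original article; the function names and report layout are assumptions, the "4 symbols" in the Osiris note name are matched as any four characters, and the sample directory tree is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Extensions the article says are appended to encrypted files.
ENCRYPTED_EXTS = {".locky", ".zepto", ".odin", ".shit",
                  ".thor", ".aesir", ".osiris"}

# Ransom-note file names quoted in the article, with the version that drops them.
NOTE_PATTERNS = [(re.compile(p, re.I), label) for p, label in (
    (r"^_Locky_recover_instructions\.(txt|bmp)$", "Locky"),
    (r"^_HELP_instructions\.(html|bmp)$", "Zepto"),
    (r"^HOWDO_text\.(html|bmp)$", "ODIN"),
    (r"^_(\d+_)?WHAT_is\.(html|bmp)$", "Shit or Thor"),
    (r"^_Adatok_visszaallitasahoz_utasitasok\.txt$", "Hucky"),
    (r"^OSIRIS-.{4}\.html$", "Osiris"),
    (r"^Rans0m_N0te_Read_ME\.txt$", "Locky Impersonator"),
)]


def sweep(root):
    """Walk root without modifying anything and summarise Locky indicators.

    Returns a dict with:
      encrypted - {extension: number of files carrying it}
      notes     - {version label: sorted list of note paths relative to root}
      dirs      - sorted list of directories (relative to root) with any hit
    """
    encrypted = defaultdict(int)
    notes = defaultdict(list)
    hit_dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXTS:
                encrypted[ext] += 1
                hit_dirs.add(rel_dir)
                continue
            for pattern, label in NOTE_PATTERNS:
                if pattern.match(name):
                    notes[label].append(os.path.join(rel_dir, name))
                    hit_dirs.add(rel_dir)
                    break
    return {
        "encrypted": dict(encrypted),
        "notes": {label: sorted(paths) for label, paths in notes.items()},
        "dirs": sorted(hit_dirs),
    }


def build_sample_tree(root):
    """Constructed sample: empty files named like the article's indicators."""
    layout = {
        "docs": ["4F2A9C01.osiris", "OSIRIS-9f3c.html"],
        "pics": ["0001.thor", "_4821_WHAT_is.html", "holiday.jpg"],
        "clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = sweep(tmp)
        print("encrypted files:", report["encrypted"])
        print("ransom notes:   ", report["notes"])
        print("affected dirs:  ", report["dirs"])
```

The list of affected directories is also a quick way to decide which folders need restoring from backup once the malware itself has been removed.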

Locky ransomware fix using anti-malware programs

As you can see, Locky virus is well-structured malware, which can easily lead to the loss of your files. It is known that it has already been translated into a number of different languages and spread through Outlook and Microsoft 365. Some PC security experts call it "a masterpiece of criminality". The consequences for infected users can be devastating. Most anti-virus and anti-spyware programs have been failing to prevent this virus, but now it seems that this issue is solved. Most security software, e.g. Reimage, Plumbytes or Webroot SecureAnywhere AntiVirus, can help block and remove Locky before it manages to cause further damage. If you want to be safe from this cyber threat, consider installing a reliable anti-spyware. In addition to this, you have to be extremely cautious when downloading an attachment received from a suspicious source. No matter how harmless the sender of a .js or Word attachment seems, you should try to contact him or her before downloading it to your computer. If you are infected, you have probably found out that the Locky removal procedure is long and difficult. The same can be said about recovering affected files. In this case, the most important thing is to realize that the removal does not help retrieve files that are blocked by this ransomware. If you are infected, you should follow the guide given below and fix your computer before you lose more of your files.

FAQ about Locky malware:

Question: Can I decrypt my files after the infiltration of Locky virus?

Answer: Unfortunately, there is no Locky decrypter invented yet. If you can't remember backing up your data, which is the only process capable of helping people prevent the loss of their files, you can try this software: Photorec, Kaspersky virus-fighting utilities or R-Studio. However, there is no guarantee that these programs will help you get your files back. Also, you should not forget the security of your computer. You must remove Locky virus from the system ASAP. For that, we recommend installing Reimage.

Question: I have just received an email message saying "Please see the attached invoice". Also, it has the "ATTN: Invoice J-98223146" document added to it. Unfortunately, I have already downloaded it, and now my files are blocked! Why?

Answer: Unfortunately, you were infected with .Locky virus. This is a seriously dangerous virus, which requires a special payment for giving people an opportunity to decrypt their files. To fix your computer and remove malicious files, please check the step-by-step guide given down below.

Question: How could I remove Locky virus? Will this help me recover my files that are blocked by this ransomware?

Answer: Unfortunately, the easiest way to "unlock" your files is to enter the key, which is held by Locky developers. This key cannot be guessed or stolen, so the only option you have while trying to get it is to pay the ransom to its developers. However, you could try to recover your files with the help of their backups. Check your CDs, external drives, Dropbox and similar online solutions for them. To remove Locky virus from your computer, you should install a reliable anti-spyware and check your computer for malicious files with its help.

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use. By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.
Reimage is recommended to uninstall Locky virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

Locky virus manual removal

Delete registry values:
HKCU\Software\Locky\completed 1
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
Delete files:

Method 1. Remove Locky using Safe Mode with Networking

Note: some versions of this virus disable anti-spyware software to prevent its removal from the system. If your anti-spyware does not start, you should reboot your computer to Safe Mode with Networking. For that you can use the following steps.

Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
Step 2: Remove Locky

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Locky removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Reimage is a tool to detect malware. You need to purchase full version to remove infections.
More information about Reimage

Method 2. Remove Locky using System Restore

If Safe mode with networking does not help, you can also use System Restore function. When performing it, you can try Windows Previous Versions feature to recover some of your files. Remember that this function is available only if System Restore was enabled before the computer was infected. Note that newer versions of Locky tend to delete the Shadow Volume Copies of the files, making their recovery impossible.

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Command Prompt from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
  • Once the Command Prompt window shows up, enter cd restore and press Enter.
  • Now type rstrui.exe and press Enter again.
  • When a new window shows up, click Next and select a restore point that is prior to the infiltration of Locky. After doing that, click Next.
  • Now click Yes to start the system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Locky removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Locky from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Locky virus has not been defeated yet, and it functions at full capacity at the moment. Sadly, it uses advanced techniques, and it is obvious that the programmers behind this ransomware project are extremely advanced. Malware researchers have found no flaws in this ransomware that would allow the creation of a free decryption tool, so it seems that these criminals know what they're doing. If they have managed to convince you to open a malicious file and install the ransomware unknowingly, please do not listen to what they say and do not pay the ransom. Most likely they will not provide the decryption software. If you do not have a data backup, it might be impossible to recover your files; however, you should try the following methods, which might help you restore corrupted data.

If your files are encrypted by Locky, you can use several methods to restore them:

Restore files encrypted by Locky with Data Recovery Pro

Victims of Locky virus can use data recovery functions provided by Data Recovery Pro software. It is very easy to use this application - these instructions can prove it:

Restore files encrypted by Locky with the help of Windows Previous Versions feature

Files are securely encrypted, but you can try to recover their previous versions by following these instructions. Please understand that this method is effective only if you activated the System Restore function in the past.

  • Find an encrypted file you need to restore and right-click on it;
  • Select "Properties" and go to "Previous versions" tab;
  • Here, check each of the available copies of the file in "Folder versions". You should select the version you want to recover and click "Restore".
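
An added example (not part of the original guide): both the restore-point step in Method 2 and the Previous Versions steps above require a copy that predates the infection. This Python sketch inventories files carrying the extensions and ransom-note names this guide mentions and reports the earliest modification time among them. It assumes an encrypted file's modification time reflects when the ransomware wrote it; `triage`, `build_sample_tree` and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extensions and ransom-note name fragments taken from this guide.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit"}
NOTE_MARKERS = ("_what_is", "help_instructions")


def triage(root):
    """Walk root; return encrypted-file counts, ransom notes, earliest encryption time."""
    counts, notes, earliest = {}, [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in LOCKY_EXTENSIONS:
                counts[ext] = counts.get(ext, 0) + 1
                try:
                    # Assumption: mtime approximates when the ransomware wrote the file.
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable file: counted, but no timestamp
                if earliest is None or mtime < earliest:
                    earliest = mtime
            elif any(marker in lower for marker in NOTE_MARKERS):
                notes.append(path)
    when = datetime.fromtimestamp(earliest, tz=timezone.utc) if earliest is not None else None
    return {"counts": counts, "notes": sorted(notes), "earliest_utc": when}


def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files, one note, one clean file."""
    os.makedirs(os.path.join(root, "docs"))
    samples = [("A1B2.locky", 1480000000), ("C3D4.odin", 1480000600),
               ("_WHAT_is.html", 1480000700), ("report.txt", 1470000000)]
    for name, mtime in samples:
        path = os.path.join(root, "docs", name)
        with open(path, "wb") as handle:
            handle.write(b"constructed sample")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print(result["counts"], len(result["notes"]), result["earliest_utc"])
```

Run `triage` against a real folder and choose a restore point or file version older than `earliest_utc`.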

Using Locky Decrypter tool as an option to decrypt encrypted files

Locky Decrypter is a tool offered by cyber criminals and it might be completely useless. It costs a lot and is hardly reliable, so we do not recommend buying it. Understand that criminals have illegally encrypted your files and this Decrypter is not some special software that can help you to rescue your files. Cyber criminals are clearly asking for ransom, but they might not provide you with the decryption software or send you a malicious file instead.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Locky and other ransomware, use a reputable anti-spyware, such as Reimage, PlumbytesWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Jake Doe - Computer technology expert



Geolocation of Locky virus

Map reveals the prevalence of Locky virus. Countries and regions that have been affected the most are: Germany.

Comments on Locky virus

I managed to remove the Ransomware by using MalwareFox but I was unable to get my files back until now, your article helped me in restoring some of my files, thanks for the help.
Thank you sir for this complete and high value article .... Here I have noticed something about the instruction files: as you mentioned in this article, the instruction file will not be encrypted. Does that mean the instruction file was created after the system was encrypted? Or are there exceptions in the malicious code that avoid encrypting files named HELP_instructions.html and _HELP_instructions.bmp?!
Scanned my computer with SpyHunter. Removed Locky. Finished.
Yes, silly, you are infected!
All of my files have .locky extension. Does that mean that this ransomware is inside my computer?
I hate ransomware!!!
I've removed the Locky virus but can't restore my encrypted files. What do I do with all the encrypted files? I don't have a recent backup. I did the system restore but it didn't help to get my files back.
Very informative and helpful!! Thank you for helping me to remove Locky virus. Fortunately, I had backups on my computer.
Lucky you, because I hadn't, and now all my files are destroyed!!!!!! I am not going to pay money for cyber criminals, no freaking way, I am not giving them a second chance to deceive me. However, from now on, I will definitely backup my data...
