LockMe ransomware is a virus targets users of 54 countries

LockMe ransomware is a file locking virus[1] started infecting computers in February 2018. This high-prevalence malware uses military-grade AES encryption algorithm to lock files and appends .lockme extension. The process makes personal data like databases, documents, picture and similar files inaccessible. The Command & Control server receives the ID and personal key, and then sends ransom note README_FOR_DECRYPT_YOUR_FILES.txt which explains that users have to pay 0.03 BTC[2] in order to retrieve the key. The message can be presented in 54 languages, meaning that hackers are targeting people all over the world. By mid- July 2018, LockMe ransomware came back, but security researchers noticed no differences from the original version, apart from ransom note which looks visually different.
| SUMMARY | |
| Name | LockMe |
| Type | Ransomware |
| Cipher used | AES |
| File extension | .lockme extension |
| Ransom note | README_FOR_DECRYPT_YOUR_FILES.txt (comes in 54 languages) |
| Ransom size | 0.03 BTC |
| First spotted | February 2018 |
| Means of transmission | Spam emails, malicious websites, exploits, drive-by downloads, etc. |
| Detection and elimination | Use FortectIntego or SpyHunterCombo Cleaner |
Both variants of LockMe virus require users to pay the ransom and then email hackers using the awkward lLockMecQqL3Ruyi7V0RfZ@tutamail.com email address. The ransom note states the following:
All of your files have been Encrypted with military grade system and impossible to brute force, cracking, or reverse engineering it !
If you want all of your files back send me 0.03 BTC .
[+] Your Unique ID : [***]
[+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com
*) Don't try change the '.lockme' extensions , if you change it , your all files can be broken and can't be restored forever .
*) If you've made a payment contact LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com .
*) If you not made a payment all of your private files will be leaked on internet (private photos, documents, videos, and more) .
Question : How to buy Bitcoin ?
Answer : You can buy Bitcoin at this Website : bitcoin.com , coinbase.com , cex.io , paxful.com , coinmama.com , etc .
[+] Your IP : [***] | Your ID : [***] [+]
LockMe ransomware authors intimidate people by saying that they are going to publish personal files, including sensitive photos or important documents on the Internet. Such claims are likely to increase the number of victims paying the ransom, even if security experts do not recommend that. Instead, people should install FortectIntego or another powerful anti-malware and remove LockMe virus immediately.
Although LockMe removal may result in complete file loss, people should not take the risk of identity theft by revealing credit card details, full name, and other personal information. On top of that, paying the ransom does not guarantee that criminals will unlock the data on your PC or won't publish it on the Internet.
LockMe ransomware prevalence increased – more infections spotted
Initially, the number of infected users was not high. However, the latest infections in August were spotted in Russia, Spain and France. As we already mentioned, the new variant of LockMe ransomware does not differ much from its predecessor, as same bitcoin address, file extension, encryption algorithm and email is used.
The LockMe virus can still distribute ransom note in 54 languages, for example:
- Russian,
- English,
- German,
- Turkish,
- Polish,
- Italian,
- Romanian,
- Icelandic,
- Irish,
- Norwegian, etc.
No one can argue that it's oriented towards multilingual users security researchers predict that more infections are around the corner.
It seems that the origin of the LockMe virus is Russia since the original ransom note is written in Russian language and contains the least number of mistakes. All other ransom notes are prepared using Google translator, so, for example, the English version, as you can see above, is a word-to-word translation. Besides, email addresses on the Russian version (LockMecQqL3Ruy7V0RfZ@protonmail.com) and all the rest (LockMecQqL3Ruyi7V0RfZ@tutamail.com and LockMe9hG1F7pbWqThUt9P8@mailfence.com) do not coincide.
LockMe ransomware has infected your PC, you shouldn't worry if you backup your files regularly. Personal files stored both on the cloud, USB, CD or other external drives should not be affected unless the external drive was plugged into the PC during the attack. Unfortunately, we have bad news for those who don't have backups.[3]
At the time of the writing, no LockMe decryptor is created yet, although security researchers are currently working on it. The problem is that ransomware developers don't give much time to transfer the ransom. Usually, it has to be paid within 48 or 72 hours after the decryption.

Even if you lost many important documents or photos, paying the ransom can cause more problems, such as identity theft and, definitely, money loss, so we would recommend you remove LockMe virus with a professional anti-malware software, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes and then try to unlock files using Windows Shadow Volume copies or professional software recovery tools.
Ransomware executable is sent to people's inbox
Ransowame infections are disseminated using various illegal methods. For many years, the most widely spread distribution technique of malicious viruses is spam email. Hackers can purchase people's email addresses on the black market (often soled by adware and browser hijacker developers) and then regularly sent them emails with malicious attachments. Usually, such email messages report important events, ask to claim prizes or pretend to be generated by authorities. If the PC's owner opens the attachment of such email, virus is immediately executed and encodes the files in no time.
In addition, people may get infected via unprotected RDP configuration, fraudulent downloads, exploits kits,[4] fake software update prompts and similar techniques.
Eliminate LockMe ransomware
LockMe virus is a dangerous infection, which may result in both data and money loss. However, it can damage the system, weaken its security, and open the backdoor to other cyber infections. Therefore, you should accelerate LockMe removal.
Manual ransomware removal can hardly be implemented. Such infections root deply into the operating system, modify registry entries, and corrupt the information stored on the core system's drive. Therefore, you should employ a powerful (and updated!) anti-malware tool to remove LockMe virus completely. Our recommendation would be FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
Was this guide helpful?
Be the first to comment