L0cked ransomware (Virus Removal Instructions) - Decryption Steps Included

L0cked virus Removal Guide

What is L0cked ransomware?

L0cked – ransomware know as .lckd file extension virus

L0cked ransomware appends .lckd file extension to personal files

L0cked is crypto-malware[1] that has been spotted at the end of March 2018. It's based on the open-source HiddenTear ransomware, which is carried on the Internet as a winlogon.exe Trojan horse dispersed in malicious spam attachments. Once the payload is being executed, the virus locks personal files, appends a .lckd file extension, changes the desktop wallpaper to C:\Windows\Back.jpg, and asks the victim to pay $150 ransom in Bitcoins.

Virus name L0cked
Type Ransomware
Distribution Malspam, fake software updates, exploit kits, drive-by-download, etc.
Related files winlogon.exe, decryptor.exe.bin.exe.bin
File extension .lckd
Contact info decryptorsoon301@aol.com
Decryptable No
Removable Yes. Automatic removal possible. Download FortectIntego and run a full system scan

The L0cked ransomware developers exploit multiple social engineering strategies to attack English-speaking computer users, but malspam campaigns are the most successful distribution strategy applied. If the potential victim opens a winlogon.exe file, the ransomware payload is being executed, and the virus enrolls a combination of AES-256 and RSA-2048 ciphers[2] to lock targeted file types.

L0cked virus targets the most popular file types, including but not limited to .mp3, .png, .jpg, .pdf, .xlr, .apk, .exe, .rom, .aspx, .php, .doc, .docx, .log, .txt, .key, .pptx, .rar, .zip, .tax2015, .mpa, .wav, .gif, .jpg, etc. Upon successful encryption, the virus changes desktop background to C:\Windows\Back.jpg and creates a ransom note, which instructs the victim to pay $150 ransom in Bitcoins. The ransom note says:

Warning: Your important files are encrypted….. If you save your files, Run and follow the instructions!
Enter Correct Key to decrypt your files

Bitcoin Value: 150 $

What Happened to My Computer?

Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your data but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?

Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.You can decrypt some of your files for free. Try now by clicking .But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment.After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?

Payment is accepted in Bitcoin only. For more information, click *About bitcoin*. Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window. After your payment, click . Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.


If you need our assistance, send a message by clicking .
We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!ýýýý

Bitcoin Address 1LXhpinYWzF73hUyDvxApkChq2QfZhm6GA

The desktop background, a black background with red text, inform the victim that the system was hacked and asks to email decryptorsoon301@aol.com and then transfer the ransom to 1LXhpinYWzF73hUyDvxApkChq2QfZhm6GA wallet address. While its customary redeem is $150, the redeem raises within 72 hours and may exceed $2000.

L0cked is a crypto-ransomware that demands to pay a ransom for a decryptorL0cked is a malicioyus cyber infection that features a high danger level due to a risk of permanenet data loss

Although the virus intimidates people that they are going to lose personal files if they attempt to use third-party data recovery tools, Udenvirus..dk[3] experts point out to the fact that it will not be capable of doing that if it's no longer active. In other words, you should remove L0cked ransomware and then try to recover encrypted data. You can find a thorough guide on how to do that down below.

According to ransomware researchers, the L0cked virus deletes Shadow Volume Copies. Besides, it creates a decryptor.exe.bin.exe.bin, which blocks victim's attempts to run third-party data recovery tools.

Before any attempts to recover locked files, you have to initiate L0cked removal. For this purpose, you have to run a deep system scan with FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes and delete all the entries that it detects. Powerful AV engines should detect a multitude of malicious files, including Mal/Behav-116, TR/Crypt.Xpack.ldzmd or Trojan.Agent (A).

Ransomware infects PCs via malicious spam email attachments

To protect your PC and files stored on it from being attacked by ransomware, it's a must to double-check email messages before opening their attachments. Although you may receive a warning and reports from well-known companies like Amazon or IRS, they might be fake.

Crooks trick people into installing malware using social engineering strategies. People might be intimidated by false claims about supposed state debts, bank reports, dispatched parcel, and similar.

While some emails might contain links that redirect to phishing sites immediately, the bulk of spam includes .doc or .docx file attachments that carry ransomware payload. If you are asked to enable Macros to open the file attached to an email, close the email and report it as spam immediately. By allowing macros, the potential victim becomes a real victim with a ransomware payload being executed.

Apart from malspam, viruses can spread via exploit kits, fake software updates, drive-by-download, and similar techniques.

Get rid of L0cked virus securely

Regular PC users should not attempt to initiate manual L0cked removal as the virus is rooted deeply in the operating system. Locked files are only a consequence of multiple system's changes, such as Registry corruption and modification of core system's files. The only safe way to remove L0cked virus is to install FortectIntego or another reliable AV engine and run a scan with it.

The bad news is that the virus removal does not recover the files. Although a free L0cked decryptor hasn't yet been developed, you should try to retrieve at least the most essential files from backups or employ third-party tools.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of L0cked virus. Follow these steps

Manual removal using Safe Mode

Don't fall for panic if the ransomware blocks your anti-virus. That's a common practice. In this case, you should boot your PC into Safe Mode with Networking by following these steps:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove L0cked using System Restore

If the previous method did not help to get rid of L0cked virus, please follow this guide:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of L0cked. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that L0cked removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove L0cked from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

This ransomware virus is known for executing multiple scrips via Command Prompt, one of this is responsible for the removal of Shadow Volume Copies. Thus, this data recovery option falls out, but you can still try to launch a couple of third-party data recovery programs or retrieve files from previous Windows versions.

If your files are encrypted by L0cked, you can use several methods to restore them:

Data Recovery Pro

This piece of software can recover most of the encrypted files. To unlock the data, download the app and run a full system scan with it. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by L0cked ransomware;
  • Restore them.

Previous Windows versions might help

If your system contains a System Restore Point created before the virus attack, follow this guide to unlock separate files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

No L0cked decryptor available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from L0cked and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions