
LockCrypt ransomware virus. How to remove? (Uninstall guide)

by Olivia Morelli | Type: Ransomware

LockCrypt launches RDP brute-force attacks to assault enterprise networks


LockCrypt is a ransomware-type cyber threat that is designed to encrypt files[1] and append the .lock file extension to them. In June 2017, this virus was using RDP brute-force attacks to infiltrate enterprise servers. However, in November, researchers found a connection between the ransomware and the Satan RaaS portal.

Following data encryption, LockCrypt ransomware drops a ReadMe.txt file on the desktop that explains what has happened. The ransomware informs the victim that all data has been encrypted and that, in order to reverse the encryption, the victim has to pay for decryption. The ransom note doesn’t reveal the exact price that the victim has to pay; it only commands the victim to write to:


The full text of the ransom note:

All your files have been encrypted due to the security problem with your PC. If you want to restore them, write us to the e-mail support: or
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails support: or
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

According to the criminals, the price of the ransom depends on how fast the victim manages to reach out to them. The attackers offer to decrypt three small files for free to prove that they have the decryption tool and that the files are not permanently corrupted. The total size of the test files should be no larger than 10Mb (non-archived) and, according to the fraudsters, they “should not contain valuable information.”

If you were infected with this ransomware variant, we suggest you remove LockCrypt using anti-malware software such as Reimage and try to recover your files using alternative methods. However, the chances of restoring data using third-party software are not high because the ransomware is designed to delete Shadow Volume Copies.

The LockCrypt ransomware might be related to Satan RaaS

The Satan RaaS (Ransomware-as-a-Service)[2] portal[3] was launched in January 2017 and lets beginners create their own customized version of the Satan ransomware. However, recent analysis has shown that LockCrypt ransomware might have been created using this source code.

In November, researchers also reported that an IP address that might be used in the attacks is associated with the Ministry of Education and Science of Ukraine. However, it is no secret that criminals might manipulate their IP address in order to evade legal punishment. Other research claims that LockCrypt sends information about the affected device to a remote server in Iran.

Despite the fact that the cyber criminals started their illegal project by using Satan’s source code, they managed to develop a strong file-encrypting virus. It has already affected businesses in the US, UK[4], South Africa, India, and the Philippines.[5]

According to the latest data, LockCrypt uses strong and unbreakable encryption to corrupt files on the affected device. Currently, there’s no way to restore encrypted files due to the ransomware’s ability to delete Shadow Volume Copies.

The crypto-virus also modifies the system so that it launches at system startup, and it runs a batch file that kills non-core processes related to the computer’s security and data recovery options. Therefore, it’s undoubtedly strong file-encrypting malware.

However, victims of the ransomware are advised not to contact the criminals or pay the ransom. They might blackmail you into paying more money and never provide the decryption key. Thus, you should take care of LockCrypt removal rather than buying Bitcoins and transferring them to the fraudsters.

Developers of the ransomware rely on RDP brute-force attacks.

Unlike the majority of file-encrypting viruses, LockCrypt’s distribution does not rely on malicious spam emails. The authors of the ransomware use Remote Desktop Protocol (RDP) brute-force attacks that allow them to infect unsecured enterprise servers. To avoid these attacks, you should follow these tips:

  • set hard-to-guess passwords;
  • control the number of administrator accounts;
  • use a different account name for the Administrator account;
  • enable two-factor authentication;
  • set a limit on failed login attempts so that the account is locked if the user enters wrong credentials.
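
The lockout tip above limits guessing against a single account; the same brute-force pattern is also visible in the Windows Security log. As an added example (not part of the original guide), the Python sketch below flags source addresses that produce bursts of failed RDP logons (event 4625) and any later successful logon (event 4624) from the same address. The comma-separated export format, the sample events and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event_id,logon_type,account,source_ip
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP), 3 = network (RDP with NLA).
SAMPLE_EVENTS = """\
2017-11-02T03:10:01,4625,10,Administrator,203.0.113.7
2017-11-02T03:10:09,4625,10,Administrator,203.0.113.7
2017-11-02T03:10:17,4625,10,admin,203.0.113.7
2017-11-02T03:10:26,4625,10,admin,203.0.113.7
2017-11-02T03:10:34,4625,10,backup,203.0.113.7
2017-11-02T03:10:41,4625,10,backup,203.0.113.7
2017-11-02T03:11:20,4624,10,backup,203.0.113.7
2017-11-02T08:59:40,4625,10,jsmith,198.51.100.20
2017-11-02T09:00:05,4625,10,jsmith,198.51.100.20
2017-11-02T09:00:30,4624,10,jsmith,198.51.100.20
2017-11-02T09:05:00,4625,2,jsmith,-
"""
RDP_LOGON_TYPES = {"3", "10"}

def parse_events(text):
    """Yield (time, event_id, account, source_ip) for remote logon events."""
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        if logon_type in RDP_LOGON_TYPES:
            yield datetime.fromisoformat(ts), event_id, account, ip

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return (kind, source_ip, account, time) alerts in time order."""
    recent = defaultdict(deque)  # source_ip -> times of failures inside the window
    flagged, alerts = set(), []
    for ts, event_id, account, ip in sorted(events):
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if event_id == "4625":
            fails.append(ts)
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, account, ts))
        elif event_id == "4624" and ip in flagged:
            # A logon from an address already flagged for password guessing
            # means an account may be compromised: treat it as an incident.
            alerts.append(("success_after_bruteforce", ip, account, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

The user who mistypes a password twice (198.51.100.20) and the console logon (type 2) raise no alert; only the burst from 203.0.113.7 and its follow-up successful logon do.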

LockCrypt removal guide

You should remove the LockCrypt virus by following the instructions given below and delete the virus while in Safe Mode with Networking. Reboot your PC into this mode and start anti-malware or anti-spyware software to remove the virus for you. We recommend using Reimage or Malwarebytes Anti Malware for this task.

Please do not try to initiate manual LockCrypt removal: ransomware viruses are too sophisticated and dangerous, and inexperienced computer users can easily overlook some of their malicious components. It goes without saying that leaving them on the system poses a threat to the user’s privacy and the computer’s security.


Manual LockCrypt virus Removal Guide:

Remove LockCrypt using Safe Mode with Networking

Delete the LockCrypt virus according to the guidance provided below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove LockCrypt

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete LockCrypt removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove LockCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of LockCrypt. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that LockCrypt removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Restore your files from a backup, or, if you do not own one, try these options.

If your files are encrypted by LockCrypt, you can use several methods to restore them:

Recover files with the help of Data Recovery Pro

Data Recovery Pro proved to be a useful tool for those that are dealing with piles of corrupted files. You might want to test this tool on files locked by the indicated ransomware.

Official decryption tools are not available yet

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from LockCrypt and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Olivia Morelli - Ransomware analyst
