LockCrypt ransomware / virus (Removal Guide) - Jan 2019 update

LockCrypt virus Removal Guide

What is LockCrypt ransomware virus?

LockCrypt is a ransomware virus that was updated in the beginning of 2019

LockCrypt ransom note

LockCrypt is a malicious ransomware virus that originally appended the .lock, .1btc, .mich, .badnews, .LyaS, and .id-[random characters] file extensions to targeted files. It has been updated several times, and the latest update came at the beginning of 2019. The ransomware has been actively distributed via Remote Desktop Services (RDS). The initial version is known for targeting enterprise servers, thus raising the chances of collecting huge ransoms. However, the more recent LockCrypt 2.0 is oriented toward individual PC users. Following the encryption, LockCrypt ransomware drops a ReadMe.txt or How To Restore Files.hta file on the desktop and demands a ransom in Bitcoin. Fortunately, some versions are already decryptable.

Name of the malware: LockCrypt
Classification: Ransomware
Danger level: High
Related files:
  • locker.exe;
  • readme.txt;
  • bfsvcm.exe;
  • W.bat;
  • How To Restore Files.hta
Main dangers: Data and money loss, system crashes, installation of spyware and worms.
Main symptoms: All personal files are locked with the .lock, .1btc, .mich or .LyaS file extension. A ReadMe.txt or How To Restore Files.hta file appears on the desktop.
Distribution methods: RDP brute-force attacks, RaaS
Countries targeted: US, UK, South Africa, India, and the Philippines
Download FortectIntego anti-malware and run a full system scan with it.

In the middle of April 2018, ransomware researchers finally managed to crack the LockCrypt code[1] and developed a free decryptor. Those who have been affected by this ransomware should contact ransomware researcher Michael Gillespie (@demonslay335) to have their files decrypted. But before that, make sure that LockCrypt removal has been completed successfully. Use FortectIntego, SpyHunter 5Combo Cleaner to perform a full system scan.

The LockCrypt ransomware has been cracked after the researcher detected a weakness in the encryption algorithm. According to the latest reports, this piece of malware did not reach mainstream distribution since it narrowed the target to organizations. Crooks found it easy to attack unprotected RDP and initiate brute-force attacks. However, the unprofessional design allowed white hats to find a way to decode it.

Following data encryption,[2] LockCrypt ransomware drops a ReadMe.txt file on the desktop, and this file provides an explanation of what has happened. The ransomware informs the victim that all data has been encrypted and that in order to reverse the encryption the victim has to pay for decryption. The ransom note doesn’t reveal the exact price that the victim has to pay; it only commands the victim to write to:

  • d_dukens@aol.com,
  • d_dukens@bitmessage.ch,
  • enigmax_x@aol.com,
  • enigmax_x@bitmessage.ch,
  • BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage.ch,
  • Terminator_123@protonmail.com

The full text of the ransom note:

All your files have been encrypted due to the security problem with your PC. If you want to restore them, write us to the e-mail support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

According to the criminals, the price of the ransom depends on how fast the victim manages to reach out to them. The attackers offer to decrypt three small files for free to prove that they have the decryption tool, that the files are not permanently corrupted, and that there is no need to consider LockCrypt ransomware removal. The total size of the files used to test the decryption should be no larger than 10Mb (non-archived) and, according to the fraudsters, “should not contain valuable information.”

If you were infected with this ransomware variant, we suggest you remove LockCrypt using anti-malware software such as FortectIntego and try to recover your files using alternative methods. However, the chances of restoring data using third-party software are not high because the ransomware is designed to delete Shadow Volume Copies.

LockCrypt ransomware virus

LockCrypt virus has been appending .1btc file extension since February 2018

At the end of February 2018, cybersecurity experts detected a new version of the infamous LockCrypt ransomware, which is also disseminated via accessible Remote Desktop Services. Although its behavior matches that of its predecessor, the latest version uses a base64 encryption strategy and appends the .1btc file extension to each locked file.

After successful file encryption, the .1btc file extension virus generates a text file named Restore Files.TxT, which contains the victim’s ID and detailed instructions on how to make the payment. The victim is asked to contact the extortionists within 24 hours via email at Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch. According to the extortionists, the price for a decryption key depends on how fast the victim contacts them, though based on the file extension appended, they may demand 1 Bitcoin.[3]

Unfortunately, the .1btc file extension ransomware is not decryptable for free. One of the ways to get your files back is to pay the ransom and hope that the criminals will send you a key. However, the better idea is to remove the .1btc file extension virus with FortectIntego or a similar anti-virus tool and try to decrypt files using alternative methods.

To prevent brute-force attacks via Remote Desktop Services, in which hackers log in to a target computer and execute the ransomware, the service must be locked down properly. A PC running Remote Desktop Services should be placed behind a VPN so that anyone who does not have a VPN account on your network cannot reach it.

The undecryptable version of the ransomware emerged in June 2018

It seems that cyber criminals cannot forgive malware researchers for breaking the ransomware's code. They created a brand new variant of LockCrypt that has improved functionality. The virus uses a combination of AES-256 and RSA-2048 encryption algorithms to lock various files on the affected computer. The AES key is used for encryption and saved to C:\Windows\DECODE.KEY. This DECODE.KEY and a private RSA key are needed for file decryption.

However, the analysis showed that the malware might fail to save DECODE.KEY, and it does not check whether this procedure completed correctly. Therefore, if this file is missing, decryption of the files is impossible. This is clear proof that the hackers have no intention of recovering the files, so you should not take the risk of paying the demanded ransom.

LockCrypt new version

During the encryption procedure, the malware appends a unique file extension id-[ID].BI_D, where the ID stands for a unique identification number that the ransomware assigns to each victim. Therefore, after the cyber attack, a corrupted .png file might look like this: filename.png id-R4ohq2idY4.BI_D.
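The naming schemes above are enough to tell, from a directory listing alone, which LockCrypt build touched a machine and whether the DECODE.KEY file that the June 2018 build depends on is present. The following triage script is an added example, not code from the original guide or from any decryptor; the victim-ID alphabet, the empty-file check and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

LEGACY_EXTS = {".lock", ".mich", ".badnews", ".lyas"}  # earlier builds, per the page
# June 2018 build: "<original name> id-<ID>.BI_D"; the ID alphabet is assumed.
BI_D_RE = re.compile(r"^.+ id-([A-Za-z0-9]+)\.BI_D$")
# Ransom-note names mentioned on the page (compared in lower case).
NOTE_NAMES = {"readme.txt", "restore files.txt",
              "how to restore files.txt", "how to restore files.hta"}


def classify(filename):
    """Return (variant, victim_id); variant is None for an unaffected name."""
    match = BI_D_RE.match(filename)
    if match:
        return "bi_d", match.group(1)
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".1btc":
        return "1btc", None
    return ("legacy", None) if ext in LEGACY_EXTS else (None, None)


def triage(root, decode_key_path=r"C:\Windows\DECODE.KEY"):
    """Walk root and summarise which LockCrypt variants left traces."""
    report = {"counts": {}, "victim_ids": set(), "notes": [],
              "decode_key_present": None}
    for dirpath, _dirs, names in os.walk(root):
        notes_here, hit_here = [], False
        for name in names:
            variant, victim_id = classify(name)
            if variant:
                hit_here = True
                report["counts"][variant] = report["counts"].get(variant, 0) + 1
                if victim_id:
                    report["victim_ids"].add(victim_id)
            elif name.lower() in NOTE_NAMES:
                notes_here.append(os.path.join(dirpath, name))
        if hit_here:  # a lone readme.txt is common; count notes beside hits
            report["notes"].extend(notes_here)
    if report["counts"].get("bi_d"):
        # The page says the key may never be saved; empty-as-missing is assumed.
        report["decode_key_present"] = (os.path.isfile(decode_key_path)
                                        and os.path.getsize(decode_key_path) > 0)
    return report


def build_sample_tree(root):
    """Create a constructed (fake) directory tree to run triage() against."""
    layout = {"Desktop": ["report.docx id-R4ohq2idY4.BI_D",
                          "photo.png id-R4ohq2idY4.BI_D",
                          "How To Restore Files.txt"],
              "Docs": ["budget.xlsx.1btc", "notes.txt"],
              "tools": ["readme.txt", "setup.exe"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as handle:
                handle.write("constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp, os.path.join(tmp, "DECODE.KEY")))
```

A `decode_key_present` value of `False` alongside `bi_d` hits is the case the guide describes as unrecoverable, so preserve a disk image before running any cleanup tool.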

Following the encryption, LockCrypt ransomware downloads a ransom note called How To Restore Files.txt in which victims are asked to contact the criminals via bog_decryptor@aol.com and pay the requested amount of Bitcoin. People who are interested in this offer have to send DECODE.KEY and 2-3 encoded files:

Important !!!
Your personal id – [redacted]
Warning: all your files are infected with an unknown virus.
To decrypt your files, you need to contact at big_decryptor@aol.com
The decoder card is received by bitcoin.
You can buy bitcoins from the following links://blockchain.info/wallet
Do not try to restore files your self, this will kead to the loss of files forever
You can send us 2-3 encoded files.
And attach to the letter a file from the folder c:\windows\DECODE.KEY for testing.

However, security specialists do not recommend following such orders. It is recommended to remove LockCrypt ransomware virus to clean and protect your computer.

The LockCrypt might be created using Satan RaaS code

The Satan RaaS (Ransomware-as-a-Service)[4] portal[5] was launched in January 2017 and lets beginners create their own customized version of the Satan ransomware. However, recent analysis has shown that LockCrypt ransomware might have been created using this source code.

In November, researchers also reported that an IP address that might be used in the attacks is associated with the Ministry of Education and Science of Ukraine. However, it is no secret that criminals might manipulate their IP address in order to avoid punishment. Other research claims that LockCrypt sends information about the affected device to a remote server in Iran.

Despite the fact that the cybercriminals started their illegal project by using Satan’s source code, they managed to develop a strong file-encrypting virus. It has already affected businesses in the US, UK[6], South Africa, India, and the Philippines.[7]

According to the latest data, LockCrypt uses strong and unbreakable encryption to corrupt files on the affected device. Currently, there’s no way to restore encrypted files due to the ransomware’s ability to delete Shadow Volume Copies.

The crypto-virus also modifies the system so that it launches at system startup, and it runs a batch file to kill non-core processes related to the computer’s security and data recovery capabilities. Therefore, it is undoubtedly strong file-encrypting malware.

However, victims of the ransomware are not advised to contact the criminals and pay the ransom. They might blackmail you into paying more money and never provide a decryption key. Thus, you should take care of LockCrypt removal rather than buying Bitcoins and transferring them to fraudsters.

LockCrypt ransomware encrypts files to make them inaccessible and then urges the victim to pay the ransom to restore them.

RDP brute-force attacks are used for getting into computers

Unlike the majority of file-encrypting viruses, LockCrypt’s distribution does not rely on malicious spam emails. The authors of the ransomware use Remote Desktop Protocol (RDP) brute-force attacks that allow them to infect unsecured enterprise servers. To avoid these attacks, you should follow these tips:

  • set hard to guess passwords;
  • control the number of administrator accounts;
  • use a different account name for the Administrator account;
  • enable two-factor authentication;
  • set a limit on failed login attempts so that the user is locked out if she/he enters the wrong credentials.
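To see how the lockout tip relates to what an RDP brute-force attempt looks like in the logs, the following added example (not part of the original guide) counts failed logons per source address in a sliding window and flags a successful logon that follows such a burst. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon types 3 and 10 are real Windows Security log values; the CSV layout, the thresholds and every log line are constructed for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp,event ID,logon type,account,source IP
SAMPLE = """\
2019-01-10T03:12:01,4625,3,Administrator,203.0.113.7
2019-01-10T03:12:03,4625,3,Administrator,203.0.113.7
2019-01-10T03:12:05,4625,3,admin,203.0.113.7
2019-01-10T03:12:08,4625,3,admin,203.0.113.7
2019-01-10T03:12:11,4625,3,backup,203.0.113.7
2019-01-10T03:12:15,4624,10,backup,203.0.113.7
2019-01-10T08:30:00,4625,10,jsmith,198.51.100.20
2019-01-10T08:30:20,4624,10,jsmith,198.51.100.20
2019-01-10T09:00:00,4625,10,jsmith,192.0.2.50
2019-01-10T09:20:00,4625,10,jsmith,192.0.2.50
2019-01-10T09:40:00,4625,10,jsmith,192.0.2.50
2019-01-10T10:00:00,4625,10,jsmith,192.0.2.50
2019-01-10T10:20:00,4625,10,jsmith,192.0.2.50
"""


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, source_ip, account, timestamp) tuples."""
    recent = defaultdict(deque)  # source IP -> times of failures in window
    flagged = set()              # sources that already crossed the threshold
    alerts = []
    rows = sorted(csv.reader(log_text.strip().splitlines()), key=lambda r: r[0])
    for ts, event_id, logon_type, account, src in rows:
        # 10 = RemoteInteractive (RDP); 3 = Network, seen for RDP with NLA.
        if logon_type not in ("3", "10"):
            continue
        when = datetime.fromisoformat(ts)
        failures = recent[src]
        while failures and when - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if event_id == "4625":
            failures.append(when)
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, account, ts))
        elif event_id == "4624" and src in flagged:
            alerts.append(("success_after_bruteforce", src, account, ts))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

In the sample, no single account sees more than two failures, so a per-account lockout threshold of five would not trigger; counting per source address is what exposes the burst, which is why lockout works best combined with the other tips in the list.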

Instructions on how to remove LockCrypt from affected machines

You should remove the LockCrypt virus by following the instructions given below and deleting the virus while in Safe Mode with Networking. Reboot your PC into the above-mentioned mode and start anti-malware or anti-spyware software to remove the virus for you. We recommend using FortectIntego or Malwarebytes for this task.

Please do not try to initiate manual LockCrypt ransomware removal – ransomware viruses are too sophisticated and dangerous, and inexperienced computer users can easily overlook some of their malicious components. It goes without saying that leaving them on the system poses a threat to the user’s privacy and the computer’s security.


Getting rid of LockCrypt virus. Follow these steps

Manual removal using Safe Mode

Delete the LockCrypt virus according to the guidance provided below.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove LockCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of LockCrypt. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that LockCrypt removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Restore your files from a backup, or, if you do not own one, try these options.

If your files are encrypted by LockCrypt, you can use several methods to restore them:

Recover files with the help of Data Recovery Pro

Data Recovery Pro proved to be a useful tool for those that are dealing with piles of corrupted files. You might want to test this tool on files locked by the indicated ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LockCrypt ransomware;
  • Restore them.

Try Windows Previous Versions feature

If System Restore was enabled before the ransomware attack, you can travel back in your computer's time and copy the most important files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

If ransomware failed to delete Shadow Volume Copies, this tool will help you to recover some of the files encrypted by LockCrypt:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from LockCrypt and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

How to prevent getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much data can be accidentally deleted for various reasons, malware is one of the main culprits that can cause the loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless because you cannot access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Olivia Morelli - Ransomware analyst
