.Locked virus (Virus Removal Instructions) - Oct 2018 update

.Locked virus Removal Guide

What is .Locked virus?

.Locked files virus – malware that is used by many cybercriminals for money extortion

.Locked virus.Locked virus is a dangerous infection that could lead to loss of all personal files

.Locked virus is ransomware[1] infection that enters users' computers using deceptive methods and encrypts all personal data, skipping system and few another type of files. The threat might be critical and result in a complete loss of files, or even money. Malware is a project of HiddenTear and EDA2 and is used as a Ransomware-as-a-service. For that reason, there are multiple variants of the virus, as many different affiliates employ the code, for example, Luxnut and Unlock92 ransomware. A strong encryption algorithm is used to encode data, and a .locked file extension is appended to each of them. Unfortunately, the decipher key[2] is stored on a remote server only accessible by malware authors, and users have to pay a ransom in Bitcoin to retrieve it.

Name .Locked
Type Ransomware
Used by HiddenTear, EDA2
Ransom size Varies, depending on the version. Asked in Bitcoin
Infiltration Spam emails, poorly protected RDP, file-sharing and P2P sites, exploits, etc.
Elimination Use FortectIntego to get rid of malware

Ransomware like .Locked file virus are usually spread with the help of malicious payloads that are carried in spam email attachments or software cracks, fake updates, and similar. Additionally, cybercrooks can also use system vulnerabilities and drive-by download to inject a .locked virus into targeted machines.

Locked files virus then modifies certain Windows settings to acquire persistence and the boots every time the PC is started. Personal files are changed, and .locked extension is added, for example, picture.jpg is turned into picture.jpg.locked. Databases, text image files, pictures, videos – all become useless unless the key is obtained.

The very first variant of .Locked ransomware demanded $500 in BTC, threatening to increase the price to $1000 if the payment is not transferred within the given time frame. Victims know this from an altered desktop wallpaper, as well as a text file inserted into every folder.

The latest variant, found by independent researchers, appends [random]@LOCKED file extension and is a part of Unlock92 ransomware family. Crooks provide an email address (unk921@protonmail.com) to contact them in a ransom note which is named using random characters. It states:

Your files have been encrypted.
If you want to restore files, send one ,ore file us to e-mail: unk921@protonmail.com
Only in case you do not receive a response from the first email address withit 24 hours, please use TOP browser from www.torproject.com and see current e-mail in http://n3r2kuzhw2hx6j5.onion (https://n3r2kuzhw2h7x6j5.tor2web.io/ – from any other browser using a TOR)
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.

No matter how many versions of Locked ransomware crooks will come up with, experts do not recommend to pay the ransom. It has been found that some of the decryption keys provided by hackers are buggy and might completely destroy files once used. Thus, users should not keep the threat on their machines and remove .Locked virus as soon as possible.

.Locked ransomware.Locked is ransomware-type virus that uses complicated encryption algorithm to encode data

For that, we suggest you use professional security software like FortectIntego or SpyHunter 5Combo Cleaner. Manual .locked file virus removal is not possible for regular users, as it requires a deep understanding of computing technology.

Only after a .locked virus is eliminated, you can attempt file recovery from a backup or use third-party software. Beware that, if you don't get rid of .Locked virus and connect your backup device, all the data located there will be corrupted as well.

Ransomware infection triggers

Like similar malware, the virus is encountered via infected spam attachment. A victim receives a false invoice or traffic alert which includes a ZIP or a Word file with the embedded macro code. If the victim downloads the file to the operating system, the ransomware sets out to encrypt the important documents, certificates, work accounts, reports, and family-related information.

Furthermore, the malware can spread via a trojan. This threat provides a necessary disguise for the ransomware. Usually, a trojan is unspotted by anti-virus programs, because the file is compressed. If the user runs the file, the encryption process starts, and the machine gets infected. Nevertheless, those who have updated security software have a much higher chance of the virus being blocked by it. Beware that the sample of malware needs to be added to the anti-virus' database to be detected so that some cyber threats might be not detectable. Thus, software updates is a mandatory procedure to prevent ransomware attacks.

Also, some ransomware is observed to disperse via cracked games. So if you are a passionate gamer, be aware that despite minor PUPs attacking your computer after every game hacking, dangerous viruses might pose you a challenge as well.[3]

Remove .Locked virus with the help of our instructions

If you are infected with .Locked ransomware, you should come to terms with the fact that the encrypted data might be lost. You can restore them from backup, but if you can't find extra copies of your important data, it may be that you won't get it back.

Secondly, manual .locked file virus removal option might not work out considering the complex structure of the ransomware and its encryption algorithm. Therefore, you are left with only one solution – remove .Locked with the assistance of a powerful anti-malware application, such as FortectIntego or SpyHunter 5Combo Cleaner.

Lastly, it is essential to keep it updated and run regular scans in order to ensure its full protection and enjoy safe browsing again. If you can't launch any of the previously mentioned programs, follow a guide below:

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of .Locked virus. Follow these steps

Manual removal using Safe Mode

If Locked virus or any of its versions are blocking your antivirus, please follow the instructions our experts have provided below the article.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove .Locked using System Restore

You antivirus may be blocked by the malicious .Locked virus features which might not allow to remove the virus from your computer properly. In such a case, please follow virus decontamination steps below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of .Locked. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that .Locked removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove .Locked from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by .Locked, you can use several methods to restore them:

Apply Data Recovery Pro for the recovery of your files:

If you want to use a tool that will recover encrypted system files automatically, you should give Data Recovery Pro a try. you may find brief recommendations on how to use this tool here:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by .Locked ransomware;
  • Restore them.

Learn about the Windows Previous Versions feature and its benefits of data recovery:

Windows Previous Versions feature is a useful technique that you may use to recover some of your files, but not the entire system. Of course, none of the alternative data recovery techniques can promise that. But if you are in desperate need of that special archive or document — do not hesitate to try out Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Find out how to use ShadowExplorer for data recovery

ShadowExplorer can be used for data recovery in case the virus in question does not delete Volume Shadow Copies of the encrypted files. If it did destroy these files, we recommend you check out the previously mentioned data recovery techniques.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from .Locked and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals. 

No backups? No problem. Use a data recovery tool

If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.

If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

Removal guides in other languages