Severity scale:  
  (99/100)

.Locked virus. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

.Locked files virus – malware that is used by many cybercriminals for money extortion

.Locked virus
.Locked virus is a dangerous infection that could lead to loss of all personal files

Questions about .Locked virus

.Locked virus is ransomware[1] infection that enters users' computers using deceptive methods and encrypts all personal data, skipping system and few another type of files. The threat might be critical and result in a complete loss of files, or even money. Malware is a project of HiddenTear and EDA2 and is used as a Ransomware-as-a-service. For that reason, there are multiple variants of the virus, as many different affiliates employ the code, for example, Luxnut and Unlock92 ransomware. A strong encryption algorithm is used to encode data, and a .locked file extension is appended to each of them. Unfortunately, the decipher key[2] is stored on a remote server only accessible by malware authors, and users have to pay a ransom in Bitcoin to retrieve it.

Summary
Name .Locked
Type Ransomware
Used by HiddenTear, EDA2
Ransom size Varies, depending on the version. Asked in Bitcoin
Infiltration Spam emails, poorly protected RDP, file-sharing and P2P sites, exploits, etc.
Elimination Use Reimage to get rid of malware

Ransomware like .Locked file virus are usually spread with the help of malicious payloads that are carried in spam email attachments or software cracks, fake updates, and similar. Additionally, cybercrooks can also use system vulnerabilities and drive-by download to inject a .locked virus into targeted machines.

Locked files virus then modifies certain Windows settings to acquire persistence and the boots every time the PC is started. Personal files are changed, and .locked extension is added, for example, picture.jpg is turned into picture.jpg.locked. Databases, text image files, pictures, videos – all become useless unless the key is obtained.

The very first variant of .Locked ransomware demanded $500 in BTC, threatening to increase the price to $1000 if the payment is not transferred within the given time frame. Victims know this from an altered desktop wallpaper, as well as a text file inserted into every folder.

The latest variant, found by independent researchers, appends [random]@LOCKED file extension and is a part of Unlock92 ransomware family. Crooks provide an email address (unk921@protonmail.com) to contact them in a ransom note which is named using random characters. It states:

Your files have been encrypted.
If you want to restore files, send one ,ore file us to e-mail: unk921@protonmail.com  
Only in case you do not receive a response from the first email address withit 24 hours, please use TOP browser from www.torproject.com and see current e-mail in http://n3r2kuzhw2hx6j5.onion (https://n3r2kuzhw2h7x6j5.tor2web.io/ – from any other browser using a TOR)
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.

No matter how many versions of Locked ransomware crooks will come up with, experts do not recommend to pay the ransom. It has been found that some of the decryption keys provided by hackers are buggy and might completely destroy files once used. Thus, users should not keep the threat on their machines and remove .Locked virus as soon as possible.

For that, we suggest you use professional security software like Reimage or Malwarebytes MalwarebytesCombo Cleaner. Manual .locked file virus removal is not possible for regular users, as it requires a deep understanding of computing technology. 

Only after a .locked virus is eliminated, you can attempt file recovery from a backup or use third-party software. Beware that, if you don't get rid of .Locked virus and connect your backup device, all the data located there will be corrupted as well. 

Ransomware infection triggers

Like similar malware, the virus is encountered via infected spam attachment. A victim receives a false invoice or traffic alert which includes a ZIP or a Word file with the embedded macro code. If the victim downloads the file to the operating system, the ransomware sets out to encrypt the important documents, certificates, work accounts, reports, and family-related information. 

Furthermore, the malware can spread via a trojan. This threat provides a necessary disguise for the ransomware. Usually, a trojan is unspotted by anti-virus programs, because the file is compressed. If the user runs the file, the encryption process starts, and the machine gets infected. Nevertheless, those who have updated security software have a much higher chance of the virus being blocked by it. Beware that the sample of malware needs to be added to the anti-virus' database to be detected so that some cyber threats might be not detectable. Thus, software updates is a mandatory procedure to prevent ransomware attacks.

Also, some ransomware is observed to disperse via cracked games. So if you are a passionate gamer, be aware that despite minor PUPs attacking your computer after every game hacking, dangerous viruses might pose you a challenge as well.[3]

Remove .Locked virus with the help of our instructions

If you are infected with .Locked ransomware, you should come to terms with the fact that the encrypted data might be lost. You can restore them from backup, but if you can't find extra copies of your important data, it may be that you won't get it back.

Secondly, manual .locked file virus removal option might not work out considering the complex structure of the ransomware and its encryption algorithm. Therefore, you are left with only one solution – remove .Locked with the assistance of a powerful anti-malware application, such as Reimage or Malwarebytes MalwarebytesCombo Cleaner.

Lastly, it is essential to keep it updated and run regular scans in order to ensure its full protection and enjoy safe browsing again. If you can't launch any of the previously mentioned programs, follow a guide below:

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove .Locked virus, follow these steps:

Remove .Locked using Safe Mode with Networking

If Locked virus or any of its versions are blocking your antivirus, please follow the instructions our experts have provided below the article.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove .Locked

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete .Locked removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove .Locked using System Restore

You antivirus may be blocked by the malicious .Locked virus features which might not allow to remove the virus from your computer properly. In such a case, please follow virus decontamination steps below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of .Locked. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that .Locked removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove .Locked from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by .Locked, you can use several methods to restore them:

Apply Data Recovery Pro for the recovery of your files:

If you want to use a tool that will recover encrypted system files automatically, you should give Data Recovery Pro a try. you may find brief recommendations on how to use this tool here:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by .Locked ransomware;
  • Restore them.

Learn about the Windows Previous Versions feature and its benefits of data recovery:

Windows Previous Versions feature is a useful technique that you may use to recover some of your files, but not the entire system. Of course, none of the alternative data recovery techniques can promise that. But if you are in desperate need of that special archive or document — do not hesitate to try out Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Find out how to use ShadowExplorer for data recovery

ShadowExplorer can be used for data recovery in case the virus in question does not delete Volume Shadow Copies of the encrypted files. If it did destroy these files, we recommend you check out the previously mentioned data recovery techniques.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from .Locked and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References

Removal guides in other languages