Severity scale:  

Remove .Locked virus (Virus Removal Instructions) - Oct 2018 update

removal by Julie Splinters - - | Type: Ransomware

.Locked files virus – malware that is used by many cybercriminals for money extortion

.Locked virus

Questions about .Locked virus

.Locked virus is ransomware[1] infection that enters users' computers using deceptive methods and encrypts all personal data, skipping system and few another type of files. The threat might be critical and result in a complete loss of files, or even money. Malware is a project of HiddenTear and EDA2 and is used as a Ransomware-as-a-service. For that reason, there are multiple variants of the virus, as many different affiliates employ the code, for example, Luxnut and Unlock92 ransomware. A strong encryption algorithm is used to encode data, and a .locked file extension is appended to each of them. Unfortunately, the decipher key[2] is stored on a remote server only accessible by malware authors, and users have to pay a ransom in Bitcoin to retrieve it.

Name .Locked
Type Ransomware
Used by HiddenTear, EDA2
Ransom size Varies, depending on the version. Asked in Bitcoin
Infiltration Spam emails, poorly protected RDP, file-sharing and P2P sites, exploits, etc.
Elimination Use Reimage Reimage Cleaner Intego to get rid of malware

Ransomware like .Locked file virus are usually spread with the help of malicious payloads that are carried in spam email attachments or software cracks, fake updates, and similar. Additionally, cybercrooks can also use system vulnerabilities and drive-by download to inject a .locked virus into targeted machines.

Locked files virus then modifies certain Windows settings to acquire persistence and the boots every time the PC is started. Personal files are changed, and .locked extension is added, for example, picture.jpg is turned into picture.jpg.locked. Databases, text image files, pictures, videos – all become useless unless the key is obtained.

The very first variant of .Locked ransomware demanded $500 in BTC, threatening to increase the price to $1000 if the payment is not transferred within the given time frame. Victims know this from an altered desktop wallpaper, as well as a text file inserted into every folder.

The latest variant, found by independent researchers, appends [random]@LOCKED file extension and is a part of Unlock92 ransomware family. Crooks provide an email address ( to contact them in a ransom note which is named using random characters. It states:

Your files have been encrypted.
If you want to restore files, send one ,ore file us to e-mail:  
Only in case you do not receive a response from the first email address withit 24 hours, please use TOP browser from and see current e-mail in http://n3r2kuzhw2hx6j5.onion ( – from any other browser using a TOR)
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.

No matter how many versions of Locked ransomware crooks will come up with, experts do not recommend to pay the ransom. It has been found that some of the decryption keys provided by hackers are buggy and might completely destroy files once used. Thus, users should not keep the threat on their machines and remove .Locked virus as soon as possible.

.Locked ransomware.Locked is ransomware-type virus that uses complicated encryption algorithm to encode data

For that, we suggest you use professional security software like Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner. Manual .locked file virus removal is not possible for regular users, as it requires a deep understanding of computing technology. 

Only after a .locked virus is eliminated, you can attempt file recovery from a backup or use third-party software. Beware that, if you don't get rid of .Locked virus and connect your backup device, all the data located there will be corrupted as well. 

Ransomware infection triggers

Like similar malware, the virus is encountered via infected spam attachment. A victim receives a false invoice or traffic alert which includes a ZIP or a Word file with the embedded macro code. If the victim downloads the file to the operating system, the ransomware sets out to encrypt the important documents, certificates, work accounts, reports, and family-related information. 

Furthermore, the malware can spread via a trojan. This threat provides a necessary disguise for the ransomware. Usually, a trojan is unspotted by anti-virus programs, because the file is compressed. If the user runs the file, the encryption process starts, and the machine gets infected. Nevertheless, those who have updated security software have a much higher chance of the virus being blocked by it. Beware that the sample of malware needs to be added to the anti-virus' database to be detected so that some cyber threats might be not detectable. Thus, software updates is a mandatory procedure to prevent ransomware attacks.

Also, some ransomware is observed to disperse via cracked games. So if you are a passionate gamer, be aware that despite minor PUPs attacking your computer after every game hacking, dangerous viruses might pose you a challenge as well.[3]

Remove .Locked virus with the help of our instructions

If you are infected with .Locked ransomware, you should come to terms with the fact that the encrypted data might be lost. You can restore them from backup, but if you can't find extra copies of your important data, it may be that you won't get it back.

Secondly, manual .locked file virus removal option might not work out considering the complex structure of the ransomware and its encryption algorithm. Therefore, you are left with only one solution – remove .Locked with the assistance of a powerful anti-malware application, such as Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner.

Lastly, it is essential to keep it updated and run regular scans in order to ensure its full protection and enjoy safe browsing again. If you can't launch any of the previously mentioned programs, follow a guide below:

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove .Locked virus, follow these steps:

Remove .Locked using Safe Mode with Networking

If Locked virus or any of its versions are blocking your antivirus, please follow the instructions our experts have provided below the article.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove .Locked

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete .Locked removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove .Locked using System Restore

You antivirus may be blocked by the malicious .Locked virus features which might not allow to remove the virus from your computer properly. In such a case, please follow virus decontamination steps below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of .Locked. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that .Locked removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove .Locked from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by .Locked, you can use several methods to restore them:

Apply Data Recovery Pro for the recovery of your files:

If you want to use a tool that will recover encrypted system files automatically, you should give Data Recovery Pro a try. you may find brief recommendations on how to use this tool here:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by .Locked ransomware;
  • Restore them.

Learn about the Windows Previous Versions feature and its benefits of data recovery:

Windows Previous Versions feature is a useful technique that you may use to recover some of your files, but not the entire system. Of course, none of the alternative data recovery techniques can promise that. But if you are in desperate need of that special archive or document — do not hesitate to try out Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Find out how to use ShadowExplorer for data recovery

ShadowExplorer can be used for data recovery in case the virus in question does not delete Volume Shadow Copies of the encrypted files. If it did destroy these files, we recommend you check out the previously mentioned data recovery techniques.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from .Locked and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

Removal guides in other languages

  1. Honday says:
    April 4th, 2016 at 10:22 am

    criminals asking for 500-1000 dollars? thats insane…

  2. Precious says:
    April 4th, 2016 at 10:23 am

    yup, thats a big price. However, even if the price was 100 dollars, I wouldnt pay it. Screw the cyber criminals.

  3. Veronica19 says:
    April 4th, 2016 at 10:24 am

    this virus destroyed all my computer!!!! cannot open even a single file now!!!! this is exasperating!!

Your opinion regarding .Locked virus