Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2021

How to remove LockFile ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

LockFile ransomware locks your files away and demands payment

LockFile ransomware

Ransomware attacks have been on the rise all over the world. The most targeted entities are big companies, as you can get more money from them than private individuals. LockFile is no exception. The new group has been active since June 2021 and has targeted 10 organizations in a month. Victims are in manufacturing, financial, engineering, legal, business, and travel and tourism sectors.

The attackers gain access to victims' networks via vulnerabilities within the Microsoft Exchange Servers.[1] Once cybercriminals breach the network, they move laterally with elevated privileges. A final stage of the attack ends with the deployment of ransomware, which infects each of the Windows PCs within the network.

The files are encrypted using AES-256 and RSA-1024 encryption algorithms. This prevents the user from opening documents, pictures, videos, and other files, making it extremely difficult to recover data when no backups are available.

During the encryption process, the ransomware appends every file with an extension .lockfile. For example, if the file name is picture.jpg, it is renamed to picture.jpg.lockfile. Data encryption is the main indication of the attack, although, within corporate environments, intrusion can often be spotted early. This is also one of the reasons why ransomware is installed during the step of the attack.

Shortly after file encryption is complete, LockFile ransomware sends a ransom note – a .hta file. Its' full name depends on the victim's computer name. This filename contains ransomware name, computer name, and a string of random characters. For example – LOCKFILE-README-COMPUTERNAME-7344587665.hta. The HTA file provides victims with instructions on what attackers want them to do. The note is similar to the one used by the LockBit ransomware group. It also includes a reference to the Conti ransomware.

The attackers state that the only way to retrieve files is to pay them. The ransom amount is not listed; perhaps it is a subject of negotiation. Victims are prompted to contact the attackers via the email address contact@contipauper.com or a link that is only accessible from the Tor browser.[2]

You should never pay the ransom because attackers are not obliged to provide you with a decryption key after payment. You might end up without money and your files. The only thing you can do is try to remove the malware and recover your files and system.

NAME LockFile ransomware
TYPE Ransomware, cryptovirus, data locking malware
ENCRYPTION METHOD AES+RSA
FILE EXTENSION .lockfile
RANSOM NOTE [victim_name]-LOCKFILE-README.hta
FILE RECOVERY Recovering the data is close to impossible if you do not have backups
MALWARE REMOVAL Use professional security software like SpyHunterCombo Cleaner to perform a full scan of your machine
SYSTEM FIX To remediate your operating system and take care of errors, crashes scan it with the FortectIntego maintenance tool.

The full .hta message after encryption from the attackers reads as follows:

LOCK FILE

ALL YOUR IMPORTANT FILES ARE ENCRYPTED!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
Restore you data posible only buying private key from us.
There is only one way to get your files back:

contact us

qTox ID: hxxps://tox.chat/download.html
Email: contact@contipauper.com    

Through a Tor Browser – recommended

Download Tor Browser – hxxps://www.torproject.org/ and install it.
Open link in Tor Browser – hxxp://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion This link only works in Tor Browser!
Follow the instructions on this page

ATTENTION!
Do not try to recover files yourself. this process can damage your data and recovery will become impossible
Do not rename encrypted files.
Do not waste time trying to find the solution on the Internet. The longer you wait, the higher will become the decryption key price
Decryption of your files with the help of third parties may cause increased price (they add their fee to our).
Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
Thanks to the warning wallpaper provided by lockbit, it's easy to use

A never seen before strain of ransomware

LockFile virus seems to be a new threat in the ransomware universe. The investigations indicate that the attackers gain access to networks via Microsoft Exchange Servers and then use the incompletely patched PetitPotam[3] vulnerability to gain access to the domain controller and spread across the network. It is still unknown how attackers gain initial access to the Microsoft Exchange Servers.

Microsoft patched these vulnerabilities in May, but hackers have been able to recreate the exploit, which is now being used to enable the LockFile attacks. The hackers can also infiltrate Exchange servers that were not updated.

LockFile ransomware encrypted files

What to do if you were affected?

The most important thing is – do not try to retrieve files first, as it might result in permanent data loss. The first step has to be the elimination of malware to stop it from encrypting your files again. To remove the LockFile virus, you should use an anti-malware tool to scan your system, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. This security software should find all the malicious files and entries and remove them automatically for you.

Once malware is deleted, you can proceed with the data recovery methods we provide below. If malware is not letting you use antivirus in normal mode, access Safe Mode and perform a full system scan from there:

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.Windows XP/7

Windows 10 / Windows 8

  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.Update & Security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.Recovery
  6. Select Troubleshoot.Choose an option
  7. Go to Advanced options.Advanced options
  8. Select Startup Settings.Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.Press F5 to enable Safe Mode with Networking

Data recovery

Many users do not back up their data properly, which is devastating because they might completely lose access to their files. Paying cybercriminals in cryptocurrencies is very risky as often, even after payment, victims do not receive decryption keys. Paying them money also supports their activities further and leads to more victims.

You can try to get back your data with data recovery software. The recovery of the files is not guaranteed as there are thousands of ransomware strains. We suggest trying regardless of which ransomware attacked your computer. Before you begin, there are a couple of important things to note:

  • Since the encrypted data on your computer might permanently be damaged by security or data recovery software, you should first make backups of it – use a USB flash drive or another storage.
  • Only attempt to recover your files using this method after you perform a scan with anti-malware software.

Install data recovery software

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
  3. Follow on-screen instructions to install the software.Install program
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.Scan
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Fix your operating system

After a malware infection, users might experience performance, stability, and usability issues, to the point where a full Windows reinstall is required. These types of infections can alter the Windows registry database, damage vital bootup and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not going to help you.

This problem requires a different tool – FortectIntego. It can fix damage caused by the infection like Blue Screen errors, freezes, registry errors, damaged DLLs, etc. By using this maintenance tool, you could avoid Windows reinstallation. To begin the process:

  • Download the application by clicking on the link above
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Prevent ransomware attacks in the future

To protect yourself from malware infection, you should always be careful when opening emails from unknown senders. Do not download attached files that you were not expecting especially if it is an MS Office file. The most important part is checking the sender, their email address, searching the text for grammar and spelling mistakes. If the message comes from an unidentifiable sender or includes many mistakes, you should delete it without opening it. Also, scan all received attachments with reliable anti-malware software.

Additionally, ransomware infections can get delivered via peer-to-peer file-sharing networks.[4] That includes “free” or “cracked” software. Also, malware can use the disguise of a fake software update.[5] Get all the upgrades only from official websites, never from a window that popped up or a random website that appeared suddenly.

Below, you will find additional information on how you can back up your files so you would not lose them if this happens again and organizations you can report to about the attacks.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.