Severity scale:  
  (99/100)

LockMe ransomware. How to remove? (Uninstall guide)

by Julie Splinters | Type: Ransomware

LockMe ransomware is a virus that targets users of 54 countries

LockMe ransomware is a dangerous threat that uses the AES encryption algorithm to lock up files

LockMe ransomware is a file-locking virus[1] that started infecting computers in February 2018. This high-prevalence malware uses the military-grade AES encryption algorithm to lock files and appends the .lockme extension to them. The process makes personal data such as databases, documents, pictures and similar files inaccessible. The Command & Control server receives the ID and personal key, and then sends the ransom note README_FOR_DECRYPT_YOUR_FILES.txt, which explains that users have to pay 0.03 BTC[2] in order to retrieve the key. The message can be presented in 54 languages, meaning that hackers are targeting people all over the world. By mid-July 2018, LockMe ransomware came back, but security researchers noticed no differences from the original version, apart from the ransom note, which looks visually different.

SUMMARY
Name: LockMe
Type: Ransomware
Cipher used: AES
File extension: .lockme
Ransom note: README_FOR_DECRYPT_YOUR_FILES.txt (comes in 54 languages)
Ransom size: 0.03 BTC
First spotted: February 2018
Means of transmission: Spam emails, malicious websites, exploits, drive-by downloads, etc.
Detection and elimination: Use Reimage, Malwarebytes or Combo Cleaner

Both variants of LockMe virus require users to pay the ransom and then email the hackers using the awkward LockMecQqL3Ruyi7V0RfZ@tutamail.com email address. The ransom note states the following:

All of your files have been Encrypted with military grade system and impossible to brute force, cracking, or reverse engineering it !
If you want all of your files back send me 0.03 BTC .
[+] Your Unique ID : [***]
[+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com
*) Don't try change the '.lockme' extensions , if you change it , your all files can be broken and can't be restored forever .
*) If you've made a payment contact LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com .
*) If you not made a payment all of your private files will be leaked on internet (private photos, documents, videos, and more) .
Question : How to buy Bitcoin ?
Answer : You can buy Bitcoin at this Website : bitcoin.com , coinbase.com , cex.io , paxful.com , coinmama.com , etc .
[+] Your IP : [***] | Your ID : [***] [+]
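
The fixed note file name, the .lockme extension and the labelled fields in the note above are enough to scope an infection and collect indicators for an incident report. The following Python sketch is an added example, not part of the original article; the function names and the sample ID and IP are assumptions made for illustration.

```python
import re
from pathlib import Path

NOTE_NAME = "README_FOR_DECRYPT_YOUR_FILES.txt"  # note file name given on this page
LOCKED_EXT = ".lockme"                           # appended extension given on this page

# Constructed sample in the layout of the English note quoted above;
# the ID and IP are placeholders.
SAMPLE_NOTE = """\
[+] Your Unique ID : EXAMPLE-ID-0001
[+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com
[+] Your IP : 192.0.2.10 | Your ID : EXAMPLE-ID-0001 [+]
"""

ID_RE = re.compile(r"^\[\+\][ \t]*Your Unique ID[ \t]*:[ \t]*(\S+)", re.M)
# Pattern-based, so these still match when the labels are in another language.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_note(text):
    """Pull the indicators an incident report needs out of one ransom note."""
    m = ID_RE.search(text)
    return {
        "victim_id": m.group(1) if m else None,  # None if the label is translated
        "btc_addresses": sorted(set(BTC_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
    }

def triage(root):
    """Count .lockme files per directory under root and parse every note found."""
    locked, notes = {}, []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.suffix.lower() == LOCKED_EXT:
            locked[str(p.parent)] = locked.get(str(p.parent), 0) + 1
        elif p.name == NOTE_NAME:
            notes.append(parse_note(p.read_text(encoding="utf-8", errors="replace")))
    return locked, notes

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Run `triage()` read-only against a mounted copy or backup of the affected disk; the per-directory counts show which locations need restoring.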

LockMe ransomware authors intimidate people by saying that they are going to publish personal files, including sensitive photos or important documents, on the Internet. Such claims are likely to increase the number of victims paying the ransom, even though security experts do not recommend that. Instead, people should install Reimage or another powerful anti-malware tool and remove LockMe virus immediately.

Although LockMe removal may result in complete file loss, people should not take the risk of identity theft by revealing credit card details, full name, and other personal information. On top of that, paying the ransom does not guarantee that criminals will unlock the data on your PC or won't publish it on the Internet.

LockMe ransomware prevalence increased – more infections spotted

Initially, the number of infected users was not high. However, the latest infections in August were spotted in Russia, Spain and France. As we already mentioned, the new variant of LockMe ransomware does not differ much from its predecessor, as the same Bitcoin address, file extension, encryption algorithm and email are used.

The LockMe virus can still distribute the ransom note in 54 languages, for example:

  • Russian,
  • English,
  • German,
  • Turkish,
  • Polish,
  • Italian,
  • Romanian,
  • Icelandic,
  • Irish,
  • Norwegian, etc.

No one can dispute that it's oriented towards multilingual users, and security researchers predict that more infections are around the corner.

It seems that the origin of the LockMe virus is Russia, since the original ransom note is written in the Russian language and contains the fewest mistakes. All other ransom notes are prepared using Google Translate, so, for example, the English version, as you can see above, is a word-for-word translation. Besides, the email address in the Russian version (LockMecQqL3Ruy7V0RfZ@protonmail.com) and those in all the rest (LockMecQqL3Ruyi7V0RfZ@tutamail.com and LockMe9hG1F7pbWqThUt9P8@mailfence.com) do not coincide.

If LockMe ransomware has infected your PC, you shouldn't worry if you back up your files regularly. Personal files stored in the cloud or on USB, CD or other external drives should not be affected unless the external drive was plugged into the PC during the attack. Unfortunately, we have bad news for those who don't have backups.[3]

At the time of writing, no LockMe decryptor has been created yet, although security researchers are currently working on it. The problem is that ransomware developers don't give much time to transfer the ransom. Usually, it has to be paid within 48 or 72 hours after the encryption.

LockMe virus - the latest version
LockMe came back in August 2018. It seems that the hackers did not change anything when it comes to the encryption procedure or contact info. However, experts discovered a different-looking ransom note, which came from a Russian user.

Even if you lost many important documents or photos, paying the ransom can cause more problems, such as identity theft and, definitely, money loss. We would therefore recommend that you remove LockMe virus with professional anti-malware software, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware, and then try to unlock files using Windows Shadow Volume copies or professional recovery tools.

Ransomware executable is sent to people's inbox

Ransomware infections are disseminated using various illegal methods. For many years, the most widely used distribution technique for malicious viruses has been spam email. Hackers can purchase people's email addresses on the black market (often sold by adware and browser hijacker developers) and then regularly send them emails with malicious attachments. Usually, such email messages report important events, ask recipients to claim prizes or pretend to be generated by authorities. If the PC's owner opens the attachment of such an email, the virus is immediately executed and encodes the files in no time.

In addition, people may get infected via unprotected RDP configuration, fraudulent downloads, exploit kits,[4] fake software update prompts and similar techniques.

Eliminate LockMe ransomware

LockMe virus is a dangerous infection, which may result in both data and money loss. In addition, it can damage the system, weaken its security, and open a backdoor to other cyber infections. Therefore, you should not delay LockMe removal.

Manual ransomware removal can hardly be implemented. Such infections root deeply into the operating system, modify registry entries, and corrupt the information stored on the core system's drive. Therefore, you should employ a powerful (and updated!) anti-malware tool to remove LockMe virus completely. Our recommendation would be Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.


To remove LockMe virus, follow these steps:

Remove LockMe using Safe Mode with Networking

If you cannot launch your antivirus because it's being blocked by .lockme virus, you should boot your PC into Safe Mode with Networking. The following steps will explain how to do that:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove LockMe

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete LockMe removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove LockMe using System Restore

System Restore may be of use in case the Safe Mode with Networking method doesn't work. Using this method, you will eliminate the ransomware and can then try to recover encrypted data.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of LockMe. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that LockMe removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockMe from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

To unlock files encrypted by LockMe virus, try using the following guide:

If your files are encrypted by LockMe, you can use several methods to restore them:

Use Data Recovery Pro to decrypt locked files

Data Recovery Pro is a professional tool capable of both restoring and decoding personal files. Therefore, give it a try:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LockMe ransomware;
  • Restore them.

Recover files locked by LockMe virus using Windows Previous Version feature

The Windows Previous Versions feature is one of the data recovery options applicable to those seeking to get individual files back. It is available on systems on which the System Restore function was enabled before the LockMe attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Run ShadowExplorer to crack the code

It's not clear whether LockMe virus eliminates Volume Shadow Copies, although the most severe cyber infections remove them. Therefore, if other decryption methods did not help, try to extract the copies by following these steps:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from LockMe and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Julie Splinters - Malware removal specialist


References