LockMe ransomware (Virus Removal Guide) - updated Aug 2018
LockMe virus Removal Guide
What is LockMe ransomware?
LockMe ransomware is a virus targets users of 54 countries
LockMe ransomware is a dangerous threat that uses AES encryption algorithm to lock up files
LockMe ransomware is a file locking virus started infecting computers in February 2018. This high-prevalence malware uses military-grade AES encryption algorithm to lock files and appends .lockme extension. The process makes personal data like databases, documents, picture and similar files inaccessible. The Command & Control server receives the ID and personal key, and then sends ransom note README_FOR_DECRYPT_YOUR_FILES.txt which explains that users have to pay 0.03 BTC in order to retrieve the key. The message can be presented in 54 languages, meaning that hackers are targeting people all over the world. By mid- July 2018, LockMe ransomware came back, but security researchers noticed no differences from the original version, apart from ransom note which looks visually different.
|File extension||.lockme extension|
|Ransom note||README_FOR_DECRYPT_YOUR_FILES.txt (comes in 54 languages)|
|Ransom size||0.03 BTC|
|First spotted||February 2018|
|Means of transmission||Spam emails, malicious websites, exploits, drive-by downloads, etc.|
|Detection and elimination||Use RestoroIntego or SpyHunter 5Combo Cleaner|
Both variants of LockMe virus require users to pay the ransom and then email hackers using the awkward lLockMecQqL3Ruyi7V0RfZ@tutamail.com email address. The ransom note states the following:
All of your files have been Encrypted with military grade system and impossible to brute force, cracking, or reverse engineering it !
If you want all of your files back send me 0.03 BTC .
[+] Your Unique ID : [***]
[+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com
*) Don't try change the '.lockme' extensions , if you change it , your all files can be broken and can't be restored forever .
*) If you've made a payment contact LockMecQqL3Ruyi7V0RfZ@tutamail.com | LockMe9hG1F7pbWqThUt9P8@mailfence.com .
*) If you not made a payment all of your private files will be leaked on internet (private photos, documents, videos, and more) .
Question : How to buy Bitcoin ?
Answer : You can buy Bitcoin at this Website : bitcoin.com , coinbase.com , cex.io , paxful.com , coinmama.com , etc .
[+] Your IP : [***] | Your ID : [***] [+]
LockMe ransomware authors intimidate people by saying that they are going to publish personal files, including sensitive photos or important documents on the Internet. Such claims are likely to increase the number of victims paying the ransom, even if security experts do not recommend that. Instead, people should install RestoroIntego or another powerful anti-malware and remove LockMe virus immediately.
Although LockMe removal may result in complete file loss, people should not take the risk of identity theft by revealing credit card details, full name, and other personal information. On top of that, paying the ransom does not guarantee that criminals will unlock the data on your PC or won't publish it on the Internet. LockMe infiltrates PCs via spam emails, append the .lockme file extension to personal files and demands to pay the ransom to unlock them
LockMe ransomware prevalence increased – more infections spotted
Initially, the number of infected users was not high. However, the latest infections in August were spotted in Russia, Spain and France. As we already mentioned, the new variant of LockMe ransomware does not differ much from its predecessor, as same bitcoin address, file extension, encryption algorithm and email is used.
The LockMe virus can still distribute ransom note in 54 languages, for example:
- Norwegian, etc.
No one can argue that it's oriented towards multilingual users security researchers predict that more infections are around the corner.
It seems that the origin of the LockMe virus is Russia since the original ransom note is written in Russian language and contains the least number of mistakes. All other ransom notes are prepared using Google translator, so, for example, the English version, as you can see above, is a word-to-word translation. Besides, email addresses on the Russian version (LockMecQqL3Ruy7V0RfZ@protonmail.com) and all the rest (LockMecQqL3Ruyi7V0RfZ@tutamail.com and LockMe9hG1F7pbWqThUt9P8@mailfence.com) do not coincide.
LockMe ransomware has infected your PC, you shouldn't worry if you backup your files regularly. Personal files stored both on the cloud, USB, CD or other external drives should not be affected unless the external drive was plugged into the PC during the attack. Unfortunately, we have bad news for those who don't have backups.
At the time of the writing, no LockMe decryptor is created yet, although security researchers are currently working on it. The problem is that ransomware developers don't give much time to transfer the ransom. Usually, it has to be paid within 48 or 72 hours after the decryption.
LockMe came back in August 2018. It seems like hackers did not change anything when it comes to encryption procedure or contact info. However, experts discovered a differently-looking ransom note, which came from a Russian user
Even if you lost many important documents or photos, paying the ransom can cause more problems, such as identity theft and, definitely, money loss, so we would recommend you remove LockMe virus with a professional anti-malware software, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes and then try to unlock files using Windows Shadow Volume copies or professional software recovery tools.
Ransomware executable is sent to people's inbox
Ransowame infections are disseminated using various illegal methods. For many years, the most widely spread distribution technique of malicious viruses is spam email. Hackers can purchase people's email addresses on the black market (often soled by adware and browser hijacker developers) and then regularly sent them emails with malicious attachments. Usually, such email messages report important events, ask to claim prizes or pretend to be generated by authorities. If the PC's owner opens the attachment of such email, virus is immediately executed and encodes the files in no time.
In addition, people may get infected via unprotected RDP configuration, fraudulent downloads, exploits kits, fake software update prompts and similar techniques.
Eliminate LockMe ransomware
LockMe virus is a dangerous infection, which may result in both data and money loss. However, it can damage the system, weaken its security, and open the backdoor to other cyber infections. Therefore, you should accelerate LockMe removal.
Manual ransomware removal can hardly be implemented. Such infections root deply into the operating system, modify registry entries, and corrupt the information stored on the core system's drive. Therefore, you should employ a powerful (and updated!) anti-malware tool to remove LockMe virus completely. Our recommendation would be RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
Getting rid of LockMe virus. Follow these steps
Manual removal using Safe Mode
If you cannot launch your antivirus because it's being blocked by .lockme virus, you should boot your PC into Safe Mode with Networking. The following steps will explain how to do that:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove LockMe using System Restore
System Restore may be of use in case Safe Mode with Networking method won't work. Using this method you will eliminate the ransomware and can further try to recover encrypted data.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of LockMe. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove LockMe from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
To unlock files encrypted by LockMe virus, try using the following guide:
If your files are encrypted by LockMe, you can use several methods to restore them:
Use Data Recovery Pro to decrypt locked files
Data Recovery Pro is a professional tool capable of both restoring and decoding personal files. Therefore, give it a try:
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by LockMe ransomware;
- Restore them.
Recover files locked by LockMe virus using Windows Previous Version feature
Previous Windows version is one of the data recovery options that is applicable for those seeking to get individual files back. Besides, it is available on the systems on which the System Restore function was enabled before LockMe attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Run ShadowExplorer to crack the code
It's not clear whether LockMe virus eliminates Volume Shadow Copies. While the most severe cyber infections remove them. Therefore, if other decryption methods did not help, try to extract the copies by following these steps:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from LockMe and other ransomwares, use a reputable anti-spyware, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
- ^ Chris Brunau. Common Types of Ransomware. Datto. Solutions to secure the essential business data.
- ^ John Bohannon. Why criminals can't hide behind Bitcoin. Science. New research contributions.
- ^ Lincoln Spector. How to stop ransomware: Backup can protect you, but only if you do it right. PCWorld. Helps you navigate the PC ecosystem to find the products you want and the advice you need.
- ^ Forrest Williams. Understanding Exploit Kits: How They Work and How to Stop Them. Barkly. IT security news.