Locky Ransomware

Also Known As: .locky virus
Type: Ransomware (/common-types-of-computer-infections#ransomware)
Distribution: High
Damage level:

Written by Tomas Meskauskas (https://plus.google.com/u/0/101121591532873768450) on Saturday, 02 April 2016 04:44 AM

Locky ransomware removal instructions
What is Locky?

Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text that appears to be macro code. When the user enables macros in Word, an executable file (the ransomware) is downloaded and various files are then encrypted. Note that Locky changes all file names to a unique 16 letter and digit combination with a .locky file extension, so it becomes virtually impossible to identify the original files. All are encrypted using the RSA-2048 and AES-1024 algorithm and, therefore, a private key (which is stored on remote servers controlled by cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.


After the files are encrypted, Locky creates an additional .txt file and a _HELP_instructions.html file in each folder containing encrypted files. Furthermore, this ransomware changes the desktop wallpaper. Both the text files and the wallpaper contain the same message, which informs users about the encryption. It states that files can only be decrypted using a decrypter developed by the cyber criminals, which costs .5 BitCoin (at the time of research, .5 BTC was equivalent to $207.63). To proceed, the victim must install the Tor browser and follow the link provided in the text files/wallpaper. The website contains step-by-step payment instructions. Locky also deletes all Shadow Volume Copies of files. At the time of writing, there were no tools capable of decrypting files affected by Locky; the only solution to this problem is to restore your files from a backup.


Research results show that there are hundreds of ransomware-type malware similar or identical to Locky, including, for instance, Cryptowall (/removal-guides/7844-cryptowall-virus), JobCrypter (/removal-guides/9796-jobcrypter-ransomware), UmbreCrypt (/removal-guides/9795-umbrecrypt-ransomware), TeslaCrypt (/removal-guides/8724-teslacrypt-virus), and DMA-Locker (/removal-guides/9702-dma-locker-ransomware). All have identical behaviour: they encrypt files and demand a ransom. The only differences are the size of the ransom and the type of algorithm used to encrypt the files. Research also shows that there is no guarantee that your files will ever be decrypted, even after paying the ransom. By paying, you simply support the cyber criminals' malicious business. For this reason, you should never pay the ransom or attempt to contact them. Be aware also that malware such as Locky is usually distributed via fake software updates, P2P networks, malicious email attachments, and trojans. Therefore, it is very important to keep your installed software up to date and to double check what you are downloading. Be cautious when opening email attachments sent from suspicious addresses, and use a legitimate anti-spyware or anti-virus suite.


Below is a screenshot of an email message used for Locky ransomware distribution.

For example: email subject "ATTN: Invoice J-12345678", infected attachment "invoice_J-12345678.doc" (contains macros that download and install the Locky ransomware on the victim's computer):

Dear someone, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business!

Here are some screenshots of spam email messages containing infected attachments that install Locky ransomware on victims' computers:

_Locky_recover_instructions.txt (or _HELP_instructions.txt) text file:

Text presented in the desktop wallpaper and .txt files created by Locky:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. hxxp://6dtxxxxm4crv6rr6.tor2web.org/07Bxxx75DC646805
2. hxxp://6dtxxxxgqam4crv6rr6.onion.to/07Bxxx75DC646805
3. hxxp://6dtxxxxgqam4crv6rr6.onion.cab/07Bxxx75DC646805
4. hxxp://6dtxxxxgqam4crv6rr6.onion.link/07Bxxx75DC646805
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC646805
4. Follow the instructions on the site.
!!! Your personal identification ID: 07Bxxx75DC646805 !!!
Screenshot of a victim's desktop infected with Locky ransomware:

Locky ransomware website informing victims on how to pay the ransom to receive the
"Locky Decrypter" software - supposedly software that will decrypt their compromised
files:

File types targeted by Locky ransomware:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla,
.swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2,
.tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm,
.jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd,
.sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD,
.frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11
(Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm,
.otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi,
.otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc,
.dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max,
.xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC,
.pem, .csr, .crt, .key, wallet.dat

A ransom payment page ('Locky Decryptor'):
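The indicators described above (the 16 letter-and-digit rename with a .locky extension, the ransom note file names, and the target extension list) can be checked across a copied directory tree with a small triage script. This is an added example, not code from the pcrisk guide: SAMPLE_PATHS is a constructed listing, TARGET_EXTENSIONS is only a subset of the page's list, and note_dirs shows which folders Locky had reached before it was stopped.

```python
import os
import re
from dataclasses import dataclass, field

# Renamed files: 16 letters/digits followed by .locky, as the guide describes.
LOCKY_NAME = re.compile(r"^[A-Za-z0-9]{16}\.locky$")

# Ransom note file names quoted in the guide (matched case-insensitively).
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_help_instructions.txt",
                "_help_instructions.html"}

# A subset of the target extensions listed on the page, lower-cased for matching.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                     ".zip", ".sql", ".vmdk", ".pem", ".key"}

# Constructed sample listing for the demo and test; not real data.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/F1A2B3C4D5E6F7A8.locky",
    "C:/Users/alice/Documents/_Locky_recover_instructions.txt",
    "C:/Users/alice/Documents/_HELP_instructions.html",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Pictures/0123456789ABCDEF.locky",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/thumbs.db",
    "C:/Users/alice/Desktop/notes.locky",  # wrong length: not Locky's scheme
]

@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)  # paths matching LOCKY_NAME
    notes: list = field(default_factory=list)      # ransom note paths
    note_dirs: set = field(default_factory=set)    # folders that received a note
    at_risk: int = 0                               # intact files with targeted extensions

    @property
    def infected(self) -> bool:
        return bool(self.encrypted or self.notes)

def classify(path: str) -> str:
    """Return 'encrypted', 'note', 'at_risk' or 'other' for one path."""
    name = os.path.basename(path)
    if LOCKY_NAME.match(name):
        return "encrypted"
    if name.lower() in RANSOM_NOTES:
        return "note"
    if name.lower() == "wallet.dat" or os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
        return "at_risk"
    return "other"

def triage_listing(paths) -> TriageReport:
    report = TriageReport()
    for path in paths:
        kind = classify(path)
        if kind == "encrypted":
            report.encrypted.append(path)
        elif kind == "note":
            report.notes.append(path)
            report.note_dirs.add(os.path.dirname(path))
        elif kind == "at_risk":
            report.at_risk += 1
    return report

def triage(root: str) -> TriageReport:  # walk a real tree, e.g. an offline-mounted image
    return triage_listing(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
```

Run triage() against a mounted copy of the affected disk rather than the live system, so the scan itself does not touch files that may still be recoverable.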

Update 18 April 2016 - A new copycat ransomware has been released that impersonates Locky. AutoLocky is a new ransomware created by cyber criminals using the AutoIt (https://www.autoitscript.com/site/autoit/) programming language. It tries to impersonate the original Locky ransomware by assigning the .Locky extension to the encrypted files. To determine whether your computer is infected with AutoLocky ransomware, look at the ransom-demanding message: it differs from the original Locky ransomware. The good news for victims of AutoLocky is that Fabian Wosar (https://twitter.com/fwosar) from Emsisoft has created a free decrypter that can recover the compromised files. Download link: Emsisoft Decrypter for AutoLocky (https://decrypter.emsisoft.com/autolocky). Before using this tool, victims of AutoLocky should scan their computers with legitimate anti-malware software to first terminate its processes and remove associated malware files. Then you can use the decrypter to regain control of your compromised data.

Screenshot of AutoLocky decrypter by Fabian Wosar from Emsisoft:

AutoLocky ransomware creates Info.html and Info.txt on the user's desktop:

Text presented in these files:

Locky ransomware
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_standard
Decrypting of your files is only possible with the following steps
How to buy decryption?
1. You can make a payment with BitCoins, there are many methods to get them.
2. You should register BitCoin wallet (simplest online wallet OR some other methods of creating wallet)
3. Purchasing BitCoins - Although its not yet easy to buy bitcoins, its getting simpler every day.

Locky ransomware removal:

STEP 1. Locky virus removal using Safe Mode with Networking.
STEP 2. Locky ransomware removal using System Restore.

Step 1
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click
Shut Down, click Restart, click OK. During your computer start process, press the F8 key on

your keyboard multiple times until you see the Windows Advanced Option menu, and then
select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":

How to start Windows 7 in Safe Mode with Networking?

Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 8 Safe Mode with Networking

Step 2
Log in to the account infected with the Locky virus. Start your Internet browser and
download a legitimate anti-spyware program. Update the anti-spyware software and start
a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System
Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command
Prompt" and "System Restore":

How to remove ransomware?

1. During your computer start process, press the F8 key on your keyboard multiple times
until the Windows Advanced Options menu appears, and then select Safe Mode with
Command Prompt from the list and press ENTER.

2. When Command Prompt mode loads, enter the following line: cd restore and press
ENTER.

3. Next, type this line: rstrui.exe and press ENTER.

4. In the opened window, click "Next".

5. Select one of the available Restore Points and click "Next" (this will restore your
computer system to an earlier time and date, prior to the Locky ransomware virus
infiltrating your PC).

6. In the opened window, click "Yes".

7. After restoring your computer to a previous date, download and scan your PC with
recommended malware removal software (/files/sh-remover.exe) to eliminate any
remaining Locky ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous
Versions feature. This method is only effective if the System Restore function was enabled
on an infected operating system. Note that some variants of Locky are known to remove
Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab.
If the relevant file has a Restore Point, select it and click the "Restore" button.

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk (/computer-technician-blog/general-information/6775-how-to-boot-your-computer-using-a-rescue-disk). Some variants of ransomware disable Safe Mode, making their removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Locky, you can also try using a program called Shadow Explorer (http://www.shadowexplorer.com/downloads.html). More information on how to use this program is available here (http://www.shadowexplorer.com/documentation/manual.html).

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Locky ransomware.

HitmanPro.Alert CryptoGuard (http://www.surfright.nl/en/alert/cryptoguard) - detects encryption of files and neutralises any attempts without the need for user intervention:

EasySync CryptoMonitor (https://www.easysyncsolutions.com/products.html) - kills an encryption infection and blacklists it from running again:

Other tools known to remove Locky ransomware:


Malwarebytes Anti-Malware (/top-spyware-removers/malwarebytes-antimalware)
Comments
Cihan Erdem
8 days ago

Good morning,
Unfortunately my files are encrypted by Locky Extension, i have uploaded one encrypted file with ransomnotes (html and jpeg files) on attachment, if you can help me i will be highly appreciated.
Thanks in advance.
Best Regards.
Cihan

Tomas Meskauskas (Mod)
a month ago

Hi Andy, based on the fact that your encrypted files got the .crypted extension I would suggest you reading this article - https://www.pcrisk.com/removal...
My guess is that your computer is infected with .crypted ransomware rather than Locky.

andy
a month ago

Not sure which variant a computer got hit with but I can see some of the data with a hex editor. So I don't think they are fully encrypted maybe just a bad header info.
It did not put a ransom notice anywhere. I looked for a new .txt .png .htm and other files. Because I stopped it prior to finishing going through all the drive letters the user/computer had access to. It may not have had time to put the notice on the computer.
The extension it put on it was .crypted so a file may have been called abc.xlsx but now is abc.xlsx.crypted.
I've taken off the .crypted extension and tried to open but nothing.

JaJa Tasic
2 months ago

i just recovered my files using recuva but they are corrupted -_-

Stfano
2 months ago

Hi guys, we have the same problem, Is there other way to recover files besides pay? Any tool?

Tomas Meskauskas (Mod)
2 months ago

Hi Carlos, unfortunately at this time there are no tools available to recover the data encrypted by Locky ransomware for free. The key that is needed to decrypt the files is stored on the servers controlled by cyber criminals; without this key it's not possible to get back your files. You can try using file recovery software (for example: Recuva, EaseUS Data Recovery Wizard Free or R-Studio), however chances to get back your compromised data are low.

Carlos Coli
2 months ago

Hello Tomas Meskauskas, I wonder if there is a program to recover the affected files, now my files are with extensao.LOKY, how do I get back what was before, I did not back up these files.
Sorry for the English, I'm from Brazil

jim beaumont
2 months ago

malware bytes does not remove locky


About the author:


I am passionate about computer security and technology. I have 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010. Follow me on Google+ to stay informed about the latest online security threats.
Our malware removal guides are free. However, if you want to support us you can send us a donation.

Copyright 2007-2016 PCrisk.com. Any redistribution or reproduction of part or all of the contents in any form is prohibited.