Locky Ransomware [Updated]
Written by Tomas Meskauskas on
Locky ransomware removal instructions
What is Locky?
Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each word document contains scrambled text, which appear to be macros. When users enable macro settings in the Word program, an executable file (the ransomware) is downloaded. Various files are then encrypted. Note that Locky changes all file names to a unique 16-letter and digit combination with .aesir, .shit, .thor, .locky, .zepto or .odin file extension. Thus, it becomes virtually impossible to identify the original files. All are encrypted using the RSA-2048 and AES-1024 algorithms and, therefore, a private key (stored on remote servers controlled by cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.
After the files are encrypted, Locky creates an additional .txt and _HELP_instructions.html (or _WHAT_is.html) file in each folder containing the encrypted files. Furthermore, this ransomware changes the desktop wallpaper. Both text files and wallpaper contain the same message that informs users of the encryption. It states that files can only be decrypted using a decrypter developed by cyber criminals and costing .5 BitCoin (at time of research, .5 BTC was equivalent to $207.63). To proceed, the victim must install the Tor browser and follow a link provided in the text files/wallpaper. The website contains step-by-step payment instructions. Locky deletes all file shadow volume copies. Currently, there are no tools capable of decrypting files affected by Locky - the only solution to this problem is to restore your files from a backup.
There are hundreds of ransomware-type malware infections similar or identical to Locky including, for instance, Cryptowall, JobCrypter, UmbreCrypt, TeslaCrypt, and DMA-Locker. All have identical behavior - they encrypt files and demand a ransom. The only difference is the size of ransom and type of algorithm used to encrypt the files. Research also shows that there is no guarantee that your files will ever be decrypted even after paying the ransom. By paying, you simply support cyber criminals' malicious businesses. Therefore, you should never pay the ransom or attempt to contact them. Be aware also that malware such as Locky is usually distributed via fake software updates, P2P networks, malicious email attachments, and trojans. Therefore, it is very important to keep your installed software up-to-date and to double check what you are downloading. Be cautious when opening email attachments sent from suspicious addresses and use a legitimate anti-spyware or anti-virus suite.
Below is are screenshots of email messages used in Locky ransomware distribution.
For example - email subject - "ATTN: Invoice J-12345678”, infected attachment - "invoice_J-12345678.doc" (contains macros that download and install Locky ransomware on computers):
Dear someone, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business!
Here are some screenshots of spam email messages containing infected attachments that install Locky ransomware on victims' computers:
Another way cyber criminals are distributing Locky ransomware are fake flash player update pop-ups "Your Flash Player may be out of date" (to stay safe users should only download Flash player from it's developers website):
Screenshot of _HELP_instructions.html (or _WHAT_is.html) file created by Locky ransomware:
_Locky_recover_instructions.txt (or _HELP_instructions.txt) text file:
Text presented in the desktop wallpaper and .txt files created by Locky:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC646805
4. Follow the instructions on the site.
!!! Your personal identification ID: 07Bxxx75DC646805 !!!
Screenshot of a desktop infected with Locky ransomware:
Locky ransomware website informing victims on how to pay the ransom to receive the "Locky Decrypter" software - supposedly software that will decrypt their compromised files:
File types targeted by Locky ransomware:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
A ransom payment page ('Locky Decryptor'):
Update 18 April 2016 - A new copycat ransomware has been released that impersonates Locky. AutoLocky is new ransomware created by cyber criminals using the AutoIt programming language. It attempts to impersonate the original Locky ransomware by assigning the .Locky extension to encrypted files. To determine if your computer is infected with AutoLocky ransomware, look at the ransom demand message - it differs from the original Locky ransomware. The good news for the victims of AutoLocky is that Fabian Wosar from Emsisoft has created a free decrypter that will decrypt compromised files free of charge. Download link - Emsisoft Decrypter for AutoLocky. Before using this tool, victims of AutoLocky should scan their computers with legitimate anti-malware software to first terminate its processes and remove associated malware files. You can then use the decrypter to regain control of your compromised data.
Screenshot of AutoLocky decrypter by Fabian Wosar from Emsisoft:
Autolocky ransomware creates a Info.html and Info.txt file on the desktop:
Text presented within these files:
All of your files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found here: https://en.wikipedia.org/wiki/RSA (crypto system) https://en.wikipedia.org/wiki/Advanced_Encryption_standard Decrypting of your files is only possible with the following steps How to buy decryption? 1. You can make a payment with BitCoins, there are many methods to get them. 2. You should register BitCoin wallet (simplest online wallet OR some other methods of creating wallet) 3. Purchasing BitCoins - Although it’s not yet easy to buy bitcoins, it’s getting simpler every day.
Locky ransomware removal:
Quick menu: Quick solution to remove .locky (.zepto) virus
- What is Locky?
- STEP 1. Locky virus removal using safe mode with networking.
- STEP 2. Locky ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Log in to the account infected with the Locky virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Locky ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Locky ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Locky are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Locky ransomware.)
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove Locky ransomware: