If your photos, documents and music do not open normally and have “locked” added at the end of their names, then your personal computer is infected with a new Locked ransomware from a family of file-encrypting ransomware. Once opened, it encrypts all personal files stored on the computer's drives and attached network drives.
The Locked ransomware virus uses a strong encryption algorithm with a 2048-bit key. When the virus encrypts a file, it adds the locked extension to it. Once the ransomware has finished encrypting all documents, photos and music, it drops a file named “readme.txt” with instructions on how to decrypt all personal files.
Table of contents
- What is Locked
- How to decrypt .locked files
- How to remove Locked ransomware virus
- How to restore .locked files
- How to prevent your personal computer from becoming infected by Locked virus?
- How does your machine get infected with Locked ransomware virus
- To sum up
The ransom note encourages the victim to contact Locked’s creators in order to decrypt all files. These persons will demand a ransom (usually $300-1000 in Bitcoins). We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to restore your photos, documents and music for free using free tools such as ShadowExplorer and PhotoRec.
Therefore it’s very important to follow the guidance below as soon as possible. The step by step guidance will help you to get rid of Locked ransomware infection. What is more, the instructions below will help you restore encrypted personal files for free.
What is Locked virus
Locked is a variant of crypto viruses (malicious software that encrypts personal files and demands a ransom). It affects all current versions of Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses a strong encryption algorithm with a 2048-bit key to eliminate the possibility of brute forcing the key that would allow encrypted personal files to be decrypted.
When the ransomware infects a computer, it uses system directories to store its own files. To run automatically whenever you turn on your machine, the Locked ransomware virus creates a registry entry in Windows, in the sections HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
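To review what is registered in those two autostart sections, the following added example (not part of the original guide) lists every entry together with the program file it points to. The function names and the list of program extensions are assumptions made for this illustration.

```python
import os

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

# The per-user autostart sections named in the text above.
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
PROGRAM_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr")  # assumed list


def executable_from_command(command):
    """Extract the program path from an autostart command line."""
    command = os.path.expandvars(command.strip())
    if command.startswith('"'):
        end = command.find('"', 1)  # quoted path: take up to the closing quote
        return command[1:end] if end != -1 else command[1:]
    # An unquoted path may contain spaces: cut after the first program
    # extension that is followed by a space or by the end of the string.
    padded = command.lower() + " "
    hits = [padded.find(ext + " ") + len(ext)
            for ext in PROGRAM_EXTENSIONS if ext + " " in padded]
    return command[:min(hits)] if hits else command.split(" ", 1)[0]


def list_autoruns():
    """Return every value stored in the two HKCU autostart sections."""
    entries = []
    for subkey in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
        except OSError:
            continue  # this section does not exist for the current user
        with key:
            for index in range(winreg.QueryInfoKey(key)[1]):
                name, data, _type = winreg.EnumValue(key, index)
                path = executable_from_command(str(data))
                entries.append({"key": subkey, "name": name, "command": str(data),
                                "path": path, "exists": os.path.isfile(path)})
    return entries


if __name__ == "__main__":
    if winreg is None:
        print("Run this script on the affected Windows account.")
    else:
        for entry in list_autoruns():
            print(entry["key"], entry["name"], entry["path"],
                  "" if entry["exists"] else "(file missing)", sep=" | ")
```

Entries you do not recognise can be compared with the results of the scanners described below before anything is deleted.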
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to define the group of files that will be encrypted. Almost all types of files are encrypted, including common ones such as:
.xx, .odc, .pst, .srf, .xlgc, .sql, .wmv, .wsc, .wp6, .zabw, .bsa, .css, .epk, .wotreplay, .dba, .ptx, .bc6, .hvpl, .xxx, .1st, .hplg, .wsd, .hkx, .arch00, .yml, .wps, .wpb, .rtf, .7z, .wmv, .qic, .cfr, .sis, .t13, .apk, .wmd, .wma, .forge, .vpk, .gho, .xyw, .zdb, .bik, .xlsx, .webp, .raf, .p7c, .crw, .pptm, .pef, .z, .xdl, .js, .wp4, .mcmeta, .ods, .itl, .m2, .xyp, .lrf, .asset, .cr2, .webdoc, .yal, .zdc, .wbd, .wn, .wpd, .ws, .pem, .d3dbsp, .upk, .xy3, .esm, .tor, .3dm, .ncf, .mdb, .sidd, wallet, .sr2, .gdb, .xmind, .mlx, .wpg, .wp7, .pak, .svg, .dxg, .xll, .xlsb, .mpqge, .zip, .wps, .wav, .vcf, .xbdoc, .zif, .jpe, .wire, .ztmp, .arw, .odt, .tax, .xls, .png, .rgss3a, .wm, .mp4, .wp, .syncdb, .1, .itm, .dbf, .itdb, .iwd, .sid, .vtf, .crt, .sum, .sie, .lvl, .rwl, .wmf, .db0, .fsh, .jpeg, .doc, .xar, .0, .sb, .dazip, .psd, .csv, .m3u, .ai, .wcf, .pkpass, .wot, .bkf, .menu, .mov, .bar, .wpe, .ltx, .wpa, .xlsm, .pptx, .cdr, .mdbackup, .layout, .accdb, .orf, .wbk, .wpl, .mdf, .xlk, .ybk, .xwp, .pfx, .bc7, .p7b, .kdc, .das, .odm, .dwg, .mddata, .wpt, .wri, .hkdb, .wpd, .der, .lbf, .ppt, .srw, .kf, .xpm, .snx, .zw, .eps, .erf, .cas, .iwi, .xld, .x3d, .bkp, .py, .odb, .zip, .r3d, .xml, .zi, .blob, .wbz, .ff, .nrw, .icxs, .map, .xdb, .dng, .w3x, .dmp, .wbm, .wgz, .xls, .psk, .raw, .y, .dcr, .rar, .pdf, .wdp, .fpk, .ibank, .indd, .vfs0, .pdd, .xf, .3fr, .rb, .xlsm, .rim, .re4, .kdb, .ysp, .m4a, .cer, .z3d, .txt, .ntl, .docx, .litemod, .vdf, .x3f, .xlsx, .fos, .x, .mef, .bay, .xmmap, .2bp, .flv, .sav, .desc, .wb2, .t12, .jpg, .wsh, .mrwref, .3ds, .odp, .rofl, .wma, .p12, .x3f, .docm, .slm, .wp5, .sidn, .rw2, .big, .xbplate, .wpw, .qdf, .wbmp, .wmo, .wbc, .vpp_pc, .wdb, .avi
Once a file is encrypted, its extension is changed to locked. Next, the ransomware creates a file called “readme.txt”. This file contains guidance on how to decrypt all encrypted files.
The Locked virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom note on the desktop. It is trying to force the user of the infected personal computer to pay the ransom without hesitation, in an attempt to recover their photos, documents and music.
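To see how far the encryption has spread before choosing what to restore, the following added example (not part of the original guide) walks a folder tree and counts files ending in .locked by folder and by original file type. It assumes the suffix is appended to the full original name, as described at the top of this page, and it counts a readme.txt only when it sits next to encrypted files. The function names and the sample tree are constructed for this illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".locked"  # suffix the text says is added to each file name
NOTE_NAME = "readme.txt"      # ransom note name given in the text


def inventory(root):
    """Summarise encrypted files under root by folder and original file type."""
    by_type, by_folder, notes = Counter(), Counter(), []
    total_bytes = 0
    for folder, _subdirs, files in os.walk(root):
        locked = [f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
        if not locked:
            continue  # a readme.txt in an untouched folder is not a ransom note
        by_folder[folder] = len(locked)
        for name in locked:
            original = name[:-len(ENCRYPTED_SUFFIX)]  # report.docx.locked -> report.docx
            ext = os.path.splitext(original)[1].lower() or "(none)"
            by_type[ext] += 1
            try:
                total_bytes += os.path.getsize(os.path.join(folder, name))
            except OSError:
                pass  # unreadable file: still counted, size unknown
        notes += [os.path.join(folder, f) for f in files if f.lower() == NOTE_NAME]
    return {"by_type": dict(by_type), "by_folder": dict(by_folder),
            "notes": notes, "total_bytes": total_bytes}


def build_sample_tree(root):
    """Create a small constructed folder tree to demonstrate the report."""
    layout = {
        "Documents": ["report.docx.locked", "budget.xlsx.locked", "readme.txt"],
        "Pictures": ["cat.JPG.locked", "notes.locked"],
        "Tools": ["readme.txt", "setup.exe"],  # untouched folder
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as handle:
                handle.write(b"x" * 10)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        print(inventory(sample))
```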
How to decrypt .locked files
Currently there is no available method to decrypt .locked files, but you have a chance to recover encrypted files for free. The ransomware repeatedly tells the victim that it uses an RSA-2048 key (AES 256-bit encryption method). This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the developers of the Locked ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay a ransom to the authors of the Locked virus, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove Locked ransomware virus
The following instructions will help you to get rid of the Locked virus and other malware. Before doing it, you need to know that by starting to remove the ransomware virus, you may block the ability to decrypt photos, documents and music by paying the creators of the ransomware the requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware and easily delete them from your system, but they cannot recover encrypted files.
Remove Locked ransomware with Zemana Anti-malware
We advise using Zemana Anti-malware, which can completely clean your personal computer of the ransomware infection. The utility is an advanced malicious software removal program developed by (c) Zemana lab. It is able to help you get rid of potentially unwanted applications, viruses, ad-supported software, malicious software, toolbars, ransomware and other security threats from your PC for free.
- Please download Zemana anti malware on your Windows Desktop by clicking on the link below.
- At the download page, click on the Download button. Your web browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- Once the downloading process is finished, please close all programs and open windows on your system. Next, start a file named Zemana.AntiMalware.Setup.
- This will launch the “Setup wizard” of Zemana anti-malware onto your personal computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the antimalware will launch and display the main window.
- Next, click the “Scan” button to perform a system scan with this tool for the Locked ransomware virus and other trojans and malicious software. This procedure can take some time, so please be patient. During the scan it will detect all threats that exist on your system.
- Once the system scan is finished, it’ll show a scan report.
- In order to remove all items, simply press the “Next” button to begin cleaning your computer. Once the task is finished, you may be prompted to restart the PC system.
- Close the Zemana Anti-Malware and continue with the next step.
Run Malwarebytes to delete Locked ransomware virus
We advise using Malwarebytes Free, which can completely clean your personal computer of the ransomware virus. The free utility is an advanced malware removal application developed by (c) Malwarebytes lab. This application uses the world’s most popular anti malware technology. It is able to help you get rid of ransomware viruses, potentially unwanted applications, malicious software, ad supported software, toolbars, ransomware and other security threats from your personal computer for free.
Download Malwarebytes Free by clicking on the following link and save it to your Desktop.
When downloading is finished, close all windows on your PC. Further, open the file named mb3-setup. If the “User Account Control” dialog box pops up as displayed in the following example, press the “Yes” button.
It will show the “Setup wizard” which will allow you to install Malwarebytes on the PC system. Follow the prompts and do not make any changes to default settings.
Once installation has completed successfully, click the Finish button. Malwarebytes will then start automatically and you can see its main window as shown on the screen below.
Next, press the “Scan Now” button. This will start scanning the whole system to find the Locked ransomware. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the program is scanning, you can see how many objects it has identified as threats.
When this utility has completed scanning, a list of all items found is produced. Review the scan results and then click the “Quarantine Selected” button.
Malwarebytes will start removing the Locked ransomware and other security threats. Once disinfection is complete, you may be prompted to reboot your computer. We advise you to look at the following video, which completely explains the procedure of using Malwarebytes to remove viruses, ad-supported software and other malware.
Scan and clean your personal computer of Locked virus with KVRT
KVRT is a free removal utility that can be downloaded and used to delete viruses, adware, malicious software, potentially unwanted programs, toolbars and other threats from your system. You can run this utility to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it on your MS Windows desktop.
Once downloading is complete, double-click on the KVRT icon. Once the initialization process is finished, you’ll see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click the Start scan button to start scanning your system for the Locked ransomware virus and other malicious software. This process can take some time, so please be patient. While the utility is checking, you may see the count of objects it has identified as being malicious software.
When it has completed scanning, it’ll show a screen which contains a list of malware that has been detected as displayed on the image below.
In order to delete all threats, simply press Continue to start the cleaning procedure.
How to restore .locked files
In some cases, you can restore files encrypted by Locked ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Use ShadowExplorer to restore .locked files
In some cases, you have a chance to recover your files which were encrypted by the Locked ransomware virus. This is possible with the utility named ShadowExplorer. It is a free application made to obtain ‘shadow copies’ of files.
Download ShadowExplorer by clicking on the link below and save it directly to your Windows Desktop. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Launch ShadowExplorerPortable. You will see a window as shown in the following example.
From the first drop down list you can select a drive that contains encrypted files, from the second drop down list you can choose the date that you wish to recover from. 1 – drive, 2 – restore point, like below.
Right-click the entire folder or any one encrypted file and select Export, as displayed in the following example.
It will open a prompt asking where you would like to restore the file or the contents of the folder to.
Use PhotoRec to restore .locked files
Before a file is encrypted, the Locked ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec by clicking on the following link and save it directly to your Windows Desktop.
When downloading is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as shown below.
Choose a drive to recover as displayed on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown in the figure below.
Click the File Formats button and select file types to recover. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, click the Browse button to choose where recovered documents, photos and music should be written, then click Search.
The count of restored files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, click the Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see contents like below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can sort your recovered files by extension and/or date/time.
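Sorting the recup_dir sub-directories by hand is slow when thousands of files come back, so the following added example (not part of the original guide or of PhotoRec) copies the recovered files into one folder per extension, ordered by date/time. The function name, the target folder layout and the sample files are assumptions constructed for this illustration.

```python
import os
import re
import shutil
import tempfile

RECUP_DIR = re.compile(r"recup_dir\.\d+")  # PhotoRec output folders named in the text


def sort_recovered(photorec_output, sorted_root):
    """Copy recovered files into one folder per extension, oldest first."""
    found = []
    for entry in sorted(os.listdir(photorec_output)):
        folder = os.path.join(photorec_output, entry)
        if RECUP_DIR.fullmatch(entry) and os.path.isdir(folder):
            found += [os.path.join(folder, n) for n in sorted(os.listdir(folder))
                      if os.path.isfile(os.path.join(folder, n))]
    found.sort(key=os.path.getmtime)  # date/time order, kept within each extension
    result = {}
    for src in found:
        stem, ext = os.path.splitext(os.path.basename(src))
        bucket = ext.lower().lstrip(".") or "no_extension"
        dest_dir = os.path.join(sorted_root, bucket)
        os.makedirs(dest_dir, exist_ok=True)
        dest, n = os.path.join(dest_dir, stem + ext), 0
        while os.path.exists(dest):  # same name recovered in two recup_dir folders
            n += 1
            dest = os.path.join(dest_dir, f"{stem}_{n}{ext}")
        shutil.copy2(src, dest)  # copy2 keeps timestamps; originals stay in place
        result.setdefault(bucket, []).append(dest)
    return result


if __name__ == "__main__":
    # Constructed stand-in for a PhotoRec output folder.
    with tempfile.TemporaryDirectory() as out:
        for folder, name in [("recup_dir.1", "f0001.jpg"), ("recup_dir.2", "f0001.jpg")]:
            os.makedirs(os.path.join(out, folder))
            open(os.path.join(out, folder, name), "wb").close()
        print(sort_recovered(out, os.path.join(out, "sorted")))
```

Keep both the PhotoRec output folder and the sorted folder on a drive other than the one being recovered, so that deleted data that has not been recovered yet is not overwritten.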
How to prevent your system from becoming infected by Locked ransomware virus?
Most antivirus software already has a built-in protection system against ransomware infection. Therefore, if your machine does not have an antivirus application, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your PC system from Locked virus
Download CryptoPrevent on your Microsoft Windows Desktop by clicking on the following link.
Run it and follow the setup wizard. Once the installation is complete, you’ll be shown a window where you can choose a level of protection, as shown on the image below.
Now click the Apply button to activate the protection.
How does your system get infected with Locked ransomware infection
The Locked virus is distributed through the use of spam emails. Below is an email that is infected with a virus like Locked ransomware infection.
Once this attachment has been opened, the ransomware virus will be launched automatically without you even noticing. The Locked ransomware will start the encryption process. When this process is done, it will show the usual ransom demand message, like the one above, in readme.txt.
To sum up
Once you have completed the step by step instructions outlined above, your system should be clean of the Locked ransomware virus and other malware. Your PC system will no longer encrypt your files. Unfortunately, if the instructions do not help you, then you have caught a new variant of ransomware virus, and the best way forward is to ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
- Double-click on the HijackThis icon. Next press the “Do a system scan only” button.
- When the system scan is finished, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Locked ransomware virus.