Locky is a virus that once started will encrypt all personal files stored on a computer drives and attached network drives. It uses very strong hybrid encryption with 2048-bit key. When Locky encrypts a file, it will change a file extension to the .Locky. Once the virus finished enciphering of all files, it will display a screen that says:
!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
hxxps://en.wikipedia.org/wiki/RSA_(cryptosystem)
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_StandardDecrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. hxxp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2. hxxp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3. hxxp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
4. hxxp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxIf all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
4. Follow the instructions on the site.
!!! Your personal identification ID: xxxxxxxxxxxxxxxxxxxx !!!
Locky offers to make a payment $400 to get a key to decrypt files. Important to know, currently not possible to decrypt the files encrypted by the locky virus without the the private key and decrypt program.
If you choose to pay the ransom, there is no 100% guarantee that you can get back your files! If you do not want to pay for a decryption key, then you have a chance to restore your files. Use the step-by-step guide below to remove the virus itself and try to restore your files.
How does a computer get infected with Locky virus
Locky virus is distributed through the use of spam emails. Below is an email that is infected with Locky virus.
Once this attachment has been opened, this virus will be started automatically as you do not even notice that. Locky will start the encryption process. When this process is done, it will display the usual ransom instructions like above on how to decrypt your files.
Step-by-step instructions on How to remove Locky virus and restore encrypted files
The following instructions is a full step-by-step guide, which will help you to remove Locky malicious software and try to restore all encrypted files. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and other files. Please do the instructions step by step. If you need a help or have any questions, then ask for our assistance here or type a comment below.
1. Remove Locky virus with MalwareBytes Anti-malware.
2. Restore Locky virus encrypted files with ShadowExplorer.
3. Restore Locky virus encrypted files with PhotoRec.
1. Remove Locky virus with MalwareBytes Anti-malware.
Download MalwareBytes Anti-malware (MBAM) from the link below.
MalwareBytes Anti-malware download link
Once downloaded, close all programs and windows on your computer. Open a directory in which you saved it. Double-click on the icon that named mbam-setup like below.
When the installation begins, you will see the Setup – Wizard that will help you install MalwareBytes Anti-malware on your computer.
Once installation is complete, you will see window similar to the one below.
Now click on the Scan Now button to start scanning your computer. This procedure can take some time, so please be patient.
When the scan is finished, make sure all entries have “checkmark” and click Remove Selected button. MalwareBytes Anti-malware will start to remove ransoware related files, folders, registry keys. Once disinfection is completed, you may be prompted to Restart.
2. Restore Locky virus encrypted files with ShadowExplorer.
Download ShadowExplorer from the following link.
Open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown below.
Double click ShadowExplorerPortable to run it. You will see the following screen.
In top left corner, select a Drive and a latest restore point as shown on the example below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export. An example below.
3. Restore Locky virus encrypted files with PhotoRec.
Download PhotoRec from the link below.
Open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen like below.
Select a drive to recover from as shown below.
You will see a list of available partitions. Select a partition that holds the lost and encrypted files. An example below.
Click on File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, click Browse button to select where recovered files should be written, then click Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is completed, click on Quit button. Next, open the directory where recovery files are stored. You will see a contents like below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
The End.
If you need help with the instructions, then ask for help here.
