Thursday, March 3, 2016

Files Encrypted by Locky Ransomware – How to Remove Locky Virus from Windows Computer?

My computer is infected by a Locky virus. It has encrypted my files with the .locky extension, and I got a screen with a message like this:

“All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server....”

How do I get rid of the file extension and bring my computer back to normal?

Brief Introduction of Locky Ransomware

Locky is a new ransomware family that was released recently, most probably by the Dridex gang. It is usually delivered as a malicious e-mail attachment in a phishing campaign; the attachment typically arrives as a Word document, but could also be an Excel document, that appears to be an invoice. In addition, the Locky infection, detected as Ransom:Win32/Locky.A, can also be downloaded by malicious Trojan downloaders such as TrojanDownloader:O97M/Bartallex, TrojanDownloader:BAT/Locky.A and TrojanDownloader:JS/Locky.A.

Once inside, Locky not only encrypts files locally but also traverses folders and directories shared over the network and attempts to scramble the data on those. Encrypted files are renamed to <random ID>.locky. Alongside them you will find a _Locky_recover_instructions.txt file that tells you how to get your files decrypted, namely by paying the ransom. Doing so is not recommended. Note that once your files are encrypted, the only guaranteed way to restore them is from a backup. You should also remove the Locky ransomware and its associated threats from your computer as soon as possible, before they damage the system further.

How to Remove Locky Ransomware from Windows Computer Effectively?

Here are some useful methods to remove Locky Ransomware. Please refer to them to get rid of all the problems.

Method 1: Manually Remove Locky Ransomware from PC
Method 2: Automatically Remove Locky Ransomware with SpyHunter

Method 1: Manually Remove Locky Ransomware with Step by Step Instruction

Step 1. Restart your computer in Safe mode.

Keep tapping the F8 key before the Windows start-up logo appears until you reach Advanced Options, select Safe Mode, and hit ENTER.

Step 2. End the Trojan processes in Windows Task Manager.

Press Ctrl+Shift+Esc or Ctrl+Alt+Delete to open Windows Task Manager, find the malicious processes and click End Process.

(The virus may run its dropped copy renamed to svchost.exe, so check the file location of each svchost.exe process rather than relying on the name alone.)

Step 3. Navigate to Registry Editor and clean up all Locky Ransomware registry entries.

Press the Win and R keys at the same time to open the Run command box. Open Registry Editor by typing "regedit" in the Run box and clicking OK.

Look through the registry for the harmful items listed below. Right-click on them and delete the related entries (samples):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>" = "%AppData%\<random>.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "<random>" = "%AppData%\<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\<random>.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe

Step 4. Show hidden folders and files.

Windows XP

Start button > Control Panel > Appearance and Personalization > Folder Options > Show Hidden Files or Folders

Remove the checkmarks from Hide extensions for known file types and from Hide protected operating system files (Recommended).

Windows 7 / Vista

Libraries > Folder Options > Tools > Show Hidden Files or Folders

Remove the checkmarks from Hide extensions for known file types and Hide protected operating system files (Recommended).

Windows 8 /8.1

Windows Explorer > View > Hidden Items

Delete the files associated with Locky Ransomware (samples):

%UserProfile%\Application Data\Microsoft\[random].exe
%System Root%\Samples
%User Profile%\Local Settings\Temp
C:\Program Files\<random>
C:\ProgramData\[random numbers]\
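The following PowerShell script is an added, read-only example (not part of the original post) that audits the same registry locations Step 3 lists, the Run keys, the Winlogon Shell value and the Image File Execution Options Debugger values for the security tools named above, and reports entries matching the patterns shown, so you can review them before deleting anything. It assumes PowerShell 3 or later and uses your own %AppData% folder for the path check.

```powershell
# Added example, not from the original post: read-only audit of the autostart
# locations listed in Step 3. Nothing is deleted; review the report first.
$findings = @()
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. Run keys: flag values that launch an .exe sitting directly in the roaming
#    AppData folder, the "%AppData%\<random>.exe" pattern listed above.
#    %AppData% in a REG_EXPAND_SZ value is expanded on read, so match the
#    expanded path; ExpandEnvironmentVariables covers plain REG_SZ values.
$appData = [regex]::Escape($env:APPDATA)
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -match "(?i)^`"?$appData\\[^\\`"]+\.exe") {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name
                Value = $p.Value; Reason = 'Run entry launches .exe from AppData root' }
        }
    }
}

# 2. Winlogon Shell: should be explorer.exe; the post shows it pointed at
#    "%AppData%\<random>.exe" instead. HKLM is checked as well as HKCU.
foreach ($hive in 'HKCU:','HKLM:') {
    $wl = "$hive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell.Trim() -notmatch '(?i)^explorer\.exe$')) {
        $findings += [pscustomobject]@{ Location = $wl; Name = 'Shell'
            Value = $shell; Reason = 'Winlogon Shell is not explorer.exe' }
    }
}

# 3. IFEO Debugger values: the post lists these redirecting Defender / MSE
#    binaries to svchost.exe so that the security tools never start.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msseces.exe','MpCmdRun.exe','MpUXSrv.exe','MSASCui.exe') {
    $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Location = "$ifeo\$exe"; Name = 'Debugger'
            Value = $dbg; Reason = 'IFEO Debugger hijacks a security tool' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching entries found.' }
```

A confirmed finding can then be removed with Remove-ItemProperty -Path <Location> -Name <Name> (try -WhatIf first), and the executable the entry pointed at is dealt with in Step 4.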

Method 2: Automatically Remove Locky Ransomware with SpyHunter

SpyHunter is an adaptive real-time spyware detection and removal tool. It can help you remove Locky Ransomware and all the other threats on your PC. It is never bundled with other programs and works alongside existing security software without conflicts, so you can use it with confidence.

Click the download button below to get SpyHunter.

After finishing downloading, click Run to install SpyHunter step by step.

After finishing installing, SpyHunter will scan and diagnose your entire system automatically.

After detecting all the threats in your system, you can click on “Fix Threats” to remove them.

Method 3: Fix Files and Speed up Your PC with RegCure Pro

You can download and install RegCure Pro to speed up and optimize your PC. It is packed with the tools you need to boost your PC's speed and performance.
  • Clean away Windows registry errors
  • Eject active viruses, spyware and other malware
  • Stop unneeded processes 
  • Delete startup items
  • Delete privacy files

Click the icon to download RegCure Pro.

Click "Yes" to run the profile.

After installation, you can scan your computer for errors by making a system scan.

After scanning, choose the items you want to clean and fix.

Warm Reminder:

SpyHunter is a powerful anti-malware tool for inexperienced computer users. It can help you remove all the detected threats automatically, so all you need to do is install it for immediate and ongoing protection.
