Remove Locky Ransomware Virus And Recover Files (All Versions)

Locky is one of the most popular and most dangerous ransomware viruses. It has been operating since the beginning of 2016 and has received many updates. Each time it comes back with a new file extension it appends to the encrypted files, the newest one being .osiris. Previous versions changed file extensions to .aesir, .locky, .odin, .shit, .thor, .zepto or .zzzzz.

While the file extensions may differ, the ransom notes created by the virus always say “All of your files are encrypted with RSA-2048 and AES-128 ciphers” and lead to the same .onion website called “Locky Decryptor™“. Locky asks for a BitCoin payment in order to download a key and decryptor as they are needed to recover the files.

We strongly discourage you from paying the ransom and financing the cyber criminals. There is no guarantee that you will receive the decryption key and there is no way to retrieve your money once they are sent via BitCoin network. Instead you should follow our removal instructions and completely remove the threat from your system. We have also prepared several file recovery methods after you finish eliminating the virus.

We recommend choosing the automatic removal tool as it will completely remove the ransomware as well as secure your PC from any future threats. We also have a manual guide, however, it might not be as effective since Locky is a very complicated and dangerous virus. Also, if this option is chosen you will still need to secure your computer afterwards.

Remember to move on to recovering files only if you have successfully removed the virus first.


Recommended Method: Download Ransomware Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Locky ransomware virus?

As mentioned previously, this ransomware has many versions and each of them has a distinctive file extension which is appended to the encrypted files. However, all versions require a “Locky Decryptor” to recover the files, therefore they all can be classified under the same family.

Another similarity is that file names are changed to contain a victim ID. Therefore, you can simply copy any file name, paste it into the Locky Decryptor website and it will detect you automatically. An example of such file name: E46C4521-V80Y-9C71-3S4L-4R17X03P6DZ2.osiris.

Here is a short summary of all currently known Locky versions (newest at the top):

  • .osiris – appeared in December 2016.
    Ransom notes are called DesktopOSIRIS.htm, DesktopOSIRIS.bmp, OSIRIS-1234.htm.
    Can infect whole networks. Can be distributed via CRM systems. Capable of deleting file shadow copies. Has an updated virtual machine detection system.
  • .zzzzz – appeared in December 2016.
    Ransom notes are called INSTRUCTION.html, _1-INSTRUCTION.html and -INSTRUCTION.bmp.
    One of distribution channels is through fake customer support reply emails. Other qualities are very similar to Osiris version.
  • .aesir – appeared in November 2016.
    Ransom notes are called INSTRUCTION.html, _1-INSTRUCTION.html and -INSTRUCTION.bmp.
    Targets 456 file types (previously targeted 400). Has a different path which is resolved once the distribution server is contacted.
  • .thor – appeared in October 2016, shortly after .shit extension.
    Ransom notes are called _WHAT_is.bmp, _WHAT_is.html and _123_WHAT_is.html.
    No major changes except for the file extension and different email spam campaigns to distribute it (in many cases uses VBS files to launch the infection).
  • .shit – appeared in October 2016.
    Ransom notes are called _WHAT_is.bmp, _WHAT_is.html and _12_WHAT_is.html.
    Started targeting France first.
  • .odin – appeared in September 2016.
    Ransom notes are called _1_HOWDO_text.html, _HOWDO_text.bmp and _HOWDO_text.html.
  • .zepto – appeared in June 2016.
    Ransom notes are called _HELP_instructions.html and _HELP_instructions.bmp.
    Started supporting offline encryption in case the virus failed to contact its servers. The demanded ransom amount increased greatly.
  • .locky – appeared in February 2016.
    Ransom notes are called _Locky_recover_instructions.bmp and _Locky_recover_instructions.txt.
    The original version of Locky virus.  Cannot encrypt files if the computer is offline.

While Locky distribution unexpectedly almost stopped at the beginning of 2017, there have been reports that it is regaining traction and is starting to infect machines again. The pause was mainly because Necurs botnet, which used to distribute the malware, went dormant for a while due to unknown reasons.

The main distribution method for this malware is email spam. The virus creators send out millions of letters containing infected advertisements which look like invoices, data sheets or other important messages. Once the users try to open them they either ask for additional permissions first or download the virus in the background immediately. As soon as Locky enters the system it starts encrypting your files and makes them impossible to open.

After the ransomware finishes the encryption process it changes your desktop background to a ransom note (typically with gray background and pink letters) as well places many html files with payment and decryption instructions. The payment website can only be accessed using TOR browser since it uses anonymous .onion address. Here is a typical Locky ransomware note which is similar across all versions:

$|$+$**
|+__.-
!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about RSA and AES can be found here:
hxxp://en.wikipedia.org/wiki/RSA (cryptosystem)
hxxp://en.wikipedia.org/wiki/Advanced Encryption Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: http://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialisation.
3. Type in the address bar:
http://g46mbrrzpfszonuk.onion/Z45E2139R40H9N32
4. Follow the instructions on the site.
!!! Your personal identification ID: Z45E2139R40H9N32 !!!
_$+=$.$-*$$$
+*-++|| *==_*-a-
__+$|+++-$-.+

If you visit the payment website without including your ID at the end of the address you will be required to input it in the identification field. Otherwise the link will take you directly to a personal page with short 5-step instructions on how to make a BitCoin payment and receive the decrypter. It is promised to be provided as soon as you make a payment and refresh the page. The ransom amount can differ for each user but the current versions asks for 3 BTC which is more than $3000.

Despite the promises to provide you with decryption key and software we strongly discourage you from paying the ransom. There is no guarantee that the criminals will provide you with required tools and that they will work correctly. Also, they might place additional backdoors and cause more damage in the future or take control of your entire system and monitor your activity. The only way to protect yourself from further problems is to completely remove the malware from your computer.

We recommend using the automatic tool listed above as it is the most reliable way to completely eliminate virus files. It will also protect your PC from malware in the future. We have also prepared a manual removal guide for more experienced Windows users but it does not guarantee that your system will be protected afterwards. Therefore, you will still need a good antivirus suite afterwards to secure your computer.

After you finish removing the threat you can move on to recovering your files. Unfortunately, currently there is no decrypter developed for Locky ransomware files. However, we have prepared several alternative ways which you could use in an attempt to restore the lost data.

Screenshots of Locky ransomware (all versions):

    


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since Locky is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

Step 1:

Restart your Windows in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Locky virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start by scanning these commonly infected processes:

svchost.exe
rundll32.exe

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “127.0.0.1 localhost” entry. Here is an example:

Step 4:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 5:

Clean up Windows temporary files as there are usually several Locky ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 6:

Check for any recent changes in all the other important system files.

Locky usually makes changes to important system files in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus might copy its files to this directory so you might find randomly named .exe, .dll, .bat or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 7:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the following directory:

HKEY_CURRENT_USER\Software\

If you find any registry entries that could be associated with Locky (usually named after the version, for example, Osiris), delete them by right-clicking on it and choosing Delete.

Then search for the ransomware entriesby pressing CTRL + F and entering the name in the search field. For example:

osiris

Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:

.onion

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Locky ransomware file decrypter here: List of currently available decrypters. Currently none of the versions of this ransomware are known to be decryptable but some might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Locky decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Locky ransomware you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *