About Locky virus
The Locky virus is a crypter virus that is very popular right now on the web. This crypter is very interesting because of the way, it gets inside of your computer. The spreaders are using a simple .doc file, that looks like some reports, resume or something else very common. But to view it completely, this document will offer you to enable macros in your Microsoft Word. When you do that, this document will start a download of a malicious [random].exe file, which is a Locky virus. This file will be located in %Temp%\[random].exe folder (%temp% is a “C:\Users\*your user name*\AppData\Local\Temp” folder).
Once the download is complete, this exe file will be executed and the encryption of files will start. Here is the list of file formats that WILL BE encrypted:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
But interesting thing about it, is that this virus will ingore files with this format if their path contains next folders:
tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows
This exeption is constructed to keep your Operating system safe, otherwise you won”t see the message! And the message will be next:
Unfortunately, this is not fake encryption, if you see this message, then your data is gone… Unless you pay for the decryptor tool that will be offered by these extortionists, which we are not advise you to do!
How to remove Locky virus crypter?
The only thing that you can do with Ransomware Locky virus is to backup your computer from any restore point you have. And even this won`t be easy, Locky virus will lock itself in your computer and you will have to load in Safe Mode with Networking to be able to remove it. We have created a removal guide here, to help you remove Locky virus from your system, but it won”t restore your data (most likely, depends on a restore point).
UPDATE: Check out this link for free decryption tools
Removal guide for Ransomware Locky virus:
Step 1. Load your computer in Safe Mode with Networking
To do that you need to start the reboot process of your computer. When reboot will start you may see list of the hardware of your PC or logo of your BIOS(or both), at that moment you need to do next:
- If you using Windows XP, Vista or 7 you must gently and repeatedly tap on F8 Key, until you see the Advanced Boot Options on your screen.
- If you are using Windows 8/8.1, press the Windows key + C, and then click Settings. Click Power, hold down Shift on your keyboard and click Restart, then click on Troubleshoot and selectAdvanced options. In the Advanced Options screen, select Startup Settings, then click onRestart.
When you in Advanced Boot Options screen you need to choose Safe Mode with Networking option and your windows will start in this mode.
Step 2. Removing the process and files of your system
Sometimes this virus may not be listed as installed application in your system. In this case, you need to kill the Locky virus malicious process manually, find and remove all files that are connected to the Locky virus virus.
- Right click on Taskbar and press “Task Manager”.
- Locate the “locky.exe” or any other [random].exe process that look suspicious and press “End Process”
- After that, launch your search in the system folders with “Locky virus” parameter.
- Once windows locate this file, delete it and clear the recycle bin.
Step 3. Execute a restore point
NOTE: This step will only help you if restore function were enabled before the Locky virus infection. Otherwise, you will need to recover your system from a boot drive or reinstall Windows.
To restore your system to a particular point you need to do next:
For Windows 7:
- Open the Control Panel by clicking Start, and then clicking Control Panel.
- Click System and Security, and then click System.
- Under the Control Panel Home menu, click System protection.
- Click System Restore.
- Recommended Restore is the default choice, which will restore the most recent point.
- Click Next, and then click Finish to confirm your restore point.
- To start the restore process, click Yes.
- Once the system restore is complete, your computer will restart.
For Windows 8\8.1:
- Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
- Tap or click Update and recovery, and then tap or click Recovery.
- Under Refresh your PC without affecting your files, tap or click Get started.
- Follow the instructions on the screen (preaty much like Windows 7).
Step 4. Use an anti-virus program to protect yourself in the future against Locky virus.
The installation process is quite simple, you can choose the language you prefer most, before the process itself. After, you can choose the exact path where anti-virus will be installed. Press “Next” button to proceed and follow the instruction.
After the installation, you need to enable a Real-Time protection. This function will stop Locky virus executable file. To enable this moduel, go to the “Protection” tab and press “Start” button to the right of the label.
How to prevent the Locky virus infection:
Removing the malware from your PC is a good thing. But it doesn’t mean that you will be protected from the repeated infection. The best way to deal with this malware is to not get infected in the first place. If you want to prevent the infection follow the simple tip below:
- Do not download any suspicious email that contain .doc files!
- If you did, do not open it!
- Do not install free applications from unreliable websites!
- If you did download this kind of program, select custom installation and remove any tick in the checkbox that seems questionable.
- Use an anti-virus software on your PC.
- Scan your Computer at least once a week.
You must remember, that using anti-virus software is very important, this is the only way to be sure about your safety!
GridinSoft Anti-Ransomware beta:
Not so long ago GridinSoft have release their tool for protection against ransomware and cryptors. GridinSoft Anti-Ransomware is still in free beta phase so they will be glad for all feedbacks they can get. Help them to make this product better and try to use this program to protect your computer from future ransomware infections!
- Download GridinSoft Anti-Ransomware.
- Follow the installation instruction.
- Open the program and enable the protection.
We hope this guide helped you with your problem. If you are looking for a way to restore your encrypted data, you will have to pay to extortionists. If you have any questions about Locky virus crypter or you have some thoughts about viruses, that you’d liked to share, please, leave a comment below. We will be happy to assist you.