Locky virus – Removal guide for Locky Ransomware

About Locky virus

The Locky virus is a crypter virus that is very popular right now on the web. This crypter is very interesting because of the way, it gets inside of your computer. The spreaders are using a simple .doc file, that looks like some reports, resume or something else very common. But to view it completely, this document will offer you to enable macros in your Microsoft Word. When you do that, this document will start a download of a malicious [random].exe file, which is a Locky virus. This file will be located in %Temp%\[random].exe folder (%temp% is a “C:\Users\*your user name*\AppData\Local\Temp” folder).


Locky virus crypter

Locky virus

Once the download is complete, this exe file will be executed and the encryption of files will start. Here is the list of file formats that WILL BE encrypted:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat 

But interesting thing about it, is that this virus will ingore files with this format if their path contains next folders:

tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

This exeption is constructed to keep your Operating system safe, otherwise you won”t see the message! And the message will be next:
Locky virus ransomware message
Unfortunately, this is not fake encryption, if you see this message, then your data is gone… Unless you pay for the decryptor tool that will be offered by these extortionists, which we are not advise you to do!

How to remove Locky virus crypter?

The only thing that you can do with Ransomware Locky virus is to backup your computer from any restore point you have. And even this won`t be easy, Locky virus will lock itself in your computer and you will have to load in Safe Mode with Networking to be able to remove it. We have created a removal guide here, to help you remove Locky virus from your system, but it won”t restore your data (most likely, depends on a restore point).

UPDATE: Check out this link for free decryption tools

Removal guide for Ransomware Locky virus:

Step 1. Load your computer in Safe Mode with Networking

To do that you need to start the reboot process of your computer. When reboot will start you may see list of the hardware of your PC or logo of your BIOS(or both), at that moment you need to do next:

  • If you using Windows XP, Vista or 7 you must gently and repeatedly tap on F8 Key, until you see the Advanced Boot Options on your screen.
  • If you are using Windows 8/8.1, press the Windows key + C, and then click Settings. Click Power, hold down Shift on your keyboard and click Restart, then click on Troubleshoot and selectAdvanced options. In the Advanced Options screen, select Startup Settings, then click onRestart.

When you in Advanced Boot Options screen you need to choose Safe Mode with Networking option and your windows will start in this mode.
AVC Plus removal tool

Step 2. Removing the process and files of your system

Sometimes this virus may not be listed as installed application in your system. In this case, you need to kill the Locky virus malicious process manually, find and remove all files that are connected to the Locky virus virus.

  • Right click on Taskbar and press “Task Manager”.
  • Locate the “locky.exe” or any other [random].exe process that look suspicious and press “End Process”
  • After that, launch your search in the system folders with “Locky virus” parameter.
  • Once windows locate this file, delete it and clear the recycle bin.

Step 3. Execute a restore point

NOTE: This step will only help you if restore function were enabled before the Locky virus infection. Otherwise, you will need to recover your system from a boot drive or reinstall Windows.

To restore your system to a particular point you need to do next:

For Windows 7:

  • Open the Control Panel by clicking Start, and then clicking Control Panel.
  • Click System and Security, and then click System.
  • Under the Control Panel Home menu, click System protection.
  • Click System Restore.
  • Recommended Restore is the default choice, which will restore the most recent point.
  • Click Next, and then click Finish to confirm your restore point.
  • To start the restore process, click Yes.
  • Once the system restore is complete, your computer will restart.

For Windows 8\8.1:

  • Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
  • Tap or click Update and recovery, and then tap or click Recovery.
  • Under Refresh your PC without affecting your files, tap or click Get started.
  • Follow the instructions on the screen (preaty much like Windows 7).

Step 4. Use an anti-virus program to protect yourself in the future against Locky virus.

Locky virus removal tool
The installation process is quite simple, you can choose the language you prefer most, before the process itself. After, you can choose the exact path where anti-virus will be installed. Press “Next” button to proceed and follow the instruction.
malware removal tool

After the installation, you need to enable a Real-Time protection. This function will stop Locky virus executable file. To enable this moduel, go to the “Protection” tab and press “Start” button to the right of the label.
malware removal tool

How to prevent the Locky virus infection:

Removing the malware from your PC is a good thing. But it doesn’t mean that you will be protected from the repeated infection. The best way to deal with this malware is to not get infected in the first place. If you want to prevent the infection follow the simple tip below:

  • Do not download any suspicious email that contain .doc files!
  • If you did, do not open it!
  • Do not install free applications from unreliable websites!
  • If you did download this kind of program, select custom installation and remove any tick in the checkbox that seems questionable.
  • Use an anti-virus software on your PC.
  • Scan your Computer at least once a week.

You must remember, that using anti-virus software is very important, this is the only way to be sure about your safety!

Locky virus removal tool

GridinSoft Anti-Ransomware beta:

Not so long ago GridinSoft have release their tool for protection against ransomware and cryptors. GridinSoft Anti-Ransomware is still in free beta phase so they will be glad for all feedbacks they can get. Help them to make this product better and try to use this program to protect your computer from future ransomware infections!

We hope this guide helped you with your problem. If you are looking for a way to restore your encrypted data, you will have to pay to extortionists. If you have any questions about Locky virus crypter or you have some thoughts about viruses, that you’d liked to share, please, leave a comment below. We will be happy to assist you.

3 Comments

  1. Good info.
    Just need Spellcheck:
    Step 3. Execute a restore point
    For Windows 7:
    •Recommended Restore is the default choice, which will restore the most “receant” point.

  2. Hello, recently I was infected with ” locky ” . All pictures , my documents were modified and encrypted. With the help of ” Recuva ” I managed to bring back the name back but can not decrypt . I got the virus from the mail , I was infected both PC and external HDD . PC formatted but I can not afford to lose documents on the hard disk. Do you have any solution ?
    Thank you very much.

    • Greetings, if you don’t have any backups of your data, then there is almost no chance, unfortunately. You can try to use a ransomware decryptor that has some key database for other cryptoviruses. But you must understand, the chance to decrypt Locky with this tool is very low. Otherwise, you will have to wait until there will be a specific decryptor tool. I will keep an eye on such program and if something pop-ups, I’ll inform you by your email.
      I’m sorry and I wish you a good luck.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.