Locky ransomware: virus removal and decryption advice


The victims of ransom Trojans incur a great deal of damage because the thing at stake is their personal data. The indicators of compromise when it comes to ransomware are rather straightforward. These malicious programs don’t conceal the impact that they impair to users, displaying step-by-step tutorials on file recovery through paying up. Some strains also tweak filenames and concatenate odd extensions to them. The sample dubbed Locky follows a classical model of deploying the attack. It changes the desktop wallpaper to an image named _Locky_recover_instructions.bmp, which holds the essentials of recovering from the breach. Furthermore, it drops the TXT edition of the ransom note to every folder whose contents include encrypted files. This one is titled _Locky_recover_instructions.txt.

Jumbled contents of an arbitrary folder after the attack

The names of files affected by Locky are scrambled so that the victim cannot identify which ones match a certain data item. The ransomware replaces each one with a hexadecimal string consisting of a unique ID and a bunch of random characters, with the .locky extension in the tail. For instance, an arbitrary affected file will look similar to E7608E1F15A921B2A7DA29B5ACF8D8AD.locky. With the whole ease of locating the skewed objects in place, opening them is impossible because the infection utilizes a strong, layered encryption technique. First, it employs AES (Advanced Encryption Standard) and generates a 128-bit key. On the next stage, Locky enciphers this key using RSA, where the 2048-bit private key features much more entropy.

his is what the _Locky_recover_instructions.bmp file looks like

The way this piece of ransomware attacks PCs gives the targeted users a fair degree of possibility to thwart the breach. The criminals in charge use a powerful botnet to send a bevy of spam emails. These messages are masqueraded as invoices or some important documents that the users are likely to be interested in opening. The attached rogue Microsoft Word files contain some weird symbols, with a remark saying that the person should enable macros to see the contents. Macros in MS Office documents are known to be easily exploitable for executing malicious code, which is why it’s highly recommended to abstain from activating them.

By following one of the Tor links listed in the ransom notes, victims will eventually hit the Locky Decrypter Page, which says that 0.5 Bitcoin must be paid for the decryption of valuable data. That’s more than 300 USD; moreover, there can be no unconditional confidence that the decrypter will become available after the fact. Experts urge Locky victims into trying their best to restore the locked information through alternate means. Some of the applicable techniques are listed below. Be advised that their efficiency depends on a number of factors, including the status of the System Restore feature at the time of the compromise.

Locky virus removal

As counterintuitive as it is, removal of this particular threat is not too complicated unlike the cleanup scenarios for screen lockers which represent another group of ransomware infections on the loose. The main challenge in regards to Locky is getting personal files back without having to do what the fraudsters want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:

  1. Download and install HitmanPro.Alert
  2. Supports: Windows XP, Vista, 7, 8, 8.1, 10
  3. Open the program, click on the Scan computer button and wait for the scan to be completed
  4. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Now you’ve got both some good and bad news. On the one hand, Locky is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

Restore encrypted files using Shadow Copies

As it has been mentioned above, despite successful removal of Locky the compromised files remain encrypted with the AES algorithm. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality


Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way. 

Restoring encrypted data with Shadow Explorer utility


Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous version of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic recovery software

It might sound surprising, but Locky does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.

Bottom line

Locky poses a critical risk to one’s personal information therefore the focus security-wise should be made on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse aftermath of this attack.


Please enter your comment!
Please enter your name here