Locky virus - How to remove?
Locky virus is another dangerous ransomware that locks the personal files of computer users and demands a ransom to retrieve them. Locky Ransomware changes the names of the encrypted files to a unique 16-character combination of letters and digits and adds the .locky file extension. According to the program, to unlock the files you need the decryption code, which you can get if you pay the ransom. The program uses RSA-2048 (thus, it is sometimes called the RSA-2048 virus) and AES-1024 algorithms to encrypt files.
Even though there might be several ways of distributing this infection, the most popular one is via infected e-mails. First, you receive an e-mail with a Word document attached. If you open the document, all you see is random gibberish and the advice to “Enable macro if the data encoding is incorrect”. Hackers want you to enable macros so that the code in the .doc document can run and infect your computer. It will automatically save the virus on your PC. Once this has been done, the saved file serves as a downloader that gets the pieces needed to complete the infection. Eventually, your files will be encrypted by the .locky extension ransomware.
If your files have been locked by Locky Ransomware, your desktop wallpaper will be replaced with a message that says you must pay .5 BTC to get the decryption code. The program also creates a text file with the same message. Beware that Locky malware deletes the shadow volume copies of all the files, which makes it even more complicated to restore your files.
If you have a backup of encrypted files, you have a solution to this problem. You can simply restore your files from this backup. If you do not, unfortunately, you may lose what Locky virus has locked. There are no guarantees that after making a payment you will get a code that works. If you pay, you may just give away some money to the cyber criminals.
Do not open attachments from unknown senders, or you can get infected with Locky Ransomware. I recommend backing up important files using some cloud service.
There are, in fact, 2 versions of the ransomware using .locky extension: the regular Locky virus and AutoLocky. The files encrypted by the latter ransomware can be decrypted using Emsisoft’s AutoLocky Decryptor. If your files have been encrypted by the regular Locky, your best choice is to recover the files from backups or to try to restore deleted files using Data Recovery software like Data Recovery PRO.
Note: There is a copycat version of Locky Virus that uses a much simpler encryption scheme. Its corrupted files might be recovered by Emsisoft’s AutoLocky Decryptor. You can always give it a try if your files have the .locky extension and other recovery methods have failed.
Update of October 2016: Locky virus might have been a scary and widely distributed infection, but now victims can get infected with it only accidentally, as this variant is no longer actively spread. Newly released ransomware has replaced this older variant and is just as scary.
Update of November the 17th, 2016: Locky ransomware has recently been distributed via fake Flash Player updates.
Update of the 21st of November, 2016: Locky cryptomalware is now using the .aesir extension to mark the encrypted files.
Update of the 5th of December, 2016. The files encrypted by Locky crypto-locker now have the .osiris extension appended. This extension is associated with spam e-mail attachments, which are Excel files containing a macro that the recipient is asked to enable. The files are named Invoice_INV[random-numbers].xls. The ransom notes left by this new variant are named DesktopOSIRIS.bmp and DesktopOSIRIS.htm.
Update of the 20th of January, 2017. After being silent for some time, Locky virus returns to the playground. Its distributor, the Necurs botnet, has been noticed initiating spam campaigns. They are not gigantic, but they are indeed active. Hackers chose .zip and .rar files as attachments for the malicious spam letters. Security researchers guess that this might be the beginning of a bigger spam campaign.
Update of the 23rd of January, 2017. Even though security researchers noticed some activity from Locky virus, the number of its attacks has dropped significantly.
Update of the 3rd of March, 2017. A new version of Locky virus has been detected, and it is digitally signed to reduce the chance of anti-malware tools detecting the malware on a device. This sample also uses the .osiris extension.
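The file-name indicators listed in this article (the 16-character .locky names, the .aesir and .osiris extensions, the DesktopOSIRIS ransom notes and the Invoice_INV[random-numbers].xls attachments) can be checked across a folder or a backup listing with a short script. This is an added example, not code from the article's author; the function names and sample names are constructed for illustration, and the exact-name rule for .locky assumes the 16-character pattern described above.

```python
import os
import re
from collections import Counter

# Indicators copied from the article text above (not taken from malware samples).
ENCRYPTED_EXTS = {".locky", ".aesir", ".osiris"}
RENAMED_LOCKY = re.compile(r"[0-9A-Za-z]{16}\.locky")  # 16 letters/digits + .locky
RANSOM_NOTES = {"desktoposiris.bmp", "desktoposiris.htm"}
LURE_ATTACHMENT = re.compile(r"Invoice_INV\d+\.xls", re.IGNORECASE)

# Constructed sample listing, e.g. the file names in a backup snapshot.
SAMPLE_NAMES = ["A1B2C3D4E5F6A7B8.locky", "budget.xlsx.osiris", "photo.AESIR",
                "DesktopOSIRIS.htm", "Invoice_INV48213.xls", "notes.txt"]


def classify(filename):
    """Return the indicator a bare file name matches, or None."""
    lower = filename.lower()
    if lower in RANSOM_NOTES:
        return "ransom_note"
    if LURE_ATTACHMENT.fullmatch(filename):
        return "lure_attachment"
    if RENAMED_LOCKY.fullmatch(filename):
        return "encrypted_renamed"
    if os.path.splitext(lower)[1] in ENCRYPTED_EXTS:
        return "encrypted_extension"
    return None


def scan_names(names):
    """Count indicator hits in a list of file names."""
    return Counter(kind for kind in map(classify, names) if kind)


def scan_tree(root):
    """Walk root; return (counts, [(path, indicator), ...])."""
    counts, hits = Counter(), []
    for folder, _dirs, files in os.walk(root):  # unreadable folders are skipped
        for name in files:
            kind = classify(name)
            if kind:
                counts[kind] += 1
                hits.append((os.path.join(folder, name), kind))
    return counts, hits


if __name__ == "__main__":
    print(dict(scan_names(SAMPLE_NAMES)))  # constructed sample
    counts, hits = scan_tree(".")          # current folder; change the root as needed
    print(dict(counts), len(hits))
```

Running it against a backup before restoring shows whether the backup itself already contains encrypted copies or ransom notes.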
How to recover Locky virus encrypted files and remove the virus
Using System Restore to restore PC to previous state
1. Reboot your computer to Safe Mode with Command Prompt
for Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points dated before Locky virus infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
3. Complete removal of RSA-2048 virus
4. Restore .locky extension ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Locky malware usually tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
5. Use Data Recovery programs to recover Locky virus encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
- We suggest using another PC and connecting the infected hard drive to it as a slave drive. It is still possible to do this on the infected PC, though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.