Extension ".lock" Ransomware - How to remove

If your personal files suddenly can’t be opened and if they now have the extension “.lock” at the ends of their names, then ransomware must have attacked your computer. Ransomware viruses encrypt files – and encrypted files usually can’t be opened or read because they’re locked by ransomware.

“Lock” is a made-up file extension used by some ransomware viruses, such as Dharma. It’s a label that’s used by ransomware viruses to mark encrypted files.

For example, the names of files attacked by ransomware might look like this: “picture.jpg.lock” or “picture.jpg.[id].[email].lock”.

About “.lock” ransomware:

Threat type	Ransomware.
Causes of the infection	Infected pirated files, remote desktop breaches, infected email attachments.
Effects of “.lock” ransomware	Files that are marked with the “.lock” extension can’t be opened or read, some websites and programs don’t work right.
How to remove “.lock” ransomware	Make backups of the “.lock” files, remove all malware with antivirus programs (Spyhunter, others), secure your computer against spyware and malware.

About “.lock” ransomware

It breaks files by encrypting them

There are many different ransomware infections out there. They infect a computer, run through the local files, and encrypt them. They change the names of the encrypted files, often by appending a label such as “.lock”.

For instance, a ransomware virus might take a file that was named “picture.jpg”, encrypt it (which scrambles the internal data of the file, essentially corrupting it), and change the name of the file by adding “.lock” to the end (“picture.jpg.lock”).

Encryption is very useful. It’s used to protect information from being spied on. In the case of “.lock” ransomware, encryption is misused to hide your files from you by encrypting them.

The goal of ransomware viruses is to make money. This is why, if your device is infected with one of these malicious programs, you can find a ransom note on your desktop or in your folders. The ransom not either tells you the address to send money to or a way to contact scammers. They tell you to pay up if you want to fix the “.lock” files. Indeed, only the criminals behind “.lock” ransomware have the keys needed to reverse file encryption and give you your data back.

Ransomware viruses behind the “.lock” extension

Different ransomware viruses use different file extensions as their labels. There are a few that use the “.lock” extension.

The most popular is Dharma. This ransomware has hundreds of variants, including a recent one that uses the “.lock” extension. A ransomware researcher recently discovered this variant: Twitter.com.

LockCrypt is an older ransomware infection that also used “.lock” as the marker extension. Some versions of Apocalypse ransomware also used the “locked” file extension.

There are lots of ransomware viruses that use a version of “.lock” to label encrypted files: Corona-lock, LockLock, LockBit, Locky, and many others.

In addition, some ransomware infections, like CryptON, use an executable called Lock.exe to encrypt files.

Most likely, if “.lock” ransomware attacked your computer, it was Dharma. Dharma is a ubiquitous ransomware virus that is characterized by file names that include an id number and an email address, like so: “picture.jpg.id-[id].[email].lock”. Below are a couple of illustrations of its ransom notes.

How “.lock” ransomware infects computers

There are a few ways that “.lock” ransomware can infect a computer:

• Malicious email attachments. These could be Office documents with malicious macros or executables disguised as images or other files.
• Infected installers. Pirated files or cracks, usually. They might be infected with spyware, adware, ransomware, and other malicious programs.
• Remote desktop breaches. If you allow remote access to your computer and if this access is discoverable online, cybercriminals might try to break in and infect your computer with malware.

In addition, “.lock” ransomware might come with other malicious programs, such as spyware and adware. As a result, your information might get stolen and your browser might start showing obnoxious adware pop-ups.

How to deal with “.lock” ransomware

Can you get your files back?

To fix the files encrypted by the “.lock” ransomware, you need to reverse their encryption. But Dharma ransomware has no free decryptor. Most ransomware viruses don’t.

Some online scammers might tell you that they can decrypt your files. Be careful – some of them are scammers. There are some antivirus companies and ransomware researchers who do release real decryptors, though it’s rare. You can also check Nomoreransom.org to see if there’s a decryptor available.

You can use data recovery programs – they restore some of your deleted files and they might bring back some of your data. Also, look into repairing corrupted files – some ransomware viruses only partially encrypt files, which means that with enough hard work, you can restore some content.

However, the best defense against “.lock” and other ransomware is to have backups. If you had a backup of your files, then a ransomware attack is no worse than a waste of time.

How to remove “.lock”

The simplest way to get rid of Dharma and other “.lock” ransomware is to get a good antivirus program, like Spyhunter, and to scan your computer. As “.lock” ransomware might have come with other malicious programs, it’s good to check for all of them.

After that, it’s advisable to reset your passwords. That way, if any of your login credentials were stolen, you can protect your accounts from being broken into. Once your computer is clean, you can start restoring your files from a backup.

Automatic Malware removal tools

How to recover Extension ".lock" Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Extension "Lock" Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Extension ".lock" Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Extension "Lock" Ransomware. You can check other tools here.  

Step 3. Restore Extension ".lock" Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Extension "Lock" Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Extension ".lock" Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.