Locky Imposter Ransomware - How to remove

Locky Imposter Ransomware – nasty computer virus that originates from notorious Locky ransomware. And it’s not only because of the name – those viruses are also very similar technologically, they act the same way.

While it is obvious that Locky Imposter is trying to repeat the “success” and infections rates of Locky, it is not clear whether the same developers stand behind it or not. Actually, that’s not even that important to you, as a regular user. What’s much more important – how to avoid this infection. And if you had bad luck and Locky Imposter ransomware is already on your computer – how to deal with it and get back your personal files.

This post is dedicated to teaching you how to do both – protect your computer in order to not get infected and if it is already infected, what are the best methods to remove Locky Imposter. We will also provide you with the most important information about this virus and the ways it is distributed, so stay tuned.

How Locky Imposter Operates

An ordinary project of infecting a computer with Locky Imposter consists of these stages:

• Malicious files of the virus are distributed via Malicious emails;
• A user opens files attached to the email and downloads malicious to the system;
• Ransomware automatically starts operating and encrypts personal files stored on the hard drive;
• The user is informed about infection and asked to pay the ransom in order to receive decryptor.

So what happens next? There are 3 choices – you can ignore the virus, reinstall your operating system and lose all of your personal files, you can pay the ransom and hope that cybercriminals behind Locky Imposter will  stick to their promise and provide you decryptor, or you can look for alternatives and restore your files from a backup or try decrypting them using free software.

To get ahead of things, we would like to mention that it’s not worth to pay the ransom. Regardless of how much you will be asked to contribute, it’s not a good decision. Cyber criminals can simply scam you or they might even not have the technology to decrypt those files.

Instead of that, we would suggest to remove the virus from a system with anti-malware software and then use other methods that might successfully restore your files. Please note, that we can’t guarantee that you will be able to get your files back.

Encryption Process and Ransom Note

As you might already know, ransomware viruses employ various extensions that are added to the end of encrypted files. Once this is done, the file is already encrypted using strong cryptography (RSA or AES) and you can’t do much about it. In this particular case, Locky Imposter uses .locky extension, which is not that unique at all. Many viruses, such as StorageCrypter, Jhash or NoobCrypt also employ the same extension. That’s how we know that Locky Imposter uses the same background as original Locky virus.

This encryption process can be applied to most of your personal files – images, text documents, audio and video files can be successfully locked. That’s why we always suggest our readers to make back up copies regularly.

Immediately after that, you should notice a ransom note on your desktop. It is .txt file called “LOCKY-README”:

Please be adviced:
All your files, pictures document and data has been encrypted with Military Grade Encryption RSA AES-256.
Your information is not lost. But Encrypted.
In order for you to restore your files you have to purchase Decrypter.
Follow this steps to restore your files.
1* Download the Tor Browser. ( Just type in google “Download Tor” ).
2* Browse to URL : http://4wcgqlckaazugwzm.onion/index.php
3* Purchase the Decryptor to restore your files.
It is very simple. If you don’t believe that we can restore your files, then you can restore 1 file of image format for free.
Be aware the time is ticking. Price will be doubled every 96 hours so use it wisely.
Your unique ID : –
CAUTION:
Please do not try to modify or delete any encrypted file as it will be hard to restore it.
SUPPORT:
You can contact support to help decrypt your files for you.
Click on support at http://4wcgqlckaazugwzm.onion/index.php

——–BEGIN BIT KEY———
–
——–END BIT KEY———–
——————————
BEGIN FRENCH
——————————
S’il vous plaît soyez avisé:
Tous vos fichiers, images, documents et données ont été cryptés avec Military Grade Encryption RSA AES-256.
Vos informations ne sont pas perdues. Mais chiffré.
Afin de vous permettre de restaurer vos fichiers, vous devez acheter Decrypter.
Suivez ces étapes pour restaurer vos fichiers.
1 * Téléchargez le navigateur Tor. (Il suffit de taper google “Télécharger Tor”).
2 * Aller à l’URL: http://4wcgqlckaazugwzm.onion/index.php
3 * Achetez le Decryptor pour restaurer vos fichiers.
C’est très simple. Si vous ne croyez pas que nous pouvons restaurer vos fichiers, alors vous pouvez restaurer 1 fichier de format d’image gratuitement.
Soyez conscient que le temps est compté. Le prix sera doublé toutes les 96 heures, alors utilisez-le à bon escient.
Votre ID unique: –
MISE EN GARDE:
N’essayez pas de modifier ou de supprimer un fichier crypté, car il sera difficile de le restaurer.
SOUTIEN:
Vous pouvez contacter le support pour aider à déchiffrer vos fichiers pour vous.
Cliquez sur support à http://4wcgqlckaazugwzm.onion/index.php
——————————
END FRENCH
——————————
——————————
BEGIN ITALIAN
——————————
Si prega di essere avvisati:
Tutti i tuoi file, immagini, documenti e dati sono stati crittografati con Military Grade Encryption RSA AES-256.
Le tue informazioni non sono perse. Ma crittografato.
Per poter ripristinare i tuoi file devi acquistare Decrypter.
Seguire questa procedura per ripristinare i file.
1 * Scarica il Tor Browser. (Basta digitare su google “Download Tor”).
2 * Passa a URL: http://4wcgqlckaazugwzm.onion/index.php
3 * Acquista Decryptor per ripristinare i tuoi file.
È molto semplice Se non credi che possiamo ripristinare i tuoi file, puoi ripristinare 1 file di formato immagine gratuitamente.
Sii consapevole che il tempo stringe. Il prezzo sarà raddoppiato ogni 96 ore, quindi usalo saggiamente.
Il tuo ID univoco: –
ATTENZIONE:
Si prega di non provare a modificare o eliminare alcun file crittografato in quanto sarà difficile ripristinarlo.
SUPPORTO:
È possibile contattare l’assistenza per decrittografare i file per conto dell’utente.
Clicca sul supporto in http://4wcgqlckaazugwzm.onion/index.php
——————————
END ITALIAN
——————————
——————————
BEGIN KOREAN
——————————
조언을 받으십시오 :
모든 파일, 사진 문서 및 데이터는 군용 등급 암호화 RSA AES-256으로 암호화되어 있습니다.
귀하의 정보는 손실되지 않습니다. 그러나 암호화.
파일을 복원하려면 Decrypter를 구입해야합니다.
이 단계에 따라 파일을 복원하십시오.
1 * Tor 브라우저를 다운로드하십시오. (구글에 “Tor 다운로드”만 입력하면됩니다.)
2 * URL 찾아보기 : http://4wcgqlckaazugwzm.onion/index.php
3 * 파일을 복원하려면 Decryptor를 구입하십시오.
그것은 매우 간단합니다. 파일을 복원 할 수 있다고 생각지 않으면 이미지 형식의 파일 1 개를 무료로 복원 할 수 있습니다.
시간이 똑딱 거리고 있다는 것을 알아 두십시오. 가격은 96 시간마다 두 배가되므로 현명하게 사용하십시오.
고유 ID : –
주의:
암호화 된 파일을 수정하거나 삭제하지 마십시오. 복원하기가 어려울 수 있습니다.
지원하다:
지원 센터에 문의하여 파일의 암호를 해독하는 데 도움을받을 수 있습니다.
http://4wcgqlckaazugwzm.onion/index.php에서 지원을 클릭하십시오.
——————————
END KOREAN
——————————

Apparently, cyber criminals are targeting users from all over the world and put the work in to translate the ransom note into 4 different languages. Basically what it says is that you have to visit their website and purchase the decryptor by transferring some amount of Bitcoins to their account. You have a time limit to do that – 96 hours.

Do not get scared, this time limit is probably fake, they just want to force users to pay the ransom this way. Also, cyber criminals want you to make the payment in Bitcoins, because Cryptocurrencies are harder to track. It’s not clear how much you will be asked to pay, but yet again – you should not do that.

How to Remove Locky Imposter Ransomware and Decrypt Files

In order to solve this problem, you have to do two things – completely eliminate Locky Imposter Ransomware and decrypt your files.

First of all, get yourself a decent anti-malware tool, such as Spyhunter. Scan your computer with either one of them and the virus should be automatically detected and removed in minutes.

Then, if you have a backup copy of your hard drive that was stored on an external drive or cloud, use this guide to perform a system restore. If you don’t have a backup, try Trend Micro Ransomware File Decryptor to decrypt all of your personal files.

Automatic Malware removal tools

How to recover Locky Imposter Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Locky Imposter Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Locky Imposter Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Locky Imposter Ransomware. You can check other tools here.  

Step 3. Restore Locky Imposter Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Locky Imposter Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Locky Imposter Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.