The researchers have not yet identified the criminals masterminding the .locky files scam.
Another ransomware trojan has surfaced and has quickly become the main troublemaker of the day. The ransomware is known to chiefly compromise machines located in Germany, but its propagation is not confined to any one country and poses a challenge to global security.
Nevertheless, it is obvious that the virus employs advanced techniques. The attack scrambles nearly all files on the target PC. Each file name is replaced with a meaningless sequence of characters with .locky appended. The affected operating system treats the latter as a file extension, but no installed software is associated with it. In fact, no software can render the files properly as long as they remain encrypted; the extension is merely a marker and does not itself matter.
As soon as the files are encrypted, the rogue proceeds to its communication stage. To make sure the user is aware of what is going on and what the attackers want, the ransomware creates a file named _Locky_recover_instructions.txt. The item exists in a number of copies, as it is dropped into each folder that contains encrypted data. The same text is also set as the desktop wallpaper so that the victim reads the message whenever the desktop appears on the monitor.
A random folder containing items hit by the virus, their names extended with .locky
The message explains the background of the attack and instructs the victim on the expected follow-up actions. It states that all the files have been encrypted and names the algorithms used: the infection implements the RSA-2048 and AES-128 ciphers. The notification further states that recovery is only possible with the private key and a decryption tool, both of which are obtainable only from the crooks' hidden server.
That is to say, the trojan relies on asymmetric encryption so that the files cannot be read by any software without the private key, while the symmetric method is what encrypts the file names, producing a random sequence of digits.
Contents of the _Locky_recover_instructions.txt file
The user facing the attack is unable to open any important item, be it a document, a picture, a video, etc. As the file names have been encrypted too, the unhappy victims cannot even tell one encrypted item from another.
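The indicators described above (files whose names are replaced and end in .locky, and a ransom note dropped into every folder that holds encrypted data) are enough for a first-pass triage of an affected machine. The following Python script is an added example, not code from the original article: it walks a directory tree, counts .locky files per folder, checks whether the note sits alongside them, and runs against a constructed sample tree so it can be tried offline. The assumption that a scrambled name contains no dot before the extension (original name and extension gone entirely) is mine, as are the sample file names and note text.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: encrypted files carry the .locky
# extension, and a ransom note named _Locky_recover_instructions.txt is
# dropped into every folder that holds encrypted data.
ENCRYPTED_EXT = ".locky"
NOTE_NAME = "_Locky_recover_instructions.txt"
# Assumption (not from the article): the scrambled stem is opaque and holds
# no dot, i.e. the original name and extension are gone entirely.
OPAQUE_STEM = re.compile(r"^[^.]+$")


def triage(root):
    """Walk `root` and report, per folder, how many .locky files it holds,
    whether the ransom note is present, and how many files look untouched."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        notes = [f for f in files if f.lower() == NOTE_NAME.lower()]
        other = [f for f in files if f not in encrypted and f not in notes]
        if encrypted or notes:
            report[dirpath] = {
                "encrypted": len(encrypted),
                "note_present": bool(notes),
                "untouched": len(other),
                # True when every encrypted name matches the opaque-stem assumption;
                # a False here suggests a different variant or a false positive.
                "names_scrambled": all(
                    OPAQUE_STEM.match(f[: -len(ENCRYPTED_EXT)]) for f in encrypted
                ),
            }
    return report


def summarize(report):
    """Roll the per-folder report up into totals an incident ticket would need."""
    return {
        "folders": len(report),
        "encrypted_files": sum(r["encrypted"] for r in report.values()),
        "folders_with_note": sum(1 for r in report.values() if r["note_present"]),
    }


def build_sample_tree():
    """Constructed sample (not a real infection): one hit folder, one clean one."""
    root = Path(tempfile.mkdtemp())
    hit = root / "Documents"
    hit.mkdir()
    (hit / "A1B2C3D4E5F60718A1B2C3D4E5F60718.locky").write_bytes(b"\x00" * 16)
    (hit / "0F1E2D3C4B5A69780F1E2D3C4B5A6978.locky").write_bytes(b"\x00" * 16)
    (hit / NOTE_NAME).write_text("constructed ransom note text\n")
    clean = root / "Music"
    clean.mkdir()
    (clean / "track.mp3").write_bytes(b"ID3")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    per_folder = triage(str(sample))
    for folder, info in per_folder.items():
        print(folder, info)
    print(summarize(per_folder))
```

Run it against a real drive by passing the mount point to `triage()`; the per-folder view also tells you which shares the infected account could write to, which is the scope you need before restoring from backups.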
As the users are desperate to restore access to their files, the ransom note offers a seemingly reliable remedy: a tool named Locky Decryptor. To get it, the victim is prompted to visit a specific Tor gateway, as instructed in _Locky_recover_instructions.txt. The Tor link leads to a page that urges the visitor to pay 0.5 BTC and provides the address for the bitcoin transaction.
The black hats make use of Tor onion routing, cryptocurrency as the payment method, and a number of other tricks to conceal their identity and avoid being detained by the authorities. Admittedly, the overwhelming majority of crooks behind such encryption attacks remain undetected and unchecked, with plenty of incentive to come up with new strains of ransomware.
Locky Decryptor page (.locky files) instructing victims to buy and send 0.5 BTC
.locky ransomware lures its victims with a smartly designed spam campaign. The prevailing infection vector is a spam message titled “ATTN: Invoice J-68522931”, where the number varies from message to message. The declared sender is General Mills, which in fact has nothing to do with the letter. The letter carries a Microsoft Word document as an attachment, which the victim is expected to open; opening it launches the ransomware installation. So far, the .locky propagation does not make use of more complex methods such as exploit kits.
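A mail filter can turn the campaign traits listed above (the invoice subject with a varying number, the spoofed General Mills sender, a Word attachment) into a simple scoring rule. The Python below is an added example and not part of the original article: it parses a raw RFC 822 message with the standard library, reports which of the three indicators matched, and runs on a message constructed inline. The subject regex, the set of Word extensions treated as matches and the sample addresses are my assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Traits from the write-up: subject "ATTN: Invoice J-68522931" with a varying
# number, a claimed sender of General Mills, and a Word document attached.
SUBJECT_RE = re.compile(r"^ATTN:\s*Invoice\s+J-\d+\s*$", re.IGNORECASE)
CLAIMED_SENDER = "general mills"
# Assumption: any common Word format counts as the lure attachment.
WORD_EXTS = (".doc", ".docm", ".docx")


def score_message(raw_bytes):
    """Return the list of indicators matched by one raw message.
    All three together is a quarantine signal; a lone hit is only a flag."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = msg.get("Subject", "") or ""
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    sender = (msg.get("From", "") or "").lower()
    if CLAIMED_SENDER in sender:
        hits.append("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTS):
            hits.append("word_attachment")
            break
    return hits


def build_sample(subject, sender, attach_name):
    """Constructed message (not a captured sample) with a dummy attachment body."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(
        b"dummy", maintype="application", subtype="msword", filename=attach_name
    )
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample(
        "ATTN: Invoice J-68522931",
        "General Mills <billing@example.invalid>",
        "invoice_J-68522931.doc",
    )
    print(score_message(lure))
```

A subject-only rule is brittle: the number changes per message and lures are rotated, so the attachment and sender checks carry most of the weight, and the attachment check belongs in the gateway regardless of subject.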
Purchasing the decryption tool as advised by the criminals behind Locky Decryptor is not an option. The malware distributors do their best to scare their victims into paying, and most of their threats greatly exaggerate the actual danger. Meanwhile, there are ways to restore access to the affected data. The virus does not block the Volume Shadow Copy Service, and that in particular underpins the workflows below, which aim at recovering encrypted files.
Automated cleanup to remove *.locky file extension trojan
The technique successfully overcomes malicious software, including any ransomware threat. It relies on a reputable security suite that leaves malicious components no chance to avoid detection and removal. The software is user-friendly and operates on a single-click basis.
Note that the removal of .locky ransomware does not recover the affected data. However, the virus must be removed regardless, or else it is going to introduce related infections into the machine.
1. Click the button to download the stub installer and go through several setup dialogs. Once the tool is up and running, click Start Computer Scan
2. Wait until the cleaner checks the PC for the .locky malicious code. As soon as the scan is completed, the report will list all malware objects spotted on the system. Make sure the entries for detected infections are checked, and select the Fix Threats feature. This will result in malware removal and system remediation, so you should now be good to go.
Restore the encrypted *.locky files
.locky encryption is a sophisticated data modification, and there is no single, simple solution to cover all cases. Transferring the ransom as demanded by the crooks is not the way either. Kindly apply the methods outlined below, as they have been carefully developed to help recover data in the most severe cases of encrypting assaults.
Data recovery with automatic software
The good news is that the virus actually works on copies of the files, while the originals are deleted. Deleted data can still be restored by means of tools such as Data Recovery Pro.
Shadow Volume Copies
As Windows creates backups at set intervals, a victim is advised to use the relevant restore points. Unfortunately, the method does not apply unless System Restore had been enabled prior to the infection. Please also note that the recovery returns files as they were saved at the time of the restore point used.
- Previous Versions dialog to target individual files
One can open Properties for any file. The dialog has a tab called Previous Versions, which lists the versions of the file that have been backed up.
To make use of the feature, right-click an affected file and choose Properties in the context menu. Proceed to the above-mentioned tab. You can choose between the Copy and Restore procedures, the former allowing you to copy the item to a location you specify.
Backups and removing remaining traces of the .locky file extension virus
Prevention is the best cure. If you make regular backup copies of your data and store them outside your operating system, the impact of the ransomware is very limited. However, before copying the data from backups back to the system hit by the .locky virus, make sure the removal of the virus has completed.
Manual removal attempts may kill the ransomware in general, but in most cases some remnants survive and are still capable of causing significant damage. Please apply a reliable anti-malware scanner to detect and remove any remaining infections.