
'.locky File Extension' Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 366
First Seen: February 16, 2016
Last Seen: October 27, 2021
OS(es) Affected: Windows

Ransomware infections have become increasingly common in the last few years. In the first two months of 2016 alone, computer users came across hundreds of new ransomware infections and variants of earlier ransomware threats. One of the most prevalent threats in this period is TeslaCrypt 3.0, a new version of a ransomware Trojan first released in early 2015. The '.locky File Extension' Ransomware is one of the many variants of this threat. This new version of TeslaCrypt closes a loophole that previously allowed the encrypted files to be recovered. Several variants of this threat have been released, each changing the extension of the victims' files to a different string. The '.locky File Extension' Ransomware Trojan is a TeslaCrypt 3.0 variant that changes the extension of encrypted files to LOCKY.

How the '.locky File Extension' Ransomware may Infect a Computer

The '.locky File Extension' Ransomware infection process is not difficult to understand. In fact, most encryption ransomware follows the same approach when infecting a computer. First, the '.locky File Extension' Ransomware is delivered using common threat delivery methods, in most cases a corrupted attachment contained in a phishing email message. When the victim opens the harmful email attachment, the '.locky File Extension' Ransomware is installed on the victim's computer. The '.locky File Extension' Ransomware then scans the victim's computer, looking for files to encrypt using its AES encryption algorithm. The '.locky File Extension' Ransomware Trojan will encrypt files with the following extensions:

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt

After the '.locky File Extension' Ransomware has encrypted the victim's files, it changes the affected files' extensions to LOCKY to indicate which files have been encrypted. The '.locky File Extension' Ransomware also deletes the Shadow Volume Copies of the encrypted files as well as System Restore points, making it impossible for computer users to recover their files through these alternate methods. Sadly, it is currently not possible to decrypt the files encrypted by the '.locky File Extension' Ransomware without the encryption key, which is stored on the Command and Control server rather than in the '.locky File Extension' Ransomware infection itself.
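The deletion of Shadow Volume Copies described above is the step that turns an infection into an unrecoverable loss, so it is worth detecting on its own. The following is an added example, not code from the original page or from the vendor: it scans constructed process-creation log lines (a simplified `timestamp|host|parent|command line` layout assumed here, not any real product's format) for the shadow-copy deletion commands and reports which parent process issued them. Listing shadow copies is deliberately not flagged, so the rules only fire on destructive use.

```python
"""Flag process-creation records that delete Volume Shadow Copies.

Added example (not from the original page). The log format and sample
lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Constructed sample log: one benign editor launch, two shadow-copy
# deletions issued by a dropped executable, a service start and a harmless
# listing of shadow copies from an admin shell.
SAMPLE_LOG = """\
2016-02-16T09:12:01|WS-17|explorer.exe|C:\\Windows\\System32\\notepad.exe invoice.txt
2016-02-16T09:13:45|WS-17|file.exe|vssadmin.exe delete shadows /all /quiet
2016-02-16T09:13:46|WS-17|file.exe|wmic.exe shadowcopy delete
2016-02-16T09:14:02|WS-17|services.exe|svchost.exe -k netsvcs
2016-02-16T09:15:10|WS-17|cmd.exe|vssadmin.exe list shadows
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    parent: str
    command: str
    rule: str


# Each rule requires the tool name *and* a deleting verb, so inventory
# commands such as "vssadmin list shadows" do not match.
RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def parse_line(line):
    """Split one record into (timestamp, host, parent, command) or None."""
    parts = line.rstrip("\n").split("|", 3)
    return parts if len(parts) == 4 else None


def scan(log_text):
    """Return a Finding for every record whose command line matches a rule."""
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed record; skip rather than crash the scan
        timestamp, host, parent, command = record
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(timestamp, host, parent, command, name))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} parent={f.parent} rule={f.rule}: {f.command}")
```

In a real deployment the interesting signal is the parent: shadow-copy deletion launched by a freshly written executable in a user-writable directory, rather than by an administrator's shell or a backup agent, is the pattern worth alerting on.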

The '.locky File Extension' Ransomware alerts the victim to the infection using text or image files dropped on the victim's computer. These messages demand payment of a ransom worth several hundred dollars through Bitcoin or other anonymous payment methods. The following is an example of a ransom message commonly associated with the '.locky File Extension' Ransomware:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show Encrypted Files" button to view a complete list on encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.


File System Details

'.locky File Extension' Ransomware may create the following file(s):
# File Name MD5 Detections
1. Nwiz.dll 877dcbdf9b0a4a0872aadb13496d60b8 100
2. tmp00124509 2fbffc7434688a221968eabce01cf406 27
3. Nwiz.dll 47071fa53f96afad764ab149b2d2fea6 21
4. file.exe 0ca0d0acc30a746227bc4b5054569d7f 3
5. file.exe 85875718160f86a6b2a50befab250f43 2
6. 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e 9dcdfbb3e8e4020e4cf2fc77e86daa76 2
7. file.exe 7c31e5040c3d22f0d5fd89b4ff9c10db 1
8. f689391b0527fbf40d425e1ffb1fafd5c84fa68af790e8cc4093bcc81708c11b 544bc1c6ecd95d89d96b5e75c3121fea 1
9. file.exe b2753d4292bb12272d8e5cb00242bc5a 1
10. a lockk.exe bfff16a0cca57b278591052a9059c0a1 1
11. problem.437332391.js 34b1de7abb0fca894b13780fc65899eb 0
12. MRI6219316107.js e66009d3c69f364568d5f0d5dd6ec2d0 0
13. file.exe b0ca8c5881c1d27684c23db7a88d11e1 0
14. file.exe c5ad81d8d986c92f90d0462bc06ac9c6 0
15. file.exe ebf1f8951ec79f2e6bf40e6981c7dbfc 0
16. file.exe c325dcf4c6c1e2b62a7c5b1245985083 0
17. file.exe 8581787782f6647b506cfe5eac136477 0
18. file.exe d2863c69b8e8deac65d27875a2d0edc9 0
19. name bdff9c8ae6506768df834d19dfa028f9 0
20. file.exe b61684edf1843503106cf5b900813eaf 0
21. file.exe bf432becfc993d0bec4fabeff48b1292 0
22. file.exe 0d0823d9a5d000b80e27090754f59ee5 0
23. file.exe 20f2ca720cb4dcca9195113f258ca4ef 0
24. file.exe 899ba682505dcbbecaa42f5bbd7ea639 0

Registry Details

'.locky File Extension' Ransomware may create the following registry entry or registry entries:
File name without path
_Locky_recover_instructions.bmp
E65DPaiQc7R.hta
Regexp file mask
%Temp%\MicroImageDir\_HOWDO_text.bmp
%USERPROFILE%\DesktopOSIRIS.bmp
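The file names, MD5 hashes and ransom-note names listed above, together with the extension list earlier in the article, are enough to triage a machine or a file share. The following script is an added example, not code from the original page or from the vendor: it walks a directory tree, reports files renamed to the .locky extension, the dropped ransom-note names from this page, any file whose MD5 matches one of the hashes in the File System Details table, and a count of files whose extensions are on the article's target list. The sample tree it builds is constructed for the demonstration (no sample file has a listed hash, so the hash check reports nothing on it); the extension and hash sets are subsets of the page's lists.

```python
"""Triage a directory tree for the indicators listed on this page.

Added example (not from the original page). The sample tree is
constructed; the indicator lists are subsets of the page's own data.
"""
import hashlib
import os
import tempfile

# Subset of the extensions the article says the Trojan encrypts.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".jpeg", ".png",
                     ".pst", ".accdb", ".mdb", ".pem", ".pfx", ".p12",
                     ".7z", ".rar"}

# Ransom-note file names taken from the page (Registry Details and the
# removal instructions in the comments).
RANSOM_NOTE_NAMES = {"_Locky_recover_instructions.bmp",
                     "_Locky_recover_instructions.txt",
                     "E65DPaiQc7R.hta", "_HOWDO_text.bmp"}

# Subset of the MD5 hashes from the page's File System Details table.
KNOWN_MD5 = {
    "877dcbdf9b0a4a0872aadb13496d60b8",  # Nwiz.dll
    "2fbffc7434688a221968eabce01cf406",  # tmp00124509
    "0ca0d0acc30a746227bc4b5054569d7f",  # file.exe
    "bfff16a0cca57b278591052a9059c0a1",  # a lockk.exe
    "34b1de7abb0fca894b13780fc65899eb",  # problem.437332391.js
}


def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root):
    """Walk root and collect the page's indicators into one report dict."""
    report = {"encrypted": [], "ransom_notes": [], "hash_hits": [], "at_risk": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".locky":
                report["encrypted"].append(path)
            elif ext in TARGET_EXTENSIONS:
                report["at_risk"] += 1      # still intact but on the target list
            if name in RANSOM_NOTE_NAMES:
                report["ransom_notes"].append(path)
            if md5_of(path) in KNOWN_MD5:
                report["hash_hits"].append(path)
    return report


def build_sample_tree(root):
    """Constructed sample: untouched documents, renamed files and a note."""
    files = {
        "Documents/budget.xlsx": b"PK\x03\x04 constructed xlsx",
        "Documents/report.docx.locky": b"\x00constructed ciphertext",
        "Pictures/holiday.jpg.locky": b"\x00constructed ciphertext",
        "Pictures/cat.png": b"\x89PNG constructed",
        "Desktop/_Locky_recover_instructions.bmp": b"BM constructed note",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Point `triage()` at a mounted backup or an offline copy of the affected share rather than at the live infected machine; the report tells you how much was encrypted, whether the note files are present, and which binaries to submit for analysis.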

28 Comments

I want to try and save all the documents which Locky has affected.

What happens if I do pay the ransom?

How can I open my locked files (locky)?

If you have the correct settings on your computer you can check previous versions and recover to an earlier state.


Hope there is someone who kindly made the app .locky decrypter 🙂

Hello, how to decrypt locked files?

Good morning,
We are contacting you because we have contracted the Locky virus on one of our workstations. Can your company provide us with a tool to unlock our infected files? Could you possibly let us know the costs?
This is an emergency situation and we strongly look forward to hearing your confirmation of the chances of recovery.
I thank you and apologize for my bad English.

Marco.

MDB files (Access) are also modified by Locky.

Hello, how to decrypt locked files with the .locky extension virus? Need help please.

Hi there, can you advise how to recover Locky-infected files please?

Use Recuva and scan affected drives for relevant file types before considering other methods.

Hi there, I wish to convert files encrypted by Locky back to their original format. Please assist. It doesn't allow me to reset to an earlier date before the infection date.

Locky file extension Removal Instructions
Remove Locky file extension malware manually
Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
Locate the process %Temp%\[svchost].exe

Before you kill the process, type the name in a text document for later reference.
Navigate to your %UserProfile%\Desktop\ folder and delete the following files:
%UserProfile%\Desktop\_Locky_recover_instructions.bmp
%UserProfile%\Desktop\_Locky_recover_instructions.txt
%Temp%\[random].exe
Open your Windows Registry Editor, navigate to and delete the following registry keys:
HKCU\Software\Locky
HKCU\Software\Locky\id
HKCU\Software\Locky\pubkey
HKCU\Software\Locky\paytext
HKCU\Software\Locky\completed 1
HKCU\Control Panel\Desktop\Wallpaper “%UserProfile%\Desktop\_Locky_recover_instructions.bmp”
Please keep in mind that the names on your machine might be different, as they might be generated randomly; that's why you may wish to run a professional scanner to identify the files.
It is always a good idea to use a reputable anti-malware program after manual removal, to prevent this from happening again.

Going to pay the ransom but it didn't even give me an amount, there is just an error message. Went via Tor, it still just says send bitcoin to the weird bitcoin address but the amount they want is "not found". So there is no hope of ever getting my files back.

Thanks Mr. Ajay Bhat for such wonderful instructions.

I have come across the same problem. I opened an email with a bill and it must have hacked into my computer, and now any drive I went into throughout that day has been infected, including shared network files. System Restore does not work, previous versions has nothing available. If anyone could help me restore my documents this would be a great help.

Hello

Please help me to solve this problem of the Locky file. I am one of the victims of this and I don't know what I can do.
Help me with any process which you know can help to install back the original format of my documents and be able to open them.
I am ready to buy your software.

I will be waiting for your answers.

DO NOT PAY THE RANSOM!

The first reason is simple: even after paying, few people receive a decryption key. You are out of pocket and your data is still encrypted!

The second reason is just common sense: your system has been compromised and you are going to type in your financial details to go and buy bitcoins... If you have been compromised, there is always the possibility that a secondary keylogger or other bit of malware is running that now allows them to get your financial details.

The third reason is simple: by paying the ransom you give the perpetrators what they want, encouraging further infections and ensuring you will have to deal with this again in the future, as well as enabling them to go after other people...

Rather, just follow the common-sense rules of backing up regularly and having up-to-date anti-virus and anti-malware running, and allow full scans on a regular basis.

Can I get my documents back or are they gone forever?

All office files locked by Locky, please help.

Dear Sir, please help me get out of this fussy condition of the .locky extension. I need my data back on every condition, kindly help.

I've been attacked by Locky 5 times in my company (I handle 200++ computers alone as IT staff).
I've done a registry search for Locky and deleted it in Safe Mode...
Formatted 1 computer...
Tried to use shadow copies (but failed).
Tried to use Malwarebytes (but Locky keeps coming from email).
Antivirus is ON (Avast), but it seems the users of the computers still clicked the attachments;
I don't know whether intentionally or not...
The firewall and webmail server are working, so what the heck are they doing?

But the FILES are not coming back...
And the latest Locky virus, May 20th 2016...
It's not just encrypting your files...
It deletes your files entirely and leaves notes like "Help Instruction" on browser.exe,
and attacks file sharing quietly.

F*CK YOU SNEAKY BASTARD RANSOM!!
I WISH YOUR MAKERS WERE NEVER BORN.

Hi All,

I have recovered my files through data recovery software, but their file format is .locky. Can anybody please tell me how I can get back my files in their original file formats, like office files, and how I can get rid of the locky file format????

Can anyone help me to recover my file documents? Please help to fix the .locky file extension. Thanks.

Thanks to Mr. Ajay Bhat for the useful information provided, but I guess this is just the icing; the cake would be if the encrypted files could be recovered, delivering a hard slap to these digital thugs.

I was infected with this ransomware and, after many attempts at following long and complicated processes to try and decrypt my lost files, which didn't work, I stumbled across Shadow Explorer.
This was a simple program to download and I was able to recover almost all my files, with the exception of files I had done within about the past week. The important files I had on my computer have all been recovered. Of course, I got rid of the infection first using SpyHunter. So, rather than a total loss of all files, I only lost a few that were done recently.
This needs to be offered as a way of recovering your files, so that others can at least get back the majority of them and not have to pay these extortionists the money they are demanding.

I have the Locky with the .thor extension and all our files and programs are infected and decrypted.... HELP!!!!!
