‘.locky File Extension’ Ransomware

‘.locky File Extension’ Ransomware Description

Ransomware infections have become increasingly common in the last few years. In the first two months of 2016 alone, computer users came across hundreds of new ransomware infections and variants of previous ransomware threats. One of the most prevalent threats in this period is TeslaCrypt 3.0, a new version of a ransomware Trojan first released in early 2015. The '.locky File Extension' Ransomware is one of the many variants of this threat. This new version of TeslaCrypt closes a loophole that previously made it possible to help computer users recover their files. Variants of this threat have been released, each changing the victims' files' extensions to a different string. The '.locky File Extension' Ransomware Trojan is a TeslaCrypt 3.0 variant that changes encrypted files' extensions to LOCKY.

How the '.locky File Extension' Ransomware may Infect a Computer

The infection process of the '.locky File Extension' Ransomware is not difficult to understand; most encryption ransomware follows the same approach when infecting a computer. First, the '.locky File Extension' Ransomware is delivered using common threat delivery methods, in most cases a corrupted email attachment contained in a phishing email message. When the victim opens the harmful email attachment, the '.locky File Extension' Ransomware is installed on the victim's computer. It then scans the victim's computer, looking for files to encrypt using its AES encryption algorithm. The '.locky File Extension' Ransomware Trojan targets files with the following extensions:

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt

After encrypting the victim's files, the '.locky File Extension' Ransomware changes the affected files' extensions to LOCKY to indicate which files have been encrypted. It also deletes Shadow Volume copies of encrypted files as well as System Restore points, making it impossible for computer users to use alternate methods to recover their files. Sadly, it is currently not possible to decrypt the files encrypted by the '.locky File Extension' Ransomware without the encryption key, which is stored on the Command and Control server rather than in the '.locky File Extension' Ransomware infection itself.

The '.locky File Extension' Ransomware alerts the victim to the infection using text or image files dropped on the victim's computer. These messages demand payment of a ransom worth several hundred dollars through Bitcoin or other anonymous methods. The following is an example of a ransom message commonly associated with the '.locky File Extension' Ransomware:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show Encrypted Files" button to view a complete list on encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.


Technical Information


File System Details

‘.locky File Extension’ Ransomware creates the following file(s):
| # | File Name | Size | MD5 | Detection Count |
|---|-----------|------|-----|-----------------|
| 1 | MRI6219316107.js | 6,248 | e66009d3c69f364568d5f0d5dd6ec2d0 | 93 |
| 2 | problem.437332391.js | 4,052 | 34b1de7abb0fca894b13780fc65899eb | 92 |
| 3 | %USERPROFILE%\DesktopOSIRIS.bmp | | | 71 |
| 4 | file.exe | 39,424 | b0ca8c5881c1d27684c23db7a88d11e1 | 33 |
| 5 | %Temp%\MicroImageDir\_HOWDO_text.bmp | | | 26 |
| 6 | %APPDATA%\Nwiz.dll | 57,344 | 47071fa53f96afad764ab149b2d2fea6 | 21 |
| 7 | _Locky_recover_instructions.bmp.lnk | | | 2 |
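
A triage sweep built from the indicators in the table above, as an added example (not code from this page or from SpyHunter): it walks a directory tree and reports files renamed to .locky, ransom-note files, and files whose MD5 matches a listed sample. The function names, the 5 MB hashing limit and the prefix match on the recovery-instruction file name are assumptions of the example.

```python
import hashlib
import os
import sys

# MD5 digests and names copied from the File System Details table above.
PAGE_MD5 = {
    "e66009d3c69f364568d5f0d5dd6ec2d0": "MRI6219316107.js",
    "34b1de7abb0fca894b13780fc65899eb": "problem.437332391.js",
    "b0ca8c5881c1d27684c23db7a88d11e1": "file.exe",
    "47071fa53f96afad764ab149b2d2fea6": "Nwiz.dll",
}
NOTE_NAMES = {"_howdo_text.bmp"}              # ransom-note image from the table
NOTE_PREFIX = "_locky_recover_instructions"   # .bmp.lnk in the table, other suffixes assumed
ENCRYPTED_EXT = ".locky"
MAX_HASH_BYTES = 5 * 1024 * 1024  # assumption: listed samples are under 60 KB

def md5_of(path):
    h = hashlib.md5()  # MD5 only because it is the digest the page publishes
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, md5_iocs=PAGE_MD5):
    """Walk root and group findings by indicator type."""
    found = {"encrypted": [], "ransom_note": [], "known_sample": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)   # renamed user data, not hashed
            elif lower in NOTE_NAMES or lower.startswith(NOTE_PREFIX):
                found["ransom_note"].append(path)
            else:
                try:
                    if os.path.getsize(path) <= MAX_HASH_BYTES and md5_of(path) in md5_iocs:
                        found["known_sample"].append(path)
                except OSError:
                    found["unreadable"].append(path)  # locked or access denied
    return found

if __name__ == "__main__":
    report = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for p in paths[:20]:
            print("   ", p)
```

The `encrypted` count gives a quick measure of how far the encryption spread, including on mapped network shares passed as the root path.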


23 Comments

  • Mia:

    I have the locky with the .thor extension and all our files and programs are infected and decrypted…. HELP!!!!!

  • Chris:

    I was infected with this ransomware and after many attempts at following long and complicated processes to try and decrypt my lost files, which didn’t work, I stumbled across Shadow Explorer.
    This was a simple program to download and I was able to recover almost all my files, with the exception of files I had done within about the past week. The important files I had on my computer have all been recovered. Of course, I got rid of the infection first using SpyHunter. So, rather than a total loss of all files, I only lost a few that were done recently.
    This needs to be offered as a way of recovering your files, so that others can at least get back the majority of them and not have to pay these extortionists the money they are demanding.

  • Emm Vee:

    Thanks to Mr. Ajay Bhat for the useful information provided but guess this is just the icing, the cake would be if the encrypted files could be recovered delivering a hard slap to these digital thugs.

  • kimmy:

    any one can help me to recover my file documents please help to fix the .locky file extension thanks

  • Waqas Latif:

    Hi All,

    I have recovered my files through data recovery software but its file format is .locky. Can anybody please tell me how I can get back my files with original file formats like office files and how I can get rid of the locky file format????

  • F*ckin Tired:

    I've been attacked by locky 5 times in my company (I handle 200++ computers alone as IT staff)
    I’ve done some registry search for locky and deleted it in safe mode…
    Formatting 1 computer..
    try to use shadow copies (but failed)
    try to use malwarebytes (but locky keeps coming from email)
    Antivirus is ON (Avast) – but it seems the users of the computer still clicked the attachments
    i dunno intentionally or not..
    Firewall and webmail server is working, what the heck are they doing?

    but the FILES is not coming back…
    and latest locky virus May 20th 2016…
    it’s not just encrypt your file…
    it’s delete your files entirely and leave a notes like "Help Instruction" on browser.exe
    and attacking file sharing quietly

    F*CK YOU SNEAKY BASTARD RANSOM!!
    I WISH YOUR MAKERS WAS NEVER BORN

  • manpreet:

    Dear Please help me in getting out of this fussy condition of .locky extension, I need data back on every condition , kindly help

  • Boshra:

    all office files locked by locky, please help.

  • Jeff:

    Can I get my documents back or are they gone forever?

  • stacy:

    I have come across the same problem, opened an email with a bill and it must have hacked into my computer and now any drive I went into throughout that day has been infected, including shared network files. System restore does not work, previous version has nothing available. If anyone could help me restore my documents this would be a great help

  • king lee:

    thanks Mr. Ajay Bhat for such wonderful instructions.

  • Joel:

    Going to pay ransom but didn’t even give me an amount there is just an error message. Went via tor still just say send bitcoin to the weird bitcoin address but the amount they want is "not found". So there is no hope of ever getting my files back.

  • Ajay Bhat:

    Locky file extension Removal Instructions
    Remove Locky file extension malware Manually
    Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
    Locate the process %Temp%\[svchost].exe

    Before you kill the process, type the name on a text document for later reference.
    Navigate to your %UserProfile%\Desktop\ folder and delete the following files
    %UserProfile%\Desktop\_Locky_recover_instructions.bmp
    %UserProfile%\Desktop\_Locky_recover_instructions.txt
    %Temp%\[random].exe
    Open your Windows Registry Editor and navigate and delete the following registry keys
    HKCU\Software\Locky
    HKCU\Software\Locky\id
    HKCU\Software\Locky\pubkey
    HKCU\Software\Locky\paytext
    HKCU\Software\Locky\completed 1
    HKCU\Control Panel\Desktop\Wallpaper “%UserProfile%\Desktop\_Locky_recover_instructions.bmp”
    Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you may wish to run a professional scanner to identify the files.
    It is always a good idea to use a reputable anti-malware program after manual removal, to prevent this from happening again.
    This article was published in Removal and was tagged Ransomware. Bookmark the permalink for later reference by pressing CTRL+D on your keyboard.

  • cem:

    hi there I wish to convert files encrypted by locky back to original format. Pls assist. It doesn’t allow me to reset to an earlier date before the infection date..

  • Joe:

    Use Recuva and scan affected drives for relevant file types before considering other methods.

  • cem:

    Hi there can you advise how to recover locky infected files pls?

  • Eduardo:

    Hello, how to decrypt locked files with .locky extension virus. Need help please

  • Pierre ORHAN:

    MDB files (access) are also modified by Locky

  • steve:

    Hello, how to decrypt locked files

  • ian:

    If you have the correct settings on your computer you can check previous versions and recover to an earlier state.

  • Sue Bickle:

    How can I open my locked files
    (locky)

  • Andras Sandor:

    What happens if I do pay the ransom?

  • tracey:

    I want to try and save all the documents which locky has affected
