@LOCKED Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1
First Seen: March 10, 2016
OS(es) Affected: Windows

The @LOCKED Ransomware is a variant of Unlock92, a known family of ransomware Trojans. Several variants in this ransomware family have been observed in 2018. Like most modern ransomware Trojans, the @LOCKED Ransomware is commonly delivered to victims through corrupted spam email attachments. Victims receive a spam email message with an attached text document containing corrupted macro scripts that were programmed to download and install the @LOCKED Ransomware onto the victim's computer. Once installed, the @LOCKED Ransomware takes the victim's files hostage and demands a ransom payment for restoring access to the affected data.

Symptoms of a @LOCKED Ransomware Attack

The @LOCKED Ransomware is installed in the AppData directory and uses AES encryption to make the victim's data inaccessible. It targets user-generated data, which may include a wide variety of images, texts, media files, and numerous other file types. The file types that threats like the @LOCKED Ransomware target in these attacks include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

When the @LOCKED Ransomware attacks a computer, it will connect with its Command and Control servers to send data about the infected computer. Files encrypted by the @LOCKED Ransomware are easy to recognize because it appends the file extension '.@LOCKED' to each file's name. The @LOCKED Ransomware delivers a ransom note in a text file that includes the following message, written both in Russian and English:

'Your files have been encrypted.
If you want to restore files, send one more file us to the e-mail: unk921@protonmail.com
Only in case you do not receive a response from the first email address
withit 24 hours, please use use TOR browser from www.torproject[.]com and see current
e-mail in hxxp://n3r2kuzhw2hx6j5[.]onion (hxxps://n3r2kuzhw2h7x6j5.tor2web[.]io/ - from any other browser w/o using a TOR)
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.'

Dealing with the @LOCKED Ransomware Infection

Computer users are advised against contacting the criminals responsible for the @LOCKED Ransomware attack. Instead, they should take steps to protect their data preemptively. The best protection is to have file backups. Updated security applications can intercept threats like the @LOCKED Ransomware before the victim's data is compromised, although they will generally not be able to restore files that have already been encrypted in an attack.

File System Details

@LOCKED Ransomware may create the following file(s):
#   File Name   MD5                                Detections
1.  file.exe    f578c991d6dbc426103c119f8c97e577   1
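
The two indicators on this page, the '.@LOCKED' extension appended to encrypted files and the MD5 listed for file.exe, can drive an inventory of an affected directory tree. The Python below is an added example, not part of the original entry; the function name, parameter names and report keys are assumptions chosen for illustration.

```python
import hashlib
import os
from collections import Counter

MARKER = ".@locked"  # extension the page says is appended (compared case-insensitively)
KNOWN_MD5 = frozenset({"f578c991d6dbc426103c119f8c97e577"})  # MD5 this page lists for file.exe


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, known_md5=KNOWN_MD5):
    """Inventory marker-tagged files under root and executables with a listed MD5."""
    report = {"encrypted": [], "by_original_ext": Counter(),
              "first_encrypted_mtime": None, "hash_matches": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            try:
                if lower.endswith(MARKER):
                    original = name[:-len(MARKER)]  # file name before the marker was added
                    ext = os.path.splitext(original)[1].lower() or "(none)"
                    mtime = os.path.getmtime(path)
                    report["encrypted"].append(path)
                    report["by_original_ext"][ext] += 1
                    first = report["first_encrypted_mtime"]
                    if first is None or mtime < first:
                        report["first_encrypted_mtime"] = mtime
                elif lower.endswith(".exe") and md5_of(path) in known_md5:
                    report["hash_matches"].append(path)
            except OSError:
                report["unreadable"].append(path)  # locked or permission-denied file
    return report


if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(len(result["encrypted"]), "files carry the marker")
    print("original extensions:", dict(result["by_original_ext"]))
    print("earliest marker mtime (epoch):", result["first_encrypted_mtime"])
    print("executables matching the listed MD5:", result["hash_matches"])
```

The earliest modification time among marked files approximates when encryption began, which helps when choosing a backup to restore from.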
