'.locky File Extension' Ransomware

'.locky File Extension' Ransomware Description

Ransomware infections have become increasingly common in the last few years. In the first two months of 2016 alone, computer users came across hundreds of new ransomware infections and variants of previous ransomware threats. One of the most prevalent threats in this period is TeslaCrypt 3.0, a new version of a ransomware Trojan first released in early 2015. The '.locky File Extension' Ransomware is one of the many variants of this threat. This new version of TeslaCrypt closes a loophole that previously allowed computer users to recover their files. Several variants of this threat have been released, each changing the extensions of the victims' files to a different string. The '.locky File Extension' Ransomware Trojan is a TeslaCrypt 3.0 variant that changes encrypted files' extensions to LOCKY.

How the '.locky File Extension' Ransomware may Infect a Computer

The '.locky File Extension' Ransomware infection process is not difficult to understand. In fact, most encryption ransomware follows the same approach when infecting a computer. First, the '.locky File Extension' Ransomware is delivered using common threat delivery methods, in most cases a corrupted email attachment contained in a phishing email message. When the victim opens the harmful email attachment, the '.locky File Extension' Ransomware is installed on the victim's computer. The '.locky File Extension' Ransomware then scans the victim's computer, looking for files to encrypt using its AES encryption algorithm. The '.locky File Extension' Ransomware Trojan will encrypt files with the following extensions:

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt

After the '.locky File Extension' Ransomware has infected the victim's files, the '.locky File Extension' Ransomware will change the affected files' extensions to LOCKY to indicate which files have been encrypted. The '.locky File Extension' Ransomware will also delete Shadow Volume copies of encrypted files as well as System Restore points, making it impossible for computer users to use alternate methods to recover their files. Sadly, it is currently not possible to decrypt the files encrypted by the '.locky File Extension' Ransomware without the encryption key, which is stored on the Command and Control server rather than in the '.locky File Extension' Ransomware infection itself.
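The rename behavior described above can be turned into a detection. The following added example (not code from the original page) flags a host when several files with targeted extensions are renamed to .locky within a short window; the event format, host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

MARKER_EXT = ".locky"   # extension this page says encrypted files receive
# A few of the targeted extensions from the list on this page
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".mdb", ".txt"}
WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 3                    # assumed tuning value

# Constructed rename events (time|host|old path|new path), not real telemetry
SAMPLE = r"""
2016-02-20T09:14:01|WS-042|C:\Users\amy\Docs\budget.xlsx|C:\Users\amy\Docs\budget.LOCKY
2016-02-20T09:14:02|WS-042|C:\Users\amy\Docs\plan.docx|C:\Users\amy\Docs\plan.LOCKY
2016-02-20T09:14:04|WS-042|C:\Users\amy\Docs\scan.pdf|C:\Users\amy\Docs\scan.LOCKY
2016-02-20T09:14:05|WS-042|C:\Users\amy\Pics\photo.jpg|C:\Users\amy\Pics\photo.LOCKY
2016-02-20T09:20:00|WS-017|C:\Users\bob\notes.txt|C:\Users\bob\notes.locky
2016-02-20T09:21:00|WS-017|C:\Users\bob\report.docx|C:\Users\bob\report_final.docx
2016-02-20T10:00:00|WS-099|D:\share\a.doc|D:\share\a.LOCKY
2016-02-20T10:05:00|WS-099|D:\share\b.doc|D:\share\b.LOCKY
2016-02-20T10:10:00|WS-099|D:\share\c.doc|D:\share\c.LOCKY
"""

def detect(lines):
    """Return (host, time) for each host whose renames of targeted files
    to MARKER_EXT reach THRESHOLD within WINDOW. Input must be time-ordered."""
    recent = defaultdict(deque)          # host -> times of suspicious renames
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts_text, host, old, new = line.strip().split("|")
        ts = datetime.fromisoformat(ts_text)
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()   # page writes it as LOCKY
        if new_ext != MARKER_EXT or old_ext not in TARGETED:
            continue                     # ordinary rename, ignore
        q = recent[host]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop events that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and host not in alerted:
            alerted.add(host)            # one alert per host
            alerts.append((host, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for host, when in detect(SAMPLE.splitlines()):
        print(f"ALERT {host}: burst of {MARKER_EXT} renames by {when}")
```

A single stray .locky file or renames spread over minutes stay below the threshold, so only the burst on the first constructed host raises an alert.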

The '.locky File Extension' Ransomware alerts the victim to the infection using text or image files dropped on the victim's computer. These messages demand payment of a ransom worth several hundred dollars through BitCoin or other anonymous methods. The following is an example of a ransom message commonly associated with the '.locky File Extension' Ransomware:

Your personal files are encrypted!
Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show Encrypted Files" button to view a complete list on encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

Technical Information

File System Details

'.locky File Extension' Ransomware creates the following file(s):

Registry Details

'.locky File Extension' Ransomware creates the following registry entry or registry entries:



  • tracey:

    I want to try and save all the documents which Locky has affected

  • Andras Sandor:

    What happens if I do pay the ransom?

  • Sue Bickle:

    How can I open my locked files

  • ian:

    If you have the correct settings on your computer you can check previous versions and recover to an earlier state.

  • Saki xfx:

    hope there is someone who kindly made the app .locky decrypter 🙂

  • steve:

    Hello, how to decrypt locked files

  • Marco:

    good morning
    We contact you because we have contracted the virus locky in one of our workstations, and for your company can provide us with a tool to unlock our infected files? possibly you show us you know the costs?
    and an emergency situation and strongly look forward to hearing your chances of recovery confirmation.
    I thank you and I apologize for my bad English.


  • Pierre ORHAN:

    MDB files (access) are also modified by Locky

  • Eduardo:

    Hello, how to decrypt locked files with .locky extension virus. Need help please

  • cem:

    Hi there can you advise how to recover locky infected files pls?

  • Joe:

    Use Recuva and scan affected drives for relevant file types before considering other methods.

  • cem:

    hi there I wish to convert files encrypted by locky back to original format. Pls assist. It doesn't allow me to reset to an earlier date before the infection date..

  • Ajay Bhat:

    Locky file extension Removal Instructions
    Remove Locky file extension malware Manually
    Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
    Locate the process %Temp%\[svchost].exe

    Before you kill the process, type the name on a text document for later reference.
    Navigate to your %UserProfile%\Desktop\ folder and delete the following files
    Open your Windows Registry Editor and navigate and delete the following registry keys
    HKCU\Software\Locky\completed 1
    HKCU\Control Panel\Desktop\Wallpaper “%UserProfile%\Desktop\_Locky_recover_instructions.bmp”
    Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you may wish to run a professional scanner to identify the files.
    It is always a good idea to use a reputable anti-malware program after manual removal, to prevent this from happening again.
    This article was published in Removal and was tagged Ransomware. Bookmark the permalink for later reference by pressing CTRL+D on your keyboard.

  • Joel:

    Going to pay ransom but didn't even give me an amount there is just an error message. Went via tor still just say send bitcoin to the weird bitcoin address but the amount they want is "not found". So there is no hope of ever getting my files back.

  • king lee:

    thanks Mr. Ajay Bhat for such wonderful instructions.

  • stacy:

    I have come across the same problem, opened an email with a bill and it must have hacked into my computer and now any drive I went into throughout that day has been infected, including shared network files. System restore does not work, previous version has nothing available. If anyone could help me restore my documents this would be a great help

  • Henry Banda:


    please help me to solve this problem of locky file, I am one of the victims of this, I don't know what I can do.
    help me in any process which you know can help to install back the original format of my documents and be able to open them.
    am ready to buy your software

    i will be waiting for your answers

  • Marc Lipshitz:


    The first reason is simple, even after paying few people receive a decrypt key- you are out of pocket and your data is still encrypted!

    The second reason is just common sense: Your system has been compromised and you are going to type in your financial details to go and buy bitcoins... If you have been compromised, there is always the fact there may be a secondary key logger or other bit of malware running that now allows them to get your financial details

    The third reason is simple: by paying the ransom you give the perpetrators what they want, encouraging further infections and ensuring you will have to deal with this again in the future as well as enabling them to go after other people...

    Rather just follow the common sense rules of ensuring you back up regularly and have up-to-date anti-virus and anti-malware running- and allowing full scans on a regular basis.

  • Jeff:

    Can I get my documents back or are they gone forever?

  • Boshra:

    all office files locked by locky, please help.

  • manpreet:

    Dear Please help me in getting out of this fussy condition of .locky extension, I need data back on every condition , kindly help

  • F*ckin Tired:

    I've been attacked by locky 5 times in my company (I handle 200++ computer alone as IT staff)
    I've done some registry search for locky and deleted it in safe mode...
    Formatting 1 computer..
    try to use shadow copies (but failed)
    try to use malwarebytes (but locky keeps coming from email)
    Antivirus is ON (Avast) - but it seems the users of the computer still clicked the attachments
    i dunno intentionally or not..
    Firewall and webmail server is working, what the heck are they doing?

    but the FILES is not coming back...
    and latest locky virus May 20th 2016...
    it's not just encrypt your file...
    it's delete your files entirely and leave a notes like "Help Instruction" on browser.exe
    and attacking file sharing quietly


  • Waqas Latif:

    Hi All,

    I have recovered my files through data recovery software but its file format is .locky . Can anybody please tell me how I can get back my files with original file formats like office files and how I can get rid of the locky file format????

  • kimmy:

    any one can help me to recover my file documents please help to fix the .locky file extension thanks

  • Emm Vee:

    Thanks to Mr. Ajay Bhat for the useful information provided but guess this is just the icing, the cake would be if the encrypted files could be recovered delivering a hard slap to these digital thugs.

  • Chris:

    I was infected with this ransomware and after many attempts at following long and complicated processes to try and decrypt my lost files, which didn't work, I stumbled across Shadow Explorer.
    This was a simple program to download and I was able to recover almost all my files, with the exception of files I had done within about the past week. The important files I had on my computer have all been recovered. Of course, I got rid of the infection first using SpyHunter. So, rather than a total loss of all files, I only lost a few that were done recently.
    This needs to be offered as a way of recovering your files, so that others can at least get back the majority of them and not have to pay these extortionists the money they are demanding.

  • Mia:

    I have the locky with the .thor extension and all our files and programs are infected and decrypted.... HELP!!!!!
