The .locky ransom virus is a new breed that poses elevated risk due to sizeable stealth, large attack surface and sophisticated money extortion tactic.
The latest extortion contrivance called the Locky ransomware demonstrates that cybercriminals are obviously in pursuit of new operational mechanisms. Said infection is out-of-the-ordinary because its spreading mode differs from the analogs, and it covers a greater scope of victim data if the attack succeeds. The most prominent signs of this onslaught include the .locky extension added at the end of encrypted files, as well as the ransom walkthroughs titled _Locky_recover_instructions.txt. The latter documents show up in all folders the contents of which underwent the detrimental impact of the virus. The user’s personal files, in their turn, take a weird shape and look similar to this: 8361F0GE9589G5F7C9B07218D472R0F5.locky, where the first 16 characters and digits reflect the unique victim identifier, and the other half is file-specific.
Of course, the user can no longer open any of these files – not because they were renamed but due to AES encryption that the ransomware applied. Locky roams through the local drive volumes, external data peripherals such as USB memory sticks or an additional HDD, and network drives. The goal is to find the bits of information with the most widespread extensions. This way, the malware can hit below the belt as it subsequently encodes one’s personal files and disregards various objects that are auxiliary in the operating system.
After the encryption job has been finished, the Trojan replaces the admin’s wallpaper with an image that provides step-by-step recommendations regarding data redemption. Replicated in the above-mentioned _Locky_recover_instructions.txt document, these directions tell the victim to follow a Tor link for further advice. The linked-to online spot is in fact the Locky Decrypter Page, where the hijacked computer user can remit the ransom of 0.5 BTC, or about $200, and download the decoding software afterwards.
The .locky file ransomware is also non-standard in the context of circulation. Rather than use exploit kits, the miscreants are mass-spamming potential victims with rogue invoices. The Microsoft Word document that goes with these emails looks innocuous, but it has got a trick in it. When a user opens the file, the text is indiscernible. However, a little prompt says this problem can be rectified by enabling macros. Unfortunately, a lot of users fall for this hype, activate known-vulnerable macros manually and thus allow the attackers to run their code on the computer. If this happens, the cyber offensive is extremely difficult to handle, but not impossible. Read the following tips to find out how you can reinstate your data without paying a cent to the scammers.
Automated removal of .locky file virus
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Ways of non-ransom recovery of encrypted .locky files
Cracking the crypto used by this ransom trojan is more of a science fiction thing rather than an attainable prospect for the masses. This is why the troubleshooting in predicaments of this sort is a matter of two approaches: one is to pay the ransom, which isn’t an option for many victims; and the other is to apply instruments that take advantage of the ransomware’s possible weaknesses. If the latter is your pick, the advice below is a must-try.
Backups can make your day
Not only are you a lucky person in case you’ve been backing up your most important files, but you’re also a wise and prudent user. This isn’t necessarily a resource-heavy activity these days – in fact, some providers of online services are allocating a sufficient size of cloud storage space for free so that every customer can easily upload their critical data without paying a penny. Having removed Locky ransomware, therefore, all you have to do is download your stuff from the remote server or transfer it all from an external piece of hardware if that’s the case.
Restore previous versions of encrypted files
A positive upshot of using this technique depends on whether or not the ransomware has erased the Volume Shadow Copies of the files on your PC. This is a Windows feature that automatically makes and keeps the backups of data elements on the hard drive as long as System Restore is enabled. The cryptoware in question is programmed to switch off the Volume Shadow Copy Service (VSS), but it has reportedly failed to in some cases. Checking one’s options regarding this workaround is doable in two ways: through the Properties menu of each file or by means of the remarkable open-source tool called Shadow Explorer. We recommend the software-based way because it’s automated, hence faster and easier. Just install the app and use its intuitive controls to get previous versions of the encrypted objects reinstated.
Data recovery toolkit to the rescue
Some strains of ransomware are known to delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Data Recovery Pro by ParetoLogic features this type of capability therefore it can be applied in ransom attack scenarios to at least get the most important files back. So download and install the program, run a scan and let it do its job.
Revise your security status
Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup.
- Nemesis decryptor: redeem encrypted files from Cry9/Nemesis ransomware
- “The requested resource is in use” virus popups in Windows
- AES-NI Ransomware removal: decrypt .aes_ni_0day files
- Eccentric “Rensenware” infection demands Touhou game score instead of Bitcoin
- Wcry ransomware: .wcry files decryptor and virus removal