A strain of ransomware called CryptoWall 4.0 surfaced in 2015 and has extorted more than $325 million from its victims. No sooner had 2015 passed than a new strain of ransomware hit computers around the world, causing a new round of panic. The name of this ransomware is “Locky”. In the following, we will introduce this ransomware in detail.
This ransomware has spread very quickly since it first appeared on February 16, 2016. UK-based security researcher Kevin Beaumont reported that it can create around 4,000 new infections per hour, or approximately 100,000 new infections per day. Like other types of ransomware, Locky is mainly spread via spam emails. According to Symantec, millions of spam emails spread this new strain of ransomware on the day it first surfaced. Most of these spam emails have a subject line that reads “ATTN: Invoice J-[random numbers]” and a Word document attachment with the same name as the subject. Here is a screenshot of the spam email:
When victims open the attachment, they are presented with a document containing scrambled content and a prompt to enable macros in order to unscramble it. See the screenshot below.
Note: A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened.
Once the macro is enabled, it downloads an executable file named ladybi.exe from a remote server. This executable file is actually the Locky ransomware; it is stored in the %Temp% folder and then quickly executed by the macro. The ransomware then creates startup entries in the Registry so that it runs automatically whenever Windows starts. Usually, the startup entries are created in these two locations:
Afterwards, it scans all local drives and unmapped network shares for data files to encrypt. It uses the AES encryption algorithm and only encrypts files with the following extensions:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
The ransomware renames each encrypted file to the format [unique_id][identifier].locky – a gibberish sequence of 32 numbers and characters followed by the .locky extension. Thus, it is impossible for victims to identify the original files from their names. The following screenshot shows what the encrypted files look like:
Locky ransomware also removes any Volume Snapshot Service (VSS) files, also known as Shadow Copies, that victims may have made on their machines. By doing so, it hinders victims from restoring their files via Shadow Copies. It achieves this by executing the following command:
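As an added example that is not part of the original article, the following Python script classifies a file listing into files already renamed to Locky's 32-character .locky form, files whose name or extension is on the list above, and everything else; the extension subset and the sample paths are constructed. The matcher is case-insensitive and handles the two-part .tar.bz2 suffix and the whole-filename wallet.dat entry that the list contains.

```python
import re
from typing import Dict, List

# Constructed subset of the extension list above (the full list is far longer),
# keeping the mixed case, the two-part ".tar.bz2" and the bare "wallet.dat".
TARGETED = {".docx", ".XLS", ".pdf", ".tar", ".tar.bz2", ".vmdk", ".key", "wallet.dat"}
_TARGETS = {t.lower() for t in TARGETED}

# Encrypted names: 32 hex characters ([unique_id][identifier]) then ".locky".
LOCKY_NAME_RE = re.compile(r"^[0-9a-f]{32}\.locky$", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_locky_encrypted(path: str) -> bool:
    """True only for the exact renamed form; "photo.locky" does not count."""
    return LOCKY_NAME_RE.match(_basename(path)) is not None

def is_targeted(path: str) -> bool:
    """True if Locky's list covers this file (matching is case-insensitive)."""
    name = _basename(path)
    if name in _TARGETS:            # whole-filename entry such as wallet.dat
        return True
    parts = name.split(".")
    # Longest suffix first, so "backup.tar.bz2" matches ".tar.bz2" even
    # though ".bz2" on its own is not in the list.
    for i in range(1, len(parts)):
        if "." + ".".join(parts[i:]) in _TARGETS:
            return True
    return False

def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Bucket paths into already-encrypted, at-risk and not-targeted files."""
    out: Dict[str, List[str]] = {"encrypted": [], "at_risk": [], "ignored": []}
    for p in paths:
        if is_locky_encrypted(p):
            out["encrypted"].append(p)
        elif is_targeted(p):
            out["at_risk"].append(p)
        else:
            out["ignored"].append(p)
    return out

SAMPLE_PATHS = [  # constructed listing; no real files involved
    r"C:\Users\alice\Documents\D41D8CD98F00B204E9800998ECF8427E.locky",
    r"C:\Users\alice\Documents\report.DOCX",
    r"C:\Users\alice\Desktop\backup.tar.bz2",
    r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat",
    r"C:\Users\alice\Pictures\photo.locky",   # wrong shape: not encrypted
    r"C:\Windows\System32\kernel32.dll",
]
```

Running triage(SAMPLE_PATHS) puts the hex-named file under "encrypted", the DOCX, the .tar.bz2 archive and wallet.dat under "at_risk", and the rest under "ignored".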
vssadmin.exe Delete Shadows /All /Quiet
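The two behaviours described above, an Office application launching a dropped executable from %Temp% and vssadmin deleting shadow copies, are what a defender would alert on; the following Python detection logic is an added example (not from the article) run over constructed process-creation events whose field names are an assumption modelled loosely on Sysmon/4688 records.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not from any real host). The
# field names "parent", "image" and "cmdline" are this example's own choice.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\ladybi.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\ladybi.exe"},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\ladybi.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"parent": r"C:\Windows\System32\services.exe",   # benign: only listing
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# The shadow-copy wipe shown in the article, tolerant of casing and extra
# spaces; "vssadmin List Shadows" must not match.
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
                           re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
        # Rule 1: an Office application starting an executable from %Temp%,
        # which is how the macro launches the dropped ladybi.exe.
        if basename(parent) in OFFICE_APPS and TEMP_DIR_RE.search(image):
            alerts.append(f"office-spawned-temp-exe: {basename(parent)} -> {image}")
        # Rule 2: shadow copies being deleted, whatever the parent process.
        if VSS_DELETE_RE.search(cmd):
            alerts.append(f"shadow-copy-deletion: {basename(parent)} -> {cmd}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```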
Besides, the ransomware changes the desktop wallpaper to a warning message and creates a file named _Locky_recover_instructions.txt, which tells victims that their files are encrypted and that they need to get the private key and decrypt program to decrypt their files. Note that the ransomware is capable of serving ransom notes in different languages, since it attacks not only computers located in English-speaking countries but also those in non-English-speaking countries. Here is an example of the ransom note:
When victims follow one of the links provided in the ransom note, they are taken to a Tor site that shows how to decrypt and regain control of all their encrypted files. As you can see in the screenshot below, the cyber hackers behind the Locky ransomware demand that victims buy a piece of software called Locky decrypter, which costs 0.5 Bitcoin (equivalent to $207.63), to decrypt their files. To make sure that every victim knows how to make the payment, the cyber hackers also give details on how to purchase Bitcoins. Once victims send 0.5 Bitcoin to the assigned Bitcoin address, they can refresh the page and download the decoder to decrypt their files.
How to Remove Locky Ransomware and Restore the Encrypted Files?
Dodi Glenn, vice president of cybersecurity at PC Pitstop, says, “Services like VirusTotal.com allow the hackers to upload newly created malware to see what any of the 54 different antivirus vendors say about the file. They will continue to tweak the file until no vendor detects it”. Being as smart as they are, the cyber hackers constantly change portions of the code to remain undetected. So, it is nearly impossible for victims to remove the ransomware, since traditional antivirus programs can’t detect and clean up this threat thoroughly. But this doesn’t mean that there is no hope of getting the encrypted files back. If you are one among the victims, you can try following the guide given below:
1. Remove Locky Ransomware.
Step 1: Boot the infected computer into Safe Mode.
For Windows 7:
Turn on or restart your PC.
When something appears on the screen but just before the Windows 7 splash screen shown below appears, keep pressing the F8 key.
Then the Advanced Boot Options menu will appear. Highlight Safe Mode and press the Enter key on your keyboard.
For Windows 8:
Press the Win + R keys at the same time, type “shutdown /r /o” into the box and then click OK.
The Windows 8 machine will start to reboot and go into the Choose an option screen. Then, click the Troubleshoot option.
Click Advanced option.
Click Startup Settings.
Click the Restart button.
The computer will restart itself and the Startup Settings screen will appear. Press the F4 key to select the Enable Safe Mode option.
Step 2: Download and install SpyHunter on the infected computer.
Once the computer has booted into Safe Mode, victims need to install a powerful malware removal tool to scan the computer system and detect and remove the malicious files of the ransomware. Here we recommend using SpyHunter.
What is SpyHunter?
SpyHunter is a powerful, real-time anti-malware program designed by Enigma Software Group. It offers real-time protection and creates a shield that deters all threats and attacks. In case this program can’t automatically remove a particular malware threat, users can use the Spyware HelpDesk feature to get help from SpyHunter’s support team, who will connect to the infected computer and manually fix the malware issues.
Use a healthy computer to download SpyHunter-installer.exe.
Copy the downloaded file to the infected computer. Then, double-click the downloaded file.
When a dialog box pops up as shown below, click the Run button.
Select the language and click OK button.
Click CONTINUE to proceed, and keep following the setup wizard to install SpyHunter.
Accept the licence agreement and click the INSTALL button.
Now you can see that SpyHunter is being installed on your PC. Please wait for a while.
Once SpyHunter is successfully installed, click the EXIT button.
Then, SpyHunter will run automatically and the main screen will look like the one below. Click the Scan Computer Now button to do a full system scan.
SpyHunter now will start scanning the whole system for any existing threats.
When the system scan finishes, the scan result will be shown in a list. To remove all detected threats, just click on the Fix Threats button.
If SpyHunter cannot be installed on the infected computer for some reason, try performing a System Restore.
2. Restore the Encrypted Files
Once Locky ransomware has been removed, you can try restoring the encrypted files with the methods below:
Method 1: Backups
If you have a backup of the important files, you can try restoring them with ease. Learn how to restore files from a backup.
Method 2: Use Data Recovery Software
Another method to restore your files is to use data recovery software. Here is a list of recommended data recovery software for you:
- Stellar Phoenix Photo Recovery
- Data Recovery Pro by Pareto Logic
- Stellar Phoenix Windows Data Recovery
- Stellar Phoenix Data Recovery Technicians License (Pro version with more features)
Method 3: Use Shadow Volume Copies
This method works only when the ransomware hasn’t deleted the Shadow Volume Copies on your PC. In theory, Locky ransomware deletes all Shadow Volume Copies, but you can still give it a try. See how to easily restore your deleted or modified files using Shadow Copies.
It should be pointed out that we cannot guarantee that the guide above will definitely get you out of trouble. After all, this Locky ransomware is designed by more experienced cyber hackers and is harder to remove. If the guide above doesn’t work, you may have to pay the ransom, after which you should be able to get your files back.
Last, here are some tips for you:
1. You should back up your personal files, such as pictures, music, and documents, regularly. You can set up automatic backups or manually back up your files at any time. In case these files are damaged, deleted or encrypted by malware, you can restore them easily.
Check these two articles:
2. You should prevent all Office macros except digitally signed ones from running. If cyber hackers send emails with a malicious Word document, the macro won’t run. More information is here.
3. You should use spam filters and avoid opening spam email attachments. Besides, you can try using Symantec Email Security.cloud to block email-borne threats.
4. You should safeguard your computer with a powerful anti-malware program, such as SpyHunter. This can decrease the risk of malware infection. You can download SpyHunter on your PC right now!
The following video offers a complete guide to Locky ransomware removal. You’d better watch it in full-screen mode!