How to Remove Locky virus and restore .Locky files.

What is the Locky Ransomware virus?

Locky virus is a dangerous malware program that infects Windows based computers, encrypts user’s files with strong RSA-2048 encryption, changes the original filenames and adds the extension “.locky” to the end of each infected file. 

After infection, LOCKY Ransomawre, displays the following information message to the user: “All your files are encrypted with RSA-2048 and AES-128 ciphers.  Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.” In fact the message demands from the user to pay a ransom in Bit Coins, in order to get a decryption program and decrypt the LOCKY’s encrypted files. The payment process is performed using TOR Internet browser, so is difficult to identify and catch the criminals.

Locky virus can infect your computer as well all the connected and unmapped network drives, commonly after you have opened an e-mail, containing a Word attachment (usually named “Your Invoice.doc” or similar), which contains dangerous code (Macros). When you try to open the infected Word document,  Word advises you to enable Macros and from the moment you make it, the Locky virus runs on the background and starts to infect your files.

When the Locky infection process ends, you will realize that all your file names have changed and there is an extension .locky at the end of the name of each file.  During infection, LOCKY virus also drops a “_HELP_instructions” file to every infected folder, with the instructions to pay the ransom.

In this article you can find detailed instructions on how to remove the LOCKY Ransomware virus and to restore the encrypted files.

How to decrypt .LOCKY files?

Locky virus has two (2) know versions:

1. The first version of Locky virus completely changes the name of your files with a random filename (and adds the extension “.locky” to each infected file). In this version of LOCKY the decryption of your files is impossible (at this time) and the only way to get your files back are the following:

1. To copy your files back from a clean backup.
2. To restore the encrypted files by using Shadow copies, or even better with the Shadow Explorer utility, if you are too lucky and the virus doesn’t have deleted the Shadow Volume copies yet.
3. To use the Recuva recovery (undelete) utility and search for deleted files.

2. The second version of Locky virus, is know as AutoLocky. AutoLocky doesn’t renames the original files, but –only- adds the .locky  extension to each infected file. If you are infected with Autolocky, then you have the following options to get your files back:

1. To use the AutoLocky decrypter tool provided by Emsisoft, to decrypt .locky files.
2. To copy your files back from a clean backup.
3. To restore the encrypted files by using Shadow copies, or even better with the Shadow Explorer utility, if you are too lucky and the virus doesn’t have deleted the Shadow Volume copies yet.
4. To use the Recuva recovery (undelete) utility and search for deleted files.

How to remove the LOCKY Ransomware Virus?

Step 1. Start your computer in Safe Mode with Networking.

First of all you have to boot your computer into safe mode to prevent Locky virus from running. To do that:

• Windows 7, Vista & XP:
  • Restart your computer and hit the “F8” key while your computer is starting up (before the appearance of Windows Logo).
  • When “Advanced options” menu appears on your screen, navigate to “Safe Mode With Networking” option (using your keyboard arrow keys) option and hit Enter.

• Windows 10, & Windows 8, 8.1:
  • Press “Windows” + “R” keys to open the RUN window.
  • Type msconfig & press OK.

• Click the Boot tab.
• Select the Safe Boot & Network options & click OK.

• Restart your computer.

Step 2: Remove Locky infection with MalwareBytes Anti-Malware.

• Download and install Malwarebytes Anti-Malware Free. *

* Beware: at the last screen of installation, uncheck the box next to “Enable free Trial of Malwarebytes Anti-Malware PRO” in order to use the free version of this GREAT software.

• Run Malwarebytes Anti-Malware.
• Update the Database.
• Press the Scan Now button and then wait until the scan process is finished.

• When the scan is completed select all items found and then press Quarantine All.

• Restart your computer if needed and you ‘re done.

Step 3. Scan your system with Eset Online Scanner.

1. Run Eset Online Scanner. If you use a browser other than Internet Explorer click to download (& run) the Eset Smart Installer. (esetsmartinstaller_enu)

2.  Accept the license terms and click Start.

3. Wait from ESET Online Scanner to download required components and then:

a. Check the Enable detection of potentially unwanted applications.

b. Check all the options under “advanced settings”. (see screenshot below).

c. Press the Start button to scan and remove viruses and malware programs from your computer.

4. Be patient until the ESET online scanner removes all threats found.

Step 4. Remove .locky files.

After Malware removal perform a search on your computer for *.locky files and then delete all files found. Also search and delete all the “HELP_instructions” files.

That’s all folks! Did it work for you?

Please leave a comment in the comment section below or even better: like and share this blog post in the social networks to help spread the word about these really annoying crap Windows infections.

If this article was useful for you, please consider supporting us by making a donation. Even $1 can a make a huge difference for us.