A new crypto virus that appends the .lock extension has been spotted in the wild. It is a data locker ransomware that modifies the original code of target files and renders them inaccessible until a ransom fee is paid. Corrupted files receive long, messy new names ending with the malicious extension .lock. Security researchers have received samples from affected users and are now investigating the malware code. They have named the ransomware LockCrypt and believe that it may be decryptable. As soon as a free decryption tool is released, we will update this article with the good news. Meanwhile, all victims are advised to consider removing the .lock file virus from the infected host.
Skip all steps and download anti-malware tool that will safely scan and clean your PC.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Main Features of .Lock File Virus
The .lock file virus belongs to the ransomware type of malware. It blocks access to the victim’s data until a ransom is paid to the hackers. The infection begins once the file locker.exe runs on the computer. It may be dropped in one of the following Windows folders:
%AppData%
%Roaming%
%Temp%
%Local%
%LocalLow%
%User’s Profile%
%Windows%
The .lock file virus is believed to follow a regular ransomware pattern that begins with a system scan for all file types set as targets in the malicious code. These files may be documents, videos, photos, databases, audio files, and archives. After encrypting them with a strong algorithm, the LockCrypt ransomware renames the corrupted files with a long string of random characters and the extension .lock at the end. In a forum post, the security researcher Michael Gillespie explains that the LockCrypt ransomware virus follows the pattern
In addition, the .lock crypto virus can modify Windows registry values to establish a persistent presence on the infected host. By changing or adding values under the Run and RunOnce keys, the malware sets all infection files to load automatically. The following keys may be affected by the .lock file virus:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows registry modifications also allow LockCrypt to display its ransom note when the encryption is done. The ransom message is dropped on the system under the name ReadMe.TxT and it reads the following:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or [email protected]
Write this ID in the title of your message
In case of no answer in 24 hours write us to theese e-mails: [email protected] or [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
(databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Your ID [redacted]
e removal guide below.
The Shadow Explorer and File History methods may be ineffective because the .lock file virus may be designed to start Command Prompt and run the command vssadmin.exe delete shadows /all /Quiet. This removes all shadow volume copies of files created on the system and thus prevents data recovery via the two methods stated above.
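The shadow copy deletion described above is something defenders can look for in process-creation records. The following PowerShell is an added example, not part of the original guide or of any vendor tool; the function name Test-ShadowCopyDeletion and the sample records are constructed for illustration.

```powershell
# Added example: flag shadow-copy deletion in recorded process command lines.
function Test-ShadowCopyDeletion {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Strip quotes and collapse whitespace, then match
    # "vssadmin[.exe] delete shadows" regardless of letter case or path prefix.
    $normalized = ($CommandLine -replace '"', '') -replace '\s+', ' '
    return $normalized -match '(^|[\\/ ])vssadmin(\.exe)?\s+delete\s+shadows\b'
}

# Constructed sample records (not taken from a real incident).
$events = @(
    [pscustomobject]@{ Time = '10:02:11'; Parent = 'locker.exe'
        CommandLine = 'cmd.exe /c vssadmin.exe delete shadows /all /Quiet' }
    [pscustomobject]@{ Time = '10:02:12'; Parent = 'cmd.exe'
        CommandLine = '"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = '10:05:40'; Parent = 'powershell.exe'
        CommandLine = 'vssadmin.exe list shadows' }          # benign: only lists copies
    [pscustomobject]@{ Time = '10:06:03'; Parent = 'userinit.exe'
        CommandLine = 'C:\Windows\explorer.exe' }            # benign
)

# Keep only the matching records and note which switches were used.
$hits = $events |
    Where-Object { Test-ShadowCopyDeletion -CommandLine $_.CommandLine } |
    Select-Object Time, Parent, CommandLine,
        @{ Name = 'AllCopies'; Expression = { $_.CommandLine -match '/all\b' } },
        @{ Name = 'Quiet';     Expression = { $_.CommandLine -match '/quiet\b' } }

$hits | Format-Table -AutoSize -Wrap

# On a cleaned host, "vssadmin list shadows" (run elevated) shows whether any
# shadow copies survived and Shadow Explorer is still worth trying.
```

On a live system the command lines would come from process-creation logging, for example Security event ID 4688 with command-line auditing enabled, instead of the constructed array.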
How the Distribution of LockCrypt Ransomware Virus Happens
Generally, cyber criminals choose to use email campaigns to attack individual and business computer users. For this purpose, they craft email templates that trick users into downloading and opening an attached file or clicking a malicious link presented in the text. As they usually pose as legitimate institutions like banks, electricity providers, government bodies, internet providers, etc., the file attachment may be presented as an invoice, a bank statement, a bill, an offer or a tax obligation. When a link delivers the .lock file virus payload, its landing webpage may contain an injected malicious script that causes the file to download unnoticed.
How can you make sure an email attachment or a link is malware-free before you open it? One way is to upload the suspicious objects to online virus scanning services like VirusTotal and ZipeZip. Another way is to scan suspicious files with an up-to-date anti-malware tool installed on the computer before opening them.
Remove .Lock File Virus and Restore Data
WARNING! Manual removal of .lock file virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.
.Lock File Virus – Manual Removal Steps
Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they can be removed efficiently. The steps below are applicable to all Windows versions.
1. Hit the WIN Key + R
2. A Run window will appear. In it, write msconfig and then press Enter
3. A Configuration box will appear. In it, choose the tab named Boot
4. Mark Safe Boot option and then go to Network under it to tick it too
5. Apply -> OK
Show Hidden Files
Some ransomware threats are designed to hide their malicious files in Windows, so all files stored on the system should be made visible.
1. Open My Computer/This PC
2. Windows 7
– Click on Organize button
– Select Folder and search options
– Select the View tab
– Go under Hidden files and folders and mark Show hidden files and folders option
3. Windows 8/ 10
– Open View tab
– Mark Hidden items option
4. Click Apply and then OK button
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Go to the Processes tab
3. When you find a suspicious process, right click on it and select Open File Location
4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process
5. Next, go to the folder where the malicious file is located and delete it
Repair Windows Registry
1. Press the WIN Key + R key combination again
2. In the box, write regedit and hit Enter
3. Press CTRL + F and then write the malicious name in the search field to locate the malicious executable
4. If you discover registry keys and values related to the name, delete them, but be careful not to delete legitimate keys
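Before deleting anything in regedit, the Run and RunOnce keys named earlier can be listed and triaged from PowerShell. This is an added example, not part of the original guide; the helper names Get-CommandTarget and Get-AutostartFlags are hypothetical, and the environment variables used for the drop folders are an assumption standing in for the folder list given above.

```powershell
# Added example: read-only audit of the Run/RunOnce keys named in this guide.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: these variables stand in for the user-writable drop folders
# the guide lists (%Temp%, %AppData%, %Local%, the user's profile).
$writableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-CommandTarget {
    param([string]$Command)
    # Executable path of an autostart command: quoted path, else text up to
    # the first ".exe", else the first whitespace-delimited token.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutostartFlags {
    param([string]$Command)
    $target = Get-CommandTarget -Command $Command
    $flags = @()
    if ($target -match '(^|\\)locker\.exe$') { $flags += 'file name locker.exe' }
    foreach ($root in $writableRoots) {
        if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += "runs from user-writable folder $root"
            break
        }
    }
    return ($flags -join '; ')
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command
            Flags = Get-AutostartFlags -Command $command
        }
    }
}
# Flagged entries first; nothing is modified or deleted.
$report | Sort-Object { -not $_.Flags } | Format-List
```

A flag is a reason to inspect the entry, not proof of infection: some legitimate software also starts from the user profile, so confirm the target file before removing the value.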
Recover .lock Files
WARNING! All files and objects associated with the .lock file virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt the restored files. Furthermore, keeping a backup of all encrypted files on external media is highly recommended.
1. Use present backups
2. Use professional data recovery software
Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3. Using System Restore Point
– Hit WIN Key
– Select “Open System Restore” and follow the steps
4. Restore your personal files using File History
– Hit WIN Key
– Type restore your files in the search box
– Select Restore your files with File History
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button