What is L0cked ransomware? And how does it proliferate?
L0cked ransomware is a newly discovered file-encrypting virus set to encrypt files in an infected machine. This new ransomware threat is based on the open-source platform, HiddenTear. According to researchers, this crypto-malware was found spreading on the web at the end of March 2018 as a Trojan horse named “winlogon.exe” which is dispersed in spam emails. This isn’t so surprising since most ransomware developers utilize this kind of distribution technique in spreading their malicious payloads. These malware-laden emails are often disguised to look like they were sent by well-known companies to trick users into downloading the infected attachment in the email.
How does L0cked ransomware execute its attack?
Once winlogon.exe is executed in the targeted computer, it will download and install L0cked ransomware and connect to its remote Command and Control server. After it connects to its remote server, L0cked ransomware will download and create additional malicious files into the system to help the ransomware execute its attack. It also creates and modifies the Windows Registry so it can run on every system boot. It then begins the encryption process where it targets popular file types like images, videos, audio files, documents and more. L0cked ransomware uses a combination of encryption algorithms namely AES and RSA in locking the targeted files. Once the encryption is completed, it will change the desktop background and deliver its ransom note in a program window that contains the following message:
“What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking.
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that, the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.
How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click.
Please check the current price of Bitcoin and buy some bitcoins. For more information, click.
And send the correct amount to the address specified in this window.
After your payment, click. Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.
Contact
If you need our assistance, send a message by clicking.
We strongly recommend you do not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!ýýýý
Bitcoin Address 1LXhpinYWzF73hUyDvxApkChq2QfZhm6GA”
Refer to the removal instructions laid out below to terminate L0cked ransomware and its malicious components.
Step 1: The first thing you need to do is to eliminate the process of L0cked ransomware by opening the Task Manager – simply tap the Ctrl + Shift + Esc keys on your keyboard.
Step 2: After that, click the Processes tab and look for the malicious process named winlogon.exe and keep an eye on other suspicious process and them all.
Step 3: Now that the malicious process is eliminated, close the Task Manager.
Step 4: Next, tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step 5: Under the list of installed programs, look for L0cked ransomware or anything similar and then uninstall it.
Step 6: Then close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the following locations below and look for L0cked ransomware’s malicious components such as winlogon.exe and decryptor.exe.bin.exe.bin as well as other suspicious files it has created and downloaded into the system and then delete all of them.
- %TEMP%
- %WINDIR%\System32\Tasks
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Close the File Explorer.
Before you go on any further, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name], this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the following paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 12: Delete the registry keys and sub-keys created by L0cked ransomware.
Step12. Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if L0cked ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Once you’ve covered the first few steps given above, all that’s left for you to do is ensure the removal of L0cked ransomware by using a reliable program named [product-name].
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now”button.