Recently, an alert has been issued by the government regarding a new malware named Locky ransomware that locks computers and demands ransom to unlock them. So if you’re one of the users who is unfortunate enough to get infected by this ransomware, then read on.
What is Locky ransomware?
Locky ransomware is a dreadful data-encrypting and computer-locking parasite that has managed to proliferate and infected thousands of computers since its first appearance way back in the beginning of 2016 and now it has made a comeback. This ransomware has different variants such as the Locky, Osiris, Aesir, Bart and Zepto ransomware which all poses serious threats to the computer system since apart from corrupting files on the affected computer, it can also corrupt the files on unmapped network shares.
How does Locky ransomware execute its attack?
Once it has successfully infiltrated the computer system, this Trojan pest uses an embedded encryption key and then scans all the directories in the computer for certain file types and then encrypt them using both the RSA 2048 and AES 128 encryption algorithms that securely detains your files as hostages in exchange for a ransom. It appends the .locky file extension to all the compromised files making it harder for you to decrypt them. After that, it releases a ransom note in a text file named _Locky_recover_instructions.txt and saves it in every directory that has encrypted files. Here’s the full context of the ransom note:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
- Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
- After a successful installation, run the browser and wait for initialization.
- Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC64
- Follow the instructions on the site.
!!! Your personal identification ID: 07Bxxx75DC646805 !!!
After dropping the ransom notes, it changes the desktop background with a _Locky_recover_instructions.bmp that also displays the ransom message stated above. The .onion links that you can see on both the .bmp and .txt files will lead you to the Locky’s payment website which offers the Locky Decrypter for 0.5 to 1.0 Bitcoins that is approximately 300-600 USD. And if you think that you can just decrypt your files using their Shadow Volume copies, well that’s where you’re mistaken. Locky ransomware uses the function (vssadmin.exe Delete Shadows /All /Quiet) to delete the Shadow Volume copies of your files, making it almost impossible for you to recover them without having to use a decryption tool. Your only saving grace would be any data backup – that is, if you even created any. On top of that, as of now, malware researchers still cannot crack Locky’s source code to defeat this ransomware by creating a decryptor. And if you think paying the ransom is your only way to recover your files, well that’s exactly debatable for these crooks can’t be trusted and there is no guarantee that they’ll give you the decryptor once payment is made. So the best thing to do is to use backup copies of your files or to wait until a decryptor is made.
How does Locky ransomware distribute its malicious payload?
This malicious threat spreads using the good old spam email campaigns wherein it attaches a Microsoft Word document containing the following message:
Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
[Randomly generated name of the sender]”
This particular email is named as an invoice J-[8 random numbers].doc. Once you open it, the malware starts its attack immediately but it will depend if you’ve enabled the Macros function in your Microsoft Word. If you’ve enabled this function, then the malware will have its way to your computer and your files. If you haven’t enable this function, the document will display a distorted text and will ask you to enable Macros to view the document saying, “Enable macro is the data encoding is incorrect.” A piece of advice, do not follow that command and delete the email right away.
To get rid of Locky ransomware and its malicious components, carefully follow each step below.
Step 1: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Step 2: Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 3: After loading the Command Prompt type cd restore and hit Enter.
Step 4: After cd restore, type in rstrui.exe and hit Enter.
Step 5: A new window will appear, and then click Next.
Step 6: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the Locky Ransomware.
Step 7: A dialog box will appear, and then click Next.
Step 8: After the system restore process; download SpyRemover Pro to remove any remaining files or residues of the Locky ransomware.
Follow the continued advanced steps below to ensure the removal of the Locky ransomware:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.