
Sunday, May 24, 2015

How to Remove Locker Virus and Restore Encrypted Files

Locker is a file-encrypting ransom virus (ransomware) that encrypts your files using the RSA-2048 encryption algorithm so that they cannot be accessed or repaired without the unique encryption key. I've seen a few different versions of this ransomware so far: Locker v5.52, Locker v3.30, Locker v4.55, Locker v4.81 and Locker v2.60. Basically, it's the same ransomware only with different version numbers. I bet there are even more versions out there, but I'm not quite sure why cyber criminals decided to do this. Anyway, no matter which version you have installed on your computer, it's the same ransomware. It does encrypt your files; it's not a joke. If you don't have backups you might be in trouble. This vicious malware is most definitely something that you would be well advised to find out more about so that you are better able to protect yourself from an attack. It is also extremely useful to know why you shouldn't give in to the ransomware's demands and what to do if you have been infected.

Locker virus payment page:

It demands a payment of 0.1 BTC and gives information on how to buy Bitcoins. There's also a payment address, which is unique for every victim.

What does Locker ransomware do?

You have probably already guessed that the clue to how this ransomware works is in its name. Locker has been created to kidnap your files or data, freeze them and make them inaccessible or unusable. After doing this the program will show you an updated version of the old-fashioned ransom note, demanding that you pay 0.1 BTC (about $25) for your files to be released or unlocked. Once you've paid (which, by the way, you shouldn't – more of that in a minute) you will be sent a code that allows you to unlock your encrypted files. But when we say 'you will be sent' don't take that at face value, as many cyber criminals using Locker ransomware will not bother to send you anything, simply taking your money and disappearing, never to be heard from again. And don't think you'll be able to negotiate with them either – these types of people don't tend to have a customer care helpline.

And that's not all...

To make it more likely that you will pay, the criminals behind Locker turn the fear factor up to eleven. You're already wondering if you're ever going to see your files and the data they contain again, but to pile even more stress upon you, many of these so-called ransom notes will either tell you that they have been sent by a law enforcement agency, such as the FBI or CIA, or tell you that the unlock code will become invalid and your files destroyed if you don't pay by a certain date. In this case, cyber criminals give you 3 days to pay the ransom. The Locker ransom program says:

All your personal files on this computer are locked and encrypted by Locker [ver]. The encrypting has been done by professional software and your files such as: photos, videos, and cryptocurrency wallets are not damaged but just not readable for now. You can find the complete list with all your encrypted files in the files tab.

The encrypted files can only be unlocked by a unique 2048-bit RSA private key that is safely stored on our server till [date]. If the key is not obtained before that moment it will be destroyed and you will not be able to open your files ever again.

Obtaining your private unique key is easy and can be done clicking on the payment tab and pay a small amount of 0.1 BTC to the wallet address that was created for you. If the payment is confirmed the decryption key will be sent to your computer and the Locker software will automatically start the decrypting process. We have absolutely not interest in keeping your files encrypted forever.

You can still safely use your computer, no new files will be encrypted and no malware will be installed. When the files are encrypted Locker [ver] will automatically uninstall itself.

It's very similar to BitCryptor ransomware. It shows the time remaining, lists all the encrypted files and gives you a personal Bitcoin wallet address.

What do I do? Pay the fine and make the problem go away?

It's not a good idea, but if you really, really care about the files, you can pay the ransom, although there is no guarantee that you'll get the files back. Besides, by paying you'll be perpetuating cyber crime. Instead, follow the removal guide below on how to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom. Even though there's no guarantee that these tools will help you, there's also no reason not to try them out. Who knows, maybe you will be the lucky one. Good luck and be safe online!

Written by Michael Kaur,

IMPORTANT! Before running anti-malware software and trying to restore your files, COPY the encrypted files, your Bitcoin wallet address (see under the Payment tab) and the %PROGRAMDATA%\rkcl, %PROGRAMDATA%\tor, %PROGRAMDATA%\steg or %PROGRAMDATA%\Digger folder (with files) to an external hard drive, CD/DVD or a USB flash drive. You should have these in case you decide to pay the ransom or someone creates a decryption tool.
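
One way to carry out this copy step from a PowerShell prompt, as an added example that is not part of the original guide: it copies whichever of the four folders exist and writes a SHA-256 manifest so the copies can be verified later. The `$Destination` default (`E:\locker-evidence`), the `$WalletAddress` parameter and the output file names are assumptions, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original guide): preserve Locker artifacts before cleanup.
param(
    # Assumption: E:\ is your external drive; pass a different path if needed.
    [string]$Destination = 'E:\locker-evidence',
    # Optional: the Bitcoin address shown under the Payment tab.
    [string]$WalletAddress = ''
)

# Folder names listed in the guide; a given machine may have only some of them.
$folders = 'rkcl', 'tor', 'steg', 'Digger'

# Keep the copied folders apart from the notes and manifest written below.
$artifactDir = Join-Path $Destination 'ProgramData'
New-Item -ItemType Directory -Path $artifactDir -Force | Out-Null

foreach ($name in $folders) {
    $source = Join-Path $env:ProgramData $name
    if (Test-Path -LiteralPath $source -PathType Container) {
        # -Force overwrites an earlier copy if the script is run again.
        Copy-Item -LiteralPath $source -Destination $artifactDir -Recurse -Force
        Write-Output "copied: $source"
    } else {
        Write-Output "absent: $source"
    }
}

if ($WalletAddress) {
    $walletFile = Join-Path $Destination 'wallet-address.txt'
    Set-Content -LiteralPath $walletFile -Value $WalletAddress
}

# Hash every copied file (-Force includes hidden files) so the copy can be
# checked for integrity later. @() keeps the result an array even when empty.
$manifest = @(
    Get-ChildItem -LiteralPath $artifactDir -Recurse -File -Force |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
)
$manifestFile = Join-Path $Destination 'manifest.csv'
$manifest | Export-Csv -LiteralPath $manifestFile -NoTypeInformation
Write-Output ("hashed {0} file(s); manifest: {1}" -f $manifest.Count, $manifestFile)
```

The encrypted files themselves are not covered by this script and still need to be copied to the same drive.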

The ransomware is also known to disable certain system features like system restore, delete shadow copies, and prevent the uninstalling of software. This makes it incredibly difficult to remove it or roll back to solve the issue.

Step 1: Removing Locker and related malware:

Before restoring your files from shadow copies, make sure the Locker virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.

IMPORTANT! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. Also, try to disable bclock.exe using Process Explorer.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Locker virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Use Locker Unlocker decryption tool. This tool is designed to decrypt files encrypted by the Locker ransom virus.

Method 4: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool is available for Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.


Anonymous said...

What should I do if I deleted the program without copying it and the key? I tried to recover the virus with a few programs, but it didn't work. I lost some really important files... Do I need to get the virus again?

Anonymous said...

Holy hell, I woke up today to find this puppy nesting on my desktop. I'm just glad I only lost 1 important word document out of all the encrypted files, could've been worse. Honestly, a fresh Windows install is looking like the best option! On a side note though, watch out for any 3vasion jailbreaking software, I think that's where I picked it up.

Anonymous said...

The file recovery part was really useful. Thank you :)

Admin said...

@what should i do if i deleted the program without copying it and the key?

If the recovery part didn't help then I think the only thing you can do now is copy the encrypted files and wait for a decryption tool.

Fuldark Poulsen said...

Can I know where I possibly got this shit?! Cuz I know I didn't download nor install anything on my PC that day. It just suddenly popped up on my screen out of nowhere... It's annoying! Urgh, thank u! :)

Admin said...

@Fuldark Poulsen, this is probably exploit kit spread. Visiting an infected website or opening a malicious PDF file or some other document online is enough to infect your computer. You don't need to install or download anything.

Anonymous said...

I woke up to this on my computer this morning. Thankfully, I have all my files backed up. I am going to do a full reinstall as this is the second attack I've had lately. (The last one was a browser hijacker. It is unrelated to this.)

Anonymous said...

When I woke up this morning it was waiting on my desktop, this time it's v.4.61 and also asking for 0.1BTC - not willing to pay any amount of cash to these mofos...

Imma put my hopes on a decryption tool

Anonymous said...

I've actually been away from my pc for 1.5 days, with no problems while leaving. Just to come back, wiggle my mouse to exit my screensaver, and see this locker virus on my screen. So I haven't even opened anything or clicked on something. There wasn't any activity on the pc apart from it being turned on and logged in.

Marcel Todosia said...

I have this problem... but I don't want to pay anything... NOTHING... Can I just wait for the time (72 hours) to pass, and after that everything becomes normal?? I repeat, I don't want to pay anything/nothing... Please reply fast... :(

Agnel Nieves said...

There's no other way that I can recover my files?? I haven't done a backup in like forever... And I was working on a really important project... Lost all of it... I really need those files back. Is there some way I can decrypt them myself?

Anonymous said...

@Agnel Nieves, there is no way to recover files. I even hired a company to do it and they're still working on trying to get my files back. They said it's probably not likely. They saved them, just in case there is a way in the future. How long ago did you do a backup?

tudor demeter said...

Hey guys... This s**t appeared on ma laptop yesterday. I saw it would encrypt just photos and League of Legends, which is not that important to me. But I still want to keep those files on my PC :P... I want some answers today, please:
1. Are the programs that were shown to us safe and good?
2. Is there any chance to save my photos, copying them to a USB stick or to an external hard disk?
3. As Admin said, "this is probably exploit kit spread when visiting an infected website or opening a malicious PDF file or some other document online is enough to infect your computer". I visited a page to get a film and it showed me that the page I visited is not safe, and after 2 days this s**t appeared. Could it be because of that?
P.S. TY very much guys and sry for ma English, I'm from Romania. :))) Hope you answer me

Admin said...

@tudor demeter:

1. Yes, all the programs listed on this page are safe to use.

2. If your files are already encrypted then it won't change a thing. Of course, you can copy them to a USB stick and wait for a decryption tool to be made. But in general, creating backups is a good idea.

3. Yes, especially when you say that you got a warning about it. Definitely could have been a source of infection.

Anonymous said...

After the time is finished they raise the payment 1 bitcoin. Never going to pay it.

Admin said...

Updated the removal guide with the Locker Unlocker decryption tool which is designed to decrypt files encrypted by the Locker ransomware.

Dan Carter said...

Awesome. Thank you so very much. Using the bruteforce option I was able to retrieve the bitcoin address and decrypt all my files. Though I wouldn't have paid the ransom it was impossible for me to do so. I can't purchase bitcoins and have never done so in my life. Struggling in life at the moment after divorce and everything, I really can't afford much atm. I really cannot thank you enough for the Locker Unlocker decryption tool. Thank you so very much. It's very much appreciated. THANK YOU :)

Kifah Ismail said...

Hi Admin and Dan Carter,
Can you please explain to me how to unlock my files with the bruteforce option you are talking about?
Please tell me what to do step by step.
Thank you a lot

Admin said...

@Kifah Ismail, I'm pretty sure Dan used the decryption tool listed in Step 2, Method 3. Read the recovery part carefully and you will find a link to download the decryption tool.