Locky ransomware removal instructions. How to decrypt .Locky files

Locky is ransomware that has infected tens of thousands of computers around the world in the past few months. Its main method of penetration is macros in e-mail attachments. Once the user opens the attachment, the virus is downloaded and installed, and it begins to encrypt files. It encrypts files with almost every extension that can be found on the computer of an average user. After encryption, the virus changes each file name to an arbitrary unique combination of numbers and letters with the extension .locky (a new type of Locky virus that uses the extension .zepto appeared recently). The names are changed so that the user cannot identify the files. The encryption is performed using the asymmetric encryption algorithms RSA-2048 and AES-1024. To decrypt the files you need a secret key, which is stored in a database owned by the hackers. In fact, this key is the subject of the transaction. The ransom is 0.5 BTC (about $300 at current exchange rates).



How Locky Virus works

When the encryption process is finished, the virus makes itself seen. It creates a special instruction file in each folder containing encrypted data. This file is called "_HELP_instructions". It is a message that describes what happened to the data, contains links to information about the encryption algorithms used, and describes the actions the user must take to decrypt his files. Among other things, it states that the user needs to download the Tor browser, purchase Bitcoin, follow the link to the hackers' site, and make a payment there to get the decryption program. Locky is considered one of the most dangerous ransomware families because it removes shadow copies, leaving the user no chance to restore files other than paying the ransom. The only thing that helps to avoid the effects of the ransomware is a correct and timely backup stored on an external hard drive (one that wasn't connected to the PC at the time of infection).




The Internet is filled with ransomware that differs from Locky only in the text of its messages, the sum of the ransom and certain patterns of behavior. For example, the Cerber and Chainsaw viruses threaten to remove the files, or to double the ransom, if the user does not pay within the specified period. The differences may also be in the number of extensions subject to encryption and in the encryption algorithms used. Most viruses use the RSA and AES algorithms, as they are the most powerful of all available. However, their goals are always the same: enter the system, encrypt files and demand a ransom.

If you are faced with ransomware for which a decryptor has not yet been released, you should accept the loss of the files. We say so because you have no guarantee of data recovery even if you pay the ransom. Hackers do not want to make you their regular customer, and they do not care about your data or your opinion of them. The only thing they care about is money, and as soon as they receive it, they will immediately cease to be interested in you. Every time a user pays the ransom, hoping to recover his data, he only reinforces the hackers' belief that their actions bring great income and that they should continue. Therefore, we recommend that you keep the encrypted data until the hackers' database is compromised and a reliable decryption tool is created.

You can harm the hackers in only one way: do not fall for their bait. Hackers use such ways of infection as malicious e-mail attachments, fake software updates, fake anti-viruses and Trojan viruses. Be careful on the Internet, and promptly update your anti-virus. The best way to cope with ransomware is not to let it penetrate your PC.

Locky Virus removal

All experts in the field of IT security agree on one thing: pay only after you have tried all possible ways to get rid of the virus, and only if the encrypted information is really worth more than the amount you are required to pay. The only 100% efficient method to get rid of Locky Virus and restore the files at the same time is to back up your system. But in any case, you have to remove the virus before you back up the system, to ensure that your PC won't be at risk. This can be done in two ways: manual and automatic. Manual removal requires certain skills and experience, and if you are a practiced user, you will deal with it quickly. If it is too difficult for you, there is an automatic way: you only have to download anti-virus software that will remove Locky Virus from your PC. The tool we advise is called SpyHunter, and it will cope with Locky Virus and other malware that you can pick up on the Web. Download SpyHunter to remove the Locky virus in automatic mode.

Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode

Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok

Step 3. Remove Locky files

Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%

Step 4. Clean registry

  • Click Start
  • Type Regedit.exe and press Enter
  • Press Ctrl+F and search for "Locky"
  • Delete items found
  • On my computer there were the following registry keys:
    • HKU\S...1000\Software\Locky
    • HKU\S-...1000\Software\Locky\id
    • HKU\S-...1000\Software\Locky\pubkey
    • HKU\S-1000\Software\Locky\paytext
    • HKU\S-...1000\Software\Locky\completed
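
The checks from Steps 3 and 4, together with the file indicators described earlier (the .locky and .zepto extensions and the "_HELP_instructions" notes), can be collected in one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the original guide; the `$ScanRoot` and `$Days` parameters and the list of executable extensions are assumptions made for illustration.

```powershell
# Added example (not from the original guide): read-only Locky indicator triage.
# It only lists findings; nothing is deleted or changed.
param(
    [string]$ScanRoot = "$env:SystemDrive\Users",  # assumption: user data lives here
    [int]$Days = 30                                # assumption: look-back window for Step 3
)

# Step 4: look for a Software\Locky key in every user hive loaded under HKEY_USERS.
$regHits = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $keyPath = "$($hive.PSPath)\Software\Locky"
    if (Test-Path -LiteralPath $keyPath) {
        $key = Get-Item -LiteralPath $keyPath
        [pscustomobject]@{
            Hive    = $hive.PSChildName
            # The guide lists id, pubkey, paytext and completed under this key.
            Values  = $key.GetValueNames() -join ', '
            SubKeys = $key.GetSubKeyNames() -join ', '
        }
    }
}

# Step 3: recently written executables directly in %TEMP% and %ProgramData%.
# The extension list is an assumption; the guide only says "suspicious files".
$since = (Get-Date).AddDays(-$Days)
$dropCandidates = Get-ChildItem -LiteralPath $env:TEMP, $env:ProgramData -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in @('.exe', '.dll', '.scr')) -and ($_.LastWriteTime -ge $since) } |
    Select-Object FullName, Length, LastWriteTime

# Damage scope: files renamed to .locky/.zepto and the _HELP_instructions notes.
$files     = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($files | Where-Object { $_.Extension -in @('.locky', '.zepto') })
$notes     = @($files | Where-Object { $_.Name -like '_HELP_instructions*' })
$byFolder  = $encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

[pscustomobject]@{
    RegistryHits   = @($regHits).Count
    DropCandidates = @($dropCandidates).Count
    EncryptedFiles = $encrypted.Count
    RansomNotes    = $notes.Count
} | Format-List | Out-String
$regHits        | Format-Table -AutoSize | Out-String
$dropCandidates | Format-Table -AutoSize | Out-String
$byFolder       | Format-Table -AutoSize | Out-String
```

Run it from an elevated prompt. Only hives of users who are currently loaded appear under HKEY_USERS, so a profile that is not logged on has to be checked separately.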

How to decrypt your files

Unfortunately, there is only one way now: to restore your system to a previous checkpoint. But first, be sure to remove the malicious files! For this, follow the tutorial below.

Update: try the Recuva and ShadowExplorer programs; they can help to restore the files.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select checkpoint to restore




0 #2 julios 2018-03-01 02:49
Very good
0 #1 George 2017-03-29 12:04
But why not just install an Anti-Malware like MalwareFox and be done with it? It should make things much easier.
