Locky Virus

This page aims to help you remove the Locky Virus ransomware. These Locky ransomware removal instructions work for all versions of Windows. We were recently asked in our readers’ comments how to restore “locky datei”, and we feel we should help users understand how to do it. To restore “locky datei” you will likely have to revert to a date before the ransomware infected your PC. It may be very hard to do so, however, as the virus will undoubtedly try to hinder the process and may even succeed. This ransomware uses a different encryption method from most of its peers – AES-128 military-grade encryption. Locky has undoubtedly achieved all-star status in the ranks of Zeus Virus Detected. AES-128 encryption is a step up for the creators of crime software, as it has previously not been exploited in such a way. Considering that the targets of this scam are predominantly German citizens, it is likely you will have your hands quite full. The _Locky_recover_instructions.txt ransom note is practically identical to a lot of others out there, so this is a general shoutout: DO NOT PAY UP!

There are several reasons for this, the most notable of which are:

  1. If you pay, you will have to log in with accounts that may already be exposed. If they have not already been stolen, you risk revealing them to people who are already monitoring you via a Trojan.
  2. By paying up you may or may not recover your files – but every time someone pays the ransom, the criminals grow stronger. They develop their software even more and people like you suffer.
  3. There is really no reason for them not to give you your files back – but at the same time, there is always the chance you will pay but the files are not released and you will continue to search for a “locky datei” solution.

If your files have already been encrypted by Locky Virus, then you are in some serious trouble. Don’t panic though – we’ll try our best to help you with this article. What you are facing is a very dangerous virus of the ransomware type. These viruses have gained a lot of notoriety because they encrypt your files and make them unusable, and the encryption is not reversed if you delete the virus. This gives the hackers a lot of leverage that they will undoubtedly use to blackmail you for a ransom, if they haven’t already. You will need to learn some more basic info on ransomware viruses before you can deal with fichier locky effectively, so please keep reading. This will also shed light on how to perform a “locky datei” recovery and how to avoid getting a locky recover instructions ransom note.

Locky Virus – first stage

When your computer was first infected with the ransomware, it began encrypting your files. Depending on the size of your HDD and how much data you had, the process could have taken a couple of hours or even days. The virus remains out of sight during this, but you may have spotted signs of its presence – your PC performing more poorly than usual, programs taking ages to load. Encryption is a memory- and CPU-intensive process and takes a toll on your system resources – in the future, if your computer is working poorly, open the Task Manager and look at what’s eating the resources. Ransomware viruses usually try to pose as Windows programs and services, so if you see two of those with the same name and one of them is taking a lot of CPU power, you’ll have your culprit – immediately shut down the process and delete all associated files or, better yet, pull the plug on your PC and find an expert.
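The Task Manager check described above can be made more precise by looking at where a process runs from, since several legitimate processes (svchost.exe in particular) normally share one name. The PowerShell script below is an added example, not part of the original article; the watch list of process names is an assumption and can be extended.

```powershell
# Added example, not from the original article. Lists processes that use the
# name of a core Windows binary and reports where each one actually runs from.
# Several svchost.exe instances are normal; the location is what matters.

# Folders where the watched binaries legitimately live.
$systemDirs = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Illustrative watch list (an assumption of this example); extend as needed.
$watchNames = @('svchost.exe', 'lsass.exe', 'services.exe', 'csrss.exe',
                'winlogon.exe', 'smss.exe', 'explorer.exe', 'taskhost.exe')

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    if ($watchNames -notcontains $p.Name.ToLowerInvariant()) { continue }

    if (-not $p.ExecutablePath) {
        # Protected system processes hide their path from non-elevated shells.
        $verdict = 'path unavailable (re-run elevated)'
    } elseif ($systemDirs -contains (Split-Path -Parent $p.ExecutablePath).ToLowerInvariant()) {
        $verdict = 'expected location'
    } else {
        $verdict = 'UNEXPECTED LOCATION'
    }

    [pscustomobject]@{
        Name       = $p.Name
        PID        = $p.ProcessId
        ParentPID  = $p.ParentProcessId
        # Kernel and user times are reported in 100-nanosecond units.
        CpuSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
        Verdict    = $verdict
        Path       = $p.ExecutablePath
    }
}

# Unexpected locations first, then highest CPU time within each group.
$report | Sort-Object -Property Verdict, CpuSeconds -Descending |
    Format-Table -AutoSize
```

A row marked UNEXPECTED LOCATION is a lead to investigate, not proof of infection; run the script from an elevated PowerShell window so that paths are not hidden.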

Locky Virus – reveal

If your files have already been encrypted, then you have probably already seen the ransom note generated by the virus. It probably has some kind of timer to put pressure on you, and it demands that the payment be made in BitCoins. The criminals are now hoping that the shock will push you over the edge and you’ll pay them the ransom. Well… that’s really not a good idea, for a couple of reasons.

  1. Paying money to cyber criminals only encourages them to get better at their craft and extort even more people.
  2. You are not guaranteed in any way that your files will be decrypted successfully if you make the payment.
  3. There is absolutely no reason to pay until you’ve tried all the free methods first.

The methods we’ve provided in our guide do not guarantee recovery of all files, but they are an excellent start. Paying the ransom should only ever be considered if all other options are exhausted and the encrypted documents are worth much more than the ransom money.

There is a good chance you have a Trojan horse in your computer

While it is certainly possible that you unknowingly installed Locky Virus on your own computer, chances are that a Trojan horse actually did it. Trojan horse viruses are the preferred method of spreading ransomware – they are very subtle, not all anti-malware programs can detect them, and they can remain on an infected computer for a really long time. Trojan horse viruses that deliver ransomware are also known as “droppers”, and you should make sure that you don’t have one of these installed on your computer from adware or a browser hijacker like my quick converter. It can always download new ransomware if left alone. Unfortunately, such a search is next to impossible to perform manually – you’ll have to trust an anti-virus or an anti-malware program with it. If you don’t have one, or if the one you have failed you with the ransomware, feel free to check out our recommendation by clicking on one of the banners on this page.

SUMMARY:

Name .Locky
Type Ransomware

Remove Locky Virus

You are dealing with a ransomware infection that can restore itself unless you remove its core files. We are sending you to another page with a removal guide that gets regularly updated. It covers in-depth instructions on how to:
1. Locate and scan malicious processes in your task manager.
2. Identify in your Control panel any programs installed with the malware, and how to remove them. Search Marquis is a high-profile hijacker that gets installed with a lot of malware.
3. Decrypt and recover your encrypted files (if it is currently possible).
You can find the removal guide here.


About the author

Violet George

Violet is an active writer with a passion for all things cyber security. She enjoys helping victims of computer virus infections remove them and successfully deal with the aftermath of the attacks. But most importantly, Violet makes it her priority to spend time educating people on privacy issues and maintaining the safety of their computers. It is her firm belief that by spreading this information, she can empower web users to effectively protect their personal data and their devices from hackers and cybercriminals.

91 Comments

  • Are there any people who have proof that this worked?
    We also had not only the encrypting virus, they also had a password stealer in it. :/

    • Hello Shirui,

      Ransomware is often spread by different people who work as “affiliates”. That’s why we recommend everyone to scan their computers for more viruses, because you never know what else you might have been infected with.

  • Tried the above and it can’t seem to fix an infected PC. Had Malwarebytes on it but am unable to upgrade or anything to even resolve this.

    • Hi Eddie,

      What do you mean by fix? Removing Locky is not that difficult, but your files will not be restored if you do it. If you have other problems it is likely due to a different virus that was installed alongside the ransomware.

      Can you tell me what other symptoms you are experiencing?

      • Okay, I did manage to remove Locky. But the files are stuck as such. Does that mean there is no way to recover the files? Cause it covers every single document within the PC.

      • Hi, it seems my previous comment was not approved. So there is no other way to restore the files affected by Locky even after removing it?

        Thank you.

        • Hi Eddie,

          I am sorry for deleting them, I was under the impression you had it under control. Unfortunately there is nothing else you can do at this point – if system restore and Shadow Clone weren’t able to help. Did you try these already?

  • Hi Peter,

    We are very glad you were able to recover your files – Locky can be really nasty to get rid of. We’ll take your Recuva input and add it to our guide.

    • Hi,

      I would also like to know how we remove the Locky virus and recover the infected files. It spread when one of the users opened a Word file that was attached to an email, and it has taken down our shared drive; all files on the shared drives are encrypted. As mentioned above, I have downloaded RECUVA – I need to know and understand the further process.

      I will be glad to receive your guidance & help to recover back encrypted files. You can send me the details on my email or you can share the process/steps for recovery.

      Awaiting your revert

      Regards,

      Malav Joshi

      • Hi Malav,

        There is nothing overly complicated when using Recuva. You just start it, let it do a deep scan and then try to recover any file it finds. Do this first yourself and ask me if you have any problems.

  • Hello,

    To circumvent that restriction you need to go to the program you are using to edit the hosts file.

    Press the Windows button, write Wordpad/Notepad and right click on the program -> open as administrator.

    Now when the program starts click open, navigate to the Hosts file in C:\Windows\System32\drivers\etc and open it. You should now be able to edit it.

    This should help. Let me know how it goes.

  • Hi Adam

    Yes, if you have set up a backup you can restore your files with the first method.

    If you haven’t set up a backup, Recuva (2nd method) might be able to help you.

    Let me know if you got any problems.

    • Hi Neil.

      Yes, that should be sufficient. Hopefully you have a backup restore point to do it – not many people actually have it.

      Please let me know how it goes.

  • Hi,
    My PC also got the Locky virus and the above image 2 (Important Information !!!!) is on my desktop background. Many files on my PC are affected. Please help.

  • Hi Raj

    Try the things listed in the removal guide first. Then let me know if you still have problems.

  • Anyway, do not throw away encrypted files, but store them in a safe place. The lack of an immediate solution does not imply that one cannot be discovered in the next months.

    • Hi Fred,

      You are pretty much correct, although new ransomware encryption algorithms are pretty hard to beat.

  • Hello, I was infected with the Locky virus on Feb 24. I have completed the steps above and got to the point to do a System Restore. Only to find out the System Restore was turned off!! This is not something that I would turn off myself. How could this have been turned off if I didn’t physically turn it off?? Has anyone had luck with recovering their files when using the Recuva program?
    I am worried if I keep trying new things to recover the files that I am doing more damage and will diminish my chances of ever recovering the files.

    • Hi Wendy,

      Unfortunately Windows has started turning off this feature by default. It is believed it reduces SSD life (if you have one).

      There are several programs like Recuva and they all operate on the same principle. If Recuva doesn’t work chances are similar programs won’t work as well.

      Let me know if you have any luck.

  • Hi Sarah,

    Well congratulations, you’ve been very lucky if you managed to recover everything.

  • Hi, my system is also infected with the Locky virus. After that I formatted the C drive. Is it okay if I still follow the mentioned steps, or are some changes required?

    • Hi Shweta.

      Do you have other unformatted drives that were targeted by the virus? You don’t have to worry about C any more.

  • Hi again,

    .cerber is not Locky, but they work in the same way basically. Formatting is a radical decision as it deletes everything, but it also fixes everything, so it’s OK.

    If you have other unformatted drives worry about them. The virus can also hide in any USB drives that were connected to the PC, so format those as well.

      • Hi again,

        Are files on those drives infected as well? If they are try using Recuva (details in the removal guide) to recover them.

        • Hi,
          Thanks for the support.
          Yes, all files in the D, E and F drives are infected. I tried Recuva, but couldn’t recover the data. Presently there is no virus in the system; my only concern is that all my data is lost. Also, I am not able to recover using a system restore point as I formatted the C drive.

          • Hi,

            If you’ve formatted the drive nothing can be done. This is also the reason why Recuva can’t restore anything. Sorry 🙁

        • Hi,
          I tried again to restore a previous version by using Shadow Explorer and am still not able to recover data.

          • Hi,

            Check my other reply. If you formatted the Drive nothing will help you.

  • Hi again,

    Sorry for the delay, you can try using the Recuva/Shadow explorer program to recover your data. Check out at the bottom of the removal guide.

  • Hi, I was infected with this rather nasty trojan yesterday. All our files were encrypted; luckily we managed to remove sensitive data as soon as we saw the encryption taking place. Tried all the methods at the top, still the virus is detected in the system. Also tried to manually remove it through Windows and restored the system, but no luck. Currently working on recovering the files by using Recuva. Fingers crossed.

  • Hi Rhiannon,

    Don’t be hesitant to delete anything related to Locky. If it prevents you from deleting it make sure you loaded your PC in safe mode (step 1).

  • Hi James, unfortunately sometimes paying is the only solution, especially when it comes to a lot of valuable data. Warn your clients to purchase an anti-virus and/or back up their files. A yearly fee for a backup service costs less than the ransom they just paid and it will also protect against HDD failure and other misfortunes.

  • Hi John,

    Windows XP is considered outdated for a reason – the shadow clone files (used to recover these files) were implemented in Vista and all subsequent Windows versions. Unfortunately there isn’t anything you can do for your files except paying the money they ask for.

  • Hi Vinny, you shouldn’t be seeing locky files in Recuva – those files are encrypted too. It appears that the virus has gotten smarter and is overwriting its own files in order to make the original files disappear completely. Unfortunately there isn’t anything more we can do to help at this point.

  • I used SHADOWEXPLORER on a Windows 10 device and recovered 99% of the files locked by LOCKY. Great tool!

  • yes,I have other ips:

    127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com

    127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com

    127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com

    127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com

    127.0.0.1 http://www.adobeereg.com wwis-dubc1-vip60.adobe.com http://www.wip.adobe.com http://www.wip1.adobe.com

    127.0.0.1 http://www.wip2.adobe.com http://www.wip3.adobe.com http://www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

    this.. Please help

    • Hi tanya,

      These are legitimate IPs created by some of your Adobe software products such as adobe readers. You don’t need to delete those.

  • Hello,

    The ransomware shouldn’t be able to do anything to your drive physically. Perhaps it was another problem that caused this. Hope everything is OK for you. When you get the replacement it would be a good idea to install some security software – ransomware can infect even very careful people when they are distracted.

  • Hi there, it largely depends on what set of permissions is assigned to the normal account. A restrictive set may block the installation of the ransomware in the first place, but it may also interfere with the working process of the people in the office. I don’t know the nature of your work, so I can’t give better advice.

  • Hi Malav, currently there doesn’t exist any program that can directly decrypt the files from this virus.

  • Hi Kelly, unfortunately I don’t think you can change the time point, but you can get more accurate information if you ask the people that created Shadow Explorer. Glad you could get rid of the virus.

  • Hello, you can also try the Shadow Explorer program, sometimes it works when Recuva won’t.

    Unfortunately you don’t have many options on this one – that’s what makes the virus so dangerous.

  • Hi Henrik,

    No, this address is part of your LAN network. I have no idea what’s linked to it, but it’s not a foreign hacker.

  • Hi Suzy, first try recovering the files using Recuva/Shadow Explorer.

    After you manage to recover everything the best solution remains to just format the whole HDD and reinstall Windows. The anti-virus should have dealt with the ransomware, but one can never be too careful…

  • Hi Beth, there is not a clear cut guide for this. Anything with unknown manufacturer that also uses a lot of CPU/RAM.

    If the virus already revealed itself it’s probably too late anyway.

    • We’re going to do a system restore to save what we can, but I thought we had to remove the virus as well, or would the restore do that?

      • Hi Beth, using the backup system restore point will also remove the virus, provided the restore point was created before the infection occurred.

  • Hi Jaypee, unfortunately not much can be done. Sometimes the virus purposefully rewrites the files multiple times so they become unrecoverable.

    • Hi Sir, are we going to use Recuva even if we haven’t reformatted the computer yet?

      thanks in advance sir.

      • Hi Jake, Recuva won’t do anything if you format first. Save what files you can, then do the format.

  • Hi there, .xlsx is the normal format for Excel. Either the files are corrupted or there is a problem with your Excel and you need to re-install it.

      • It’s possible, files can become corrupted over time, especially if a lot of other files were overwritten on top.

  • Hi Beatrice, if you are writing from the infected computer press Ctrl+Alt+Del and sort the processes by CPU/RAM consumption. Anything that uses a lot of these and looks like a Windows process (Svc.host or similar) or like a random process is probably the virus!

    Files that have their original formatting are not affected. Quickly copy everything you need (that is not encrypted) on the portable drive. Download SpyHunter from our site and scan for Locky. If you find and remove it – all is good. If you don’t, I recommend that you format the PC and reinstall Windows. If the virus lies dormant and inactive SpyHunter probably won’t be able to find it and you’ll be sitting on a landmine waiting to explode.

  • Hi
    The Locky virus has also bugged my computer. I’m not that stupid to open a suspicious email; somebody else did.
    Now he knew that I don’t have any image or backup point, no backup at all.
    I’m using Windows 8.1.
    I just want to recover my files.
    It has very precious documents.
    Can I do that after removing the virus?
    Or can I still do that with software like Recuva?
    I tried Recuva but it still recovers the locky files even after checking the deep scan.
    Need help? Really….

    • Hi Kanav, yeah that’s unfortunate, especially if someone else used your computer.
      You can also try the Shadow Explorer program, but I doubt it will be effective. Seems like Locky has overwritten your files in order to make them unrecoverable.

  • No, unfortunately it is not possible 🙁 Just recover the files you can. The decryption process doesn’t work like how you think it does. Think of it as a cipher – the rules of what is what have to be understood in order to break it. Scientists are working on decrypting locky, but how long will that take? No one can tell you.
    I suggest, you get rid of the virus if it remains on your PC, recover however many files you can, then wipe your Windows and start anew. And don’t buy the locky decryptor – we’ve had many reports that it simply doesn’t work. The criminals just try to scam you again.

  • Unfortunately there is little advice I can give you :(. Believe me, if there was a better way, I’d instantly update the post with it. Recover the files you can, swallow the loss, wipe your Windows copy clean, and move on. You may want to check out some good anti-malware programs and choose one.
    DO NOT PAY THE RANSOM. Not only will this help the crooks create a stronger version, but there are many accounts by users that their files were not returned, especially by locky.

  • Hi Astrit, I will actually recommend that you do a system format. There is a good chance you have a Trojan Horse lurking on your PC if Locky was already installed.

    With that said you can open the command prompt and do the following commands:
    C:
    cd \
    del /s /q /f *.locky

    BE WARNED! This is risky, since this command will delete all files that end with .locky on your C: drive!
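Another commenter above advises keeping encrypted files in a safe place rather than throwing them away. The PowerShell script below is an added example (not part of the original comment or of the site's guide) that takes that non-destructive route instead of del: it inventories every .locky file and, only when run with -Move, relocates the files to a quarantine folder. The parameter names and the D:\locky-quarantine path are assumptions of this example; save it as a .ps1 file and adjust them before running.

```powershell
# Added example, not from the original page. Inventories Locky-encrypted files
# and, with -Move, relocates them to a quarantine folder instead of deleting them.
param(
    [string]$Root       = 'C:\',
    [string]$Quarantine = 'D:\locky-quarantine',  # assumed path; use a drive with free space
    [switch]$Move                                 # without -Move the script only reports
)

$scan = @{ Path = $Root; Recurse = $true; File = $true; Force = $true; ErrorAction = 'SilentlyContinue' }

# Encrypted files carry the .locky extension. Skip anything already quarantined.
$encrypted = @(Get-ChildItem @scan -Filter '*.locky' | Where-Object {
    $_.Extension -eq '.locky' -and
    -not $_.FullName.StartsWith($Quarantine, [StringComparison]::OrdinalIgnoreCase)
})
# Ransom note file name as given in the article.
$notes = @(Get-ChildItem @scan -Filter '_Locky_recover_instructions.txt')

if ($encrypted.Count -eq 0) {
    'No .locky files found under {0}' -f $Root
    return
}

$sizeMB = ($encrypted | Measure-Object -Property Length -Sum).Sum / 1MB
$first  = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
'{0} encrypted files ({1:N1} MB), {2} ransom notes' -f $encrypted.Count, $sizeMB, $notes.Count
# The oldest .locky timestamp approximates when encryption began, which helps
# pick a restore point or backup that predates the infection.
'Earliest encrypted file written: {0:yyyy-MM-dd HH:mm}' -f $first

# Folders with the most encrypted files.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Keep a written record of the original locations before touching anything.
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $Quarantine 'inventory.csv') -NoTypeInformation

if ($Move) {
    foreach ($f in $encrypted) {
        # Rebuild the original layout under the quarantine root (local drives only), e.g.
        # C:\Users\a\doc.locky -> <Quarantine>\C\Users\a\doc.locky
        $target = Join-Path $Quarantine ($f.FullName -replace ':', '')
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $target) | Out-Null
        Move-Item -LiteralPath $f.FullName -Destination $target
    }
    '{0} files moved to {1}' -f $encrypted.Count, $Quarantine
}
```

Run it once without -Move to review the report and inventory.csv, then again with -Move once the numbers look right.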

  • Hi eric, some people are able to restore files using the shadow clone copies. That’s a workaround. It is true that you cannot decrypt files encrypted by Locky.

  • Hi Ivan,

    No ETA on a decrypter, one will likely never be discovered. If shadow copy didn’t survive you are out of luck.

  • Hi Eric,

    If Spyhunter found locky then it’s OK, as the virus process has been terminated. If you are still seeing the instructions you can go to the regedit and delete the registry lines responsible. Hit Win+R, type regedit. Use the search to find anything with the word locky in it, delete all files and strings that come up as a result.

  • My stepmother hit the virus around March 14 2016, so it’s hitting a lot of computers now. She did not get prompted for the ransom yet, but it looks like all her Word docs and Excel docs have been replaced with the locky file extension. Advised her to shut down and stop using the computer as of today, when I found this out reviewing her computer for why files were disappearing. No idea yet if I can recover her files but will try some of the recommendations. But regardless, I have to get the virus itself removed. She gets emails from many friends that like to pass around pictures and jokes; seems one of them was the virus.
    So everyone please be careful.
    Richard

  • hello, I´m having the same problem with the LOCKY ransomware. I was able to get the public key by regedit. Is there some way I can use this key to decrypt the files?

    • Hi Carlos,

      The public key will unfortunately do you no good. You need the private key, which is what the ransom is for. Try restoring the original deleted files as per our guide if you don’t want to pay any money to locky crooks.

  • Hello Carlos,

    Unfortunately there is no information that could help you decrypt .locky files. The only way we know of, we have provided for you. We are sorry it didn’t work out for you.

  • Hello Ahmed,

    Please try to follow our guide. Maybe it would help you, we certainly hope so.
