Locky Virus


This page aims to help you remove Locky Virus Ransomware. These Locky Ransomware removal instructions work for all versions of Windows. We were recently asked in our reader’s comments about how to restore “locky datei” and we feel we should help users understand how to do it. To restore “locky datei” you will likely have to revert back to a previous date before the ransomware infected your PC. But, it may be very hard to do so, as the virus will undoubtedly try to hinder your process and may even succeed. This ransomware uses a different encryption method from most of its other peers – the AES-128 military grade encryption. Locky has undoubtedly achieved an all star status with the ranks of Zeus Virus Detected. The Aes-128 encryption is a step up for the creators of crime software, as it has previously not been exploited in such a way. Considering that the targets of this scam are predominantly German citizens, it is likely you will have your hands quite full. The _Locky_recover_instructions.txt ransom note is practically identical to a lot of others out there, so this is a general shoutout: DO NOT PAY UP!

Locky Virus

locky virus removal

There are several reasons for this, the most notable of which are:

  1. If you pay, you will have to login with accounts that may already be exposed. If they are not already stolen however, you basically risk showing them to people who are already monitoring you via a Trojan.
  2. By paying up you may or may not recover your files – but every time someone pays the ransom, the criminals grow stronger. They develop their software even more and people like you suffer
  3. There is really no reason for them not to give you your files back – but at the same time, there is always the chance you will pay but the files are not released and you will continue to search for a “locky datei” solution.

If your files have already been encrypted by Locky Virus, then you are in some serious trouble. Don’t panic though – we’ll try our best to help you with this article. What you are facing is a very dangerous virus of the ransomware type. These viruses have gained a lot of notoriety, because they encrypt your files and make them unusable, but the process is not reversed if you delete the virus. This gives the hackers a lot of leverage that they will undoubtedly use to blackmail you for a ransom, if they haven’t already. You will need to learn some more basic info on ransomware viruses before you can deal with fichier locky effectively, so please keep reading. This will also shed a light how to perform a “locky datei” recovery and how to avoid getting a locky recover instructions ransom note.

Locky Virus – first stage

When your computer was first infected with the ransomware it began encrypting your files. Depending on the size of your HDD and how much data you had the process could have taken a couple of hours or even days. The virus remains out of sight during this, but you may have spotted signs of its presence – your PC performing poorly than usual, programs taking ages to load (weknow.ac). Encryption is a memory and CPU intensive process and takes a toll on your system resources – in the future if your computer is working poorly open the task managed and look at what’s eating the resources. Ransomware viruses usually try to pose as windows programs and services, so if you see two of those with the same name and one of them is taking a lot of CPU power you’ll have your culprit – immediately shut down the process and delete all associated files or better yet pull the plug on your PC and find an expert.

Locky Virus

The locky virus ransom note.

Locky Virus – reveal

If your files have already been encrypted, then you have probably already seen the ransomnote generated by the virus. It probably has some kind of timer to put pressure on you and it demands the payment to be made in BitCoins. The criminals are now hoping that the surprise shock will put you to the edge and you’ll pay them the ransom. Well… that’s really not a good idea, for a couple of reasons.

  1. Paying money to cyber criminals only encourages them to get better at their craft and extort even more people.
  2. You are not guaranteed in any way that your files will be decrypted successfully if you make the payment.
  3. There is absolutely no reason to pay until you’ve tried all the free methods first.

The methods we’ve provided at our guide do not provide guaranteed recovery of all files, but they are an excellent start. Paying the ransom should only ever be considered if all other options are exhausted and the documents encrypted are worth much more than the ransom money.

There is a good chance you have a Trojan horse in your computer

While it is certainly possible that you unknowingly installed Locky Virus on your own computer chances are that a Trojan horse actually did it. Trojan horse viruses are the preferred method of spreading ransomware – they are very subtle and not all anti-malware programs can detect them and they can remain on an infected computer for a really long time. Trojan horse viruses that deliver ransomware are also known as “droppers” and you should make sure that you don’t have one of these installed on your computer from adware or browser hijacker like my quick converter. It can always download new ransomware if left alone. Unfortunately, such a search is next to impossible to perform manually – you’ll have to trust an anti-virus or an-anti malware program with it. If you don’t have one or if the one you have failed you with the ransomware feel free to check out our recommendation by clicking on one of the banners on this page.


Name .Locky
Type Ransomware
Danger Level High (Ransomware viruses are of the highest threat level there is)
Symptoms PC slowness followed by file encryption and ransom demand.
Distribution Method Trojan horse “droppers”, sometimes directly via email attachments and malicious websites.
Detection Tool

Locky Virus Ransomware Removal

Locky Virus

Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).

Locky Virus


Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 

Locky Virus

Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Locky Virus
Drag and Drop Files Here to Scan
Maximum file size: 128MB.

This scanner is free and will always remain free for our website's users. You can find its full-page version at: https://howtoremove.guide/online-virus-scanner/

Scan Results

Virus Scanner Result
Locky VirusClamAV
Locky VirusAVG AV
Locky VirusMaldet

After you open their folder, end the processes that are infected, then delete their folders. 

Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.

Locky Virus

Hold the Start Key and R –  copy + paste the following and click OK:

notepad %windir%/system32/Drivers/etc/hosts

A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

Locky Virus

If there are suspicious IPs below “Localhost” – write to us in the comments.

Type msconfig in the search field and hit enter. A window will pop-up:

Locky Virus

Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

  • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.

Locky Virus

Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

Search for the ransomware  in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

Type each of the following in the Windows Search Field:

  1. %AppData%
  2. %LocalAppData%
  3. %ProgramData%
  4. %WinDir%
  5. %Temp%

Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!

Locky Virus 

How to Decrypt Locky Ransomware files

We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

If the guide didn’t help you, download the anti-virus program we recommended or ask us in the comments for guidance!


About the author


Nathan Bookshire


  • There are any people who have proof that this worked?
    We also had not only the encrypting virus, they also had a password stealer in it. :/

    • Hello Shirui,

      Ransomware is often spread by different people who work as “affiliates”. That’s why we recommend everyone to scan their computers for more viruses, because you never know what else you might have been infected with.

  • Tried the above and it can’t seem to fix an infected PC. Had Malwarebytes on it but am unable to upgrade or anything to even resolve this.

    • Hi Eddie,

      What do you mean by fix? Removing Locky is not that difficult, but your files will not be restored if you do it. If you have other problems it is likely due to a different virus that was installed alongside the ransomware.

      Can you tell me what other symptoms you are experiencing?

      • Okay, I did manged to remove Locky. But the files are stuck as such. Does that mean there is no way to recover the files? Cause it covers every single document within the PC.

      • Hi, it seems my previous comment was not approved. So there is no other way to restore the files affected by Locky even after removing it?

        Thank you.

        • Hi Eddie,

          I am sorry for deleting them, I was under the impression you had it under control. Unfortunately there is nothing else you can do at this point – if system restore and Shadow Clone weren’t able to help. Did you try these already?

  • Hi Peter,

    We are very glad you were able to recover your files – Locky can be really nasty to get rid of. We’ll take your Recuva input and add it to our guide.

    • Hi,

      I also would like to know that how do we remove locky virus & recover the infected files. It spread as one of the user has accessed the word file which was attached in the email & it has cracked down our shared driver & all files of shared drives is encrypted. as mentioned above I have downloaded RECUVA – need to know & understand further process.

      I will be glad to receive your guidance & help to recover back encrypted files. You can send me the details on my email or you can share the process/steps for recovery.

      Awaiting your revert


      Malav Joshi

      [email protected]

      • Hi Malav,

        There is nothing overly complicated when using Recuva. You just start it, let it do a deep scan and then try to recover any file it finds. Do this first yourself and ask me if you have any problems.

  • Hello,

    To circumvent that restriction you need to go to the program you are using to edit the hosts file.

    Press the Windows button, write Wordpad/Notepad and right click on the program -> open as administrator.

    Now when the program starts click open, navigate to the Hosts file in C:WindowsSystem32driversetc and open it, You should now be able to edit it.

    This should help. Let me know how it goes.

  • Hi Adam

    Yes, if you have set up a backup you can restore your files with the first method.

    If you havn’t set up a backup Recuva (2nd method) might be able to help you.

    Let me know if you got any problems.

    • Hi Neil.

      Yes, that should be sufficient. Hopefully you have a backup restore point to do it – not many people actually have it.

      Please let me know how it goes.

  • Hi,
    My pc also got Locky virus and above image 2 (Important Information !!!!) is on my desktop background. Many files on my pc are effected. Please help.

  • Anyway, do not trhow away encrypted files, but store them in a safe place. The lack of an immediate solution does not imply that cannot be discovered in the next months.

  • Hello, I was infected with the Locky virus on Feb 24. I have completed the steps above and got to the point to do a System Restore. Only to find out the System Restore was turned off!! This is not something that I would turn off myself. How could this have been turned off if I didn’t physically turn it off?? Has anyone had luck with recovering their files when using the Recuva program?
    I am worried if I keep trying new things to recover the files that I am doing more damage and will diminish my chances of ever recovering the files.

    • Hi Wendy,

      Unfortunately windows has started turning off this feature by default. It is believed it reduces SSD life (if you have one).

      There are several programs like Recuva and they all operate on the same principle. If Recuva doesn’t work chances are similar programs won’t work as well.

      Let me know if you have any luck.

  • Hi, my system is also infected with locky virus. After that I formatted the C drive. Is it okay if i still follows the mention steps? or some changes are required?

    • Hi Shweta.

      Do you have other unformatted drives that were targeted by the virus? You don’t have to worry about C any more.

  • Hi again,

    .cerber is not Locky, but they work in the same way basically. Formatting is a radical decision as it deletes everything, but it also fixes everything, so its OK.

    If you have other unformatted drives worry about them. The virus can also hide in any USB drives that were connected to the PC, so format those as well.

      • Hi again,

        Are files on those drives infected as well? If they are try using Recuva (details in the removal guide) to recover them.

        • Hi,
          Thanks for the support.
          Yes, all files in D,E,F drives are infected. I tried Recuva, but coudnt recover the data. Presently there is no virus in the system only concern is that all my data is lost. Also I am not able to recover using : system restore point as i formatted the C drive.

          • Hi,

            If you’ve formatted the drive nothing can be done. This is also the reason why Recuva can’t restore anything. SOrry 🙁

          • Hi,

            Check my other reply. If you formatted the Drive nothing will help you.

  • Hi again,

    Sorry for the delay, you can try using the Recuva/Shadow explorer program to recover your data. Check out at the bottom of the removal guide.

  • hi i was infected with this rather nasty trojan yesterday, all our files where encrypted luckily we managed to remove sensitive data as soon as we saw the encryption taking place. tried all the methods at the top still virus is detected in system, also tried to manually remove it through windows and restored system, but no luck, currently working on recovering the files by using recuva. fingers crossed.

  • Hi Rhiannon,

    Don’t be hesitant to delete anything related to Locky. If it prevents you from deleting it make sure you loaded your PC in safe mode (step 1).

  • Hi James, unfortunately sometimes paying is the only solution, especially when it comes to a lot of valuable data. Warn your clients to purchase an anti-virus and/or backup their files. An yearly fee of backup service costs less than the ransom they just paid and it will also protect against HDD failure and other misfortunes.

  • Hi John,

    Windows XP is considered outdated for a reason – the shadow clone files (used to recover these files) were implemented in Vista and all subsequent windows versions. Unfortunately there isn’t anything you can do for your files except paying the money they ask for.

  • Hi Vinny, you shouldn’t be seeing locky files in Recuva – those files are encrypted too. It appears that the virus has gone smarter and it overwriting its own files in order to make the original files disappear completely. Unfortunately there isn’t anything more we can do to help at this point.

  • yes,I have other ips: 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com http://www.adobeereg.com wwis-dubc1-vip60.adobe.com http://www.wip.adobe.com http://www.wip1.adobe.com http://www.wip2.adobe.com http://www.wip3.adobe.com http://www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

    this.. Please help

    • Hi tanya,

      These are legitimate IPs created by some of your Adobe software products such as adobe readers. You don’t need to delete those.

  • Hello,

    The ransomware shouldn’t be able to do anything you to your drive physically. Perhaps it was another problem that caused this. Hope everything is OK for you. When you get the replacement it would be a good idea to install some security software – ransomware can infect even very careful people when they are distracted.

  • Hi there, is largely depends on what set of permissions is assigned to the normal account. A restrictive set may block the installation of the ransomware in the first place, but it may also interfere with the working process of the people in the office. I don’t know the nature of your work, so I can’t give better advice.

  • Hi Malav, currently there doesn’t exist any program that can directly decrypt the files from this virus.

  • Hi Kelly, unfortunately I don’t think you can change the time point, but you can get more accurate information if you ask the people that created Shadow Explorer. Glad you could get rid of the virus.

  • Hello, you can also try the Shadow Explorer program, sometimes it work’s when Recuva won’t.

    Unfortunately you don’t have many options on this one – that’s what makes the virus so dangerous.

  • Hi Henrik,

    No, this address is part of your LAN network. I have no idea what’s linked to it, but it’s not a foreign hacker.

  • Hi Suzy, first try recovering the files using Recuva/Shadow Explorer.

    After you manage to recover everything the best solution remains to just format the whole HDD and reinstall windows. The anti-virus should have dealt with the ransomware, but one can never be too careful…

  • Hi Beth, there is not a clear cut guide for this. Anything with unknown manufacturer that also uses a lot of CPU/RAM.

    If the virus already revealed itself its probably too late anyway.

    • We’re going to do a system restore to save what we can but o thought we had to remove the virus as well or would the restore do that?

      • Hi Beth, using the backup system restore point will also remove the virus, provided the restore point was created before the infection occurred.

  • Hi Jaypee, unfortunately not much can be done. Sometimes the virus purposefully rewrites the files multiple times so they become unrecoverable.

  • Hi there, .xlsx is the normal format for excel. Either the files are corrupted or there is a problem with your Excel and you need to re-install it.

  • Hi Beatrice, if you are writing from the infected computer press Ctrl+Alt+Del and sort the processes by CPU/RAM consumption. Anything that uses a lot of these and looks like a windows process (Svc.host or similar) or like a random process is probably the virus!

    Files that have their original formatting are not affected. Quickly copy everything you need (that is not encrypted) on the portable drive. Download SpyHunter from our site and scan for Locky. If you find and remove it – all is good. If you don’t I recommend that you format the PC and reinstall windows. If the virus lies dormant and inactive Spyhunter probably won’t be able to find it and you’ll be sitting on a landmine waiting to explode.

  • Hi
    The locky virus has also bugged my conputer i’m not that stiupid to open a suspicious email somebody else did
    Now he knew that i dont have any image or backup point, no backup at all.
    M using Windows 8.1
    I just want to recover my files
    It has very precious documents.
    Can i do that after removing the virus?
    Or can i still do that with softwares like recuva?
    I tried recuva but it still recovers the locky files even after checking the deep scan.
    Need help? Really….

    • Hi Kanav, yeah that’s unfortunate, especially if someone else used your computer.
      You can also try the Shadow Explorer program, but I doubt it will be effective. Seems like Locky has overwriten your files in order to make them unrecoverable.

  • No, unfortunately it is not possible 🙁 Just recover the files you can. The decryption process doesn’t work like how you think it does. Think of it as a cipher – the rules of what is what have to be understood in order to break it. Scientists are working on decrypting locky, but how will that take? No one can tell you.
    I suggest, you get rid of the virus if it remains on your PC, recover however many files you can, then wipe your Windows and start anew. And don’t buy the locky decryptor – we’ve had many reports that it simply doesn’t work. The criminals just try to scam you again.

  • Unfortunately there is little advice I can give you :(. Believe me, if there was a better way, I’d instantly update the post with it. Recover the files you can, swallow the loss, wipe your Windows copy clean, and move on. You may want to check out some good anti-malware programs and choose one.
    DO NOT PAY THE RANSOM. Not only will this help the crooks create a stronger version, but there are many accounts by users that their files were not returned, especially by locky.

  • Hi Astrit, I will actually recommend that you do a system format. There is a good chance you have a Trojan Horse lurking on your PC if Locky was already installed.

    With that said you can open the command prompt and do the following commands:
    del /s /q /f *.locky

    BE WARNED! This is risky, since this command will delete all files that end with .locky on your C: drive!

  • Hi eric, some people are able to restore files using the shadow clone copies. That’s a workaround. It is true that you cannot decrypt files encrypted by Locky.

  • Hi Ivan,

    No ETA on a decrypter, one will likely never be discovered. If shadow copy didn’t survive you are out of luck.

  • Hi Eric,

    If Spyhunter found locky then it’s OK, as the virus process has been terminated. If you are still seeing the instructions you can go to the regedit and delete the registry lines responsible. Hit Win+R, type regedit. Use the search to find anything with the word locky in it, delete all files and strings that come up as a result.

  • My stepmother hit the virus around March 14 2016, so it hitting a lot of computers now.. she did not get prompted for the ransom yet. but looks like all her word docs and excel docs have been replaced with the locky file extension. Advised her to shut down and stop using the computer as of today when I found this out reviewing her computer for why files was disappearing. No idea yet if I can recover her files but will try some of the recommendations. but regardless, I have to get the virus itself removed. She gets emails from many friends that like to pass around pictures and jokes.. seems one of them was the virus.
    So everyone please be careful.

  • hello, I´m having the same problem with the LOCKY ransomware. I was able to get the public key by regedit. Is there some way I can use this key to decrypt the files?

    • Hi Carlos,

      The public key will unfortunately do you no good. You need the private key, which is what the ransom is for. Try restoring the original deleted files as per our guide if you don’t want to pay any money to locky crooks.

  • Hello Carlos,

    Unfortunately there is no information that could help you decrypt .locky files. The only way we know of, we have provided for you. We are sorry it didn’t work out for you.

  • Hello Ahmed,

    Please try to follow our guide. Maybe it would help you, we certainly hope so.

Leave a Comment