Here’s a Quick Way to REMOVE Locky ransomware. How to Remove? (Uninstall Guide)

Locky ransomware removal instructions

What is Locky?

Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text and prompts the user to enable macros. When users enable macros in Word, an executable file (the ransomware) is downloaded. Various files are then encrypted. Note that Locky changes all file names to a unique 16-letter and digit combination with a .aesir, .shit, .thor, .locky, .zepto or .odin file extension. Thus, it becomes virtually impossible to identify the original files. All are encrypted using the RSA-2048 and AES-1024 algorithms and, therefore, a private key (stored on remote servers controlled by cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.

After the files are encrypted, Locky creates an additional .txt and _HELP_instructions.html (or _WHAT_is.html) file in each folder containing the encrypted files. Furthermore, this ransomware changes the desktop wallpaper. Both the text files and the wallpaper contain the same message that informs users of the encryption. It states that files can only be decrypted using a decrypter developed by cyber criminals and costing 0.5 Bitcoin (at the time of research, 0.5 BTC was equivalent to $207.63). To proceed, the victim must install the Tor browser and follow a link provided in the text files/wallpaper. The website contains step-by-step payment instructions. Locky deletes all file shadow volume copies. Currently, there are no tools capable of decrypting files affected by Locky – the only solution to this problem is to restore your files from a backup.
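The renaming and ransom-note behaviour described above gives an incident responder something concrete to look for on a suspect machine or a file share. The following script is an added example and is not code from the original article: it walks a file listing and labels each path as a Locky-style encrypted file (16 hex characters plus one of the extensions listed above), a ransom note, or a file whose original name was kept and merely given a Locky extension (the pattern the article attributes to the AutoLocky copycat, which has a free decrypter). The 16-hex-character model of the "letter and digit combination" and the sample listing are assumptions constructed for the example; a variant that formats names differently would land in "other", so treat a miss as unknown rather than clean.

```python
import re
from collections import Counter

# Extensions the article attributes to Locky and its variants.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "thor", "shit", "aesir")

# Ransom-note file names the article lists (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "_help_instructions.html", "_help_instructions.txt",
    "_what_is.html", "_what_is.bmp",
    "_locky_recover_instructions.txt", "_locky_recover_instructions.bmp",
}

# Assumption: the "unique 16-letter and digit combination" is modelled as
# 16 hexadecimal characters; a variant may format names differently, so a
# miss here means "unknown", not "clean".
ENCRYPTED_NAME = re.compile(
    r"^[0-9a-f]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE
)
# Original name kept, Locky-style extension appended: the article describes
# this for the AutoLocky copycat, which has a free decrypter.
COPYCAT_NAME = re.compile(r"\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE)


def split_path(path):
    """Return (folder, file name) for a Windows or POSIX path string."""
    normalised = path.replace("\\", "/")
    folder, _, name = normalised.rpartition("/")
    return folder, name


def classify(path):
    """Label one path: ransom_note, encrypted, copycat_extension or other."""
    _, name = split_path(path)
    if name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if COPYCAT_NAME.search(name):
        return "copycat_extension"
    return "other"


def triage(paths):
    """Summarise a file listing: counts per label, note folders, extensions seen."""
    labels = Counter()
    extensions = Counter()
    note_folders = set()
    for path in paths:
        label = classify(path)
        labels[label] += 1
        folder, name = split_path(path)
        if label == "ransom_note":
            note_folders.add(folder)
        if label in ("encrypted", "copycat_extension"):
            extensions[name.rsplit(".", 1)[-1].lower()] += 1
    return {
        "labels": dict(labels),
        "note_folders": sorted(note_folders),
        "extensions": dict(extensions),
    }


# Constructed sample listing (not real victim data) for a stand-alone run.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\3F2A9B1C0D4E5F6A.locky",
    r"C:\Users\alice\Documents\_HELP_instructions.html",
    r"C:\Users\alice\Pictures\abcdef0123456789.zepto",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\budget.xlsx.locky",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print("Locky-style encrypted files:", summary["labels"].get("encrypted", 0))
    print("Copycat-style renamed files:", summary["labels"].get("copycat_extension", 0))
    print("Folders holding ransom notes:", *summary["note_folders"], sep="\n  ")
```

On a real case, feed `triage` the output of a recursive directory walk over the suspect volume or share; the folder list tells you how far the encryption reached, and a high copycat count with no 16-character names is a hint to check the ransom note wording against the AutoLocky section before assuming there is no free decrypter.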

Locky decrypt instructions

There are hundreds of ransomware-type malware infections similar or identical to Locky including, for instance, Cryptowall, JobCrypter, UmbreCrypt, TeslaCrypt, and DMA-Locker. All have identical behavior – they encrypt files and demand a ransom. The only difference is the size of ransom and type of algorithm used to encrypt the files. Research also shows that there is no guarantee that your files will ever be decrypted even after paying the ransom. By paying, you simply support cyber criminals’ malicious businesses. Therefore, you should never pay the ransom or attempt to contact them. Be aware also that malware such as Locky is usually distributed via fake software updates, P2P networks, malicious email attachments, and trojans. Therefore, it is very important to keep your installed software up-to-date and to double check what you are downloading. Be cautious when opening email attachments sent from suspicious addresses and use a legitimate anti-spyware or anti-virus suite.

Below are screenshots of email messages used in Locky ransomware distribution.

For example – email subject – “ATTN: Invoice J-12345678”, infected attachment – “invoice_J-12345678.doc” (contains macros that download and install Locky ransomware on computers):

Dear someone, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business!

Here are some screenshots of spam email messages containing infected attachments that install Locky ransomware on victims’ computers:


Another way cyber criminals distribute Locky ransomware is via fake Flash Player update pop-ups (“Your Flash Player may be out of date”); to stay safe, users should only download Flash Player from its developer’s website:


Screenshot of _HELP_instructions.html (or _WHAT_is.html) file created by Locky ransomware:


_Locky_recover_instructions.txt (or _HELP_instructions.txt) text file:


Text presented in the desktop wallpaper and .txt files created by Locky:

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. hxxp://
2. hxxp://
3. hxxp://
4. hxxp://
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC646805
4. Follow the instructions on the site.
!!! Your personal identification ID: 07Bxxx75DC646805 !!!

Screenshot of a desktop infected with Locky ransomware:


Locky ransomware website informing victims on how to pay the ransom to receive the “Locky Decrypter” software – supposedly software that will decrypt their compromised files:


File types targeted by Locky ransomware:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

A ransom payment page (‘Locky Decryptor’):


Update 18 April 2016 – A new copycat ransomware has been released that impersonates Locky. AutoLocky is a new ransomware created by cyber criminals using the AutoIt programming language. It attempts to impersonate the original Locky ransomware by assigning the .Locky extension to encrypted files. To determine if your computer is infected with AutoLocky ransomware, look at the ransom demand message – it differs from the original Locky ransomware. The good news for the victims of AutoLocky is that Fabian Wosar from Emsisoft has created a free decrypter that will decrypt compromised files free of charge. Download link – Emsisoft Decrypter for AutoLocky. Before using this tool, victims of AutoLocky should scan their computers with legitimate anti-malware software to first terminate its processes and remove associated malware files. You can then use the decrypter to regain control of your compromised data.

Screenshot of AutoLocky decrypter by Fabian Wosar from Emsisoft:


AutoLocky ransomware creates Info.html and Info.txt files on the desktop:


Text presented within these files:

Locky ransomware
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here: (crypto system)
Decrypting of your files is only possible with the following steps
How to buy decryption?
1. You can make a payment with BitCoins, there are many methods to get them.
2. You should register BitCoin wallet (simplest online wallet OR some other methods of creating wallet)
3. Purchasing BitCoins – Although it’s not yet easy to buy bitcoins, it’s getting simpler every day.

Locky ransomware removal:

Quick menu:

  • What is Locky?
  • STEP 1. Locky virus removal using safe mode with networking.
  • STEP 2. Locky ransomware removal using System Restore.

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Video showing how to start Windows 7 in “Safe Mode with Networking”:

Windows 8 users: Start Windows 8 in Safe Mode with Networking – Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened “General PC Settings” window, select Advanced startup. Click the “Restart now” button. Your computer will now restart into the “Advanced Startup options menu”. Click the “Troubleshoot” button, and then click the “Advanced options” button. In the advanced options screen, click “Startup settings”. Click the “Restart” button. Your PC will restart into the Startup Settings screen. Press F5 to boot into Safe Mode with Networking.


Video showing how to start Windows 8 in “Safe Mode with Networking”:

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click “Restart” while holding the “Shift” key on your keyboard. In the “Choose an option” window click “Troubleshoot”, then select “Advanced options”. In the advanced options menu select “Startup Settings” and click the “Restart” button. In the following window press the “F5” key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Video showing how to start Windows 10 in “Safe Mode with Networking”:

Step 2

Log in to the account infected with the Locky virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using “Safe Mode with Command Prompt” and “System Restore”:

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click “Next”.


5. Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the Locky ransomware virus infiltrating your PC).


6. In the opened window, click “Yes”.


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Locky ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Locky are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Locky, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Locky ransomware.

HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises any attempts without need for user intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately – before reaching users’ files:


  • The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups. More information on online backup solutions and data recovery software is available here.


Locky ransomware analysis. How does this virus operate?

Locky virus is a dreadful computer parasite and definitely a public enemy, which has managed to proliferate dangerously and infect thousands of computers since its first appearance at the beginning of 2016. Encouraged by the success of this virus, the authors of this crypto-ransomware have created further, differently named versions of it, such as Bart ransomware or Zepto virus. These viruses pose a serious threat to the computer system because the Locky encryption routine can corrupt files not only on the compromised computer and devices plugged into it, but also data on unmapped network shares. The reason this virus encrypts the victim’s data is to receive a ransom payment, which is why it is known as Locky ransomware. After infecting the system, this Trojan-type pest uses an embedded encryption key (earlier, this ransomware used to connect to its Command & Control servers to get this key), then scans all system folders for particular file types and encrypts them with military-grade encryption, which securely holds the victim’s files hostage. The virus does not only encrypt files but also changes their filenames and adds the .locky file extension to them; this way, the virus seeks to confuse the victim and make it harder to decrypt particular data. If you see .locky file extensions added to your data, you are infected with this ransomware, which will keep your files blocked until you pay a ransom. To explain to the victim how to pay the ransom, the virus creates a ransom note called _Locky_recover_instructions.txt and saves a copy of it in every folder that holds encrypted data. The ransom note contains the following message:


All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:

[links to Wikipedia]

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

[links to .onion sites accessible via Tor browser]

If all of this addresses are not available, follow these steps:

[Instructions how to install Tor browser]

! ! ! Your personal identification ID: [ID number] ! ! !

After that, the virus changes the desktop background to a _Locky_recover_instructions.bmp image, which displays the same information as the ransom note. The .onion links presented in both files left by the virus lead to the Locky payment website, which offers the Locky Decrypter for 0.5 or 1.0 BTC (approximately 300-600 USD at the time of writing this report).

You might think, “Why do I have to pay when I can use Volume Shadow Copies to restore my data?” Well, we have to disappoint you: the virus runs the following command – vssadmin.exe Delete Shadows /All /Quiet – which deletes these copies. Therefore, there is no way to recover your precious files from these copies. On top of that, malware researchers still cannot crack Locky’s source code and defeat this virus by creating a free Locky ransomware decryptor, so affected PC users have two options only:

  • Let crooks win and pay the ransom;
  • Refuse to pay the ransom and restore them from backup or wait until a decryption tool gets released.

If you decide to pay the ransom, you should note that security experts do NOT recommend doing so as there is no guarantee that hackers actually give their victims a key that they need. In this case, you have to remove Locky ransomware from your computer. You can use Reimage for that.

How does Locky infect victim’s computer?

This computer threat spreads as a malicious Word document attached to spam emails that pretend to be delivering an invoice:

Dear [Name],

Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

Let us know if you have any questions.

We greatly appreciate your business!

[Randomly generated name of the sender]

This email contains an attachment named invoice J-[8 random numbers].doc. If the user opens this file in Word, Locky malware might start its malicious processes right away. It all depends on whether the user has macros enabled in Word or not. If the user does not have macros turned on, Locky’s document shows distorted text and asks the user to enable macros to review it – “Enable macro if the data encoding is incorrect.” You should NOT do as commanded! If the user enables macros, malicious code is activated. It downloads and runs an executable file of the Locky virus, which immediately starts the file encryption process. The ransomware runs processes that scan the system for personal files, including audio, video, image files and documents, and locks them using the RSA-2048 and AES-128 encryption algorithms. What is more, this virus can access and encrypt data stored on external drives that are plugged into your device. After the encryption process is done, this virus renames the affected files – it adds a .locky extension to the filenames.

Recently, the authors of Locky and Zepto created a new crafty technique to prevent anti-virus programs from detecting the source of infection, allowing the virus to encrypt all files without being stopped. For that, the virus is distributed via an archived JavaScript attachment, also known as a downloader script. Once executed, it downloads and decrypts the malicious payload, which arrives in the form of a DLL file. This file is run with the help of rundll32.exe. Typical antivirus programs consider rundll32.exe a safe file, so Locky and Zepto easily pass computer protection and step into the system to wreak havoc there. We also must add that people who tend to keep their computers unprotected risk being attacked by the JS.Nemucod Trojan horse, which can remain silently in the system for a while and then drop malware on the system. This Trojan horse is a well-known conspirator in Locky’s distribution scheme.
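The infection chain laid out in the last few sections (Word macro dropping an executable, vssadmin.exe Delete Shadows /All /Quiet wiping the shadow copies, a JavaScript downloader run by the script host, rundll32.exe loading the dropped DLL) is unusual enough in process-creation telemetry that each step can be matched with a simple rule. The script below is an added example, not code from the original article or from any product it mentions: it parses a constructed, pipe-delimited process-creation log (time, parent image, image, command line; not a real Sysmon or EDR format) and reports which rule each event trips. The staging-folder pattern, the rule names, and every process name and path in the sample log are assumptions invented for the example.

```python
import re

# Rules reflect the behaviour the article describes: vssadmin deleting shadow
# copies, Word launching a downloaded executable, a JavaScript downloader run
# by wscript/cscript from a staging folder, and rundll32 loading a DLL dropped
# there or launched by the script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: staging folders worth flagging; tune to the environment.
STAGING_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one constructed 'time|parent_image|image|command_line' record."""
    time, parent, image, cmdline = line.split("|", 3)
    return {"time": time, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(event):
    """Return the names of every rule the process-creation event triggers."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"].lower()
    hits = []
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    if parent == "winword.exe" and STAGING_PATH.search(event["image"]):
        hits.append("office_spawned_executable_from_staging")
    if image in SCRIPT_HOSTS and ".js" in cmd and STAGING_PATH.search(event["cmdline"]):
        hits.append("script_host_running_js_from_staging")
    if image == "rundll32.exe" and (parent in SCRIPT_HOSTS or STAGING_PATH.search(event["cmdline"])):
        hits.append("rundll32_loading_dll_from_script_or_staging")
    return hits


def detect(log_text):
    """Run every rule over a log; return (line_number, rule, command_line) tuples."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_rules(event):
            findings.append((number, rule, event["cmdline"]))
    return findings


# Constructed sample log: invented process names and paths, not real indicators.
# The last two lines are benign look-alikes that the rules must not flag.
SAMPLE_LOG = r"""2016-03-01T09:12:01Z|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Users\alice\AppData\Local\Temp\dropped_payload.exe|"C:\Users\alice\AppData\Local\Temp\dropped_payload.exe"
2016-03-01T09:12:05Z|C:\Users\alice\AppData\Local\Temp\dropped_payload.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2016-03-01T09:13:10Z|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\Downloads\invoice_12345.js"
2016-03-01T09:13:14Z|C:\Windows\System32\wscript.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,EntryPoint
2016-03-01T09:20:00Z|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2016-03-01T09:21:00Z|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""

if __name__ == "__main__":
    for number, rule, cmdline in detect(SAMPLE_LOG):
        print(f"line {number}: {rule}: {cmdline}")
```

The benign lines at the end matter as much as the malicious ones: rundll32.exe and vssadmin.exe are legitimate Windows binaries that run constantly, so the rules key on the parent process, the argument path and the verb rather than on the binary name alone. The shadow-copy rule is the one to alert on first, since by the time it fires the encryption has usually already started.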

Variants of the Locky ransomware

Locky virus. The first version of the malware was spotted at the beginning of 2016. Since then it has been updated several times, and now it is responsible for 50% of recognized ransomware attacks. The virus drops three files (some versions two) that include a ransom note. Hackers launched malicious email campaigns and spread infected Word documents. When users activated the macro, the virus infiltrated the system and encrypted files using the AES-128 and RSA-2048 algorithms. Then it dropped a ransom note, _Locky_recover_instructions.txt, into each folder that stores encrypted files. The ransom note includes information about data encryption and decryption. Hackers explain that paying the ransom (0.5-1 BTC) is the only way to decrypt files. The ransom note also explains how to purchase Bitcoins, install the Tor browser and use Locky Decrypter – a tool which is supposed to restore all damaged files. Unfortunately, malware researchers haven’t created a free data decryption tool yet. However, we do not recommend using any data recovery solution suggested by the criminals. At the moment the only safe and free solution is to restore files from backups.

AutoLocky virus. Unlike Locky, AutoLocky was written not in C++ but in the AutoIt language, which made it the weakest version of the malware. It spreads via malicious spam emails. Hackers attach an infected PDF file, and when users open it, the virus gets inside and starts encrypting files using the AES-128 cipher. It demands 0.75 Bitcoins for data recovery, but paying is not necessary: there is a free AutoLocky decryption tool.

.locky file extension virus. Similarly to other malware variants, it encodes files using the RSA-2048 and AES-128 ciphers and appends a .locky file extension to all corrupted documents, pictures, audio, video and other files. Following data encryption, it drops a ransom note in which hackers demand 0.5 Bitcoins. Unfortunately, malware researchers haven’t created a free decryption tool yet, but that is no reason to pay the ransom. If you have data backups, you can restore files after virus elimination. More bad news is that the .locky file extension virus was updated in June 2016. The newest version is called Zepto virus. For the possibility of decrypting files with Locky Decryptor, the criminals ask for 4 BTC (about 2500 USD). Please do not transfer this enormous amount of money, because there is no guarantee that this tool will decrypt your files.

Bart virus. Instead of encrypting files with a sophisticated algorithm, this version of the Locky virus adds files to a password-protected ZIP archive. All archives have the .bart file extension, and only Bart Decryptor can retrieve the damaged files, for 3 BTC. The payment website offers translation into several languages and looks similar to Locky’s. The virus has another unique characteristic. Before data encryption, it checks the computer’s default language settings. If the targeted computer’s language is Russian, Ukrainian or Belorussian, the malware uninstalls itself. Malware researchers have created a free decryption tool, and this fact motivated hackers to update the virus. They have developed a Bart v2.0 ransomware virus that still adds targeted files to a ZIP archive, but appends the .bart2 extension to each of them. Unfortunately, this version is still undecryptable, unless you are willing to pay about 2 BTC to cyber criminals (NOT recommended).

ODIN virus. For data encryption the virus uses the same encryption method, but appends a different file extension – .odin. The virus mostly targets Europe, but computers in Asia, Africa, and the USA have suffered from it as well. The virus spreads via malicious email attachments. It’s already known that some emails have the subject line “Receipt [random numbers]”; however, there are hundreds of different infected emails. After successful file encryption, it drops a ransom note and tells the victim that the only way to get back access to the files is to pay the ransom.

Thor virus. This variant appeared in October 2016. It targets more than 400 different file extensions and encodes them using RSA and AES encryption. Following successful file encryption, the virus delivers two files, _WHAT_is.html and _WHAT_is.bmp. These files contain the so-called ransom messages and explain to victims that they can restore their files using Locky Decryptor for 0.5 Bitcoins.

Shit virus. At the same time as Thor launched its first campaigns, computer users from France reported that their files were corrupted and had a .shit file extension. For file encryption the virus uses military grade AES CBC 256-bit encryption and, unfortunately, there is no way to decrypt them for free. The virus leaves the same ransom note and demands the same amount of money as Thor. Unfortunately, victims can restore their files for free only from backups.

Hucky virus. It is a Hungarian version of Locky which appends a .locky file extension to all affected files. It can only encrypt around 200 different file types. The virus uses an updated version of _locky_recover_instructions.txt, and after file encryption the malware drops _Adatok_visszaallitasahoz_utasitasok.txt. In this ransom message, victims learn that they have only 24 hours to contact the cyber criminals via the provided email. Hackers do not reveal the size of the ransom, but it might vary from 0.5 to 2 BTC.

What to do if your computer gets hit by Locky malware

Speaking of ransomware, it is always better to secure yourself before it attacks you. No matter how attentive and careful a computer user you are, you can still be deceived by cyber-criminals, because they tend to spread malware as Trojan horses. In other words, malware comes as a safe-looking file that is infected. We strongly recommend regularly creating copies of your data and storing them on an external hard drive.

Unfortunately, Locky is a disastrous virus, which can lock your personal files forever. As we have mentioned, you should not think that it lets its victims recover their files from Shadow Copies because this noxious virus simply deletes them. Therefore, the only 100% working method to recover your files is to import them from an external drive. However, you must eliminate Locky malware before you do so, because as we have already stated before, it can encrypt records stored on external drives that are plugged into the infected machine, too.

If you do not have copies of your files saved on an external drive, you have three options left:

  1. You can try to use one of these tools (they might help you to decrypt at least some of your files): Kaspersky virus-fighting utilities, R-Studio or Photorec;
  2. You can wait until someone creates a Locky decryption tool (this might take a long time);
  3. The last option is to pay the ransom, but we DO NOT recommend doing so. Not surprisingly, there is NO guarantee that cyber-criminals will give the decryption key for you. Plus, think about it – do you want to support cyber-criminals in such way?

To implement Locky removal, we recommend using one of the following anti-malware programs: Reimage (Windows OS) or Malwarebytes Anti Malware (Windows/Mac OS). Alternatively, you can try Plumbytes Anti-Malware software. These three programs are professional malware removal tools that can completely terminate Locky virus.

NOTE. Anti-malware programs DO NOT decrypt the encrypted data. They are meant to eliminate malicious programs and their components.

Quick tips on how to prevent ransomware attack:

    1. Keep your computer security software up-to-date. Update it as soon as the new version is available;
    2. Protect your PC with anti-malware software and make sure Windows Firewall is always turned on;
    3. Back up your files. We do not recommend using online data storage clouds because some viruses can reach them using your Internet connection;
    4. Do not wander through ‘Spam’ or ‘Junk’ email sections and make sure you do not open any suspicious emails or attachments that come with them;
    5. Update software frequently – make sure Java, Adobe Flash Player or other programs are up-to-date.

Instructions that will help you to complete Locky virus removal

Before you try to remove the Locky virus from your computer, you have to realize that you are dealing with a seriously dangerous virus. To remove this virus entirely, you have to get rid of each of its files, because it can easily come back to your computer and encrypt NEW files right after rebooting. If you are looking for a reliable Locky ransomware removal tool, we recommend you choose Reimage or Malwarebytes Anti Malware. However, the virus can attempt to block these programs, so in order to launch them (or to download them, if you do not have one of these yet), you have to reboot your PC into Safe Mode first. Please look at the instructions provided below and carry them out carefully to run the malware removal program and complete the Locky removal procedure.




Written by: AAKEYY

I have always expressed myself through creative means, I specialize in writing tech-related articles about the computer industry. I enjoy writing articles about the Internet, making money online, fitness & health.
