Jump to content

Files encrypted with Locky cryptolocker Please help


Recommended Posts



I’m sorry to see your pc is  affected by a file-encrypting ransomware infection, "locky".
Is this a home use computer, or, do you use this for a business purpose?

How this pc got this ransomware is not knowable.
It may have been from malvertising on some website. Or it may have been some attachment that was opened, such as from an Email.
Did anyone open an attachment, possibly a Word document, which came in by email?

What programs or add-ons have been added to this pc recently?

IF you have prior offline backups of your system, that would be the best to get back any corrupted ( encrypted ) documents and files.

In any event, copy off those of your user documents that are now “changed” with those “odd  locky extensions” onto some large USB drive as sort of future insurance against the day when someone, somewhere may come up with a decryptor utility.

The “locky” is a very very new variant of crypto-style ransomware. It is only just started to be seen in the past week.
If your computer is on a network, physically disconnect it from the network.

I'm afraid I have bad news for you.  There's nothing we can do to "fix" personal files that are not backed up.
We can remove the infection but can’t cure or resurrect the corrupted /encrypted documents & files.

Do you have a very recent backup of this system on external or offline discs?

Note:  The main infector would have removed itself after doing the damage.  All that would left about would be any nag-image type files & lots of "help decrypt" type notes so that you are lured to pay the ransom.
Also, be very aware, that the Locky would have disabled the Windows System Restore service and also would have wiped any old Windows shadow copies of your documents.

There are some articles on Bleepingcomputer forum that have some added details on "locky".
This page is one of those

Link to post
Share on other sites

Thanks for the reply. I find it very informative.


Yes, Its my buddy's laptop. He uses his laptop(personal laptop) for business purpose. He received an email which had some invoice email with an attachment. usually he gets the invoice emails from his customers from offshore. It looked similar what described in the articles.


It seems post opening the email with attachment caused this issue. No recent add ons or applications added. I see only this email causing the issue. Sadly he didn't had any backup taken and strange is that it also removed system restore too from the computer. 


No previous versions of files and no shadow copy.


My friend already took re installation of OS with complete formatting the hard drive by the time i looked into his computer.


Thanks for the help though. Appreciate it.  Will spread new ransomeware info with others.



Link to post
Share on other sites

The safest thing is indeed is to wipe the system and re-image from a known good backup image.


Please make all aware that these crypto-ransomwares do in fact disable System Restore service and do in essence, do away with old restore points.


As your friend has business use computers, urge him to look at our offerings for Business.

The Malwarebytes Anti-Exploit for Business   ( as well as our consumer Premium Malwarebytes Anti-Exploit) do block this variant of ransomware.


But also, situational awareness ( especially with email attachments) is always a must in this current age of ever evolving & quickly changing malware.

Safer practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy".  We do not accept them from "strangers".
Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself.  Do not double click in the email.  Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address   ( one that does not fit or is odd looking or has typos).

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog
Dont remove your current login.  Just use the new Standard-user-level one for everyday use while on the internet.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.