Locked.zip (NotAHero) Ransomware Remove and Restore Files

This article is created to show you how to remove the NotAHero ransomware infection completely from your computer and restore files in a locked.zip archive.

A file-encrypting ransomware virus was detected in April 2017 that locks the victim's files inside a password-protected .zip archive after infecting their computer. The malware, also known as NotAHero ransomware, demands that affected victims pay a hefty ransom fee in Bitcoin in order to receive the password for the archive. The virus then drops a “Pay me bitcoins to get all your files unlocked.txt” file containing the Bitcoin address of the cyber-criminals behind it. If you have become a victim of this ransomware infection, we recommend reading the following article to learn how to remove NotAHero ransomware and restore the files it has locked away.

Threat Summary

Name: Locked.zip Virus (NotAHero)
Type: Ransomware
Short Description: Archives important files on the compromised computer in a password-protected .zip file, then demands a hefty ransom fee in exchange for the unlock password.
Symptoms: The victim cannot open the affected files; a file named locked.zip may appear in their place. A ransom note named “Pay me bitcoins to get all your files unlocked.txt” may also be found on the system.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the malware itself in obfuscated form.

NotAHero Locked.zip Virus – How Does It Infect

The locked.zip file virus may be spread in several different ways, the main one being spam e-mail messages that carry malicious attachments.

These attachments may be placed inside an archive or sent as Microsoft Office documents that only appear legitimate. They are usually accompanied by a deceptive message designed to convince inexperienced users to open the attachment.

Another way of spreading this ransomware is to disguise it as a fake program installer, a fake software update or a similar fraudulent file. Such files may also be uploaded to torrent sites posing as game patches, software activators or key generators; when opened, they run obfuscated code in the background that causes the infection.
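A triage check for the attachment and download types described above, added here as a worked example (it is not code from the original article or from any vendor tool). It flags executables hiding behind document-like names, OOXML documents that carry a VBA project, legacy binary Office containers, and archives that contain an executable. The extension lists, rule names and sample files are this example's own choices, built from constructed bytes, not indicators taken from the page.

```python
import io
import zipfile

# Signatures and extension sets used by the triage heuristics below.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) and ordinary .zip
PE_MAGIC = b"MZ"                                   # Windows executable
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "msi"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def _zip_names(data):
    """Entry names of a zip held in memory, or [] if it does not parse."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_attachment(name, data):
    """Return the list of reasons to hold this attachment for review (empty = none found).
    Heuristics only: an empty result does not mean the file is safe."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append("executable_extension")
        if len(parts) > 2 and parts[-2] in DOC_EXTS:
            reasons.append("double_extension_disguise")        # e.g. invoice.pdf.exe
    if data.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
        reasons.append("pe_content_with_non_executable_name")  # an .exe renamed to look harmless
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy_office_binary_may_embed_macros")
    if data.startswith(ZIP_MAGIC):
        names = [n.lower() for n in _zip_names(data)]
        if any(n.endswith("vbaproject.bin") for n in names):
            reasons.append("office_document_with_vba_macros")
        if any(n.rsplit(".", 1)[-1] in EXEC_EXTS for n in names):
            reasons.append("archive_contains_executable")
    return reasons


def _make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


# Constructed samples (not real malware): the minimal bytes that trigger each rule.
SAMPLES = {
    "Invoice_2017.pdf.exe": b"MZ" + b"\x00" * 62,
    "Order.docx": _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16}),
    "patch_v2.zip": _make_zip({"readme.txt": b"run setup", "keygen.exe": b"MZ" + b"\x00" * 62}),
    "old_report.doc": OLE_MAGIC + b"\x00" * 24,
    "photo.jpg": b"MZ" + b"\x00" * 62,
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(samples=SAMPLES):
    """Classify every sample; returns {filename: [reasons]}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:22} {'HOLD' if reasons else 'pass':5} {', '.join(reasons)}")
```

The double-extension and PE-magic rules cover the fake installers, patches and key generators mentioned above; the zip rules cover both macro-carrying Office files and archives used to smuggle an executable past simple extension filters.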

Locked.zip File Virus – Infection Activity

To begin with, after infection the locked.zip ransomware may drop more than one malicious file on the victim's computer. The dropped files are executables and may be hidden under various names in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

After these files are dropped, the malware may heavily modify Windows registry entries so that the malicious executables run when Windows boots. The sub-keys most likely to be modified, by adding value strings with custom data, are the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Once this has been done, the NotAHero ransomware may terminate, or inject malicious code into, any Windows processes that might interfere with its modification of the victim's files. The following files are associated with this stage:

  • bootsect.bak
  • iconcache.db
  • ntuser.dat
  • thumbs.db

In addition, the locked.zip virus may delete the shadow volume copies on the infected Windows machine. This is achieved by running variations of the following commands. The first line launches them through cmd.exe; vssadmin silently deletes every shadow copy, and the two bcdedit commands disable the Windows recovery environment and make startup ignore boot failures, so that neither System Restore nor automatic repair can be used to get the files back.

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
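Detection logic for the two behaviours described above, the Run/RunOnce persistence writes and the shadow-copy and boot-recovery sabotage commands, added here as a worked example (not code from the original article). It runs over constructed sample telemetry in a simplified "Field=value" form with Sysmon-like field names (EventID 1 for process creation, EventID 13 for a registry value set); the lines, paths and SID are invented, and the rule names and severities are this example's own.

```python
import re

# Constructed sample telemetry (not real Sysmon output). Simplified "Field=value"
# lines with Sysmon-like names: EventID 1 = process creation, 13 = registry value set.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet"',
    r'EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} recoveryenabled no"',
    r'EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
    r'EventID=13 TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate Details="C:\Users\victim\AppData\Roaming\winupdate.exe"',
    r'EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe"',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The Run/RunOnce sub-keys listed above, matched under any hive (HKLM or a user's HKU path).
RUN_KEY_RE = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run(once)?\\', re.I)
# Profile directories the dropper uses; a Run value pointing here is the strong signal.
USER_WRITABLE_RE = re.compile(r'\\(appdata\\(roaming|local|locallow)|temp)\\', re.I)
# The recovery-sabotage commands from the list above; matched on a normalised command line.
COMMAND_RULES = [
    ("vssadmin_delete_shadows", re.compile(r'vssadmin(\.exe)? delete shadows')),
    ("bcdedit_recovery_off", re.compile(r'bcdedit(\.exe)? /set \{default\} recoveryenabled no')),
    ("bcdedit_ignore_boot_failures", re.compile(r'bcdedit(\.exe)? /set \{default\} bootstatuspolicy ignoreallfailures')),
]


def parse_event(line):
    """Turn one sample line into a dict; quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def evaluate(event):
    """Return (rule, severity) findings for one parsed event."""
    findings = []
    if event.get("EventID") == "1":
        # Lower-case and collapse whitespace so quoting/spacing variations still match.
        cmd = " ".join(event.get("CommandLine", "").lower().split())
        for rule, pat in COMMAND_RULES:
            if pat.search(cmd):
                findings.append((rule, "high"))
    elif event.get("EventID") == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        # Every Run/RunOnce write is worth a look; one pointing into a user-writable
        # profile directory is escalated, since that is where the dropped files land.
        sev = "high" if USER_WRITABLE_RE.search(event.get("Details", "")) else "low"
        findings.append(("run_key_persistence", sev))
    return findings


def scan(lines):
    """Apply evaluate() to every line; returns one finding dict per rule hit."""
    return [{"line": i, "rule": r, "severity": s}
            for i, line in enumerate(lines) for r, s in evaluate(parse_event(line))]


def is_recovery_sabotage(findings):
    """True when shadow copies were deleted AND boot recovery was disabled: the pairing
    seen in the command list above, and rare in legitimate administration."""
    rules = {f["rule"] for f in findings}
    return "vssadmin_delete_shadows" in rules and bool(
        rules & {"bcdedit_recovery_off", "bcdedit_ignore_boot_failures"})


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("recovery sabotage sequence:", is_recovery_sabotage(hits))
```

Note that "vssadmin list shadows" is deliberately not flagged: administrators run it routinely, and the signal is deletion, especially combined with the bcdedit changes. On a real host the same rules apply to Sysmon, EDR or Windows Security event data once the CommandLine, TargetObject and Details fields are extracted.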

NotAHero – Locked.zip Compression

Code from free or open-source compression tools, such as 7-Zip or RARLab's WinRAR/UnRAR, may have been used by NotAHero ransomware to move the victim's files into a locked.zip archive and then set a custom password on it.

Once the whole process is complete, the archive password may be unique to each infection or the same for every victim. If it is generated on the spot, it may be transmitted, possibly unencrypted, to the server of the cyber-criminals behind NotAHero ransomware; in that case a network capture from the time of infection may contain it.
Afterwards, the following ransom note file is dropped on the infected system.

  • “Pay me bitcoins to get all your files unlocked.txt”

The file has very simple content, with only one demand:

“Send it to this adress
1NUsi15hENCZYu2Wy3q2RmRmBZF6LUU6pn”

Notably, the note does not specify how much should be sent. In any case, experts strongly advise against paying any ransom and recommend the alternative recovery methods below instead.
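To make the archive-and-password mechanism from this section concrete, here is an added example (not code from the original article or from the malware) that builds a locked.zip in pure Python using the traditional PKWARE "ZipCrypto" scheme, then runs the two checks a responder would perform on a recovered archive: confirm the entry is flagged as encrypted and which method was used, and try a list of candidate passwords. The standard library's zipfile can read ZipCrypto entries but cannot write them, so the encryptor is implemented from the ZIP APPNOTE key schedule; the file name, contents and password are made up.

```python
import io
import os
import struct
import zipfile
import zlib

# --- Traditional PKWARE "ZipCrypto" encryptor (ZIP APPNOTE, section 6.1) ---
# zipfile._ZipDecrypter implements the inverse; the forward direction is not in the stdlib.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = ((_c >> 1) ^ 0xEDB88320) if (_c & 1) else (_c >> 1)
    _CRCTAB.append(_c)


def _crc32_byte(crc, b):
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:           # the three keys are derived from the password alone
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for c in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)          # the key state advances on the plaintext byte
        return bytes(out)


def build_locked_zip(name, plaintext, password):
    """Wrap one stored (uncompressed) file in a minimal ZipCrypto-protected archive."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    enc = ZipCryptoEncryptor(password)
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which is what
    # lets an extractor reject most wrong passwords before it touches the data.
    body = enc.encrypt(os.urandom(11) + bytes([crc >> 24])) + enc.encrypt(plaintext)
    fname = name.encode()
    dtime, ddate = 0, ((2017 - 1980) << 9) | (4 << 5) | 1        # arbitrary DOS date, 2017-04-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dtime, ddate,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dtime, ddate,
                          crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


# --- Responder-side checks on a recovered locked.zip ---
def inspect_archive(blob):
    """Per entry: name, size, encrypted flag (general-purpose bit 0) and compression method.
    Method 99 means WinZip-style AES, which zipfile cannot open and which is not ZipCrypto."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [{"name": zi.filename, "size": zi.file_size,
                 "encrypted": bool(zi.flag_bits & 0x1), "method": zi.compress_type}
                for zi in zf.infolist()]


def try_passwords(blob, name, candidates):
    """Return the first candidate that decrypts `name` with a valid CRC, or None.
    A wrong password normally fails the header check byte (RuntimeError), but one wrong
    guess in 256 passes that check and only fails the CRC (BadZipFile): catch both."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pw in candidates:
            try:
                zf.read(name, pwd=pw)
                return pw
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


def unlock(blob, name, password):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    # Constructed sample: the file name, content and password are made up.
    blob = build_locked_zip("report.docx", b"Q1 figures (constructed sample data)", b"n0tAHero")
    print(inspect_archive(blob))
    print(try_passwords(blob, "report.docx", [b"123456", b"password", b"n0tAHero"]))
```

Before planning a recovery, check the method reported by inspect_archive: 7-Zip and WinRAR can both write AES entries (method 99) that zipfile does not open at all. ZipCrypto entries, by contrast, are weak: given an unencrypted copy of any one archived file (from e-mail, a backup or a sync folder), dedicated known-plaintext tools can recover the keystream and unlock the rest of the archive without the password, which AES entries do not allow.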

Remove Locked.zip (NotAHero) Virus and Get Your Data Back

Before starting the removal process, back up all of your files, whether they have been compressed or not. Then follow the removal steps below. They are divided into manual and automatic removal; step 1 of the manual instructions isolates the threat, after which you can proceed to remove the malicious files by hand. If manual removal is difficult for you, malware researchers strongly advise using an advanced anti-malware program to remove the NotAHero virus automatically and to protect against future infections as well.

After the removal, the focus should be on restoring the files compressed by this ransomware. At the time of writing there is no free decryption available, so we recommend the alternative file-restoration tools in step “2. Restore files archived by Locked.zip Virus” below, but only after backing up all of the files first. Check this article regularly, as we will post an update if there is any development regarding free decryption.

Manually delete Locked.zip Virus from your computer

Note: manual removal of Locked.zip Virus requires changes to system files and the registry, and can therefore damage your PC if done incorrectly. If your computer skills are not at a professional level, don't worry: you can instead use a malware removal tool, which performs the removal for you in around five minutes.

1. Boot your PC in Safe Mode to isolate and remove Locked.zip Virus files and objects
2. Find malicious files created by Locked.zip Virus on your PC

Automatically remove Locked.zip Virus by downloading an advanced anti-malware program

1. Remove Locked.zip Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Locked.zip Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

