SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on February 17, 2016, 05:03:28 pm

Title: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: never on February 17, 2016, 05:03:28 pm
The Locky ransomware is a new virus that has struck the world. It encrypts important documents and files. The threat is very serious, because it can lock people out of their database files as well. Locky ransomware encrypts files with a .locky extension, using the RSA algorithm and AES-128 ciphers.

>More information about the Locky ransomware (http://sensorstechforum.com/remove-locky-ransomware-and-restore-locky-encrypted-files/)

For now there is no known solution for decryption, but you can try using data recovery tools to try to restore your files.

N.B. This is an open topic about Locky ransomware. You can share your experience, ask for help, and upload encrypted files in your comments. We will try to help you in any way we can and will post solutions if we discover any. We urge all users to provide as much information as possible so that our help can be more effective.
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: James on February 18, 2016, 10:27:46 am
Darn! This thing hit me out of the blue! My work documents are locked!!

What do I do? Many of my work files have the .locky extension and my backups are a month old! Is there a way to unlock them?! Please help - these are important files!
Waiting for your answer!
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: kqly on February 18, 2016, 10:35:40 am
Hello,

I have files encrypted with the .locky extension. I am uploading a screenshot of the files here; this is how they look.

How can I bring back my documents? I read "more information" and tried Kaspersky decrypt, but it is not working.

Please help, thank you!
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: mcinn on February 18, 2016, 10:42:08 am
Hi James and kqly,

First, have you already removed the ransomware with an anti-malware program?

Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: kqly on February 18, 2016, 10:45:21 am
Yes, I reinstalled Windows and moved the files to USB.
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: never on February 18, 2016, 11:10:21 am
Hello,

Since there are a lot of users complaining and sending files regarding .locky, I will write a general solution for the ransomware. It is not exactly a solution, but it is the closest you can get to one so far. We will keep you updated once a direct solution or other ways around it come up. Make sure you DO NOT FORMAT YOUR HARD DRIVE OR REINSTALL WINDOWS BEFORE TRYING THE BELOW-MENTIONED METHODS.

I have divided solutions into several methods:

Method 1: Use Volume Shadow Copies In Windows.

There are two options for that:
1) Go to Search and type "File History", open it, go to the last date the files were operational, and restore them. This will not work if you have reinstalled Windows.

2) Download Shadow Explorer (http://www.shadowexplorer.com/downloads.html). This is free third-party software with the same purpose.

Method 2: Use file recovery software.

There are many, many file recovery programs out there. We have tested several so far:

Stellar Phoenix Windows Data Recovery Technicians License (http://sensorstechforum.com/windows-data-recovery-technicians-license-software-review/)
Data Recovery Pro by Pareto Logic (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/)
Stellar Phoenix Windows Data Recovery (http://sensorstechforum.com/stellar-phoenix-windows-data-recovery-software-review/)
Stellar Phoenix Photo Recovery (http://sensorstechforum.com/stellar-phoenix-photo-recovery-software-review/)

We have tested the programs, but bear in mind that you may recover from tens to hundreds of files depending on the files' health. In case you reinstalled Windows and formatted your hard drive, for example, your chances may drop significantly. Keep that in mind before using these programs. Also, bear in mind that they are not decryptors. This software is genuinely created to recover files that are missing, so you might recover some data. For different computers there are different results.

Method 3: Go to a data recovery expert.

You can go to a specialist, but bear in mind that it will cost you a lot of money and it will provide you with relatively the same outcome as the software mentioned above, so we do not recommend it.

Method 4: Wait for a decryptor or another solution.

Despite the fact that .Locky uses a strong mixture of several encryption algorithms, experts are constantly working on finding security weaknesses in the malware itself to reveal a method to unlock the files. We are constantly monitoring Cisco, Emsisoft and Kaspersky as well as other security blogs and forums and will keep you posted as fast as possible when a solution comes up.

Best Regards,
Never
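
A read-only triage sketch for Method 1 above, added here as an example and not part of the original post: it inventories files carrying the .locky extension and reports the earliest modification time among them, which is the point a File History or shadow-copy restore date has to predate. It assumes the ransomware did not reset file timestamps; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

LOCKED_EXT = ".locky"  # extension named in the thread

def inventory(root, ext=LOCKED_EXT):
    """Read-only walk; returns (locked, intact) lists of (path, mtime)."""
    locked, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry: skip it, keep triaging
            bucket = locked if name.lower().endswith(ext) else intact
            bucket.append((path, mtime))
    return locked, intact

def summarize(root):
    """Counts, per-folder damage, and the time a restore point must predate."""
    locked, intact = inventory(root)
    # Assumption: the mtime of a .locky file is the moment it was encrypted.
    cutoff = min((m for _p, m in locked), default=None)
    per_dir = Counter(os.path.dirname(p) for p, _m in locked)
    return {"locked": len(locked), "intact": len(intact),
            "cutoff": cutoff, "per_dir": dict(per_dir)}

def build_sample_tree():
    """Constructed sample data (not real victim files) for an offline run."""
    root = tempfile.mkdtemp(prefix="locky_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    samples = {"report.doc": 1455000000, "A1.locky": 1455700000,
               "B2.LOCKY": 1455700500}
    for name, ts in samples.items():
        path = os.path.join(docs, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (ts, ts))
    return root

if __name__ == "__main__":
    report = summarize(build_sample_tree())
    when = datetime.fromtimestamp(report["cutoff"], tz=timezone.utc)
    print(report["locked"], "locked; restore from before", when.isoformat())
```

Point `summarize()` at a copy or a read-only mount of the affected folder; it only reads metadata and never writes to the tree it scans.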
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: James on February 18, 2016, 11:25:00 am
Whoa! Thanks for the quick answers!

mcinn - yes, I removed the virus with a security app, but still lots of files are locked and this is a major issue for me!

never - thanks for the tips - will try them out!
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: mcinn on February 18, 2016, 11:45:26 am
I was wondering if some victims have decided to pay the ransom... and found a discussion about it on Reddit. Some guy said that they paid coz they were desperate etc... And it worked.. However... My thought is that paying the ransom is not a good idea because financial resource from ransoms only supports cyber crime... and it's growing and evolving constantly... Just backup your files professionally and regularly, especially if you own a business!!! Simple as that. And this is what every IT security guy would advise you..

Just a thought I decided to drop here...
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: never on February 18, 2016, 04:38:56 pm
Hello again,

Yes, backing up the files is the best solution, but the latest information points out that if the files are backed up in Windows, most ransomware infections, such as .locky, delete this backup or encrypt the image file if the backup is created on a system image. This is why I would suggest using other approaches:

-Use an external USB, SSD, HDD or Memory Card to copy the files. This is a hands-on approach and is suitable in case you do not have a lot of files to back up.

-Use an automatic backup uploaded to another server in your local network. Such servers should not be accessed by anyone. In fact only one, maximum two people should have access to the server and configure it so that it goes online only during specific times (for example, when backup is being performed).

-Use cloud backup. This is the 21st century's solution - outsource it. There are many programs out there that encrypt your data and back it up so that it's online on their servers but at the same time accessible only if you go there. One of those programs is called SOS Online Backup (http://sensorstechforum.com/sos-online-backup-software-review/). I use it for my home network and it is very good, because it provides unlimited backup storage, which is good if you have A LOT of data.

Hope this helps some of you out there.
Regards,
Never
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: James on February 19, 2016, 10:08:43 am
never - I have considered the methods you proposed up in the comments. It seems that shadow copies is a disabled option on my PC. I also don't want to pay anything for data recovery software unless necessary - do those programs have free trials, or can you recommend good free ones?
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: never on February 19, 2016, 12:17:08 pm
Yes, there are many free programs out there but they lack certain fundamental features such as choosing what type of files you are looking for or selecting an exact folder to scan. If any users know such programs that recover files at the same rate as the ones above, I urge them to share them with us.

Regards,
Never
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: mcerdem on February 21, 2016, 02:26:35 pm
@infected users: so that I can analyze it, please share here some encrypted and decrypted files (if you have them) for Locky ransomware.
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: brahim on February 22, 2016, 04:24:48 pm
Hello,

I have files encrypted with the .locky extension. I am uploading a screenshot of the files here; this is how they look.

How can I bring back my documents?
I read "more information" and tried Anti Malware, Kaspersky decrypt, Remo Recover, Recuva, SpyHunter...
but it is not working.

Please help thank you!
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: Execute on February 24, 2016, 11:02:50 am
@brahim, yes, you can upload screenshots.

There is no reported working recovery method for now. Try other data recovery software like EaseUS (http://www.easeus.com/) which is among the good free ones, or you can try paid ones like Stellar Phoenix (http://sensorstechforum.com/stellar-phoenix-windows-data-recovery-software-review/) or the one by Pareto Logic (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/). If you have formatted your hard drives and if other software doesn't work at all, your chances are not that big, but you can still try. You might have some luck.

@James, what happened? Have you succeeded in recovering any files?

Best Regards,
Execute
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: mcerdem on February 24, 2016, 11:12:20 am
Hello,

I have files encrypted with the .locky extension. I am uploading a screenshot of the files here; this is how they look.

How can I bring back my documents?
I read "more information" and tried Anti Malware, Kaspersky decrypt, Remo Recover, Recuva, SpyHunter...
but it is not working.

Please help thank you!

Can you please upload one or more encrypted files to any upload web site?
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: James on February 26, 2016, 08:59:05 am
@Execute - yes, but unfortunately - not many. EaseUS recovered some files and Stellar Phoenix recovered a few more, but the majority of my files, which I needed, are still locked. :( I have saved them on another disk and will wait for a decryption tool or another method. Can you write to me and keep me updated if anything new is found?

Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: Execute on February 26, 2016, 10:00:40 am
@James,
sorry to hear that, but I guess there isn't much we can do. Saving the files is the right course of action.
We will keep you posted if there are new developments, undoubtedly!

Kind Regards,
Execute
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: never on February 26, 2016, 04:18:37 pm
Hello, James

Try scanning multiple times for your files and let us know how that goes for you and if the results are the same or not. We are currently monitoring most of the big security companies who are aware of the situation and will let you know with a reply in this forum topic if a relevant decryption method has come out.

PS: We are also researching new recovery software that is cheaper or free and will keep you posted.

Meanwhile, if you know how to disassemble your hard drive, take it to your local data recovery expert and try it this way. If he or she is not able to recover the files, they usually may not charge you money for that.

Good Luck and Best Regards,
Never
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: James on February 29, 2016, 08:06:43 am
@never - well, the extra scans didn't recover additional files. Thank you for the feedback, I appreciate it. I hope you find something that could help more. I don't want to touch my hard drive and besides, I don't know any data recovery experts where I am.

Thanks again!
Title: Re: Remove .Locky Ransomware and Restore the Encrypted Files
Post by: mcerdem on May 02, 2016, 01:34:05 pm
Has anyone succeeded in decrypting .locky files?