.L0CKED File Virus (Decrypt Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.L0CKED File Virus (Decrypt Files)

This article aims to help you remove the new EDA2 .L0CKED ransomware variant dropping DecryptFile.txt note and to try and restore .L0CKED encrypted files.

The virus, claiming to use RZA4096 key is actually the latest variant of EDA2 ransomware viruses and is actually a fake encryption algorithm, pretending to be RSA-4096. What is typical for these variants is that they are in the hundreds when you count them, because the virus has been released as an open source-free code online. In case you have become a victim of the virus, it is advisable not to pay the demanded by it sum of 0.3 BTC and make sure to read our article to learn how to remove the virus and hopefully restore your files for free, using the EDA2 decrypter.

Threat Summary


L0CKED Virus

TypeRansomware Virus
Short DescriptionNew EDA2 iteration. Using the .L0CKED file extension and a weak encryption algorithm.
SymptomsDemands victims to visit a TOR-based web page. Demands payment of 0.3 BTC to decrypt files. Changes wallpaper and drops a DecryptFile.txt ransom note with the same demands.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by L0CKED Virus


Malware Removal Tool

User ExperienceJoin our forum to Discuss L0CKED Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .L0CKED EDA2 Virus Infect

Since this virus has been released in numerous variants, such as PokemonGo ransomware and FSociety which’s idea comes from the Anonymous-inspired hacking group in the Mr.Robot tv-series.

Similar to the other variants, the .L0CKED virus uses the same strategy to spread – a malicious executable which may be located on different places online. One of the most likely infection vectors is via e-mails. Such infections may be administered via a remote service which initiates massive spam campaigns of phishing e-mail messages. Such messages may resemble legitimate e-mails from providers, such as:

  • FedEx.
  • Amazon.
  • eBay.
  • Wallmart.
  • A bank branch.

They also include convincing items, such as text as well as images, which are focused primarily on getting victims to open a malicious attachment. Once this has already happened, the .L0CKED virus, may drop a malicious executable on the compromised computer.

Then, the malicious .exe of the .L0CKED virus may create a user profile in the Computer Management tab and create registry values for this profile in the following key:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

After this has been done, the .L0CKED virus may also create an Autorun.inf file which if executed on startup will get this EDA2 variant to get straight to file encryption on system startup.

.L0CKED EDA2 Ransomware – Post-Infection Actions

After already having infected the computer it has sent spam to, the . L0CKED virus begins to immediately encrypt files of the following types:

→ *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd.

After encryption the wallpaper is changed and the DecryptFile.txt ransom note is dropped, both of which have the same message for the user:

The message leads to a TOR-based website which has the following demands to pay the hefty sum of 0.3 BTC:

The bottom line is that this EDA2 variant is decryptable, just like the other EDA2 Ransomware versions and you should remove it immediately and decrypt the files.

How to Remove .L0CKED Virus and Decrypt The Files

In order to fully remove the virus and decrypt your files, we advise you to follow methodologically the instructions below. They will help you to firstly remove the .L0CKED virus’ files as well as the objects it has created in the Windows Registry. For maximum effectiveness, it is recommended to use an advanced anti-malware scanner and use it to remove all files associated with the virus from your computer.

Manually delete L0CKED Virus from your computer

Note! Substantial notification about the L0CKED Virus threat: Manual removal of L0CKED Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove L0CKED Virus files and objects
2.Find malicious files created by L0CKED Virus on your PC

Automatically remove L0CKED Virus by downloading an advanced anti-malware program

1. Remove L0CKED Virus with SpyHunter Anti-Malware Tool and back up your data
2. Decrypt Files encrypted by L0CKED Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.