.L0CKED File Virus (Decrypt Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.L0CKED File Virus (Decrypt Files)

This article aims to help you remove the new EDA2 ransomware variant that uses the .L0CKED extension and drops a DecryptFile.txt note, and to try to restore the files it has encrypted.

The virus claims to use an RZA4096 key, but it is actually the latest variant of the EDA2 ransomware viruses and uses a fake encryption algorithm that pretends to be RSA-4096. These variants number in the hundreds, because the virus code has been released online as free, open-source code. If you have become a victim of the virus, it is advisable not to pay the 0.3 BTC it demands. Read this article to learn how to remove the virus and, hopefully, restore your files for free using the EDA2 decrypter.

Threat Summary


Name: L0CKED Virus
Type: Ransomware Virus
Short Description: New EDA2 iteration. Uses the .L0CKED file extension and a weak encryption algorithm.
Symptoms: Demands that victims visit a TOR-based web page. Demands payment of 0.3 BTC to decrypt files. Changes the wallpaper and drops a DecryptFile.txt ransom note with the same demands.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .L0CKED EDA2 Virus Infect

This virus has been released in numerous variants, such as PokemonGo ransomware and FSociety, whose idea comes from the Anonymous-inspired hacking group in the Mr. Robot TV series.

Similar to the other variants, the .L0CKED virus uses the same strategy to spread: a malicious executable which may be located in different places online. One of the most likely infection vectors is e-mail. Such infections may be administered via a remote service which initiates massive spam campaigns of phishing e-mail messages. Such messages may resemble legitimate e-mails from providers such as:

  • FedEx.
  • Amazon.
  • eBay.
  • Walmart.
  • A bank branch.

They also include convincing items, such as text and images, which are focused primarily on getting victims to open a malicious attachment. Once this has happened, the .L0CKED virus may drop a malicious executable on the compromised computer.

Then, the malicious .exe of the .L0CKED virus may create a user profile in the Computer Management tab and create registry values for this profile in the following key:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

After this has been done, the .L0CKED virus may also create an Autorun.inf file which, if executed on startup, makes this EDA2 variant go straight to file encryption when the system starts.

.L0CKED EDA2 Ransomware – Post-Infection Actions

After infecting the computer that received the spam, the .L0CKED virus immediately begins to encrypt files of the following types:

→ *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd.

After encryption the wallpaper is changed and the DecryptFile.txt ransom note is dropped, both of which have the same message for the user:

The message leads to a TOR-based website which has the following demands to pay the hefty sum of 0.3 BTC:

The bottom line is that this EDA2 variant is decryptable, just like the other EDA2 ransomware versions, so you should remove it immediately and decrypt the files.
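Before removal and decryption, it helps to know exactly which files were hit. The script below is an added example, not part of the original article: it walks a directory tree and lists files with the .L0CKED extension, DecryptFile.txt notes and Autorun.inf files, and flags encrypted files whose original type is not in the list above. It assumes the variant appends .L0CKED to the original file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".l0cked"            # extension named in the article
NOTE_NAME = "decryptfile.txt"     # ransom note named in the article
# File types the article lists as encryption targets.
TARGET_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb", ".hwp",
               ".pdf", ".php", ".asp", ".aspx", ".html", ".xml", ".psd"}


def inventory(root):
    """Walk root and report encrypted files, ransom notes and Autorun.inf."""
    report = {"encrypted": [], "notes": [], "autorun": [],
              "by_type": Counter(), "unexpected": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path)
            elif lower == "autorun.inf":
                report["autorun"].append(path)
            elif lower.endswith(LOCKED_EXT):
                # Assumption: .L0CKED is appended, e.g. report.docx.L0CKED
                original = os.path.splitext(lower[:-len(LOCKED_EXT)])[1]
                report["encrypted"].append(path)
                report["by_type"][original or "(none)"] += 1
                if original not in TARGET_EXTS:
                    report["unexpected"].append(path)
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files with illustrative names."""
    names = ["docs/report.docx.L0CKED", "docs/budget.xlsx.L0CKED",
             "docs/DecryptFile.txt", "pics/photo.jpg.l0cked",
             "pics/untouched.png", "misc/archive.zip.L0CKED", "Autorun.inf"]
    for rel in names:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(inventory(tmp))
```

Entries under "unexpected" are encrypted files of a type the article does not list, which suggests the sample at hand targets more file types than this variant. The script only reads directory listings, so it can be run against a backup copy of the affected data.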

How to Remove .L0CKED Virus and Decrypt The Files

To fully remove the virus and decrypt your files, we advise you to follow the instructions below methodically. They will help you first remove the .L0CKED virus' files as well as the objects it has created in the Windows Registry. For maximum effectiveness, it is recommended to use an advanced anti-malware scanner to remove all files associated with the virus from your computer.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
