The virus, which claims to use an RZA4096 key, is actually the latest variant of the EDA2 ransomware family, and the claimed algorithm is a fake that pretends to be RSA-4096. These variants number in the hundreds because the code has been released online as free open source. If you have become a victim of the virus, it is advisable not to pay the 0.3 BTC it demands; read our article to learn how to remove the virus and hopefully restore your files for free, using the EDA2 decrypter.
|Short Description||New EDA2 iteration that uses the .L0CKED file extension and a weak encryption algorithm.|
|Symptoms||Directs victims to visit a TOR-based web page. Demands payment of 0.3 BTC to decrypt files. Changes the wallpaper and drops a DecryptFile.txt ransom note with the same demands.|
How Does .L0CKED EDA2 Virus Infect
Like the other variants, the .L0CKED virus spreads through a malicious executable that may be hosted in different places online. One of the most likely infection vectors is e-mail. Such infections may be delivered via a remote service that runs massive spam campaigns of phishing e-mail messages. These messages may resemble legitimate e-mails from providers, such as:
- A bank branch.
They also include convincing elements, such as text and images, whose main purpose is to get victims to open a malicious attachment. Once this has happened, the .L0CKED virus may drop a malicious executable on the compromised computer.
Then, the malicious .exe of the .L0CKED virus may create a user profile in the Computer Management tab and create registry values for this profile in the following key:
→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
After this has been done, the .L0CKED virus may also create an Autorun.inf file which, if executed on startup, makes this EDA2 variant proceed straight to file encryption.
.L0CKED EDA2 Ransomware – Post-Infection Actions
After infecting the computer of a user it has sent spam to, the .L0CKED virus immediately begins to encrypt files of the following types:
→ *.txt, *.doc, *.docx, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.jpg, *.png, *.csv, *.sql, *.mdb, *.hwp, *.pdf, *.php, *.asp, *.aspx, *.html, *.xml, and *.psd.
After encryption, the wallpaper is changed and the DecryptFile.txt ransom note is dropped, both of which carry the same message for the user:
The message leads to a TOR-based website that demands payment of the hefty sum of 0.3 BTC:
The bottom line is that this EDA2 variant is decryptable, just like the other EDA2 ransomware versions, and you should remove it immediately and decrypt the files.
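To scope the damage before cleanup and decryption, the on-disk indicators named above (the .L0CKED extension, the DecryptFile.txt note, an Autorun.inf file and the targeted file types) can be inventoried with a read-only scan. The script below is an added example, not code from the original article or from any decrypter; the function names and the sample tree are constructed for illustration, and it assumes the extension is appended to the original file name.

```python
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".l0cked"         # extension named on this page (matched case-insensitively)
NOTE_NAME = "decryptfile.txt"  # ransom note named on this page
AUTORUN_NAME = "autorun.inf"   # startup file named on this page
# File types the page lists as encryption targets.
TARGET_TYPES = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
                ".jpg", ".png", ".csv", ".sql", ".mdb", ".hwp", ".pdf", ".php",
                ".asp", ".aspx", ".html", ".xml", ".psd"}

def triage(root):
    """Walk root read-only and collect the on-disk indicators described above."""
    report = {"locked": [], "notes": [], "autorun": [], "at_risk": [],
              "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if ext == LOCKED_EXT:
                report["locked"].append(path)
                # Assumption: the extension is appended to the original file name.
                report["by_type"][os.path.splitext(stem)[1] or "(none)"] += 1
            elif lower == NOTE_NAME:
                report["notes"].append(path)
            elif lower == AUTORUN_NAME:
                report["autorun"].append(path)
            elif ext in TARGET_TYPES:
                report["at_risk"].append(path)  # targeted type, not yet renamed
    return report

def build_sample(root):
    """Create a constructed sample tree (empty files) for the demonstration."""
    for rel in ("docs/report.docx.L0CKED", "docs/photo.jpg.L0CKED",
                "docs/DecryptFile.txt", "docs/notes.txt", "Autorun.inf",
                "bin/tool.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print("encrypted files:", len(result["locked"]), dict(result["by_type"]))
        print("ransom notes:", result["notes"])
        print("autorun files:", result["autorun"])
        print("targeted types not yet encrypted:", result["at_risk"])
```

Files reported under the last heading are worth copying to offline storage first, since they match the targeted types but still carry their original names.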
How to Remove .L0CKED Virus and Decrypt The Files
To fully remove the virus and decrypt your files, we advise you to follow the instructions below methodically. They will help you first remove the .L0CKED virus’ files as well as the objects it has created in the Windows Registry. For maximum effectiveness, it is recommended to use an advanced anti-malware scanner to remove all files associated with the virus from your computer.