.lckd Files Virus (l0cked Ransomware) – Remove and Decrypt Encrypted Data


This article explains what the l0cked ransomware infection is, how to remove it, and how to restore files that have been encrypted and had the .lckd file extension appended to them.

Malware researchers have reported a new ransomware virus, believed to be a version of the L0cked ransomware family, that encrypts the files on the computers it infects. The malware, which leaves behind the file extension .lckd, also drops a ransom note that asks victims to contact [email protected] and gives a deadline to pay the sum of $250 in BitCoin for the cyber-criminals to decrypt the files and make them openable again. Otherwise, the virus threatens to delete the files on the computer system. If your computer has been infected by the .lckd files virus, we recommend that you read this article to learn how to remove the ransomware and restore the files it has encrypted on your PC.

Threat Summary

Name: .lckd Files Virus
Type: Ransomware, Cryptovirus
Short Description: Believed to be a variant of the “l0cked” family of ransomware viruses. Encrypts your files and holds them hostage until a ransom is paid in BitCoin.
Symptoms: The files are encrypted and the .lckd file extension is added. The wallpaper on the infected computer is changed and a ransom note is automatically opened.
Distribution Method: Spam Emails, Email Attachments, Executable files

.lckd Files Virus – How Did I Get It

There are two primary ways in which the .lckd ransomware virus may have infected your computer system: active or passive. With active methods, the cyber-criminals may send you the malicious infection object, which is often an e-mail attachment or a malicious web link sent via chat. If sent by e-mail, the virus may resemble legitimate documents, for instance:

  • Invoices.
  • Receipts.
  • Purchase documents.
  • Car tickets and fees.
  • Banking information.

Usually, the cyber-criminals spamming you with such e-mails aim to mask them and make them appear as if they come from big companies, like:

  • PayPal.
  • DHL.
  • FedEx.
  • Amazon.
  • Banking information.
  • eBay.
  • AliExpress.

The e-mails may contain cunning statements in their body as well, for example:

In addition to malicious e-mails, the virus may also be passively uploaded on suspicious sites or torrent trackers. The malware is usually hidden as:

  • A driver or a setup of a free program.
  • A game patch.
  • Crack for programs or games.
  • Key generator.
  • Any other form of software license activators.
  • Fake cheats for games.

The .lckd Files Virus – Analysis

The .lckd files virus belongs to the cryptoviruses, whose primary purpose is to encrypt files on your computer so that they seem corrupt and can no longer be opened. As soon as it has infected your computer, the .lckd files virus performs several activities, starting with dropping its malicious payload. The payload may consist of one or more files, which may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

As soon as the malicious files of the .lckd ransomware infection are dropped on the victim’s computer, the malware may begin to create mutexes and may also copy itself under different names. The ransomware may also check if it’s running on a Virtual Drive and, if this is the case, the .lckd files virus may delete itself.

The .lckd files virus may also delete the shadow volume copies on your PC by running commands in the Windows Command Prompt as an administrator. The commands may be run in the background, without you being able to notice or stop them. As a result, you may not be able to restore the encrypted files on your PC via Windows backup. The commands are believed to be the following:

→ vssadmin delete shadowstorage /for={drive}: [/on={drive}:] [/quiet]
bcdedit /set bootstatuspolicy ignoreallfailures
bcdedit /set recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No
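
The commands above leave a recognisable trace in process-creation logs. The following detection logic is an added example, not code from the original article: it matches those command lines in constructed sample events and goes slightly beyond the listed commands by also covering the closely related "vssadmin delete shadows" form. Host names, rule names and the (host, command line) event format are assumptions.

```python
import re
from collections import defaultdict

# The tool name must start the line, a path component or a chained command.
_EXE = r"(?:^|[\\/ &|(])"
_BCD = _EXE + r"bcdedit(?:\.exe)? /set (?:\{[\w-]+\} )?"

# Hypothetical rule names -> patterns applied to a normalized command line.
RULES = {
    "vss_delete": re.compile(_EXE + r"vssadmin(?:\.exe)? delete shadow(?:s|storage)\b"),
    "bcd_recovery_off": re.compile(_BCD + r"recoveryenabled (?:no|off)\b"),
    "bcd_ignore_failures": re.compile(_BCD + r"bootstatuspolicy ignoreallfailures\b"),
}

def normalize(cmdline):
    """Lower-case, drop double quotes and collapse runs of whitespace."""
    return " ".join(cmdline.lower().replace('"', "").split())

def match_rules(cmdline):
    """Names of all rules that fire on one command line."""
    norm = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def scan(events):
    """Map each host to the sorted rule names seen in its (host, cmdline) events."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(match_rules(cmdline))
    return {host: sorted(rules) for host, rules in hits.items() if rules}

def high_confidence(events):
    """Hosts where shadow deletion coincides with a bcdedit recovery change."""
    return sorted(h for h, r in scan(events).items()
                  if "vss_delete" in r and len(r) >= 2)

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    ("WS-014", r'cmd.exe /c vssadmin delete shadowstorage /for=c: /quiet'),
    ("WS-014", r'"C:\Windows\System32\bcdedit.exe"  /set {default} recoveryenabled No'),
    ("WS-014", r'bcdedit /set bootstatuspolicy ignoreallfailures'),
    ("WS-022", r'vssadmin list shadows'),
    ("WS-022", r'bcdedit /set {default} recoveryenabled Yes'),
    ("SRV-003", r'vssadmin.exe Delete ShadowStorage /For=D: /On=D: /Quiet'),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print("high confidence:", high_confidence(SAMPLE_EVENTS))
```

A single rule hit, such as an administrator resizing shadow storage, deserves review; the combination on one host is the stronger signal.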

In addition to this, the .lckd ransomware may also set custom registry value strings with data in them that points to the actual name and location of the malicious files. The data is located in the Run and RunOnce registry sub-keys, which have the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
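
One way to audit the Run and RunOnce sub-keys for values that point into the user-writable drop directories listed earlier, shown as an added example (not code from the original article). It parses text in the layout printed by reg query; the sample output, value names and file names are constructed, and the allowlist parameter is a hypothetical helper for known-good entries.

```python
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)$", re.IGNORECASE)
VALUE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")  # name, type, data
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1|scr))(?=\s|$)', re.I)

# Drop locations from the article, most specific first; %...% covers REG_EXPAND_SZ.
LOCATIONS = [
    ("Temp", ("\\appdata\\local\\temp\\", "%temp%\\", "%tmp%\\")),
    ("LocalLow", ("\\appdata\\locallow\\",)),
    ("Local", ("\\appdata\\local\\", "%localappdata%\\")),
    ("Roaming", ("\\appdata\\roaming\\", "%appdata%\\")),
]

def classify(data):
    """Return (program path, location label or None) for one value's data."""
    m = TARGET.match(data.strip())
    target = (m.group(1) or m.group(2)) if m else data.strip()
    low = target.lower()
    for label, needles in LOCATIONS:
        if any(n in low for n in needles):
            return target, label
    return target, None

def audit(reg_output, allowlist=()):
    """List (key, value name, location, path) for autoruns in user-writable dirs."""
    allowed = {p.lower() for p in allowlist}
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip() if RUN_KEY.search(line.strip()) else None
        elif key and (m := VALUE.match(line)):
            target, where = classify(m.group(3))
            if where and target.lower() not in allowed:
                findings.append((key.rsplit("\\", 1)[1], m.group(1), where, target))
    return findings

# Constructed sample of reg query output (not taken from an infected machine).
SAMPLE = r'''HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ctfmon    REG_SZ    C:\Windows\System32\ctfmon.exe
    winupd    REG_SZ    C:\Users\alice\AppData\Roaming\winupd.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    cleanup    REG_EXPAND_SZ    %TEMP%\a1b2.exe /s
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Legitimate software also starts from AppData (the OneDrive entry in the sample), so findings are candidates for review rather than verdicts.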

After the .lckd files virus has modified the Windows Registry, the malware may also change your wallpaper to the following image:

Text from Image:
Your Pc is hacked!

Files are encrypted, if you decrypt the files
contact us!

Email address : decrytorsoon301©aol.com.

As soon as the .lckd files virus has done this, the malware may also automatically open its ransom note, which appears like the following:

After this has been done, the .lckd files ransomware may begin to perform different types of activities, which eventually lead to your files being encrypted.

.lckd Files Virus – Encryption Process

In order to encrypt the files on your PC, the .lckd files virus may first scan your computer for specific files, while excluding system files located in your %SystemDrive%. The targeted files are usually documents, images, archives, videos and other important data. The .lckd virus looks for the files based on a pre-configured list of file extensions. These file extensions are believed to be the following:


In addition to this, the .lckd files virus may alter the header or blocks of data from the original files and then add its distinctive .lckd file extension. This may eventually result in the malware beginning to change your files to the following appearance:

Remove .lckd Files Virus and Restore Your Encrypted Files

In order to delete the .lckd ransomware from your computer, we recommend following the manual or automatic removal instructions underneath this article. They are written to help you get rid of the .lckd files virus based on how much experience you have with malware removal. For maximum effectiveness, security researchers strongly advise victims to use anti-malware software with advanced removal capabilities to automatically get rid of this ransomware infection and protect the computer against future infections.

If you want to restore files that have been encrypted by this infection on your PC, we recommend following the file recovery instructions in step “2. Restore files, encrypted by .lckd Files Virus” underneath. First try the decryptor; if this virus is a part of the l0cked family of ransomware infections, the program may work. If not, do not despair and try the alternative methods in red underneath. These methods are not a 100% guarantee that you will be able to get .lckd files to open again, but they may help you restore at least some of the encoded files.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
