Lock75 (Fluffy) File Virus Restore Files

This article is designed to help you remove the Fluffy-TAR ransomware and, hopefully, get back files encrypted with the lock75 extension added to them.

A ransomware virus that appends the lock75 extension immediately after the names of the files it encrypts has been detected. The virus is named Fluffy-TAR ransomware and uses the strongest AES cipher possible, AES-256, to encrypt files on the computers it infects. After the encryption, the Fluffy virus drops a well-designed ransom note which demands that victims pay the sum of 0,039 BTC in order to get the files back from the cyber-criminals behind it. In case your computer has been infected by the Fluffy ransomware, we recommend reading this article carefully.

Threat Summary


Lock75 Virus

Short Description: The malware encrypts users' files using the AES-256 encryption cipher, making direct decryption possible only via a unique symmetric decryption key available to the cyber-criminals.
Symptoms: The user may see ransom notes and an “instructions” screen asking for a payment of approximately 0,039 BTC. File names are changed and the file extension lock75 is added.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

Fluffy lock75 Virus – How Does It Infect

Fluffy ransomware may be distributed through spam e-mail messages that infect users' PCs. Usually such messages are sent via spamming software and spam kits that contain a pre-configured list of victims’ e-mail addresses. The spam messages usually contain deceitful text that aims to lure users into either clicking on a web link or opening the attachment.
Such convincing statements may sometimes even include information about your account, such as your name, address and so on. This information is usually gathered from websites on which many victims have registered and left their personal information. If compromised, those websites can reveal many different details about users, making them potential victims of Fluffy ransomware’s distributors.

This infection may also spread through fake installers of programs, game activation software, license removers and other fake executables that are uploaded to torrent websites via compromised accounts and downloaded by the victim. Such files may also be published on suspicious websites or pushed to the user's PC as a result of having a PUP (Potentially Unwanted Program) installed on the computer.

Fluffy Ransomware – Infection Activity

Once Fluffy ransomware has infected a given computer, the virus may use exploits to drop its malicious files while remaining undetected on the victim’s computer. Once this has been done, the Fluffy ransomware infection may begin to connect to the following hosts:

  • – Romanian
  • – Swedish

From these hosts, the malicious files of the Fluffy virus may be downloaded onto the computer of the victim. These files may consist of a malicious executable and an image, named as follows:

  • Fluffy.exe
  • Fluffy.png

Along with these malicious files, Fluffy ransomware may also drop other support files that may perform malicious activity on the compromised computer. One of those activities may be to delete the shadow volume copies on the infected computer – activity achieved by using the following commands:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
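
The three recovery-inhibiting commands above are a practical detection point. The following is an added example, not part of the original article: it matches them in process-creation records and raises the severity for a host where more than one appears. The pipe-separated record format, host names, PIDs and parent paths are constructed for illustration.

```python
import re
from collections import defaultdict

# One rule per recovery-inhibiting command listed in the article.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed sample records: host|pid|parent image|command line
SAMPLE_EVENTS = r"""
WS-014|4120|C:\Windows\explorer.exe|"C:\Program Files\App\app.exe" --update
WS-014|5288|C:\Users\bob\AppData\Local\Temp\Fluffy.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
WS-014|5301|C:\Windows\System32\cmd.exe|bcdedit.exe /set {default} recoveryenabled no
WS-014|5310|C:\Windows\System32\cmd.exe|BCDEDIT  /set {default} bootstatuspolicy IgnoreAllFailures
SRV-02|880|C:\Windows\System32\mmc.exe|vssadmin.exe list shadows
SRV-02|912|C:\Windows\System32\cmd.exe|bcdedit.exe /set {default} recoveryenabled yes
"""

def scan(events_text):
    """Return one hit per (record, rule) match, in input order."""
    hits = []
    for line in events_text.strip().splitlines():
        parts = line.split("|", 3)  # command line may itself contain '|'
        if len(parts) != 4:
            continue  # skip malformed records
        host, pid, parent, cmdline = parts
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append({"host": host, "pid": int(pid),
                             "parent": parent, "rule": name})
    return hits

def triage(hits):
    """Two or more distinct rules on one host is treated as high severity."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["host"]].add(hit["rule"])
    return {h: ("high" if len(r) >= 2 else "review") for h, r in by_host.items()}

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(triage(found))
```

Listing shadow copies or re-enabling recovery does not match, so routine administration on SRV-02 produces no hit.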

In addition to this, Fluffy ransomware may also perform multiple other activities, among them tampering with the Windows Registry sub-keys for running programs on system boot and for changing the wallpaper:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

Fluffy Virus – Encryption Process

Fluffy ransomware encrypts files with the AES-256 encryption algorithm, which replaces blocks of the files' data with encrypted data. This makes the files no longer openable. The virus then generates a symmetric decryption key, which is sent to the servers of the cyber-criminals, making them the only ones able to decrypt the files.

The encrypted files have the lock75 extension added to their names.

After the encryption process has been completed, the lock75 ransomware infection may drop its ransom note, which contains the following message that leads to the TOR-based web-page 3qsp4lc4ajyk4ccb.onion:

What’s happening?
Oh no! Fluffy-TAR has encrypted some of your files! It means they are not lost, but cannot be used until decrypted.
They are “locked”, you could say. If you see a file which name ends with “lock75”, it means this file is encrypted. The process is easily reversible but requires a key.
What do I do?
To get your files back, you must buy the decryption key. This payment must be done in Bitcoins, a cryptographic currency. Bitcoin is becoming more and more accessible and nowadays, it is really easy to use bitcoins. See the online interface (button below) for a more detailed introduction to bitcoins.
To get your files back, please send exactly (or more if you want) 0.039 Bitcoins to this address, BEFORE the countdown below ends:
Uppercase/lowercase matter! Make sure you send to the right address! (you can scan the QR code to copy it)
After sending the payment, wait an hour then click the “Retrieve key automatically” button below.
The software will then receive the key and decrypt ALL encrypted files.
Without the key, it is impossible to decrypt your files. Without the proper payment, it is impossible to get the key.
When the countdown reaches zero, you will lose all encrypted documents.
Please note: If you have an antivirus, disable it now if you don’t want to lose your data.

Among the encrypted files are the following file types:

→ .3fr, .7z, .abu, .accdb, .ai, .arp, .arw, .asp, .aspx, .ass, .asset, .ava, .avi, .bas, .bay, .bdcr, .bdcu, .bdd, .bdp, .bds, .bikey, .blend, .bmp, .bpdr, .bpdu, .bsdr, .bsdu, .c, .cc, .cd, .cdr, .cer, .class, .com, .config, .cpp, .cr2, .crt, .crw, .cs, .csv, .cxx, .db, .dbf, .dbx, .dcr, .dd, .dds, .der, .dng, .doc, .docm, .docx, .DTD, .dwg, .dxf, .dxg, .eps, .erf, .fdb, .forge, .gdb, .gif, .groups, .gsd, .gsf, .h, .hpp, .htm, .html, .ims, .indd, .iss, .jar, .java, .jpe, .jpeg, .jpg, .js, .jsp, .kdc, .key, .kwm, .lua, .m, .md, .mdb, .mdf, .mef, .mp3, .mpg, .mrw, .msg, .nef, .nrw, .oab, .obj, .odb, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .PAS, .pas, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pl, .png, .ppk, .ppt, .pptm, .pptx, .ps, .psd, .pst, .psw, .ptx, .pwm, .py, .r3d, .raf, .rar, .RAW, .raw, .rgx, .rik, .rm, .rtf, .rw2, .rwl, .safe, .sav, .sln, .sql, .srf, .srw, .swf, .swift, .tex, .txt, .vcf, .vsd, .wb2, .wpd, .wps, .xcf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xml, .zip

Fluffy lock75 Virus – How to Remove it and Restore Your Files

If the infection has already happened, the first action should be to back up the files encrypted by the lock75 ransomware.
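
One way to carry out that backup before any removal work, as an added example that is not part of the original article: copy every file whose name ends in lock75 to a separate location, verify each copy by SHA-256 and write a manifest. The function names, the manifest file name and the paths in the usage comment are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def backup_encrypted(root, dest, suffix="lock75"):
    """Copy files whose name ends with `suffix` from root to dest.

    Returns a list of (relative path, size, sha256) for the copied files.
    The name check covers both "name.extlock75" and "name.ext.lock75".
    """
    root, dest = Path(root).resolve(), Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(root.rglob("*")):  # listed up front, before any copy
        if not src.is_file() or not src.name.lower().endswith(suffix):
            continue
        if dest in src.parents:
            continue  # do not re-copy an earlier backup stored under root
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # keeps timestamps for later analysis
        digest = sha256_of(src)
        if sha256_of(target) != digest:
            raise IOError(f"copy of {src} does not match the original")
        manifest.append((src.relative_to(root).as_posix(),
                         src.stat().st_size, digest))
    lines = [f"{d}  {size}  {rel}" for rel, size, d in manifest]
    (dest / "manifest.sha256").write_text("\n".join(lines) + "\n")
    return manifest

if __name__ == "__main__":
    # Hypothetical paths: a user profile and an external drive.
    for entry in backup_encrypted(r"C:\Users\bob", r"E:\lock75-backup"):
        print(entry)
```

Writing the backup to removable media that is disconnected afterwards keeps the copies out of reach of the still-infected system.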

Then we recommend following the removal instructions below, which will help you isolate this virus and remove its files. In case you feel uncertain about manual removal, we recommend removing the malicious files automatically by using an advanced anti-malware program. Such a program will ensure that all files and objects associated with Fluffy ransomware are removed from your computer and that future protection is ensured.

After removing Fluffy ransomware, we advise using the methods in step “2. Restore files encrypted by Fluffy” from the instructions below. They may not ensure the recovery of all your files, but via them you can restore at least some of the data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
