Locked.zip (NotAHero) Ransomware Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Locked.zip (NotAHero) Ransomware Remove and Restore Files

This article shows you how to remove the NotAHero ransomware infection completely from your computer and restore files held in a locked.zip archive.

A ransomware virus of the file-encryption kind was detected in April 2017 using password-protected .zip archives after it infects users' computers. The malware is also known as NotAHero ransomware and demands that victims whose computers have been affected pay a hefty ransom fee in BitCoins in order to get the password for the archive. The virus then drops a “Pay me bitcoins to get all your files unlocked.txt” file in which a BitCoin address of the cyber-criminals behind this virus can be found. In case you have become a victim of this ransomware infection, we recommend reading the following article to learn how to remove NotAHero ransomware and restore files encrypted by it.

Threat Summary


Name: Locked.zip Virus
Short Description: Archives important files on the compromised computers in a password protected .zip file and then demands a hefty ransom fee to be paid to get the unlock password.
Symptoms: The victim may not be able to open the files. A file locked.zip may appear in their place. Additionally a file, named “Pay me bitcoins to get all your files unlocked.txt” may be found with a ransom note in it.
Distribution Method: Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

NotAHero Locked.zip Virus – How Does It Infect

The infection process of the locked.zip file virus may be conducted via multiple different methods, the main of which is e-mail spam messages that may include malicious e-mail attachments embedded within them.

These e-mail attachments may be within an archive or may be uploaded as Microsoft Office documents, which only seem legitimate. They are usually accompanied by deceptive messages that aim to convince inexperienced victims of this ransomware infection to open the attachments. One example can be seen below:

Another method of infecting users with this ransomware is to present it as a fake setup of a program, a fake update of software or any other similar fraudulent file. Other files can also be uploaded on torrent websites, pretending to be game patches, software activators or key generators, but actually cause the infection via obfuscated code that runs in the background when they are opened.

Locked.zip File Virus – Infection Activity

For starters, after infection, the locked.zip ransomware may drop more than one malicious file on the victim’s computer. The dropped files are executable files and they may be concealed under different names in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

After these files are dropped, the malware may heavily interfere with the Windows registry entries, in other words modify some of them to make the malicious executables run when Windows boots up. The sub-keys in which modifications are likely made by adding value strings with custom data in them are the following:


After this has been completed, the NotAHero ransomware virus may then shut down, or inject malicious code into, any Windows processes that could interfere with it modifying the victim's files.

→ bootsect.bak

In addition to those activities, the locked.zip virus may also perform a deletion of the shadow volume copies on the infected Windows machine. This is achievable by different iterations of the following commands.

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
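
A defender-side check for the commands listed above, as an added example that is not part of the original article: it flags process command lines that delete shadow copies or disable Windows recovery. The rule names, the (host, command line) event format and the sample events are assumptions constructed for illustration.

```python
import re

# One rule per recovery-inhibiting command quoted in the article. Patterns are
# matched against a normalised command line (lower-case, single spaces).
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
}

def normalise(cmdline):
    """Lower-case, straighten curly quotes, drop carets, collapse spaces."""
    text = cmdline.lower().translate({0x201C: '"', 0x201D: '"'})
    text = text.replace("^", "")  # cmd.exe escape character
    return re.sub(r"\s+", " ", text).strip()

def match_rules(cmdline):
    """Return the sorted names of every rule the command line triggers."""
    text = normalise(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(events):
    """events: iterable of (host, command line). Returns (host, hits) alerts."""
    alerts = []
    for host, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            alerts.append((host, hits))
    return alerts

# Constructed sample process-creation events (not from a real incident).
SAMPLE_EVENTS = [
    ("ws-01", 'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet"'),
    ("ws-01", "bcdedit.exe  /set {default} RecoveryEnabled No"),
    ("ws-01", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("ws-02", "vssadmin list shadows"),  # benign: listing only
    ("ws-02", "bcdedit /enum"),          # benign: read-only query
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, hits)
```

Several of these rules firing on one host in a short window is a stronger signal than any single hit, since administrators occasionally run the individual commands for legitimate reasons.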

NotAHero – Locked.zip Compression

Open source code of free compression programs such as RARlab, 7zip, WinRAR and others may have been used by NotAHero ransomware to move files into a locked.zip archive and then set a custom password for it. These archives may appear like the following:

After the whole process is complete, the password may be unique to one infection or be the same for every infection. If it is unique and generated on the spot, it may be sent via an unsecured port to the server of the cyber-criminals who are behind NotAHero ransomware.
Afterwards, the following ransom note file is dropped on the infected system.

  • “Pay me bitcoins to get all your files unlocked.txt”

The file has very simple content, with only one demand:

“Send it to this adress

What is interesting in this particular situation is that the note does not specify how much should be sent. In any case, experts strongly advise against paying any ransom and recommend using alternative methods to decode files instead.
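
To confirm the symptoms described in this section on a suspect machine, the following added example (not from the original article) walks a directory tree for locked.zip and the ransom note, and reads the ZIP header flag that marks an archive as password-protected. The function names and the constructed sample are assumptions; only the two file names come from the article.

```python
import os
import zipfile

# File names taken from the article; everything else here is illustrative.
ARCHIVE_NAME = "locked.zip"
NOTE_NAME = "Pay me bitcoins to get all your files unlocked.txt"

def is_password_protected(path):
    """True if any archive member has the ZIP 'encrypted' flag (bit 0) set."""
    # The flag lives in the archive directory: no password, no extraction.
    try:
        with zipfile.ZipFile(path) as archive:
            return any(info.flag_bits & 0x1 for info in archive.infolist())
    except (zipfile.BadZipFile, OSError):
        return False  # unreadable or not a ZIP: report, do not crash

def sweep(root):
    """Walk root and list locked.zip archives and ransom notes found."""
    findings = {"archives": [], "notes": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if name.lower() == ARCHIVE_NAME:
                findings["archives"].append((full, is_password_protected(full)))
            elif name.lower() == NOTE_NAME.lower():
                findings["notes"].append(full)
    return findings

def write_constructed_sample(root):
    """Build a constructed locked.zip (flag set by hand) plus a dummy note."""
    path = os.path.join(root, ARCHIVE_NAME)
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("report.docx", b"constructed sample data")
    with open(path, "rb") as handle:
        data = bytearray(handle.read())
    entry = data.find(b"PK\x01\x02")  # central directory file header
    data[entry + 8] |= 0x01           # flags field: mark member as encrypted
    with open(path, "wb") as handle:
        handle.write(data)
    with open(os.path.join(root, NOTE_NAME), "w") as handle:
        handle.write("constructed placeholder note")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as demo_root:
        write_constructed_sample(demo_root)
        print(sweep(demo_root))
```

Run the sweep against a mounted copy or image of the affected disk where possible, so the triage itself does not alter the files you intend to back up.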

Remove Locked.zip (NotAHero) Virus and Get Your Data Back

Before engaging in the removal process, it is important to back up all the files, whether they are compressed or not. Then, we recommend following the removal steps below. They are divided into Manual and Automatic, and step “1” of the manual removal instructions helps isolate the threat, after which you can proceed with manually removing malicious files. In case manual removal is difficult for you, malware research experts strongly advise using an advanced anti-malware program to remove NotAHero virus automatically and ensure future protection as well.

After performing the removal, the focus should be on how to restore files compressed by this ransomware virus. In the event that there is no free decryption, which is the situation here, we recommend you see the alternative tools for file restoration below in step “2. Restore files archived by Locked.zip Virus”, but only after performing a backup of all the files. We also recommend checking this article often because we will post an update if there is any development regarding file decryption for free.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
