.lockedfile Files Virus (PyLocky) – How to Remove + Restore Data

.lockedfile Files Virus (PyLocky) – How to Remove + Restore Data


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by .lockedfile PyLocky virus and other threats.
Threats such as .lockedfile PyLocky virus may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article has been created with the main purpose to explain what exactly is the .lockedfile extension ransomware, called PyLocky and how to remove it from your computer plus how you can try and restore files, encrypted by this virus.

A new ransomware variant, using the .lockedfile has been detected to still be active by researchers. The ransomware is an evolved variant of a previously detected PyLocky virus. The main purpose of the infection is to make it so that the files on your computer can not be opened at all by encrypting them. Furthermore, in addition to this, the PyLocky ransomware also adds a ransom note file which aims to get users to pay ransom in BitCoin in order to get their files to work again. If your computer has been infected by the PyLocky ransomware, we recommend that you read this article as it aims to help you to remove this ransomware infection from your computer and hopefully restore files, encrypted by it without having to pay ransom.

Threat Summary

Name.lockedfile PyLocky virus
TypeRansomware, Cryptovirus
Short DescriptionFiles are encrypted and the virus leaves a ransom note extorting victims to pay ransom in order to get their files to work once again.
SymptomsThe files on your computer have the .lockedfile extension added to them and cannot be opened.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .lockedfile PyLocky virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .lockedfile PyLocky virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PyLocky .lockedfile Ransomware – Distribution

The main method by which this ransomware virus may land on your Windows machine is by using a malicious file that is executed either automatically or by you if you are deceived into doing so. Such files often carry exploits so that the infection on your computer remains no longer openable. These files can be seen in the form of e-mail attachments in e-mails, like the example below:

In addition to via e-mail, the file may also pretend to be an important document of some sort, such as:

  • Setups of programs.
  • Portable software.
  • Cracks for games or software.
  • Patches.
  • License activators.
  • Key generators.

PyLocky Ransomware – Analysis

Once an infection with PyLocky commences, the ransomware virus may immediatey drop it’s payload on the victim’s computer. The payload of this virus may be located in the following Windows directories:

  • %AppData%
  • %Temp%
  • %LocalLow%
  • %Local%
  • %Roaming%
  • Texttt
  • Texttt

Once the files are In place, the .lockedfile variant of PyLocky may then modify the Windows Registry Editor of the infected machine so that it immediately starts when you log in Windows. To do this, the virus may add registry values in the following Windows sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, the PyLocky ransomware also drops it’s ransom note file, reported to have the following message in several different languages:

Furthermore, the .lockedfile variant of PyLocky may also take actions towards deleting backups and shadow volume copies of the infected computer by running the following commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.lockedfile PyLocky Virus – Encryption Process

According to researchers, the .lockedfile files are encrypted with the AES encryption algorithm which generates an asymmetric decryption key that may be RSA encrypted itself. To do the encryption, PyLocky may first copy your files then delete their original variants and shortly after this encrypt the copies. If your computer has been infected by PyLocky ransomware, the following file types are at stake:


These file types are basically often used files on your computer, like documents, videos, images, audio files, archives and many other. The ransowmare skips encrypting files in the system folders of Windows, because you would still need to use your computer in order to pay the ransom.

After the encryption is complete, the files, encoded by this virus look like the following:

.lockedfile Files Virus (PyLocky) – Decryptor Released

There is a decrypter tool released for the Pylocky ransomware. The tool was initially released for the Windows variants versions of the cryptovirus. You can download the tool via the Decryption Tool link here. The tool requires the PCAP file of the outbound connection attempt to the C&C servers.

.lockedfile Files Virus (PyLocky) – Decryptor Released

There is a decrypter tool released for the Pylocky ransomware. The tool was initially released for the Windows variants versions of the cryptovirus. You can download the tool via the Decryption Tool link here. The tool requires the PCAP file of the outbound connection attempt to the C&C servers.

Remove PyLocky Ransomware and Restore .lockedfile Files

If you want to remove this variant of PyLocky ransomware virus, we strongly suggest that you follow the removal instructions underneath this article as they have been divided in manual and automatic removal steps. If manual steps do not work or you feel unsure in doing them, be advised that most experts would recommend using an advanced anti-malware software to automatically scan for and remove PyLocky .lockedfile ransomware from your PC.

If you wish to restore files, encrypted by PyLocky ransomware, it is strongly reccomended that you try out the alternative methods in step “2. Restore files, encrypted by .lockedfile PyLocky virus”. They may not be a 100% solution, but with their aid you may be able to recover some or most of your files.

Note! Your computer system may be affected by .lockedfile PyLocky virus and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as .lockedfile PyLocky virus.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove .lockedfile PyLocky virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .lockedfile PyLocky virus files and objects
2. Find files created by .lockedfile PyLocky virus on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .lockedfile PyLocky virus

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share