Lockify Ransomware – Remove and Restore .Lockify Files


The article will help you remove Lockify ransomware completely. Follow the Lockify ransomware removal instructions at the end of the article.

Lockify is a ransomware cryptovirus that appends the extension .Lockify to every file it encrypts. The encryption algorithm is believed to be AES, because the ransomware is a variant stemming from the HiddenTear/EDA2 project. The Lockify cryptovirus places a ransom note with instructions in an HTML-type file. Keep reading to see how you could try to recover some of your files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware is a modified variant of HiddenTear. It encrypts files on your computer and leaves a ransom message that looks like the first variants of CERBER, but it says LOCKIFY instead.
Symptoms: The ransomware will encrypt your files and put the extension .Lockify on your files after it completes its encryption process.
Distribution Method: Spam Emails, Email Attachments

Lockify Ransomware – Infection

Lockify ransomware could spread its infection by more than one method. A payload file that drops the malicious script for the ransomware has been seen circulating on the Internet. If that malicious script is executed, the files on your computer system will be encrypted by the cryptovirus. You can check out the detections for one such payload dropper, uploaded to the VirusTotal service for analysis:

Lockify ransomware might also be spreading its payload file via social media and file-sharing networks. Freeware that is spread on the Web can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files after you have downloaded them, especially if they come from places like suspicious emails and links with unknown origins. Instead, you should scan the files with a security tool and check them for anything that seems out of place.

Lockify Ransomware – In Detail

Lockify ransomware is the name given to a virus with an encryption function. Interestingly enough, the ransomware copies the ransom note design of earlier CERBER versions and uses a name that is close to that of “Locky”, but it is in fact a variant of HiddenTear. The extension .Lockify is appended to all files that become locked once the encryption process is complete.

Lockify ransomware makes entries in the Windows Registry to achieve a form of persistence, and these entries can even launch and repress processes inside the Windows operating system. Some of them are designed to start the virus automatically with every launch of Windows.

The ransom note will be placed inside a file after the encryption process is complete. The file with the ransom note is named Readme.hta. Inside it there will be instructions for paying the ransom. Here is what the note looks like:

The note reads as follows:


Can’t you find the necessary files?
Is the content of your files not readable?
It is normal because the files’ names and the data in your files have been encrypted by “Lockify Ransomware”.
It means your files are NOT damaged! Your files are modified only. This modification is reversible.
From now it is not possible to use your files until they will be decrypted.
The only way to decrypt your files safely is to buy the special decryption software “Lockify Decryptor”.
Any attempts to restore your files with the third-party software will be fatal for your files!

You can proceed with purchasing of the decryption software at your personal page:


If this page cannot be opened click here to get a new address of your personal page.
If the address of your personal page is the same as before after you tried to get a new one,
you can try to get a new address in one hour.
At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.
Also at this page you will be able to restore any one file for free to be sure “Lockify Decryptor” will help you.
If your personal page is not available for a long period there is another way to open your personal page – installation and use of Tor Browser:
run your Internet browser (if you do not know what it is run the Internet Explorer);
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
wait for the site loading;
on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
run Tor Browser;
connect with the button “Connect” (if you use the English version);
a normal Internet browser window will be opened after the initialization;
type or copy the address

in this browser address bar;
press ENTER;
the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar “Install Tor Browser Windows” and you will find a lot of training videos about Tor Browser installation and use.
Additional information:
You will find the instructions (“*HELP_DECRYPT*.hta”) for restoring your files in any folder with your encrypted files.
The instructions “*HELP_DECRYPT*.hta” in the folders with your encrypted files are not viruses! The instructions “*HELP_DECRYPT*.hta” will help you to decrypt your files.
Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.

The ransomware is reported to be a HiddenTear/EDA2 variant by the malware researcher Michael Gillespie. You can read more about the HiddenTear open-source project from the corresponding article in our blog.

Despite being a modified variant of HiddenTear, the ransomware’s ransom note resembles that of earlier CERBER variants. Inside the note of Lockify ransomware you will find more hints about how to contact the cybercriminals about the ransom payment. The Bitcoin address used for this ransomware is 1J1dgwQHvQpsrLssx5pR2PiFZVh3Hw61Fn. However, you should NOT under any circumstances pay or contact these crooks. Your files may not get restored upon paying, and nobody could give you a guarantee for that. Furthermore, giving money to criminals will likely motivate them to do more crime, like the creation of more ransomware.

Lockify Ransomware – Encryption Process

Lockify ransomware is a HiddenTear variant as mentioned before, but it only seeks to encrypt files that have the following extensions:

→.class, .ctor, .docb, .docx, .dotx, .java, .jpeg, .lay6, .ms11, .potx, .ppsx, .pptx, .qcow2, .sldx, .SQLITEDB, .tar, .bz2, .text, .vmdk, .xlsm, .xltm

Every file that gets encrypted has the same extension, .Lockify, appended to its name. The encryption utilized by the ransomware is believed to be AES, since that algorithm is used by most HiddenTear variants.
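To scope the damage before restoring from backups, a responder can walk a directory tree and list the renamed files and the ransom notes. The Python sketch below is an example added here, not a tool from this article or from the malware's authors; it uses the extension list, the .Lockify marker and the two note names (Readme.hta and *HELP_DECRYPT*.hta) given on this page, while the function names and the sample directory tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Extensions the article lists as targeted, lower-cased for comparison.
TARGETED = {".class", ".ctor", ".docb", ".docx", ".dotx", ".java", ".jpeg",
            ".lay6", ".ms11", ".potx", ".ppsx", ".pptx", ".qcow2", ".sldx",
            ".sqlitedb", ".tar", ".bz2", ".text", ".vmdk", ".xlsm", ".xltm"}
MARKER = ".lockify"                                   # appended extension
NOTE_PATTERNS = ("readme.hta", "*help_decrypt*.hta")  # note names on the page


def triage(root):
    """Return paths (relative to root) of encrypted files and ransom notes."""
    found = {"encrypted": [], "unexpected": [], "notes": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            rel = os.path.relpath(os.path.join(folder, name), root)
            if any(fnmatch.fnmatchcase(low, p) for p in NOTE_PATTERNS):
                found["notes"].append(rel)
            elif low.endswith(MARKER):
                # Strip the marker to recover the pre-encryption extension.
                ext = os.path.splitext(name[:-len(MARKER)])[1].lower()
                # "unexpected": renamed file whose type is not on the list.
                key = "encrypted" if ext in TARGETED else "unexpected"
                found[key].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample():
    """Create a constructed directory tree for the demo; returns its path."""
    root = tempfile.mkdtemp(prefix="lockify_triage_")
    os.mkdir(os.path.join(root, "sub"))
    for rel in ("report.docx.Lockify", "db.SQLITEDB.lockify",
                "photo.png.Lockify", "notes.txt", "Readme.hta",
                os.path.join("sub", "_HELP_DECRYPT_.hta")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for kind, paths in triage(build_sample()).items():
        print(kind, paths)
```

Entries reported under "unexpected" carry the .Lockify marker but had an original extension outside the published list, which suggests the sample at hand targets more file types than the list above.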

The Lockify cryptovirus could be set to erase the Shadow Volume Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

If the command above is executed, recovery methods that rely on the Shadow Volume Copies become much harder to use. Keep on reading and check out what ways you can try to potentially restore some of your files.
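Because that command line is a stable indicator, it can be matched in process-creation logs. The following Python example is added here and is not part of the original article; the JSON records and their field names (time, image, parent, command_line) are constructed assumptions, not the schema of a specific logging product.

```python
import json
import re

# vssadmin invoked bare, by full path, quoted, or wrapped in "cmd /c ...".
SHADOW_DELETE = re.compile(
    r"""(?:^|[\\/\s"'])vssadmin(?:\.exe)?["']?\s+delete\s+shadows\b""",
    re.IGNORECASE)

# Constructed sample records (one JSON object per line, last one truncated).
SAMPLE_EVENTS = r'''
{"time": "T1", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent": "C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe", "command_line": "vssadmin.exe delete shadows /all /Quiet"}
{"time": "T2", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "command_line": "\"C:\\Windows\\System32\\VSSADMIN.EXE\" Delete Shadows /All /Quiet"}
{"time": "T3", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe", "command_line": "cmd.exe /c \"vssadmin delete shadows /all /quiet\""}
{"time": "T4", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "command_line": "vssadmin list shadows"}
{"time": "T5", "image": "C:\\Windows\\Sys
'''


def find_shadow_deletions(lines):
    """Return parsed events whose command line deletes shadow copies."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        if SHADOW_DELETE.search(str(event.get("command_line", ""))):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS.splitlines()):
        # The parent process shows what launched the deletion.
        print(hit["time"], hit["parent"], "->", hit["command_line"])
```

An alert on this pattern is most useful when the parent process is reported with it, since legitimate backup tooling and an unknown executable running from a temporary folder look identical on the command line alone.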

Remove Lockify Ransomware and Restore .Lockify Files

If your computer got infected with the Lockify ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
