LockMe Virus – How to Remove & Restore .lockme Files

This article has been created in order to help you by explaining how to remove LockMe Virus virus from your computer system and how to restore .lockme encrypted files.

The LockMe virus is a new ransomware strain that is actively being pushed to computer victims worldwide. It seeks to cause a lot of dangerous system changes, steal sensitive files and process sensitive user files. The victims are left with encrypted data and several other malware installed on their computers. Read our in-depth removal guide to learn more about the threat.

Threat Summary

Name LockMe
Type Ransomware, Cryptovirus
Short Description The main goal of the LockMe virus is to encrypt sensitive user files and extort the victims for a ransom fee payment.
Symptoms The LockMe ransomware component processes target files and renames them with the .lockme extension.
Distribution Method Spam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by malware


Malware Removal Tool

User Experience Join Our Forum to Discuss LockMe.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

LockMe Virus – Infection Process

The LockMe virus is being distributed using different tactics. At the moment the attack campaigns are still in their infancy and the experts cannot judge which is the primary method. We presume that the most popular strategies are going to be used.

One of the most widely used strategies involves the coordination of spam email messages. They utilize social engineering tactics in order to coerce the victims into interacting with it. The criminals can bundle the malware files as attachments. They are disguised as useful software or may be placed inside archives. Another email tactic includes the inclusion of hyperlinks that often pose as password reset links, login pages and etc. In some cases the criminals can also use infected documents that contain malware scripts. They can be spreadsheets, presentations or rich text documents that when opened present a notification prompt. The targets are asked to enable the built-in scripts (macros). If this is done the virus infection follows.

Hacker-controlled pages can also serve the malware files using a similar methodology. They are often disguised using template engines that copy well-known web services and download portals. Various types of web scripts including banners, pop-ups, ads and others can supplement them to increase the infection ratio.

The other tactic involves the use of browser hijackers that represent counterfeit browser plugins. They are often distributed on the official software repositories of the most popular web browsers. Usually the code is made compatible with them and the majority of them: Mozilla Firefox, Google Chrome, Safari, Internet Explorer, Opera and Microsoft Edge. Once installed they can modify the settings of the applications by redirecting the victims to a malware page. The virus infection is caused during the initial delivery.

LockMe Virus – Analysis and Activity

The initial security analysis of the LockMe virus does not reveal a correlation with any of the known malware families. This means that it is likely that the threat has been made by the criminals behind it. Another likely possibility is that this is a custom code acquired through the hacker underground forums.

The engine is built on a modular framework which can be customized according to the targets. The hacker operators can opt to start an information gathering module that can start extracting sensitive data from the compromised hosts. When used in conjunction with a stealth protection feature it can act against the discovered security software. In such cases the virus files start to look out for any installed sandbox environments, debuggers, virtual machines and anti-virus programs. They can be automatically bypassed or deleted. If the engine is unable to do so it may choose to delete itself to avoid detection. The other function performed by the data gathering module involves the extraction of information categorized into two main types:

  • Anonymous Data — This type of information includes system hardware information and details on the operating system which are used by the malware operators for statistical purposes.
  • Personally-Identifiable Information — This type of information can be used to directly expose the victim’s identity. The module can gather files that are related to the victim’s name, address, social security number and etc. The LockMe virus can also be programmed to extract strings related to online accounts, passwords and etc.

The LockMe virus has been observed to extract information related to the language settings set up by the victims. This is used later during the ransomware process to present an appropriate version of the ransom note. The analyzed samples reveals that there are a set of 54 specific language presets. A Trojan instance can also accompany the ransomware infection. It is used by the criminals to spy on the victims in real time, as well as take over control of the victim machines. Using the LockMe virus the hackers can also deliver additional threats>

LockMe Virus — Encryption Process

Once all modules have complete execution the ransomware component is launched. It uses a list of built-in target file extensions which are processed using a strong cipher. Usually the most popular file types are affected:

  • Images
  • Videos
  • Music
  • Archives
  • Backups
  • Databases

All processed files are renamed with the .lockme extension. The ransomware note is created in a file called README_FOR_DECRYPT_YOUR_FILES.txt which reads the following message:

All of your files have been Encrypted with military grade system and impossible to brute force, cracking, or reverse engineering it !
If you want all of your files back send me 0.03 BTC .
[+] Your Unique ID : [***] [+] Send BTC To This Address : 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX
[+] Send BTC : 0.03 BTC
[+] Contact Email : |
*) Don’t try change the ‘.lockme’ extensions , if you change it , your all files can be broken and can’t be restored forever .
*) If you’ve made a payment contact | .
*) If you not made a payment all of your private files will be leaked on internet (private photos, documents, videos, and more) .
Question : How to buy Bitcoin ?
Answer : You can buy Bitcoin at this Website : , , , , , etc .
[+] Your IP : [***] | Your ID : [***] [+]

The hackers use the standard blackmail tactics by demanding a ransom fee of 0.03 BTC which at the current currency conversion rate is about $230.

The security analysis reveals that the LockMe virus can generate a ransomware note in many languages — a total of 54 distinct versions have been found. The displayed versions is probably shown depending on the regional settings that have been selected during their operating system installation.

A second LockMe virus strain has been identified in recent attack campaigns which uses a slightly different ransomware note. It shows a red background screen with the following text written on it:


All of your file have been “Encrypted” wth “Military Grade System” and impossible to Brute Force it,
Cracking it, and Reverse Engineering It.

Your UNIQUE ID: ###################################3333
Address Bitcoin: 1LockMeEPLr4ZRsoht8Wp6idBsT5TuBXtX

How to Remove LockMe Virus and Restore LockMe Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of LockMe ransomware and secures your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by LockMe Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share