.lockymap Files Virus (PyLocky Ransomware) – Remove and Restore Data

.lockymap Files Virus (PyLocky Ransomware) – Remove and Restore Data

This article is made with the goal of explaining what is the .lockymap PyLocky ransomware virus and how you can remove it from Windows plus how you can restore files, encrypted by it on your PC.

A new ransomware virus, going by the name of PyLocky ransomware has been detected to infect actively and encrypt files on the computers infected by it. The .lockymap variant of PyLocky ransomware then adds a ransom note whose main goal is to show you how you can pay a hefty ransom in order to get the cyber-criminals to recover your files. In the event that your computer has been infected by PyLocky ransomware virus, we recommend that you read this article as it will help you to remove this ransomware from your PC and restore your files.

Threat Summary

Name.lockymap Ransomware
TypeRansomware, Cryptovirus
Short DescriptionFiles are encrypted and the virus leaves a ransom note extorting victims to pay ransom in order to get their files to work once again.
SymptomsThe files on your computer have the .lockymap extension added to them and cannot be opened.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .lockymap Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .lockymap Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PyLocky .lockymap Ransomware – Distribution

In order to infect a certain computer, the .lockymap files virus may be embedded as an attachment in a spam e-mail sent to you by the cyber-criminals themselves or via a spam bot. This e-mail may contain deceptive tactics to convince you that the attachment should immediately be opened:

Besides via e-mail, the PyLocky ransomware virus may also use other methods of infection. The crooks may upload the infection file in compromised WordPress sites, that may pretend as if they offer different programs the user needs for free download, such as:

  • Software installers.
  • Portable versions of programs.
  • Cracks.
  • A patch.
  • License activation software.
  • Keygens.

PyLocky .lockymap Ransomware – Analysis

Once the .lockymap ransomware virus has already infected your computer, the ransomware may start to download and run it’s payload. The payload of PyLocky ransomware, consists of several files, the main of which has the following information:

→ Name: facture_4739149_08.26.2018.exe
Size: 5.3 MB

In addition to the main infection file, other files may also be dropped on the victim’s computer and they are likely located in the following directories:

  • %Temp%
  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%

Among the files dropped on the user’s computer is also the ransom note file, called LOCKY-README.txt file. It has the following contents:

Please be adviced:

All your files, pictures document and data has been encrypted with Military Grade Encryption RSA ABS-256.
Your information is not lost. But Encrypted.

In order for you to restore your files you have to purchase Decrypter.

Follow this steps to restore your files.

1* Download the Tor Browser. ( Just type in google “Download Tor“

2‘ Browse to URL : http://4wcgqlckaazungm.onion/index.php

3* Purchase the Decryptor to restore your files.

It is very simple. If you don’t believe that we can restore your files, then you can restore 1 file of image format for free.
Be aware the time is ticking. Price will be doubled every 96 hours so use it wisely.

Your unique ID :


Please do not try to modify or delete any encrypted file as it will be hard to restore it.


You can contact support to help decrypt your files for you.

Click on support at http://4wcgqlckaazungm.onion/index.php

In addition to this, the PyLocky ransomware may also modify the Windows Registry Editor, primarily the Run and RunOnce registry sub-keys of it, creating values in them with the location of the malicious .exe file of PyLocky. This may ultimately result in the malicious files running automatically when you log in Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

But this is not all that happens after infection with PyLocky ranomware, because the virus may also modify the volume shadow copies of the infected computer by executing the following commands:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

These commands may result in the .lockymap file version of PyLocky to delete all of the files you have backed up on your computer.

.lockymap PyLocky Virus – Encryption Process

The .lockymap variant of PyLocky virus may scan for the following types of files on your PC, after it infects it:


After this, the ransomware may encrypt the files, setting two different file extensions – .lockedfile and .lockymap. The encrypted files start to appear like the following:

Remove PyLocky Ransomware and Restore .lockymap Files

For the removal of this ransomware virus, we would suggest that you follow the removal instructions underneath this article. They have been created with the main purpose of allowing manual and automatic removal methods. If the manual removal steps do not help you or you cannot fully remove PyLocky by yourself, then researchers strognly recommend to download an advanced anti-malware program for the removal. Such software will completely and effectively remove PyLocky from your computer and make sure that it is protected from all sorts of advanced threats in the future as well.

If you wish to restore .lockedfile and .lockymap files encrypted by PyLocky ransowmare, we suggest that you try ot the alternative methods for file recovery in step “2. Restore files, encrypted by .lockymap Ransomware”. They may not be 100% effective to restore all of them but some of them may be able to recover a portion of the files.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share