Remove AutoLocky Ransomware and Decrypt Your .locky Files

SensorsTechForum.com

A new ransomware that pretends to be one of the “big fish” of this malware segment has been reported to infect users. It imitates Locky ransomware and has been named AutoLocky by malware researchers; it even appends the .locky file extension to the files it encrypts. Apart from several other differences, this ransomware works on the same principle as any other crypto-malware: it encrypts the user's files and then demands a BitCoin payment for their decryption.

Name: AutoLocky
Type: Ransomware
Short Description: Encrypts the user’s files, appending the .locky extension, and impersonates Locky Ransomware.
Symptoms: The user may find info.txt and info.html files on the desktop containing ransom instructions explaining how to pay 0.75 bitcoin for file decryption.
Distribution Method: Via malicious files, macros or exploit kits hosted at malicious URLs.

AutoLocky Ransomware – Distribution

To spread to various systems, this ransomware may use several different distribution methods. One of them is via malicious links posted on social media, in comments or as replies on forums. The other distribution method, which you are more likely to encounter, is via spam e-mails. The spam e-mails may contain different malicious files inside an archive. Some of those files are usually Microsoft Word, Excel or .PDF documents carrying malicious macros. This means that when the document is opened and the user enables editing, a malicious macro script may run and infect the user with the malware.

AutoLocky Ransomware In Detail

Once activated on the victim PC, AutoLocky creates several files in key Windows folders:

→ Startup executable: “%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk”
→ “%UserProfile%\Desktop\info.html” – ransom note
→ “%UserProfile%\Desktop\info.txt” – ransom note

The ransomware then begins to look for the following files to encrypt:

→ .pptx,.sql,pat,fxg,fhd,fh,dxb,drw,design,ddrw,ddoc,dcs,wb2,psd,p7c,p7b,p12,pfx,pem,crt,cer,der,pl,py,lua,css,js,asp,php,incpas,asm,hpp,h,cpp,c,csl,csh,cpi,cgm,cdx,cdrw,cdr6,cdr5,cdr4,cdr3,cdr,awg,ait,ai,agd1,ycbcra,x3f,stx,st8,st7,st6,st5,st4,srw,srf,sr2,sd1,sd0,rwz,rwl,rw2,raw,raf,ra2,ptx,pef,pcd,orf,nwb,nrw,nop,nef,ndd,mrw,mos,mfw,mef,mdc,kdc,kc2,iiq,gry,grey,gray,fpx,fff,exf,erf,dng,dcr,dc2,crw,craw,cr2,cmt,cib,ce2,ce1,arw,3pr,3fr,mdb,sqlitedb,sqlite3,sqlite,sql,sdf,sav,sas7bdat,s3db,rdb,psafe3,nyf,nx2,nx1,nsh,nsg,nsf,nsd,ns4,ns3,ns2,myd,kpdx,kdbx,idx,ibz,ibd,fdb,erbsql,db3,dbf,db-journal,db,cls,bdb,al,adb,backupdb,bik,backup

Source: BleepingComputer
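The two lists above (the dropped files and the targeted extensions) are the indicators a responder actually has to work with, so the following added example, written for this article and not code from the original page or from any researcher it cites, turns them into a small triage script. It normalises the extension list (which mixes entries with and without a leading dot), checks a user profile for the three dropped artifacts, and inventories which files already end in .locky and which still carry a targeted extension. The sample profile it builds in a temporary directory is constructed for the demonstration; the file names inside it are invented, only the artifact paths and the extension list come from the write-up.

```python
"""Defender-side triage for the AutoLocky indicators described in the write-up.

Constructed example: builds a throwaway fake user profile, checks it for the
dropped files and the .locky extension, and counts files whose extension is on
the ransomware's target list. Pass a real %UserProfile% path to inventory()
to run the same checks on a live system.
"""
import tempfile
from pathlib import Path

# Targeted extension list as printed in the write-up (source: BleepingComputer),
# copied verbatim so the parser has to cope with the inconsistent leading dots.
RAW_EXTENSION_LIST = (
    ".pptx,.sql,pat,fxg,fhd,fh,dxb,drw,design,ddrw,ddoc,dcs,wb2,psd,p7c,p7b,"
    "p12,pfx,pem,crt,cer,der,pl,py,lua,css,js,asp,php,incpas,asm,hpp,h,cpp,c,"
    "csl,csh,cpi,cgm,cdx,cdrw,cdr6,cdr5,cdr4,cdr3,cdr,awg,ait,ai,agd1,ycbcra,"
    "x3f,stx,st8,st7,st6,st5,st4,srw,srf,sr2,sd1,sd0,rwz,rwl,rw2,raw,raf,ra2,"
    "ptx,pef,pcd,orf,nwb,nrw,nop,nef,ndd,mrw,mos,mfw,mef,mdc,kdc,kc2,iiq,gry,"
    "grey,gray,fpx,fff,exf,erf,dng,dcr,dc2,crw,craw,cr2,cmt,cib,ce2,ce1,arw,"
    "3pr,3fr,mdb,sqlitedb,sqlite3,sqlite,sql,sdf,sav,sas7bdat,s3db,rdb,psafe3,"
    "nyf,nx2,nx1,nsh,nsg,nsf,nsd,ns4,ns3,ns2,myd,kpdx,kdbx,idx,ibz,ibd,fdb,"
    "erbsql,db3,dbf,db-journal,db,cls,bdb,al,adb,backupdb,bik,backup"
)

# Files the write-up reports AutoLocky dropping, relative to %UserProfile%.
DROPPED_ARTIFACTS = (
    Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Start.lnk"),
    Path("Desktop/info.html"),
    Path("Desktop/info.txt"),
)
ENCRYPTED_SUFFIX = ".locky"


def parse_extension_list(raw: str) -> frozenset:
    """Split the comma-separated list; strip whitespace and leading dots, lowercase."""
    return frozenset(
        item.strip().lstrip(".").lower() for item in raw.split(",") if item.strip()
    )


TARGET_EXTENSIONS = parse_extension_list(RAW_EXTENSION_LIST)


def find_dropped_artifacts(profile: Path) -> list:
    """Return the dropped-file paths (relative to the profile) that exist on disk."""
    return [str(rel) for rel in DROPPED_ARTIFACTS if (profile / rel).is_file()]


def classify(path: Path) -> str:
    """'encrypted' if the name ends in .locky, 'at_risk' if its extension is
    on the target list, otherwise 'other'. Matching is case-insensitive."""
    if path.suffix.lower() == ENCRYPTED_SUFFIX:
        return "encrypted"
    if path.suffix.lstrip(".").lower() in TARGET_EXTENSIONS:
        return "at_risk"
    return "other"


def inventory(profile: Path) -> dict:
    """Walk the profile and report artifacts found plus per-class file counts."""
    counts = {"encrypted": 0, "at_risk": 0, "other": 0}
    for p in profile.rglob("*"):
        if p.is_file():
            counts[classify(p)] += 1
    return {"artifacts": find_dropped_artifacts(profile), **counts}


def build_demo_profile() -> Path:
    """Create a constructed sample profile in a temp dir and return its path.
    File names are invented; only the artifact paths follow the write-up."""
    root = Path(tempfile.mkdtemp(prefix="autolocky-demo-"))
    sample = [
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Start.lnk",
        "Desktop/info.html",
        "Desktop/info.txt",
        "Documents/budget.pptx.locky",   # already encrypted
        "Pictures/holiday.cr2.locky",    # already encrypted
        "Documents/site.sql",            # extension on the target list
        "Documents/journal.db-journal",  # hyphenated extension on the list
        "Documents/notes.txt",           # not targeted
    ]
    for rel in sample:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    print(inventory(build_demo_profile()))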

So far it is believed that the ransomware uses the strong RSA-2048 and AES-128 encryption algorithms, which are practically impossible to break directly. After encrypting the files, the ransomware displays the following ransom message:

→ “Locky Ransomware
All of you files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
{links to Wikipedia}
Decrypting of your files is only possible with the following steps.
How to buy decryption?
1.You can make a payment with BitCoins; there are many methods to get them.
2.You should register BitCoin wallet (simplest online wallet OR some other methods of creating wallet)
3.Purchasing Bitcoins – Although it’s not yet easy to buy bitcoins, it’s getting simpler every day.”

The ransomware has been reported to demand around 0.75 BTC in ransom from its victims. However, malware researchers report that, unlike the original Locky Ransomware, it does not use Tor networking, and that it is written in a different programming language than Locky's C++.

Remove Locky Ransomware and Get Your Files Back

First, before restoring your files, you should remove this ransomware from your computer. To do this effectively, we strongly recommend backing up the encrypted data before following the instructions in the steps below.

After removing AutoLocky, it is time to recover your files. Fortunately, Emsisoft has developed a decrypter for AutoLocky ransomware, which you can download by clicking on step “4. Restore files encrypted by AutoLocky”. The decrypter is simple to use; you just have to:
1. Open it and wait for it to discover the decryption key.
2. Press OK after the decryption key has been found.
3. Wait for your files to be decrypted one by one.

1. Boot Your PC In Safe Mode to isolate and remove AutoLocky
2. Remove AutoLocky with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by AutoLocky in the future
4. Restore files encrypted by AutoLocky
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
