

Remove LockLock Virus and Restore .locklock Files


LockLock appears to be another ransomware cryptovirus based on the open-source EDA2 project. The virus encrypts a victim's files and puts up a ransom note with contact details. When encryption is complete, the ransomware appends the extension .locklock to the encrypted files. If you have been infected by the virus and want to try to restore your files, you should read the article carefully.

Threat Summary

Name: LockLock
Type: Ransomware, Crypto-Virus
Short Description: The ransomware encrypts your files using the AES-256 algorithm. It wants you to buy a decryption password from its creator.
Symptoms: The ransomware will lock all files with the .locklock extension appended to them and display a ransom note with instructions on your desktop.
Distribution Method: Spam Emails, Email Attachments, Executable Files

LockLock Virus – Infection Spread

The LockLock virus can spread through various methods. Malware researchers report that most infections affect Chinese users. Spam email campaigns are probably the most common tactic for spreading this infection. A spam email contains a brief description that tries to convince the user that the message is of great importance and that the full information is in a file attached to it. Such files may seem harmless, but if opened, they can release the payload of the cryptovirus and infect your computer.

Social media services and file-sharing networks are two other channels the LockLock ransomware uses. A file containing a malicious script can be placed on these networks and advertised as a useful application. If such a file is opened, its payload is released and your system is compromised. To prevent that, avoid any suspicious emails, links, or files. Before opening a file, check its signatures first, then its size, and afterward scan it with security software. You can read more ransomware prevention tips on our forum.

LockLock Virus – Technical Analysis

The LockLock virus is ransomware based on the EDA2 open-source project. The project was created for educational purposes by a researcher, but it is being used in many real-life attacks to this very day.

The LockLock ransomware might create an entry in the Windows Registry such as:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This entry allows LockLock to auto-start with each boot of the Windows Operating System.
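
One way to review that Run key during cleanup, as an added example that is not part of the original article. The article does not name the value LockLock writes, so the flags used here (executable in a user-writable folder, missing file, signature not valid) are generic triage assumptions, not LockLock signatures.

```powershell
# Added example: list HKCU Run values and flag the ones worth a closer look.
# The article names only the key, not the value LockLock writes, so the flags
# below are generic triage heuristics (assumptions), not LockLock signatures.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
              (Join-Path $env:USERPROFILE 'Downloads')) | Where-Object { $_ }

$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
$names = if ($key) { $key.GetValueNames() } else { @() }

$rows = foreach ($name in $names) {
    $command = [string]$key.GetValue($name)

    # Extract the executable path from the command line (quoted or bare).
    if ($command -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } elseif ($command -match '^\s*(.+?\.(?:exe|com|scr|bat|cmd|vbs|js))(?:\s|$)') {
        $exe = $Matches[1]
    } else {
        $exe = ($command.Trim() -split '\s+')[0]
    }

    $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $signature = if ($exists) {
        [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'FileMissing' }
    $inUserDir = [bool]($userDirs | Where-Object {
        $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

    [pscustomobject]@{
        ValueName    = $name
        Executable   = $exe
        Signature    = $signature
        UserWritable = $inUserDir
        Review       = ($inUserDir -or $signature -ne 'Valid')
    }
}

# Entries flagged for review are listed first.
$rows | Sort-Object Review -Descending | Format-List
```

Rows with Review set to True are candidates to examine before deleting anything; legitimate software can also be unsigned or live under AppData.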

When the encryption of all of your data is complete, the file READ_ME.TXT will be created. The file contains some contact details of the cyber-criminals behind the virus.

The ransom note of the LockLock ransomware is an image that will be set as your desktop background. The text in it reads:

HELLO!
YOUR COMPUTER HAS BEEN HACKED!
All files in your computer has been encrypted by RSA key
You can not OPEN and READ content in file

HOW TO RESTORE ALL FILES?
YES. I can help you and ONLY me can do it!
To UNLOCK your files you must:
1. Download tool “Decrypter LockLock virus”
2. Visit http://locklock.net and read information.
3. Enter Your Computer ID: (Open “READ_ME.TXT” on Desktop)
4. Run tools and enter Your Key then Click “Decrypt” button.
DONE. ALL FILE RESTORED!
—————-
If you can not access website above, you can contact me:
– Email: [email protected]
– Skype Chat: locklockrs

The LockLock virus does not give its victims a time limit for paying the ransom, nor does it set a price. Both the ransom note and READ_ME.TXT point to two ways of contacting the cyber criminals if the site does not work:

  • Email: [email protected]
  • Skype Chat: locklockrs

The site given in the ransom note does indeed not work. The Apache server seems to be down.

Do NOT contact these cyber crooks under any circumstances. Nothing can guarantee that you will get your files unlocked by contacting ransomware creators. Any financial support will just raise funds for more criminal activity.

The LockLock ransomware is known to encrypt files that are deemed most important for users. The list of encrypted file extensions may be incomplete, but these extensions are sure to be encrypted:

.doc, .docx, .docm, .txt, .odt, .psd, .pdf, .xls, .xlsm, .xlsx, .jpg, .jpeg, .png, .bmp, .tiff, .html, .ppt, .pptx

All encrypted files will end up with the same extension, which is .locklock. The ransomware uses the AES-256 algorithm for its encryption. That is the same encryption method used for most EDA2 ransomware viruses.
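
To scope how much was encrypted, the following added example (not part of the original article) inventories .locklock files and compares their original extensions with the list above. It assumes the original file name is kept in front of the appended extension, that the search starts at the user profile, and that encrypting a file updates its last-write time.

```powershell
# Added example: inventory *.locklock files to scope what was encrypted.
$root = $env:USERPROFILE        # assumption: start from the user profile

# Extensions the article lists as targeted (it notes the list may be incomplete).
$listed = '.doc','.docx','.docm','.txt','.odt','.psd','.pdf','.xls','.xlsm',
          '.xlsx','.jpg','.jpeg','.png','.bmp','.tiff','.html','.ppt','.pptx'

$report = @(
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter '*.locklock' -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.locklock' } |
        ForEach-Object {
            # Assumes the original name is kept: report.docx.locklock -> ".docx"
            $origExt = [IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
            [pscustomobject]@{
                Path        = $_.FullName
                OriginalExt = $origExt
                Listed      = $listed -contains $origExt
                LastWrite   = $_.LastWriteTime
            }
        }
)

# Count per original extension; Listed = False marks types the article's list misses.
$report | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Listed'; e = { $listed -contains $_.Name } }

if ($report.Count -gt 0) {
    # Write times bound the encryption window for correlation with other logs
    # (assumption: encrypting a file updates its last-write time).
    $times = @($report.LastWrite | Sort-Object)
    'Encrypted files: {0}; last-write range {1:s} to {2:s}' -f $report.Count, $times[0], $times[-1]
}

# The article says READ_ME.TXT is created once encryption is complete.
$note = Join-Path ([Environment]::GetFolderPath('Desktop')) 'READ_ME.TXT'
if (Test-Path -LiteralPath $note) {
    'Ransom note created: {0:s}' -f (Get-Item -LiteralPath $note).CreationTime
}
```

Point `$root` at each data volume or mapped share in turn to cover files outside the profile.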

Detections of this virus can be seen on the VirusTotal website.

The LockLock ransomware probably erases the Shadow Volume Copies from the Windows Operating System. Read below to learn how to remove this threat and how you can try to restore your files.

Remove LockLock Virus and Restore .locklock Files

If your computer got infected with the LockLock ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more PCs. You should remove the ransomware and follow the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by LockLock.

Manually delete LockLock from your computer

Note! Manual removal of LockLock requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove LockLock files and objects.
2. Find malicious files created by LockLock on your PC.
3. Fix registry entries created by LockLock on your PC.

Automatically remove LockLock by downloading an advanced anti-malware program

1. Remove LockLock with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by LockLock in the future
3. Restore files encrypted by LockLock
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By LockLock Ransomware

We have made a tutorial that is as simple as possible to explain, in theory, how you could detect your decryption key.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
