Remove LockLock Virus and Restore .locklock Files - How to, Technology and PC Security Forum |

Remove LockLock Virus and Restore .locklock Files


LockLock appears to be another ransomware cryptovirus that is based on the open-source EDA2 project. The virus encrypts a victim’s files and puts up a ransom note with contact details. When encryption is complete, the ransomware places the extension .locklock to them. If you have been infected by the virus and want to try to restore your files, you should read the article carefully.

Threat Summary

TypeRansomware, Crypto-Virus
Short DescriptionThe ransomware will encrypt your files AES-256 algoritm for the encryption process. It wants you to buy a decryption password from its creator.
SymptomsThe ransomware will lock all files with the .locklock extension appended to them and display a ransom note with instructions on your desktop.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by LockLock


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss LockLock.

LockLock Virus – Infection Spread

The LockLock virus is possible to spread with various methods. Malware researchers report that most infections are on Chinese users. Spam email campaigns are probably the most common tactic for spreading this infection. A spam email consists of a brief description which tries to convince the user that is of great importance and the full information is on a file attached to the letter. Such files may seem harmless, but if opened, they can release the payload of the cryptovirus and infect your computer machine.

Social media services or file-sharing networks two other ways which the LockLock ransomware utilize. A file which has a malicious script in it can be placed on these networks and be advertised as a useful application. If such a file is opened, its payload will be released, rendering your system compromised. Preventing that from happening is to avoid any suspicious email letters, links, or files. Before opening a file, check its signatures first, then its size and afterward, scan it with security software. You can read more ransomware prevention tips from our forum.

LockLock Virus – Technical Analysis

The LockLock virus is a ransomware which is based on the EDA2 open-source project. The project was created for educational purposes by some researcher, but it is being used in lots of real-life attacks to this very day.

The LockLock ransomware might create an entry in the Windows Registry such as:


This entry allows LockLock to auto-start with each boot of the Windows Operating System.

When the encryption of all of your data is complete, the file READ_ME.TXT will be created. The file contains some contact details of the cyber-criminals behind the virus.

Below you can see the ransom note of the LockLock ransomware:


The above image will be set as your desktop background. The text in it reads:

All files in your computer has been encrypted by RSA key
You can not OPEN and READ content in file

YES. I can help you and ONLY me can do it!
To UNLOCK your files you must:
1. Download tool “Decrypter LockLock virus”
2. Visit and read information.
3. Enter Your Computer ID: (Open “READ_ME.TXT” on Desktop)
4. Run tools and enter Your Key then Click “Decrypt” button.
If you can not access website above, you can contact me:
– Email:
– Skype Chat: locklockrs

The LockLock virus does not push its victims to pay the ransom on any given time limit, nor does it set a price for paying the ransom. Both the ransom note and READ_ME.TXT point to two ways for contacting the cyber criminals, if the site does not work:

  • Email:
  • Skype Chat: locklockrs

The site given in the ransom note does not work indeed. The Apache server seems to be down, as you can see that from the image right here:


Do NOT contact these cyber crooks in any circumstance. There is nothing that can guarantee that you will get your files unlocked by contacting ransomware creators. Any financial support will just raise funds for more criminal activity.

The LockLock ransomware is known to encrypt files that are deemed most important for users. The list with encrypted file extensions may be incomplete, but here these extensions are surely to be encryted:

→.doc, .docx, .docm, .txt, .odt, .psd, .pdf, .xls, .xlsm, .xlsx, .jpg, .jpeg, .png, .bmp, .tiff, .html, .ppt, .pptx

All encrypted files will end up with the same extension, which is .locklock. The ransomware uses the AES-256 algorithm for its encryption. That is the same encryption method used for most EDA2 ransomware viruses.

You can see the detections of this virus on the VirusTotal website:


The LockLock ransomware probably erases the Shadow Volume Copies from the Windows Operating System. Read below to learn how to remove this threat and how you can try to restore your files.

Remove LockLock Virus and Restore .locklock Files

If your computer got infected with the LockLock ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance of spreading further and infect more PCs. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by LockLock.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share