LockLock appears to be another ransomware cryptovirus based on the open-source EDA2 project. The virus encrypts a victim’s files and displays a ransom note with contact details. When encryption is complete, the ransomware appends the extension .locklock to the encrypted files. If you have been infected by the virus and want to try to restore your files, you should read the article carefully.
|Short Description||The ransomware encrypts your files using the AES-256 algorithm. It wants you to buy a decryption password from its creator.|
|Symptoms||The ransomware will lock all files with the .locklock extension appended to them and display a ransom note with instructions on your desktop.|
|Distribution Method||Spam Emails, Email Attachments, Executable Files|
LockLock Virus – Infection Spread
The LockLock virus can spread through various methods. Malware researchers report that most infections affect Chinese users. Spam email campaigns are probably the most common tactic for spreading this infection. A spam email contains a brief description that tries to convince the user that the message is of great importance and that the full information is in a file attached to it. Such files may seem harmless, but if opened, they can release the payload of the cryptovirus and infect your computer.
Social media services and file-sharing networks are two other channels that the LockLock ransomware can utilize. A file which has a malicious script in it can be placed on these networks and be advertised as a useful application. If such a file is opened, its payload will be released, rendering your system compromised. To prevent that from happening, avoid any suspicious emails, links, or files. Before opening a file, check its signatures first, then its size, and afterward scan it with security software. You can read more ransomware prevention tips on our forum.
LockLock Virus – Technical Analysis
The LockLock virus is ransomware based on the EDA2 open-source project. The project was created for educational purposes by a researcher, but it is still being used in many real-life attacks to this very day.
The LockLock ransomware might create an entry in the Windows Registry such as:
This entry allows LockLock to auto-start with each boot of the Windows Operating System.
When the encryption of all of your data is complete, the file READ_ME.TXT will be created. The file contains some contact details of the cyber-criminals behind the virus.
Below you can see the ransom note of the LockLock ransomware:
The above image will be set as your desktop background. The text in it reads:
YOUR COMPUTER HAS BEEN HACKED!
All files in your computer has been encrypted by RSA key
You can not OPEN and READ content in file
HOW TO RESTORE ALL FILES?
YES. I can help you and ONLY me can do it!
To UNLOCK your files you must:
1. Download tool “Decrypter LockLock virus”
2. Visit http://locklock.net and read information.
3. Enter Your Computer ID: (Open “READ_ME.TXT” on Desktop)
4. Run tools and enter Your Key then Click “Decrypt” button.
DONE. ALL FILE RESTORED!
If you can not access website above, you can contact me:
– Email: email@example.com
– Skype Chat: locklockrs
The LockLock virus does not push its victims to pay the ransom within any given time limit, nor does it set a price for the ransom. Both the ransom note and READ_ME.TXT point to two ways of contacting the cyber criminals if the site does not work:
- Email: firstname.lastname@example.org
- Skype Chat: locklockrs
The site given in the ransom note indeed does not work. The Apache server seems to be down, as you can see from the image right here:
Do NOT contact these cyber crooks under any circumstances. Nothing can guarantee that you will get your files unlocked by contacting ransomware creators. Any financial support will just raise funds for more criminal activity.
The LockLock ransomware is known to encrypt files that are deemed most important for users. The list of encrypted file extensions may be incomplete, but the following extensions are certain to be encrypted:
.doc, .docx, .docm, .txt, .odt, .psd, .pdf, .xls, .xlsm, .xlsx, .jpg, .jpeg, .png, .bmp, .tiff, .html, .ppt, .pptx
All encrypted files will end up with the same extension, which is .locklock. The ransomware uses the AES-256 algorithm for its encryption. That is the same encryption method used for most EDA2 ransomware viruses.
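A read-only triage sketch for the indicators described above: the appended .locklock extension, the READ_ME.TXT note, and the listed target extensions. This is an added example, not code from the original article; the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: appended extension and ransom note name.
LOCKED_SUFFIX = ".locklock"
NOTE_NAME = "read_me.txt"
# Extensions the article lists as targeted (the list may be incomplete).
TARGETED = {".doc", ".docx", ".docm", ".txt", ".odt", ".psd", ".pdf", ".xls",
            ".xlsm", ".xlsx", ".jpg", ".jpeg", ".png", ".bmp", ".tiff",
            ".html", ".ppt", ".pptx"}


def triage(root):
    """Walk root and summarise LockLock indicators without modifying anything."""
    report = {"encrypted": [], "notes": [], "at_risk": [], "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(LOCKED_SUFFIX):
                # The extension is appended, so stripping it reveals the original type.
                original = Path(lower[:-len(LOCKED_SUFFIX)]).suffix or "(none)"
                report["encrypted"].append(path)
                report["by_type"][original] += 1
            elif lower == NOTE_NAME:
                report["notes"].append(path)
            elif path.suffix.lower() in TARGETED:
                # Targeted type that is still intact: back it up offline first.
                report["at_risk"].append(path)
    return report


def build_sample(root):
    """Constructed sample tree (not real victim data) for a dry run."""
    for rel in ("Desktop/READ_ME.TXT", "Docs/report.docx.locklock",
                "Docs/budget.xlsx.locklock", "Pics/cat.JPG.locklock",
                "Pics/dog.png", "Docs/notes.log"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = triage(tmp)
        print(len(r["encrypted"]), "encrypted;", dict(r["by_type"]))
        print("notes:", len(r["notes"]), "intact targeted:", len(r["at_risk"]))
```

Pointing `triage()` at a user profile or a mounted file share gives a count of affected files by original type and a list of targeted files that are still intact.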
You can see the detections of this virus on the VirusTotal website:
The LockLock ransomware probably erases the Shadow Volume Copies from the Windows Operating System. Read below to learn how to remove this threat and how you can try to restore your files.
Remove LockLock Virus and Restore .locklock Files
If your computer got infected with the LockLock ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more PCs. You should remove the ransomware and follow the step-by-step instruction guide given below. To see ways that you can try to recover your data, see the step titled 3. Restore files encrypted by LockLock.