Remove PowerLocky Ransomware and Restore .locky Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove PowerLocky Ransomware and Restore .locky Encrypted Files

A ransomware virus named PowerLocky has been reported to infect users, encrypt the files on infected computers and append the .locky file extension to them. PowerLocky also leaves a ransom note demanding approximately $500 (0.74 BTC) for decryption. Researchers report that its name comes from two powerful ransomware families, Locky and PowerWare. Users who have become victims of this virus are advised to take extreme caution and read this article to learn how to remove PowerLocky and restore their files.

Threat Summary

Name: PowerLocky
Type: Ransomware
Short Description: PowerLocky encrypts files with the AES-128 cipher and demands a ransom of about 0.74 BTC (roughly $500) for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with payment instructions appears as a “_HELP_instructions.html” file.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks; the ransomware component runs via PowerShell.

PowerLocky Ransomware – Distribution Methods

To spread across user PCs, PowerLocky may use several methods. One of them is spam e-mail campaigns whose messages imitate well-known services or offers, for example:

  • “Windows Free Upgrade Is Here”.
  • “Your PayPal Account Has Been Suspended.”
  • “Your Bank Account Receipt”.
  • “Your Debit Card Has Been Rendered Inactive”.

As soon as such an e-mail is opened, the user may find either malicious attachments or malicious URLs in it, which can lead to infection of the computer in several ways:

  • Malicious redirects to web links that cause infection via drive-by download.
  • Infection via an exploit kit.
  • Infection via malicious macros in Microsoft Office documents (or malicious content in Adobe PDF documents).
  • Infection via a malicious .js (JavaScript) file attachment.
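The lures and attachment types listed above are what a mail gateway would screen for. The following is an added example (not code from the article, from SensorsTechForum or from any mail product): it parses a raw message with Python's standard email package, lists its attachments, flags script or macro-bearing attachment types such as .js and .docm (including the double-extension trick “Receipt.pdf.js”), and matches the subject against the lure phrases quoted above. The extension list, the verdict rules and both sample messages are assumptions constructed for the demonstration.

```python
"""Flag e-mails carrying the PowerLocky lures and attachment types.

Added example, not the article's or any vendor's code.  The extension list,
the lure patterns, the verdict rules and the sample messages are assumptions
constructed for the demonstration.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: script and macro-bearing types that a gateway should not
# deliver unfiltered (the article names .js files and Office macros).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1",
                    ".docm", ".xlsm", ".pptm", ".exe", ".scr"}

# Lure phrases derived from the subject lines quoted in the article.
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"windows free upgrade",
    r"paypal account .*suspended",
    r"bank account receipt",
    r"debit card .*inactive",
)]


def attachment_names(msg) -> list:
    """Filenames of every attachment part, in message order."""
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename()]


def final_extension(name: str) -> str:
    """'Receipt.pdf.js' -> '.js': only the last extension decides what runs."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a verdict with the evidence."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)
    risky = [n for n in names if final_extension(n) in RISKY_EXTENSIONS]
    lures = [p.pattern for p in LURE_PATTERNS if p.search(subject)]
    # Assumed rules: an executable attachment is blocked outright; a lure
    # subject without one is held for review; everything else passes.
    verdict = "block" if risky else ("quarantine" if lures else "allow")
    return {"subject": subject, "attachments": names,
            "risky": risky, "lures": lures, "verdict": verdict}


def build_lure_sample() -> bytes:
    """Constructed message in the style of the PayPal lure, with a .js dropper name."""
    msg = EmailMessage()
    msg["From"] = "service@paypal-example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your PayPal Account Has Been Suspended."
    msg.set_content("Please review the attached receipt.")
    msg.add_attachment(b"// constructed placeholder, not malware\n",
                       maintype="application", subtype="javascript",
                       filename="Receipt.pdf.js")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Agenda for Tuesday"
    msg.set_content("Agenda attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure_sample(), build_benign_sample()):
        r = assess(raw)
        print(f"{r['verdict']:>10}  {r['subject']!r}  attachments={r['attachments']}"
              f"  risky={r['risky']}  lures={r['lures']}")
```

The verdict is driven by the last extension only, because that is what Windows uses to choose the handler when the user double-clicks; a gateway that looks at the MIME type alone would see “application/javascript” here, but attackers routinely mislabel the part, so the filename is the more reliable signal.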

PowerLocky Ransomware – Detailed Information

As soon as PowerLocky has infected a PC, it may or may not drop a malicious payload to disk. PowerWare, one of the two families PowerLocky is derived from, is fileless: its ransomware logic runs as a PowerShell script rather than a dropped executable, so if PowerLocky reuses that component it may proceed directly to the encryption routine. If it does use malicious files, it may drop them in the usual target locations:

[Image: commonly used file names and folders]

Below is the detection of PowerLocky’s main executable by several anti-malware products. The executable may either be run directly or simply dropped on the computer:

[Image: VirusTotal detection results for PowerLocky’s main executable]

Once the encryption routine of PowerLocky has started, the ransomware scans for files with the following extensions and encrypts those it finds:

[Image: list of file extensions targeted for encryption]

After encrypting the files, the PowerLocky virus appends the .locky file extension to them, for instance:

Picture.jpg.locky

After encrypting the files, PowerLocky drops an .html file named “_HELP_instructions.html” containing the following ransom instructions for the affected user:

→“We present a special software Locky Decrypter
which allows you to decrypt and return control to all your encrypted files.
How to buy Locky decrypter?
1. Download and install the Multibit application. This will give you your own Bitcoin-wallet address. You can find it under the “Request” tab. Paste this in the “Your BTC-address” field below.
2. Buy Bitcoins, the price is 500 $ / 0.74290893 BTC and send it to your own Bitcoin-wallet address, they will show up in the Multibit app that you installed earlier. From there, hit the “Send” tab. Send the remaining BTC (bitcoin) to this Bitcoin-wallet address: {Unique-BTC-Address}
Now submit the form below, only if you’ve actually sent the Bitcoins. Upon manual verification of the transaction, you will receive the decrypter through email within 12 hours. ALL of your files/data will then be unlocked and decrypted automatically, HTML ransom files will also be removed.
Do NOT remove HTML ransom files or try to tamper with files in any way, because the decrypter will not work anymore.
Please remember this is the only way to ever regain access to your files again!”

Source: Infected Users

As seen above, the note instructs the victim to use the Multibit wallet application to pay the ransom in Bitcoin. Bitcoin is the payment method preferred by ransomware gangs because payments are hard to trace back to a person: the currency is pseudonymous rather than anonymous (transactions are visible on the public ledger), but linking a wallet address to an identity is difficult.
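Before any restoration attempt it is worth scoping the infection: which directories were hit, which files carry the .locky extension, whether they are actually encrypted or only renamed, and what wallet address the notes point to. The following is an added example (not code from the article, from SensorsTechForum or from the malware itself) that walks a directory tree looking for the two artifacts described above, the trailing .locky extension and the dropped _HELP_instructions.html note. It recovers the original filename by stripping the last suffix (Picture.jpg.locky becomes Picture.jpg), pulls the Bitcoin address out of each note, and uses byte entropy to separate real ciphertext from files that merely carry the extension. The entropy threshold, the sample tree built by build_sample() and the wallet address inside it are assumptions constructed for the demonstration.

```python
"""Scope a PowerLocky infection on a file tree.

Added example, not code from the article or from the malware.  The entropy
threshold, the constructed victim tree and the fake Bitcoin address are
assumptions made for the demonstration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

LOCKY_EXT = ".locky"
NOTE_NAME = "_HELP_instructions.html"
# Legacy Base58 Bitcoin address (starts with 1 or 3; no 0, O, I or l).  The
# article shows the note with a {Unique-BTC-Address} placeholder in this spot.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# AES output is close to 8 bits of entropy per byte; text and most document
# formats sit well below 7.  Assumed threshold, not taken from the article.
ENCRYPTED_ENTROPY = 7.0
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root` and classify PowerLocky artifacts found under it."""
    root = Path(root)
    encrypted, renamed_only, notes = [], [], []
    addresses = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            notes.append(path.as_posix())
            text = path.read_text(encoding="utf-8", errors="replace")
            addresses.update(BTC_RE.findall(text))
        elif path.suffix == LOCKY_EXT:
            with path.open("rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            record = {
                "path": path.as_posix(),
                # "Picture.jpg.locky" -> "Picture.jpg": only the last suffix goes
                "original_name": path.with_suffix("").name,
                "directory": path.parent.relative_to(root).as_posix(),
                "entropy": round(entropy, 2),
            }
            (encrypted if entropy >= ENCRYPTED_ENTROPY else renamed_only).append(record)
    return {
        "encrypted": sorted(encrypted, key=lambda r: r["path"]),
        "renamed_only": sorted(renamed_only, key=lambda r: r["path"]),
        "notes": sorted(notes),
        "btc_addresses": sorted(addresses),
        "affected_dirs": Counter(r["directory"] for r in encrypted),
    }


def build_sample(root) -> Path:
    """Constructed victim tree: two encrypted files, one renamed-only decoy, two notes."""
    root = Path(root)
    docs = root / "Users" / "victim" / "Documents"
    pics = root / "Users" / "victim" / "Pictures"
    for d in (docs, pics):
        d.mkdir(parents=True, exist_ok=True)
    # Random bytes stand in for AES-128 ciphertext (high entropy).
    (docs / "report.docx.locky").write_bytes(os.urandom(4096))
    (pics / "Picture.jpg.locky").write_bytes(os.urandom(4096))
    # Decoy: carries the extension but is still plaintext (low entropy).
    (docs / "notes.txt.locky").write_bytes(b"meeting notes\n" * 200)
    (docs / "todo.txt").write_text("untouched file\n", encoding="utf-8")
    # Constructed note in the style quoted in the article; the address is fake.
    note = ("<html><body>We present a special software Locky Decrypter ... "
            "Send the remaining BTC (bitcoin) to this Bitcoin-wallet address: "
            "1ABCDEFGHJKLMNPQRSTUVWXYZabcdefgh</body></html>")
    for d in (docs, pics):
        (d / NOTE_NAME).write_text(note, encoding="utf-8")
    return root


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} encrypted, "
          f"{len(result['renamed_only'])} renamed only, "
          f"{len(result['notes'])} ransom notes")
    for directory, count in sorted(result["affected_dirs"].items()):
        print(f"  {directory}: {count} file(s)")
    print("ransom addresses:", ", ".join(result["btc_addresses"]))
```

Run it against a mounted image or the live drive by calling triage() with the root of interest instead of demo(); the “renamed_only” bucket is worth inspecting by hand, since low-entropy .locky files are either untouched files that were renamed before the process was killed or files the malware failed to overwrite, and either kind may be recoverable by simply removing the extension.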

PowerLocky Ransomware Virus – Removal and File Restoration

If you have decided not to pay the ransom, which is what security experts strongly recommend, follow the step-by-step removal instructions provided below. They are arranged methodically for maximum effectiveness. If you cannot manually find and remove all objects and processes associated with PowerLocky, we strongly advise you to try the automatic removal solution: an advanced anti-malware product that removes the threat permanently without harming the encrypted files and protects your PC in the future.

Since files encrypted by PowerLocky have most likely been ciphered with the AES-128 algorithm, it is currently not possible to decrypt them directly. We will update this article as soon as a decryptor is released to the public. In the meantime, try the alternative methods in step “3. Restore files encrypted by PowerLocky”.

Manually delete PowerLocky from your computer

Note! Manual removal of PowerLocky involves editing system files and the registry and can damage your PC if done incorrectly. If your computer skills are not at a professional level, don’t worry: you can perform the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove PowerLocky files and objects
2. Find malicious files created by PowerLocky on your PC
3. Fix registry entries created by PowerLocky on your PC

Automatically remove PowerLocky by downloading an advanced anti-malware program

1. Remove PowerLocky with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by PowerLocky in the future
3. Restore files encrypted by PowerLocky
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

