Remove Takahiro Locker Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove Takahiro Locker Ransomware and Restore Encrypted Files


Takahiro Locker is the name of a ransomware, which has its ransom message written in Japanese. Despite that, Japanese users might not be the only ones targeted. The ransomware seeks to encrypt files with a small number of extensions, but ones with the most important data to users. To see how to remove this ransomware and what can try to restore your files, you should read this article to its end.

Threat Summary

NameTakahiro Locker
Short DescriptionThe ransomware encrypts files asks for a ransom of 3 Bitcoins.
SymptomsThe ransomware locks mainly documents and pictures among media files. It creates a ransom note written in Japanese.
Distribution MethodSpam Emails, Email Attachments, Executable Files
Detection Tool See If Your System Has Been Affected by Takahiro Locker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Takahiro Locker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Takahiro Locker Ransomware – Delivery

Takahiro Locker ransomware has an .exe file which delivers its payload. That executable file is delivered in a couple of ways. One of the ways is if the file is dropped by other malware, and another – if the user downloaded the file without knowing about it. Malicious websites, social media networks, and file-sharing services can all be the source of download.

Spam emails are not excluded from delivering this ransomware infection. Inside emails, there could be malicious code – either as an attachment or in the body of the email. Downloading an attachment or simply opening an email might download the malware executable of Takahiro Locker. Be very careful around spam emails and files with an unknown origin if you want to avoid not getting infected.

Takahiro Locker Ransomware – Technical Overview

Takahiro Locker is how this ransomware is called. That is the name showing in the lock screen after file encryption. It is believed that is Japanese in origin but might also target other Japanese speakers across the world.

Below is a list with the most popular names of Takahiro Locker shown as detections in anti-malware programs:

  • Trojan.Win32.Scar.nzln (Kaspersky)
  • Trojan.GenericKD.3222895 (BitDefender)
  • W32/Scar.NZLN!tr (Fortinet)
  • Ransom_TAKALOCKER.A (TrendMicro)

Once the payload is unleashed, the ransomware will make new folders on the compromised computer and create the following directory:

→%User Temp%\Google\Chrome

Inside it will copy itself under the name “Update.exe”, and this will look exactly like a temporary update for the Google Chrome browser. After that, two registry entries will be made inside the Windows Registry.

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome Update Check = %User Temp%\Google\Chrome\Update.exe

→HKEY_CURRENT_USER\Software\Google\Update\SEND SENDING = [random address]

The first registry entry integrates an auto-start mechanism in Windows so that the ransomware can launch with each boot of the Operating System. The second string in the registry will probably send information to the malware owner via some electronic address.


You can see this error show up on your screen at some point later (Image on the right). The error message says: “WARNING RUNNING KILL ME! ”. The message serves as an initiation for the plot of the ransom note. It is all part of the scare plan to trick you into paying the ransom. Afterward, Takahiro Locker ransomware will start encrypting files.

The encrypted files are usually documents and pictures, but it can lock other files people use on a daily basis. Once the encryption is done, a ransom note is created, and this lock screen pops up:


The ransom note on the lock screen is written in Japanese, but a rough translation reads:

this is Tang, a Lawyer.
You have made an illegal file transfer, so I have locked your PC.
To unlock your files, you need to pay 3 Bitcoins within 3 days.
You need to have 30,000 Japanese Yen, to transfer them to Bitcoins and send them to me.
If you don’t pay within 3 days, the key for decryption will be deleted from where the server is stored and the data of your PC can no longer be returned.
Click the button “Next”.

As we see from the note above, the price of the ransom 3 Bitcoins. And the threat of not sending a decryption key if the ransom is not paid within 3 days is probably true.

Everything from the error message to the ransom note is very cleverly made. In most countries the trick might work, because governments watch about file downloads, and this action is punishable by law. Having strict laws about downloads might work in the few countries which speak Japanese – Japan, Palau, Brazil, United States, Peru, Philippines, France.

Do NOT pay the ransom if you recognize that you have been hit with this ransomware. Paying will only supply the malware creators with money, which will probably be used for other criminal acts. No proof exists that the decrypter tool given for money will even work.

Takahiro Locker is detected on VirusTotal from a lot of security programs:


The Takahiro Locker ransomware locks files with extensions related to documents, pictures, torrents, videos, music and archives. The extensions that the ransomware seeks to encrypt are very specific and small in number, but are what people still use to store their important data. The encrypted extensions are these:

→.txt, .jpg, .png, .bmp, .zip, .rar, .torrent, .7z, .sql, .pdf, .tar, .mp3, .mp4, .flv, .lnk, .html, .php

Interestingly enough, Takahiro Locker does not tamper with any files in these locations:

  • Windows
  • Steam
  • Origin
  • Program Files
  • the Recycle Bin

Takahiro Locker ransomware probably also deletes Shadow Volume Copies from the Windows Operating System.

Remove Takahiro Locker Ransomware and Restore Encrypted Files

If your PC is infected with the Takahiro Locker ransomware, you should have experience in removing malware. You should get rid of the ransomware as soon as possible before it has the chance to continue encrypting files or spread deeper in your network. We recommend that you follow the step-by-step instructions provided down here.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share