Remove WickedLocker Virus and Restore .locked Files - How to, Technology and PC Security Forum |

Remove WickedLocker Virus and Restore .locked Files


WickedLocker is the name of a new ransomware cryptovirus based on the open-source HiddenTear project. All encrypted files will have the extension .locked appended to them. After it locks your files it demands 1 Bitcoin as payment. To see how to remove the ransomware and how you can try to restore your files, read the article to the end.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will encrypt your files and then display a ransom note with instructions for payment. It demands 1 Bitcoin for unlocking your files.
SymptomsAll encrypted files will get the extension .locked appended to them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by WickedLocker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss WickedLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

WickedLocker Virus – Distribution Tactics

The WickedLocker ransomware could use different tactics to enter your computer machine. The payload file might be spread with spam emails. The spam emails usually have an attached file and are written in a way to make you feel that they are important including their attachment. If you open the attached file, it will release the malicious script and infect your computer system.

WickedLocker ransomware might infect your computer device by using other tactics. The malware creators might be distributing their payload file via social media and file-sharing services. Refrain from opening files from suspicious emails, links or an unknown source. Before opening, you should scan those files with a security program and check their size and signatures. You should read the ransomware prevention tips from the topic in the forum.

WickedLocker Virus – Technical Analysis

WickedLocker is a cryptovirus that was found in the wild by the malware researcher
Jack (@malwareforme). The ransomware is based on the well-known HiddenTear open-source project.

Your files get encrypted and will all have the extension .locked being appended to every one of them after the encryption process is complete. The instructions with demands for payment are placed in multiple files spread on your computer, inside folders with encrypted files.

When the WickedLocker ransomware initiates its payload, it can create entries in the Windows Registry. That can make the ransomware more durable, and it could put it in different locations on your PC. Besides, the registry entries could make the cryptovirus launch automatically with each start of the Windows operating system.

You can view a screenshot of the file containing the ransom message done here:


The ransom note is put inside multiple files with the name READ_IT_[number].txt. It reads the following:

Your personal files are locked.

To unlock your files and work as normal you have to send 1 bitcoin to our wallet.

Send 1 BTC address
14wV6DktpJEzY5U2BiJwRpdaFFPn8kVn7S and send the transaction id to [email protected]

Apart from the ransom note, which is also put as a desktop background, there is a window that loads up after your files get encrypted. You can see its contents below:


Your personal files are locked!
Your personal files are locked.
To unlock your files and work as normal you have to send 1 bitcoin to our
Send 1 BTC to address [redacted] and press next >>.
Next >>


1. Send 1 BTC to the following address:
2. Enter your email address:
3. Enter the Transaction ID:
4. Click Pay >>
<< Back Pay >>

You are asked to pay the sum of 1 Bitcoin. That amounts to 700 US dollars at the time of writing this article. The email [email protected] is used for contacting the cybercriminals. However, you should NOT think of contacting them or paying anything as that will only support the crooks. Nobody can guarantee you that by paying you will recover your files to their previous state, before the encryption.

The WickedLocker ransomware will encrypt files and append the .locked extension to every one of them. For the time being, a list with file extensions which the ransomware searches to encrypt is not available. Most of these files are probably documents, pictures, databases and other important files.

The WickedLocker virus is very likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and see what ways you can try out to hopefully restore your files.

Remove WickedLocker and Restore .locked Files

If your computer got infected with the WickedLocker ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by WickedLocker.

Manually delete WickedLocker from your computer

Note! Substantial notification about the WickedLocker threat: Manual removal of WickedLocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove WickedLocker files and objects
2.Find malicious files created by WickedLocker on your PC

Automatically remove WickedLocker by downloading an advanced anti-malware program

1. Remove WickedLocker with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by WickedLocker
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.