Locked Ransomware Removal Guide

Do you know what Locked Ransomware is?

Locked Ransomware is a new infection that started spreading at the beginning of March 2016. It does not differ much from other well-known ransomware infections (e.g. HydraCrypt Ransomware, JS.Crypto Ransomware, and Chimera Ransomware) because it also encrypts files, puts a message on the screen, and asks users to pay a ransom. The infection itself is based on EDA2, which is open-source ransomware code that can be downloaded from github.com. This is, surely, a new thing; however, we cannot say that Locked Ransomware is a completely unique infection because it uses the AES encryption algorithm, which is considered to be one of the strongest. Even though Locked Ransomware is quite new, it is not difficult to remove. Unfortunately, we cannot say the same about the decryption of files. Users who are not planning on paying money to cyber criminals should definitely read this article from beginning to end: there is one way to restore files without paying money.

As you already know, Locked Ransomware seeks to extort money from users, so it will lock all the files, including documents, pictures, and videos, the moment it enters the system. It will append the .locked extension to each of them, e.g. picture.jpg.locked, so it does not take much effort to find out which files have been encrypted. Our team of specialists has thoroughly tested this infection and found that it usually encrypts files with these extensions:

".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pps", ".ppt", ".pptx", ".odt", ".gif", ".jpg", ".png", ".db", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".frm", ".myd", ".myi", ".dbf", ".mp3", ".mp4", ".avi", ".mov", ".mpg", ".rm", ".wmv", ".m4a", ".mpa", ".wav", ".sav", ".gam", ".log", ".ged", ".msg", ".myo", ".tax", ".ynab", ".ifx", ".ofx", ".qfx", ".qif", ".qdf", ".tax2013", ".tax2014", ".tax2015", ".box", ".ncf", ".nsf", ".ntf", and ".lwp"

It needs several minutes to do that, and then it changes the wallpaper. If you see the black wallpaper with the red message saying that “It looks like your files have been encrypted,” we are sure that you have encountered Locked Ransomware.

The ransomware infection will also place the READ_IT.txt file on the Desktop after the encryption of files. The message users find there informs them that they need to pay a ransom of approximately $200 within 72 hours in order to regain access to their files. Of course, the ransom has to be transferred in Bitcoins. Users are also instructed to transfer the EXACT sum of money, for instance, 0.50095 BTC, if they wish to unlock their files. The key for unlocking files will appear on let-me-help-you-with-that.webnode.com within several days after making a payment; it will be listed under the sum the user pays. As we have managed to find out, this key has to be entered into the decryptor, which users have to open themselves by double-clicking on Decrypter.exe located in %USERPROFILE%. Users know that the decryption process has been successful if they notice that the Desktop wallpaper has changed to “Thank you (BTW, this is just a wallpaper).” You can change this wallpaper easily (download and save the picture, right-click on it, and select Set as desktop background).

The tone of the message itself is quite friendly; however, this infection is not friendly at all. Luckily, there is still a way to restore the files it has locked without paying money. Users who are going to pay a ransom should not delete Locked Ransomware; however, if you are not planning on doing that, you need to remove this infection as soon as possible. After doing that, you need to restore all your files from a backup, i.e. copy all your files from a backup (e.g. a USB flash drive) to your system. Make backups of your files periodically because there are hundreds of other ransomware infections that are capable of encrypting all the files.

It is known that ransomware infections are spread as spam email attachments. Users who download these attachments infect their systems, so it is better not to do that ever again. Of course, this is not the only way these threats can sneak onto computers. Therefore, you should stay away from file-sharing and torrent websites and not download programs from third-party web pages. It is also highly recommended to keep the system clean at all times because malicious software might download other threats and install them behind a user’s back. Finally, our security experts suggest investing in a reliable security application. As long as you keep it active and update it periodically, malicious software will not enter ever again.

If you have decided that you are not going to pay a ransom, you need to remove Locked Ransomware and then try to recover files from some kind of backup. Users who are going to delete this infection manually have to delete the main files of this threat one by one. If they do not wish to do that alone, they need to scan the system with SpyHunter. This antimalware tool will delete all the existing infections in the blink of an eye. Unfortunately, it cannot decrypt your files.

Delete Locked Ransomware

  1. Find the malicious .exe file you have downloaded, right-click on it, and select Delete.
  2. Locate the .exe file with random letters in %APPDATA%.
  3. Right-click on it and select Delete.
  4. Go to %USERPROFILE%.
  5. Delete Decrypter.exe and ransom.jpg files one by one.
  6. Remove READ_IT.txt from the Desktop.
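
Before deleting anything, the artifacts named in the steps above and the files carrying the .locked extension can be inventoried with a read-only check. This is an added example, not part of the original guide; it assumes Windows PowerShell 3.0 or later and that the encrypted files are located under the user profile.

```powershell
# Read-only triage for the Locked Ransomware artifacts named in this guide.
# Nothing is deleted; the script only reports what it finds.

# Fixed-name artifacts from the removal steps (steps 4-6).
$desktop = [Environment]::GetFolderPath('Desktop')
$fixed = @(
    (Join-Path $env:USERPROFILE 'Decrypter.exe'),
    (Join-Path $env:USERPROFILE 'ransom.jpg'),
    (Join-Path $desktop 'READ_IT.txt')
)
$artifacts = foreach ($path in $fixed) {
    [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
}

# Step 2 refers to a randomly named .exe directly in %APPDATA%. The name is
# not known in advance, so list every .exe at that level for manual review.
$appDataExe = Get-ChildItem -LiteralPath $env:APPDATA -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime

# Inventory encrypted files (name.ext.locked) under the profile and group
# them by original extension, to size the restore from backup.
$locked = Get-ChildItem -LiteralPath $env:USERPROFILE -Filter '*.locked' -File -Recurse -Force -ErrorAction SilentlyContinue
$byType = $locked |
    Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLowerInvariant() } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalExtension'; e = { $_.Name } }, Count

$artifacts  | Format-Table -AutoSize
$appDataExe | Format-Table -AutoSize
$byType     | Format-Table -AutoSize
"Encrypted files found: {0}" -f ($locked | Measure-Object).Count
```

An .exe listed from %APPDATA% is only a candidate for review, since legitimate programs can place executables there as well.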

In non-techie terms:

If you are going to remove Locked Ransomware in a manual way, you should not forget that other threats might be hiding on the system and you need to erase them too. Don’t worry; you can easily find out whether or not these threats are installed on your PC by scanning the system with a diagnostic scanner. It can be downloaded from our web page. In case it detects anything, erase those threats ASAP.