'.Locked_file File Extension' Ransomware Removal Guide

Do you know what '.Locked_file File Extension' Ransomware is?

Our cyber security specialists have recently tested a program called '.Locked_file File Extension' Ransomware. Research has shown that it is designed to infect your PC secretly and then encrypt your files. After encrypting them, it asks the victim to pay a ransom to get a decryption key. From the outset, we want to tell you that you should not trust cyber criminals to keep their word: they might not send you the key once you have paid, so you should remove this ransomware instead of complying with their demands.

If your computer becomes infected with '.Locked_file File Extension' Ransomware, it will enumerate system information and execute the command CACLS "[FILENAME]" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "[FILENAME]". This command grants certain permissions to this ransomware: it gives the current user full control of the file and clears the file's read-only, archive, and hidden attributes. The parts of the command break down as follows:

  • CACLS - sets access permissions on [FILENAME];
  • /E - edits the existing permissions instead of replacing them;
  • /G %USERNAME%:F - grants the current user full control of the file;
  • /C - continues on access-denied errors;
  • ATTRIB - displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories;
  • -R - clears the read-only attribute;
  • -A - clears the archive attribute;
  • -H - clears the hidden attribute.

Furthermore, this ransomware creates registry keys that might be used to check whether the system is already compromised. These keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.locked_file\ and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.skey\. This ransomware also creates a mutex, which is used to check whether its process has already been started.

Once executed, '.Locked_file File Extension' Ransomware enumerates the files on the computer but skips certain locations that include, but are not limited to, PROGRAMDATA, TEMP, BOOT, PROGRAM FILES, and WINDOWS. Apparently, this ransomware avoids encrypting files in locations that are vital to running the operating system. It was set to encrypt many file formats, including pictures, documents, videos, audio files, and so on. However, there are some file types that this ransomware does not encrypt. These include, without limitation, .XML, .LIST, .TTF, .LOG, .JA, .BAT, .CMD, .VBS, .JS, .CFG, .DOWNLOAD, .NFO, .MSI, .CHK, .DMP, .MUI, and many others.

'.Locked_file File Extension' Ransomware appends a .locked_file extension to the encrypted files, adds the email address restoreassistant2@tutanota.com for contacting the developers, and randomizes the file names. Once the encryption is complete, this ransomware drops a ransom note called "!HOW_TO_UNLOCK_FILES!.html" in each folder where a file was encrypted. The note demands that you contact the cyber criminals within 72 hours. The amount to be paid is not specified in the note, so we think that the sum is revealed after you contact the criminals via email.
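The CACLS/ATTRIB command line and the file indicators described above can be turned into a simple triage check over process and file events. The following Python sketch is an added example, not code from the original guide or from the ransomware analysis; the event tuple format, the function names, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

RANSOM_NOTE = "!how_to_unlock_files!.html"   # ransom note name from the guide
LOCKED_EXT = ".locked_file"                  # appended extension from the guide
AMP_OUTSIDE_QUOTES = re.compile(r'&(?=(?:[^"]*"[^"]*")*[^"]*$)')

def _args_after(tokens, exe_names):
    """Return the tokens that follow the first token naming one of exe_names."""
    for i, tok in enumerate(tokens):
        if tok.strip('"').rsplit("\\", 1)[-1] in exe_names:
            return tokens[i + 1:]
    return None

def is_permission_reset(cmdline):
    """True for CACLS /E /G <user>:F /C chained with ATTRIB -R -A -H."""
    cacls_ok = attrib_ok = False
    for segment in AMP_OUTSIDE_QUOTES.split(cmdline):   # '&' inside quoted paths is kept
        tokens = [t.upper() for t in re.findall(r'"[^"]*"|\S+', segment)]
        args = _args_after(tokens, {"CACLS", "CACLS.EXE"})
        if args is not None:
            full = any(a == "/G" and b.endswith(":F") for a, b in zip(args, args[1:]))
            cacls_ok = cacls_ok or ("/E" in args and "/C" in args and full)
            continue
        args = _args_after(tokens, {"ATTRIB", "ATTRIB.EXE"})
        if args is not None:
            attrib_ok = attrib_ok or {"-R", "-A", "-H"} <= set(args)
    return cacls_ok and attrib_ok

def classify_path(path):
    name = ntpath.basename(path).lower()   # ntpath parses Windows paths on any OS
    if name == RANSOM_NOTE:
        return "ransom_note"
    return "encrypted_file" if name.endswith(LOCKED_EXT) else None

def triage(events):
    labels = [("permission_reset" if is_permission_reset(v) else None) if k == "process"
              else classify_path(v) for k, v in events]
    return [(i, label) for i, label in enumerate(labels) if label]

SAMPLE_EVENTS = [  # constructed sample data: (event kind, command line or file path)
    ("process", r'cmd.exe /c CACLS "C:\Users\alice\Documents\report.docx" /E /G alice:F /C & ATTRIB -R -A -H "C:\Users\alice\Documents\report.docx"'),
    ("process", r'cacls "C:\inetpub\wwwroot" /E /G IIS_IUSRS:R'),
    ("file", r'C:\Users\alice\Documents\!HOW_TO_UNLOCK_FILES!.html'),
    ("file", r'C:\Users\alice\Documents\a8f3kq.locked_file'),
    ("file", r'C:\Users\alice\Documents\budget.xlsx'),
]
```

Calling triage(SAMPLE_EVENTS) flags the chained permission reset, the ransom note, and the renamed file, while the ordinary CACLS read grant and the untouched spreadsheet pass.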

In closing, '.Locked_file File Extension' Ransomware is nothing but a program used to extort money. Do not count on its creators to keep their word and send you the decryption key because they might not. Therefore, we recommend that you remove this ransomware from your PC altogether using an anti-malware program such as our featured SpyHunter, or delete the files manually using the guide below.

Manual Removal Guide

  1. Hold down Windows+E keys.
  2. Type the following file paths in the address box and press Enter.
    • %TEMP%
    • %USERPROFILE%\Downloads
    • %USERPROFILE%\Desktop
  3. Find the randomly-named executable.
  4. Right-click it and click Delete.
  5. Empty the Recycle Bin.

In non-techie terms:

'.Locked_file File Extension' Ransomware is a malicious application designed to encrypt your personal files and demand that you pay money to decrypt them. However, you may not get the promised decryption key once you have paid. Therefore, we advise against complying with the criminals’ demands and recommend removing this program instead.