If you are dealing with a Locky ransomware attack, knowing the following facts about this ransomware can mitigate the damage and may even help you restore your files.
The main objective of cryptography is to deliberately make data unreadable so that man-in-the-middle and similar attacks do not disclose the sensitive information being protected. However, cybercrime has successfully twisted this principle. While the cryptographic techniques remain the same, the goals have been turned upside down. Malicious programs called ransomware infect computers covertly, encrypt all files that matter to the victim, and demand money for decryption. Locky, one such offending application, goes this exact route. It employs two cryptosystems, a symmetric and an asymmetric one, to make one’s valuable files inaccessible; appends the .locky extension to every corrupted file; and provides a recovery methodology via files named _Locky_recover_instructions or _HELP_instructions.
The above-mentioned ransom notes come in three formats. The graphical one, _Locky_recover_instructions.bmp, is an image file that automatically shows up as the desktop background. The HTML and TXT counterparts of this file are planted in every directory that holds at least one encrypted file. The gist of these alerts is concisely stated at the very beginning: “Important information! All of your files are encrypted with RSA-2048 and AES-128 ciphers.” Then, after a few references to the Wikipedia overviews of these algorithms, comes the restoration advice: “Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.” The ransom directions also contain the victim’s personal identification ID, which the victim is supposed to enter on the Locky Decryptor Page.
The Locky Decryptor Page, by the way, is a Tor gateway rather than a standard Internet site. The Onion Router makes all such communication anonymous and protects the extortionists from being tracked down. To visit it, though, the infected user has to download and install Tor Browser and then follow their unique .onion link. According to that page, the combo of the private RSA key and decrypt solution costs 0.5-1 Bitcoin, which is several hundred US dollars.
To add insult to injury, Locky completely scrambles the names of encrypted files so that the victim cannot identify the most valuable data objects. Indeed, it’s impossible to find any tie between a document previously named “piechart.xlsx” and an item that looks like this – 5267F0FE7295F1F5378574B667A7AE14.locky. This breach is definitely a predicament that needs urgent fixing. Unfortunately, no one has found a method to obtain the private decryption key without access to the perpetrator-run server. Under the circumstances, users are left to either pay the ransom or try a number of techniques that may be effective in some ransomware attack scenarios.
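The two indicators the article has described so far, the 32-hex-character .locky filenames and the ransom notes dropped next to them, are enough to triage a machine before any recovery attempt. The script below is an added example, not code from the original article: it walks a folder tree, counts files that match the renaming pattern and the note filenames, lists the affected folders, and records when the earliest encrypted file was written. That last timestamp is what you need later when deciding which shadow copy or backup predates the attack. The folder tree is constructed in a temporary directory and is made-up sample data, not a real infection.

```python
"""Triage a folder tree for the Locky indicators described above.

Added example, not code from the original article. It looks for files that
follow the article's naming scheme (32 hex characters plus ".locky") and for
the ransom-note filenames, then reports which folders are affected and when the
earliest encrypted file was written. The folder tree is constructed in a
temporary directory (sample data, not a real infection).
"""
import os
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Encrypted-file naming scheme from the article: 32 hex chars + ".locky".
LOCKY_FILE_RE = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")
# Ransom-note names from the article, in their BMP/HTML/TXT variants.
NOTE_STEMS = ("_Locky_recover_instructions", "_HELP_instructions")
NOTE_EXTS = ("bmp", "html", "txt")


def is_encrypted_name(name: str) -> bool:
    """True if a filename matches the Locky renaming pattern."""
    return LOCKY_FILE_RE.match(name) is not None


def is_ransom_note(name: str) -> bool:
    """True if a filename is one of the ransom notes (extension case-insensitive)."""
    stem, _, ext = name.rpartition(".")
    return stem in NOTE_STEMS and ext.lower() in NOTE_EXTS


def triage(root) -> dict:
    """Walk `root` and summarise encrypted files and dropped ransom notes."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if is_encrypted_name(name):
                encrypted.append(path)
            elif is_ransom_note(name):
                notes.append(path)
    affected = sorted({str(p.parent.relative_to(root)) for p in encrypted})
    earliest = min((p.stat().st_mtime for p in encrypted), default=None)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "affected_dirs": affected,
        "earliest_mtime": earliest,  # epoch seconds, None if nothing found
    }


def build_sample_tree() -> str:
    """Construct a small fake tree; every file here is made-up sample data."""
    base = Path(tempfile.mkdtemp(prefix="locky_triage_"))
    docs, pics, clean = base / "Documents", base / "Pictures", base / "Untouched"
    for d in (docs, pics, clean):
        d.mkdir()
    # Encrypted files: the name no longer says what the file used to be.
    (docs / "5267F0FE7295F1F5378574B667A7AE14.locky").write_bytes(b"\x00" * 16)
    (docs / "0123456789ABCDEF0123456789ABCDEF.locky").write_bytes(b"\x00" * 16)
    (pics / "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.locky").write_bytes(b"\x00" * 16)
    # Notes dropped beside the encrypted files.
    (docs / "_Locky_recover_instructions.txt").write_text("Important information!\n")
    (docs / "_Locky_recover_instructions.html").write_text("<html></html>\n")
    (pics / "_HELP_instructions.txt").write_text("Important information!\n")
    # Look-alikes that must not count: a plain file, and a .locky without the hex name.
    (clean / "notes.txt").write_text("still readable\n")
    (clean / "report.locky").write_text("not a 32-hex name\n")
    return str(base)


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"encrypted files:  {report['encrypted_count']}")
    print(f"ransom notes:     {report['note_count']}")
    print(f"affected folders: {', '.join(report['affected_dirs'])}")
    if report["earliest_mtime"] is not None:
        when = datetime.fromtimestamp(report["earliest_mtime"])
        print(f"earliest encrypted file written at: {when:%Y-%m-%d %H:%M:%S}")
```

Point `triage()` at a user profile or a mapped drive on a real machine instead of the sample tree. The earliest modification time is only a lower bound for the start of the attack, since the malware may have encrypted other files first and then deleted them, so treat it as a hint when picking a restore point, not as proof.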
Run security software to remove Locky virus
The antimalware industry has an effective response to threats like Locky ransomware, though sometimes only after the fact. A combination of signature-based detection and heuristics built into the recommended security tool can accurately identify the plague so that removal becomes a simple, one-click experience. Be advised, however, that this action alone will not get your files decrypted.
- Download and install Locky virus remover. Once the tool is running, click Start Computer Scan.
- Upon completion of the scan, the program will display a list of harmful items that were detected. Select the Fix Threats feature in order to have the ransom trojan automatically removed.
Avenues of restoring .locky files
If your data is backed up to an offsite vault, such as an external piece of hardware or secure cloud storage, then you are minutes away from recovery. Just make sure you obliterate the crypto virus before downloading unaffected copies of your files. This is undoubtedly the most advantageous scenario.
The methods below apply to incidents where no backup is in place. They don’t involve decryption proper. Instead, each one offers a workaround to recover the data that the operating system may have backed up before the attack took place. Most samples of crypto ransomware are programmed to disable the appropriate emergency mechanisms built into the OS, but some strains are reportedly unsuccessful in doing so. One way or another, the following techniques are definitely worthwhile.
Plan A: Harness 'Shadow Copies' of your files
The Windows feature called VSS, which stands for Volume Shadow Copy Service, makes snapshots of data files at specified points in time, which typically correspond to System Restore events and important updates. The Locky virus anticipates VSS-based recovery on the victim’s end and attempts to disable this module after infecting a PC. However, it doesn’t always succeed in this.
Here is what you need to do to find out if this method can be of use in your case. Download and install Shadow Explorer, a lightweight and intuitive app for browsing the shadow copies of all files stored on mapped drives. Select a folder or file, right-click on it, select Export, and define the path to which the object will be restored.
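Before exporting anything from Shadow Explorer, it is worth confirming that a shadow copy older than the attack still exists for the affected volume. The script below is an added example, not code from the original article or from the Shadow Explorer project: it parses the output of `vssadmin list shadows` (a real Windows command), keeps only the copies created before a given attack time, and builds the `mklink` command that exposes a chosen copy as a plain folder. `SAMPLE_OUTPUT` is constructed to mimic that command's output and assumes US-locale timestamps (M/D/YYYY h:mm:ss AM/PM); on a real system, replace it with the captured output and adjust the date format if your locale differs.

```python
"""Pick shadow copies that predate the encryption.

Added example, not from the original article. SAMPLE_OUTPUT is a constructed
imitation of `vssadmin list shadows` output (three shadow copy sets on two
volumes); the attack time would normally come from the earliest modification
time of the encrypted files.
"""
import re
from datetime import datetime

SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 2/10/2016 8:05:12 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 2/20/2016 6:40:01 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (D:)\\?\Volume{dddddddd-dddd-dddd-dddd-dddddddddddd}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 3/1/2016 10:15:22 AM
      Shadow Copy ID: {eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

# Assumption: US-locale timestamp format as printed by vssadmin.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text: str) -> list:
    """Return one record per shadow copy: creation time, drive letter, device path."""
    records, created, current = [], None, None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:  # a set header; every copy listed under it shares this time
            created = datetime.strptime(m.group(1), TIME_FORMAT)
            continue
        if "Shadow Copy ID:" in line:
            current = {"created": created, "volume": None, "device": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = VOLUME_RE.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = DEVICE_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return records


def copies_before(records: list, attack_time: datetime, volume: str = None) -> list:
    """Shadow copies created before the attack, newest first, optionally for one drive."""
    hits = [r for r in records
            if r["created"] is not None and r["created"] < attack_time
            and (volume is None or (r["volume"] or "").upper() == volume.upper())]
    return sorted(hits, key=lambda r: r["created"], reverse=True)


def mount_command(record: dict, mount_point: str = r"C:\shadow_copy") -> str:
    """Build the mklink command that exposes the copy as a folder (run in an elevated cmd)."""
    # The trailing backslash on the device path is required by mklink.
    return f'mklink /d {mount_point} {record["device"]}\\'


if __name__ == "__main__":
    # Constructed attack time; in practice take it from the earliest .locky mtime.
    attack = datetime(2016, 2, 25, 9, 30)
    for rec in copies_before(parse_vssadmin(SAMPLE_OUTPUT), attack):
        print(f"{rec['volume']} snapshot from {rec['created']:%Y-%m-%d %H:%M}:")
        print("   ", mount_command(rec))
```

Run `vssadmin list shadows` from an elevated command prompt and feed its output to `parse_vssadmin()`. A copy dated after the attack is useless for recovery because the snapshot already contains the encrypted files, which is why the filter is strict about the creation time. Mount a copy read-only in spirit: copy files out of the linked folder, then remove the link with `rmdir`.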
Plan B: Let data recovery software do its job
Specially crafted recovery tools pursue the goal of reinstating accidentally deleted files or information that vanished because of critical hardware or software errors. Their application domain covers some instances of ransomware attacks as well. Under the circumstances, consider installing an effective suite called Stellar Data Recovery, run a scan to find out what fragments of data can be restored, and try your luck rescuing them.
Don’t underestimate ransomware
Having taken all of these measures in a bid to get the encrypted files back, consider rescanning your machine to make sure the crypto ransomware is no longer inside. There may be a relapse if the cleanup hasn’t been thorough, so spare a minute or two double-checking.