Locky Ransomware

What is Locky Ransomware?

Ransomware infections are designed to extort money from users. Locky Ransomware seeks to do that too, so if you ever detect it on your system, you should hurry to remove this threat from your computer. It is highly advisable to do that in order to protect other files that you create or transfer to your computer in the future. Unfortunately, it will be quite hard to get rid of this threat because it cannot be removed via Control Panel, it starts together with Windows OS, and it might even connect to the Internet without permission. Even though it is quite difficult to eliminate ransomware, we suggest doing that ASAP. If you need some help with that, read this article from beginning to end and then use the removal instructions.testtest

What does Locky Ransomware do?

Once Locky Ransomware manages to slither onto the computer, this infection will encrypt all the files and add the {unique_id}{identifier}.locky extension. In other words, original extensions of your files will be removed and you will see something similar to F37041F1D21A911B1B4FC26E19A8C9BC.locky instead of photo.jpg. In addition, Locky Ransomware will also add files, e.g. _Locky_recover_instructions.txt to different locations. This file contains instructions that should help users to gain access to their files again. In addition, users will find links leading to the decryption page there as well. If this threat manages to enter the system, more experienced users will also notice that several new registry keys have been created:

  • HKCU\Software\Locky\id (a unique ID)
  • HKCU\Software\Locky\pubkey (RSA public key)
  • HKCU\Software\Locky\completed (checks whether or not the ransomware finished the encryption process)
  • HKCU\Software\Locky\paytext (stores texts visible in ransom notes)

In fact, this threat will not only encrypt files and create files and registry keys. It has been observed that it will put a message on the screen after it finishes encrypting images, videos, music, and documents with such filename extensions as .vdi, .ARC, .pps, .CSV, .XLS, .PPT, .DOC, .wmv, .asf, .mpeg, .java, .sxd, .jpeg, and many others as well. Remember, this ransomware is not going to affect files whose path names contain $Recycle.Bin, System Volume Information, Windows, Boot, Program Files, Program Files (x86), AppData, Winnt, Application Data, and tmp components.

If Locky Ransomware has really managed to enter your system, it will change a user’s wallpaper to %UserpProfile%\Desktop\_Locky_recover_instructions.bmp too. The wallpaper itself will contain the same instructions that can be found in _Locky_rcover_instructions.txt or _Locky_recover_instructions.bmp files. An excerpt of the message can be found below:


All of your files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found there:



Decrypting of your files is only possible with the privacy key and decrypt program, which is on our secret server.

Users will also be provided with links that they have to copy and paste into their address boxes. After doing that, they end up on payment pages. In most cases, users are asked to pay a ransom of 0.5 Bitcoin for the special software called Locky Decrypter. Yes, this software should help you to decrypt all your files and access them again. It is up to you whether or not to do that; however, you should know that it is the only way to recover files at the time of writing because Locky Ransomware deletes shadow copies of files by executing the following command: vssadmin.exe Delete Shadows /All /Quiet. It seems that the only way to decrypt files is to make a payment; however, you should know that nobody can guarantee that you will really gain access to your files. It should be also noted that you might recover your files from a backup (e.g. USB flash drive) after you get rid of the ransomware infection as well. In this case, you will not need to pay money.

Where does Locky Ransomware come from?

Many users cannot understand how Locky Ransomware has managed to enter their systems; however, you should know that it is not so difficult to explain. Research carried out by our specialists working at anti-spyware-101.com has shown that this ransomware infection enters systems after a user downloads the attachment available inside an email with a subject line similar to ATTN: Invoice J-9823145. The attachment itself is a Microsoft Word Document in most cases. If users open this file, they usually see a random set of letters, and they are informed that they have to enable macro. If they do that, the executable file of Locky Ransomware, which is svchost.exe, is downloaded and stored in %Temp%. Of course, users do not know that. As can be seen, ransomware infections are capable of entering systems really quickly, so users should never leave their systems unprotected. The easiest and quickest way to prevent malicious software from slithering onto computers is to install a trustworthy antimalware tool on the system.

How to delete Locky Ransomware?

It is a really hard task to remove ransomware infections from the system. Therefore, our specialists have prepared instructions for you. Unfortunately, they will not help you to unlock files. If you find it too difficult to erase this threat by hand, you should scan your computer with an antimalware scanner, such as SpyHunter. It will remove this infection and will protect your PC from similar infections day after day. Of course, you will have to upgrade it first and always keep it enabled.

Locky Ransomware removal instructions

  1. Open Windows Explorer.
  2. Enter %Temp% into the address bar and tap Enter.
  3. Locate svchost.exe, right-click on it, and select Delete.
  4. Remove Locky_recover_instructions.bmp from your desktop.
  5. Go to the Registry Editor (launch RUN, enter regedit, and click OK).
  6. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  7. Locate BackgroundHistoryPath0 and then delete it completely.
  8. Go to HKCU\Control Panel\Desktop\Wallpaper, right-click on it, and delete information from the Value data line. Click OK.
  9. Delete the following registry keys one by one:
100% FREE spyware scan and
tested removal of Locky Ransomware*

Leave a Comment

Enter the numbers in the box to the right *