Remove .Locked virus and Recover Encrypted Files

12 Oct

.Locked virus is another data-encrypting malware that has been created by cyber-criminals using “Hidden Tear Project”. It uses AES encryption cipher to lock the targeted files and make it totally inaccessible for the users. .locked extension is added in every file that gets encrypted. The cyber-criminals demand the victims to pay a fine of 0.022 BTC as ransom. .Locked virus is also known by its alias named as “Ultimo Ransomware”. Since the personal files get locked, most of the victims gets panic and agrees to pay the ransom.

  • Is it Safe to Pay the Ransom Money?
  • Does Cyber-criminals Decrypts the Files after Receiving Ransom Money?
  • What is the Alternate Ways to Recover Important Data?

This article will provide you the complete details of .Locked virus and answers to all the questions that has been mentioned above. Follow the instructions that have been mentioned here to remove this malware and recover your personal files and data with alternate method.

Depth Analysis of .Locked virus

The file named as Weaterunion MTCN.exe triggers this malware in the PC. It creates a lot of entries and values in the registries in order to create its persistence. Whenever the Windows Startup process is executed, the Run and RunOnce registry keys triggers this files and hence the ransomware gets active on the PC. This new values will trigger the automatic execution of the ransomware. A file named as READ_IT.txt is stored on the desktop wallpaper as well as in the folder containing the encrypted files. This is the ransom note file that says:

Oooopppsss Your Files Has Been Encrypted

Your Unique GUID for Decrypt: j43as8fk-29gp-61da-3671-h03c83472r74

SEND ME SOME 0.022 Bitcoin on Adress: 1CCnFhbLT1VSMUqXaSqsYUAwcGU4evkbJo

After Confirming The Payment, ALL YOUR FILES CAN BE DECRYPTED.

If you do not make payment within 48 Hrs, you will lose the ability to decrypt them.

Make your Bitcoin Wallet on: xxxxs://www.coinbase.com/ or xxxx://blockchain.info”.

How to buy /sell and send Bitcoin :

xxxxs://support.coinbase.com/customer/en/portal/topics/***

xxxxs://support.coinbase.com/customer/en/portal/topics/***

xxxxs://support.coinbase.com/customer/en/portal/topics/***

After the payment, enter the wallet from which paid, and email, in which contact you. blackgoldl23@protonmail.com”,

After receiving the payment, we will contact you.

As you can clearly read in this ransom note, the cyber-criminals blackmail the victims to pay certain money to them as ransom. It gives a deadline of 48 hours to pay the ransom money. It can encrypt large number of files basically the files and related to MS Office, multimedia, PDF and so on. Some of the files extensions that it can encrypt are →.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb.sln.php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp and so on.

The cyber-criminals execute the →vssadmin.exe delete shadows /all /Quiet command in order to delete “Shadow Volume Copies”. In order to win the victims trust, it asks the victims to provide a single encrypted file and it will be decrypted for free as sample. Remember that all these are tricks and manipulation.

In most cases, the cyber-criminals don’t provide the original decryption key even after the money is paid. It is never recommended nor is it safe to pay ransom money. The best way to get the files back is to use the “Backup files” if available. Your prime aim should be to remove .Locked virus from PC so that other files and programs remain safe. So, before using the backup files or data recovery software, it is advised to scan the PC with a powerful anti-malware tool that has strong scanning algorithm and programming logics.

Remove .Locked virus  using powerful Windows Scanner
Download Automatic Removal Tool to eliminate infectious threat

Now, if you don’t want to face all these functions later inside the PC with .Locked virus  then you were highly suggested to delete .Locked virus  by installing expert’s anti-malware tool inside the PC.

So, what is anti-malware tool?

Anti-malware tool (SpyHunter 4) is a powerful real time protection programs for the Windows Operating System which has been created by Enigma Software Group. It is fully capable to protect the Computer against threat like .Locked virus . However, you can also remove this threat by manual process but it is little bit complexly. Besides that, the manual process requires Computer skill. That means, you need to put some extra effort on your PC in order to remove .Locked virus . As well as, you should have ability to revert back any wrong steps which you have taken in manual process. Otherwise the PC might be goes even worst conditions. On the other hand with the anti-malware tool you don’t requires any extra Computer skill or effort. The Spy Hunter has been designed between experts and novice Users level. Thus, you can easily operate without any worries of harm your Computer. Therefore, in my opinion I would like to prefer anti-malware tool in order to uninstall .Locked virus  from Computer.

Complete tutorial to delete .Locked virus  using automatic removal method

download-anti-spyware

  1. As you will run anti-malware tool, you will see two options located in middle of screen. Please click on **Scan Computer Now** option in order to proceed to full System scan.step-1
  2. You can also see the error result while scanning of PC.step-2
  3. If you want to scan any particular volume drive or removal pen drives then you can use this Custom Scan option.step-3
  4. Spyware Helpdesk will help you in solving the PC’s errors online (just like Customer services).step-4
  5. System Guard, this functions will helps you to keep your Computer safe from offline threat.step-5
  6. By using Network Sentry Option your browser will safe from online threat and your online activities will be protected by this anti-malware tool.step-6
  7. Al last, by enabling the Scan Scheduler function, your Computer will automatically keep scanned timely by this tool and notifies you if this tool caught any error.step-7

How to get rid of .Locked virus  manually?

Eliminate .Locked virus  by going through Control Panel:

  1. Click on the Start menu icon located on below left of screen (Right click for Windows 8 and 8.1 Users).control-panel-1
  1. Select Control Panel option > Programs.control-panel-2
  1. The Programs which were installed on PC were located in this list.control-panel-3
  1. Please find out .Locked virus  as well as their associated files and click on it to uninstall it.control-panel-4

Remove .Locked virus  entries from Windows Registry box:

  1. In order to go to the Windows registry box, please click on Win logo button+ R key together.manual1
  1. Type **regedit** in run dialog box. (If it asks your permission to open this window then click on Yes button)manual2
  1. Registry Box will suddenly open up please go through every location given below in this window in order to find out and delete .Locked virus .manual3
  • HKLM\SOFTWARE\Classes\AppID\ .Locked virus .exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
  • HKEY_CURRENT_USER\Software\Opera Software
    Explorer\Main\Start Page Redirect=http://random.com
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\virus name
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell = %AppData%\IDP.ARES.Generic.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Random
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random.

Method to prevent .Locked virus  and other similar threats in future

After all, the single biggest factor in preventing a threat like .Locked virus  infection is lies upon you. Even you already install anti-malware and you scan your Computer timely, if you don’t be carefully towards your PC while using it. It is obviously to get infected by .Locked virus  again. Therefore, you just need vigilance to avoid being affected by threat in future and n some tips and suggestion mention here will hopefully prevent your Computer from infection in coming time.

  • Keep your anti-malware updated.
  • Use strong passwords for valuable information to prevent from hacking.
  • Disable auto-run functions for downloaded files and injected drives.
  • Block auto update from network inside System.
  • Leave it out unknown recipient email attachments.
  • Avoid connecting to open source network like Wi-Fi.
  • Use hardware based firewall in order to protect your System against infections.
  • Deploy DNS protection from automatically get modified.
  • Use ad blocker extension and software in order to surf without getting any additional commercial ads and junk notifications.
  • Do not use any untrusted or unofficial domain for surfing and downloading files inside browser.

Click here to Download Automatic Removal Tool to Uninstall .Locked virus 

Leave a Reply