China-based Internet users should beware: a new ransomware called Locklock Ransomware is on the loose, and it is set to target users based in China only. You will want to remove this application because its only objective is to encrypt the files on your PC and offer to sell you a decryptor for an unspecified sum of money. Its creator might ask for a large sum, so you should think through your options before deciding to pay. This ransomware is open-source, so we think that security researchers might develop a free decryption tool. Until then, we recommend that you delete this malicious program.
Interestingly, even though this ransomware is known to infect computers based only in China, its ransom note is in English. The note says that your files have been encrypted and that you need to send an email to locklockrs@aol.com or contact the developer via the provided Skype name to get them decrypted. However, no one is going to decrypt them for free because the whole purpose of this application is extortion. The sum of money you may be asked to pay is also unknown and may vary from case to case.
This application uses the Advanced Encryption Standard (AES) with a 256-bit key, so its encryption is quite strong. However, we have found that it is based on the EDA2 open-source ransomware project, so there might be a free decryption tool already in the works. In any case, Locklock Ransomware is set to encrypt most of the files on your computer, including, without limitation, file formats such as .7z, .asp, .avi, .bmp, .cad, .cdr, .doc, .docm, .docx, and .gif. In all, this ransomware seems to encrypt well over one hundred file formats. Furthermore, it will target and encrypt files in most locations on your computer, but it will skip system folders so as not to disrupt the operating system. While encrypting the various file formats, this ransomware appends the .locklock extension to each file and removes the file icon, which indicates that a file has indeed been encrypted.
Once the encryption has been completed, this ransomware will drop a text file named READ_ME.TXT on the desktop. This file serves as a ransom note and, as stated previously, the text inside it calls on you to contact the cyber criminal in control of this ransomware and purchase the key. We have no doubt that you will be asked to purchase Bitcoins first and pay for the decryptor in Bitcoins because the transaction cannot be traced back to any location. We have found that this ransomware's Command and Control (C&C) server is located at locklock.net/tmp/savekey.php, and this server is where the decryption keys are sent, but you cannot access them, of course. This indicates that the decryption key is not stored locally but remotely. Now that you know the inner workings of this ransomware, let us take a look at how it is distributed.
Like most malware of this type, Locklock Ransomware is distributed using malicious emails that contain zipped attachments, which drop this ransomware's executables once the attached files are opened. The infection takes place secretly, and it could only be stopped by a powerful antimalware program. Take note that the emails may look like receipts, invoices, tax return forms, and so on. The emails should be in English, so that might give this infection away and save you the trouble of dealing with the consequences. Furthermore, we have received information that Locklock Ransomware can also be dropped by Trojans featured on infected websites.
If your computer has been infected with this ransomware and it has encrypted your files, we suggest removing it first and then looking for ways to decrypt them, because purchasing the decryptor from the cyber criminal will only encourage him/her to release more similar infections. Also, there is no guarantee that you will receive the decryptor once you have paid. You can delete Locklock Ransomware manually, but we recommend using an antimalware tool because the name of its executable is randomized in each infection.
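The indicators described above (the appended .locklock extension, the READ_ME.TXT note, and the C&C URL) can be used to gauge the scope of an infection before cleanup. The following is an added example, not code from the original article or from the ransomware project: the sample folder tree and proxy log lines are constructed, the log format is hypothetical, and it assumes the original file name is kept in front of the appended extension.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article text.
ENCRYPTED_EXT = ".locklock"
RANSOM_NOTE = "READ_ME.TXT"
C2_INDICATOR = "locklock.net/tmp/savekey.php"

def triage_tree(root):
    """Read-only walk of root: list encrypted files and ransom notes."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                # Assumption: the original name precedes the appended extension.
                original = name[: -len(ENCRYPTED_EXT)]
                by_type[Path(original).suffix.lower() or "(none)"] += 1
            elif name.upper() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
    return {"encrypted": sorted(encrypted), "notes": notes, "by_type": dict(by_type)}

def c2_hits(log_lines):
    """Return log lines that reference the C&C URL named in the article."""
    return [line for line in log_lines if C2_INDICATOR in line.lower()]

def demo():
    """Build a constructed sample tree and proxy log, then triage both."""
    log = [  # constructed sample lines; the format is hypothetical
        "2016-01-01T10:00:00 10.0.0.5 GET http://example.com/index.html 200",
        "2016-01-01T10:00:07 10.0.0.5 POST http://locklock.net/tmp/savekey.php 200",
    ]
    with tempfile.TemporaryDirectory() as root:
        desktop, docs = Path(root, "Desktop"), Path(root, "Documents")
        desktop.mkdir()
        docs.mkdir()
        for p in (docs / "report.docx.locklock", docs / "photo.bmp.locklock",
                  docs / "notes.docx.locklock", docs / "untouched.txt",
                  desktop / RANSOM_NOTE):
            p.write_bytes(b"constructed sample")
        report = triage_tree(root)
        for key in ("encrypted", "notes"):
            report[key] = [os.path.relpath(p, root) for p in report[key]]
    report["c2"] = c2_hits(log)
    return report

if __name__ == "__main__":
    print(demo())
```

The per-type counts show which backups need to be restored, and a hit on the C&C URL in proxy logs identifies which host sent a key and when.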