Remove Locky ransomware and decrypt .locky extension files

It’s a tough task to restore data encrypted by the Locky virus, but some techniques can make files accessible again without the necessity to pay the ransom.

What is Locky ransomware?

Going by the strange name of “Locky”, the ransom Trojan in question belongs to the category of ransomware whose cryptography is implemented without exploitable flaws. What this means is that victims are mostly bound to meet the attackers’ demands, otherwise they run the risk of losing all of their personal data. Locky has been around since mid-February this year and is still in the wild. It spreads via fake invoices sent to numerous users with the help of a botnet. The ZIP archives attached to the rogue emails contain a macro-enabled Microsoft Word document in Docm format. These files are tricky: the document opens as garbled text, but a prompt to enable macros assures the user that the alleged invoice will then become readable. Once the unsuspecting person manually activates macros, though, Locky is instantly deployed in the target environment.

Locky ransom warning

When inside and running, the offending code first scans all lettered volumes of the hard drive, as well as removable and network drives, in pursuit of the victim’s personal files. The modus operandi is as follows: Locky compares every data item against a predefined array of file extensions, including .wma, .mid, .mkv, .rar, .gif, .sql, .pptx, .xlsx, .docx and tens of others. It doesn’t take a genius to understand that these formats reflect the most widespread forms of data, where the likelihood of their being personal is high. The basic objective once such items have been found is to prevent the user from being able to open or otherwise handle them. To that end, the ransomware utilizes a mixture of AES and RSA algorithms. Combining symmetric and asymmetric crypto is an approach that leaves the information scrambled for good unless the attackers’ private key is obtained.

.locky files and ransom note

The encoded files don’t even look like they did prior to the compromise. Filenames morph into 32-character hexadecimal strings followed by the extension “.locky”. The ransomware adds restoration walkthroughs into every folder with encrypted data. They are named “_Locky_recover_instructions.txt (.bmp, .html)” or “_HELP_instructions.txt (.bmp, .html)”. The one in BMP format replaces the desktop background. It says, “All of your files are encrypted with RSA-2048 and AES-128 ciphers”. To unlock the data, the user has to follow one of the Tor links provided in these ransom notes and submit 0.5 BTC to the criminals’ Bitcoin wallet.
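The renaming scheme and the ransom note names described above are the on-disk artifacts a responder uses to scope an incident: which folders, shares and profiles were touched. The following triage script is an added example written for this article, not a tool from the page or from any vendor it mentions. It walks a directory tree, flags files whose name is 32 hex characters plus “.locky” and files named like the ransom notes, and counts encrypted files per folder. The directory layout and the hex filenames it builds are constructed for the demo and are not real victim data.

```python
import os
import re
import tempfile
from collections import Counter

# Naming patterns from the article: 32 hex characters plus ".locky", and the
# ransom note names dropped into every affected folder (.txt, .bmp, .html).
LOCKY_FILE_RE = re.compile(r"^[0-9a-f]{32}\.locky$", re.IGNORECASE)
RANSOM_NOTE_RE = re.compile(
    r"^(_Locky_recover_instructions|_HELP_instructions)\.(txt|bmp|html)$",
    re.IGNORECASE,
)


def classify(name):
    """Return 'encrypted', 'note', or None for a bare filename."""
    if LOCKY_FILE_RE.match(name):
        return "encrypted"
    if RANSOM_NOTE_RE.match(name):
        return "note"
    return None


def scan_tree(root):
    """Walk `root` and collect Locky artifacts.

    Returns the encrypted file paths, the ransom note paths, and a count of
    encrypted files per directory (relative to `root`) so the responder can
    see which folders, and therefore which shares or profiles, were hit.
    """
    encrypted, notes = [], []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind == "encrypted":
                encrypted.append(os.path.join(dirpath, name))
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif kind == "note":
                notes.append(os.path.join(dirpath, name))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "per_dir": dict(per_dir),
    }


def build_sample_tree():
    """Create a constructed directory tree imitating a hit user profile.

    The hex names below are made up for this example (constructed data).
    """
    root = tempfile.mkdtemp(prefix="locky_demo_")
    layout = {
        "Documents": [
            "0F2E4D6C8B9A1F3E5D7C9B0A2F4E6D8C.locky",
            "A1B2C3D4E5F60718293A4B5C6D7E8F90.locky",
            "_Locky_recover_instructions.txt",
            "_Locky_recover_instructions.bmp",
            "budget.xlsx",  # untouched file, must be ignored
        ],
        "Pictures": [
            "f" * 32 + ".locky",
            "_HELP_instructions.html",
            "notes.txt",  # ordinary name that must not count as a ransom note
        ],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = scan_tree(demo_root)
    print(f"{len(report['encrypted'])} encrypted files, "
          f"{len(report['notes'])} ransom notes under {demo_root}")
    for folder, count in sorted(report["per_dir"].items()):
        print(f"  {folder}: {count} encrypted")
```

Pointing `scan_tree` at a user profile or a mapped share gives a quick picture of the blast radius before any cleanup or recovery is attempted; the note paths are also worth preserving as evidence, since they carry the victim-specific Tor links.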

Buying the private RSA key, however, is not the only option. The infected person can and definitely should try to restore their files using VSS (Volume Snapshot Service), which is a Windows-native backup feature. Forensic tools may be able to do the trick as well. Keep reading this article to learn more.

Locky removal

By removing this ransomware, you can ensure it will not do any further damage. The linked-to automated cleanup tool is capable of detecting malicious executables of all known crypto viruses and obliterating the entirety of their harmful components. One thing to keep in mind, though, is that the data left behind will stay inaccessible until the appropriate recovery measures are adopted.

1. Download and install Locky virus remover. Run the suite and click Start Computer Scan.

2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-to’s

Now that you have taken care of the offending code proper, it’s high time you tried to restore the scrambled files. Regular data backups prior to the compromise pose the optimal means to reinstate the information. In this case, just use your backup service provider’s appropriate functionality to download the most recent copies of files. If the reserve storage is on a piece of external hardware, simply transfer the data back to your PC.

Unfortunately, some users don’t have a sound backup strategy that would make them resilient to such breaches. If you happen to be in that category, the dilemma is to either pay the ransom or take advantage of the best practices of forensic data restoration. The former modus operandi (ransom) should be your last resort, so try the routines below first.

a) Explore ‘shadows’
As enigmatic as it sounds, this is a completely down-to-earth method that might do the trick in some ransomware attack cases. The idea is to use snapshots of files made by the operating system during critical updates and the addition of new restore points. The applet called ShadowExplorer automates the workflow of finding these previous versions and restoring them to a location of choice or the original folder.

ShadowExplorer

The problem is, some crypto ransomware strains execute the “vssadmin.exe Delete Shadows /All /Quiet” command to wipe the existing shadow copies, which defeats this technique. To see whether it can work in your case, go ahead and do the following: download ShadowExplorer, install and launch it. Right-click on a random path, for example, Documents and Settings, select the Export feature and pick the directory to which the contents of this folder should be restored. If this helped, proceed with the rest of your data in the same fashion.
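Because the shadow-deletion command is such a reliable tell, it is also a good thing to alert on in process-creation telemetry before the encryption finishes. The script below is an added example for this article, not code from the page or from any product it names. It parses constructed key=value process-creation records (the field layout is assumed for the demo and does not correspond to a specific product’s export format), flags any command line that runs “vssadmin … Delete Shadows”, and raises the severity when the parent process is an Office application, which matches the macro-based delivery described earlier. “vssadmin list shadows” is deliberately not flagged, since that is what an administrator runs to check whether snapshots survived.

```python
import re

# Constructed sample process-creation records (not real telemetry).
# Field layout is an assumption for this example: key=value pairs,
# with quoted values where spaces are present.
SAMPLE_LOGS = [
    r'ts=2016-03-01T10:00:01 host=WS01 user=alice parent=WINWORD.EXE '
    r'image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts=2016-03-01T10:05:12 host=WS02 user=bob parent=explorer.exe '
    r'image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin.exe list shadows"',
    r'ts=2016-03-01T10:07:44 host=WS03 user=carol parent=cmd.exe '
    r'image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin Delete Shadows /For=C: /Quiet"',
    r'ts=2016-03-01T10:09:00 host=WS04 user=dave parent=explorer.exe '
    r'image=C:\Windows\System32\notepad.exe cmdline="notepad.exe invoice.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Matches "vssadmin Delete Shadows" / "vssadmin.exe delete shadows", any case.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Parent images that point at document-borne (macro) execution.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse_record(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_shadow_deletion(event):
    """True when the command line deletes shadow copies via vssadmin."""
    return bool(SHADOW_DELETE_RE.search(event.get("cmdline", "")))


def severity_for(event):
    """High if an Office process spawned the deletion, medium otherwise."""
    parent = event.get("parent", "").lower()
    return "high" if parent in OFFICE_PARENTS else "medium"


def detect_shadow_deletion(lines):
    """Run the rule over raw records and return one alert dict per hit."""
    alerts = []
    for line in lines:
        event = parse_record(line)
        if is_shadow_deletion(event):
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "parent": event.get("parent"),
                "cmdline": event.get("cmdline"),
                "severity": severity_for(event),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_LOGS):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['host']} "
              f"{alert['user']} parent={alert['parent']}: {alert['cmdline']}")
```

On a host that has already been hit, running `vssadmin list shadows` from an elevated prompt tells you immediately whether any snapshots are left for ShadowExplorer to work with.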

Data Recovery Pro

b) Use recovery software
There are solutions that traverse computer drives and connected media in search of obliterated data, and may be able to reinstate it. The reason why tools like Data Recovery Pro can be useful in ransomware-related predicaments is that some of these Trojans erase original versions of files, leaving their enciphered copies on the hard disk. If that’s the case, the above-mentioned application will scan the machine, list all recoverable entries in the scan report, and let you get those items back. Be advised it’s critical to remove the virus for good before you get down to this workaround.

Double-check for Locky remnants

Do not leave anything to chance when dealing with ransomware. Unless removed efficiently, these threats can relaunch the crypto attack and scramble everything you’ve been struggling to restore using the above methods. To add insult to injury, ransom Trojans may be accompanied by other infections, such as banking malware that steals victims’ sensitive credentials. One way or another, rescan your system to make sure you’re good to go.
