If you discover that your computer is infected with ransomware you should immediately shut down the computer and, if possible, create a copy or image of your hard drive. Doing that preserves the complete state of your hard drive in the event that a free decryption solution is developed in the future. If you do not plan on paying the ransom and can restore from a backup, then scan your computer with an anti-virus or anti-malware program and let it remove everything. Crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. As such, they don't know how long the malware was on the system before being alerted or whether other malware was installed along with the ransomware.
If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Malwarebytes Anti-Malware and Emsisoft Anti-Malware. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.
is one of the more effective online scanners.
If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.
Locky Ransomware Encrypts Local Files and Unmapped Network Shares
Locky will store various information in the registry under the following keys:
HKCU\Software\Locky\id - The unique ID assigned to the victim.
HKCU\Software\Locky\pubkey - The RSA public key.
HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.
Locky related Files
Locky related Registry entries
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
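Because Locky deletes its own executable once encryption is done, the registry values above are often the clearest trace left on the machine. The following PowerShell triage helper is an added example, not code from the original post or from BleepingComputer; it only reads the current user's hive and reports which of the listed artifacts are present so they can be recorded alongside the disk image.

```powershell
# Added triage helper (not part of the original post): reads the current user's
# hive for the Locky artifacts listed above and returns what it finds.
function Get-LockyRegistryArtifacts {
    [CmdletBinding()]
    param()

    $lockyKey   = 'HKCU:\Software\Locky'
    $valueNames = @('id', 'pubkey', 'paytext', 'completed')
    $findings   = [System.Collections.Generic.List[object]]::new()

    if (Test-Path -LiteralPath $lockyKey) {
        $props = Get-ItemProperty -LiteralPath $lockyKey
        foreach ($name in $valueNames) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop) {
                $findings.Add([pscustomobject]@{
                    Artifact = "$lockyKey\$name"
                    Value    = $prop.Value
                })
            }
        }
    }

    # Locky points the desktop wallpaper at its ransom-note image.
    $desktop   = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $wallpaper = if ($desktop) { $desktop.Wallpaper } else { $null }
    if ($wallpaper -and $wallpaper -like '*_Locky_recover_instructions.bmp') {
        $findings.Add([pscustomobject]@{
            Artifact = 'HKCU:\Control Panel\Desktop\Wallpaper'
            Value    = $wallpaper
        })
    }

    # 'completed' being present tells you whether encryption finished before
    # the machine was shut down; an absent value suggests it was interrupted.
    if ($findings.Count -eq 0) {
        Write-Verbose 'No Locky registry artifacts found in HKCU.'
    }
    return $findings
}

# Run as the affected user (the values live in HKCU) and keep the output with
# the drive image; do not delete the keys until the image has been taken.
Get-LockyRegistryArtifacts -Verbose | Format-Table -AutoSize
```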
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation.
Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic.
There is an ongoing discussion in this topic where you can ask questions and seek further assistance.
Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in the above support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.
The BC Staff