Any files that are encrypted with Locky Ransomware will be renamed with random alpha-numerical characters and have the .locky extension appended to the end of the encrypted data filename in the following format: [unique_id][identifier].locky (e.g. something like F67091F1D24A922B1A7FC27E19A9D9BC.locky). Locky Ransomware will leave a file (ransom note) named _Locky_recover_instructions.txt or _HELP_INSTRUCTIONS.txt.
Older Locky variants will store various information in the registry under the following keys:
HKCU\Software\Locky\id - The unique ID assigned to the victim.
HKCU\Software\Locky\pubkey - The RSA public key.
HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.
The newest Locky variants do not create HKCU\Software\Locky registry entries anymore. If these keys are present, then either the system is infected with an older variant or some security/anti-ransomware software was installed and added the entries as a vaccine to prevent infection...the old Locky variant is not able to encrypt any files if these registry entries are present. According to several users commenting here, Bitdefender Crypto-Ransomware Vaccine will create the HKCU\Software\Locky\ entry. Other security products may create the same entries as protection against infection.
If your files are not encrypted and there are no ransom notes...I doubt your system is infected.
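The triage logic described above, as an added example that is not part of the original post: it scans a folder for renamed .locky files and the two ransom-note names, then weighs them against any HKCU\Software\Locky entry names the caller supplies. The 32-hex-character stem pattern is an assumption inferred from the sample filename, and the verdict labels and function names are hypothetical.

```python
import os
import re
import tempfile

# Names taken from the post above.
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_help_instructions.txt"}
LOCKY_REG_VALUES = {"id", "pubkey", "paytext", "completed"}
# Assumption: stem shaped like the post's sample name (32 hex characters).
HEX_STEM = re.compile(r"^[0-9A-Fa-f]{32}$")


def scan_tree(root):
    """Walk root and collect the file-system indicators described in the post."""
    found = {"renamed": [], "other_locky": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if name.lower() in RANSOM_NOTES:
                found["notes"].append(path)
            elif ext.lower() == ".locky":
                key = "renamed" if HEX_STEM.match(stem) else "other_locky"
                found[key].append(path)
    return found


def assess(found, reg_values=()):
    """Combine file indicators with entry names seen under HKCU\\Software\\Locky."""
    reg_hits = LOCKY_REG_VALUES & {v.lower() for v in reg_values}
    if found["renamed"] or found["notes"]:
        return "locky-indicators-present"
    if found["other_locky"]:
        return "review-locky-extension-files"
    if reg_hits:
        # No encrypted files or notes: older-variant leftovers or vaccine entries.
        return "registry-only-possible-vaccine"
    return "no-indicators"


def demo():
    """Constructed sample tree; nothing outside the temp directory is touched."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        for name in ("F67091F1D24A922B1A7FC27E19A9D9BC.locky", "_HELP_INSTRUCTIONS.txt"):
            open(os.path.join(root, "Documents", name), "w").close()
        return assess(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

On a live system, pass the entry names read from HKCU\Software\Locky as reg_values; a registry-only result matches the vaccine or older-variant case described above.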