Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Locked-In Ransomware Help & Support (RESTORE_CORUPTED_FILES.HTML)

  • Please log in to reply
1 reply to this topic

#1 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:07:48 PM

Posted 13 December 2016 - 03:16 PM

A new ransomware first spotted by submission to ID Ransomware, and sample found by Karsten Hahn, the Locked-In ransomware encrypts victim's files with AES, and appends a random extension to each file.


The ransom note left behind is "RESTORE_CORUPTED_FILES.HTML" or "RESTORE_NOVALID_FILES.HTML", and looks like the below image.




The following is the text from the ransom note.


What happened to your files?

All your files are encrypted and can be restored only after payment. For encryption we used persistent improved algorithm AES256
For each file, generate a unique decryption key and adds a random number of bytes,which makes decryption impossible without the use of a special configuration file,which has all of the information needed to decrypt your files. After encryption, we carefully erased the old blocks on the HDD that did not have the possibility to recover files using special utilities for recovering lost files such as Recuva , etc..

What will happen if I try to restore files?

If you yourself attempt to restore a file ,you break the sequence files in the system and once we get our interpreter ,it will not help,as all files are encrypted in a certain order.

The good news is this ransomware is decryptable. If you have been affected by this ransomware, please post in this topic if you need assistance in acquiring your keys. The decrypter will automatically try to search for the keys if ran on the infected system.






Free decrypter is available here: https://download.bleepingcomputer.com/demonslay335/LockedInDecrypter.zip


Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.

Edited by Demonslay335, 17 January 2017 - 06:50 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

BC AdBot (Login to Remove)


#2 Amigo-A


  • Members
  • 610 posts
  • Gender:Male
  • Location:3st station from Sun
  • Local time:06:48 AM

Posted 14 December 2016 - 07:45 AM

A post on Twitter informed about extension ".novalid" 

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users