'.Locked_file File Extension' Ransomware Removal Guide

Threat Level:
9/10
Rate this Article:
Comments (0)
Article Views: 363
Category: Trojans

'.Locked_file File Extension' Ransomware is a ransomware-type computer malware that appends encrypted files with a “.locked_file” extension. Indeed, this application was designed to encrypt your files and then demand that you pay its creators an unspecified sum of money to get them back. However, you only have 72 hours to pay because, if you fail to meet the deadline, the cyber criminals will delete your unique decryption key. In any case, you should not trust cyber criminals to keep their word and, therefore, you ought to remove this ransomware instead of paying the ransom. We have more detailed information about '.Locked_file File Extension' Ransomware below, so if you are interested, please continue reading.

There is no information on how '.Locked_file File Extension' Ransomware is distributed. Our guess is that its creators have set up an email server to send fake emails to people disguised as tax return forms, receipts, invoices, and so on. The emails might have an attached file that can pose as a PDF or DOC document while it is an EXE file, in fact. If you open the attached file, then your PC can become infected with this ransomware. The main executable does not copy itself anywhere, so you should check %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP% for this ransomware and delete it at once.

However, if your PC were to become infected with this ransomware, then it is too late to do anything about it because it is set to initiate the encryption process immediately upon infection. Testing has shown that this ransomware first enumerates system information and executes a “CACLS "[FILENAME]" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "[FILENAME]" command.

  • CACLS is used to set access permissions to [FILE]
  • /E - Edits permission instead of replacing it
  • /G %USERNAME%:F - User grants full control of file
  • /C - Continue on access denied errors
  • ATTRIB - displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories.
  • ATTRIB -R clears file attribute for read-only files.
  • -A Clears attribute for archive files
  • -H Clears for hidden files

This ransomware also enumerates the files present on your PC but is set to skip folders such as WINDOWS, PROGRAM FILES, APPDATA, APPLICATION DATA, TEMP, TMP and many others. It was also set not to encrypt file types that include but are not limited to .LST, .PKEY, .SKEY, .LNK, .EXE, .TMP, .ICO, .000, .SYS, .DAT, .INF, .DLL, .DAT, .REG, .DRV, .DEV, .PIF, .MBR, .INI, .XML, .LIST, .TTF, and .LOG. All other file types not in this exclusion list are set to be encrypted by this ransomware. It appends the encrypted files with a “.locked_file” file extension. Once this ransomware has encrypted your files, it will drop a ransom note named !HOW_TO_UNLOCK_FILES!.html in each folder where files were encrypted. The ransomware changes the default name of the files and also adds its restoreassistant2@tutanota.com email address. The note says you have to contact the criminals and pay the ransom within 72 hours because your decryption key will be deleted otherwise. However, you should not comply with this demand because there is no telling whether the cyber crooks will keep their word.

As you can see, '.Locked_file File Extension' Ransomware is a dangerous application that can render your files useless lumps of bytes. However, you should not comply with the cyber criminals’ demands and pay the ransom because you cannot be sure that they will send you the decryption key. Therefore, we recommend to be on the safe side of things and remove this ransomware using an anti-malware program such as SpyHunter or the manual removal guide featured below.

How to delete this ransomware manually

  1. Press Win+E keys.
  2. In the File Explorer’s address box, enter the following file paths.
    • %USERPROFILE\Downloads
    • %USERPROFILE\Desktop
    • %TEMP%
  3. Identify the ransomware’s executable.
  4. Right-click it and click Delete.
Download Remover for '.Locked_file File Extension' Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

'.Locked_file File Extension' Ransomware Screenshots:

'.Locked_file File Extension' Ransomware
'.Locked_file File Extension' Ransomware

'.Locked_file File Extension' Ransomware technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
1b5034183d4d2aca1e586b4a4bf22f32e4204c4b6d288c171d5252636c11248a0.exe910848 bytesMD5: 45498bbe9ef5e6158864d2c8b825e704

Memory Processes Created:

# Process Name Process Filename Main module size
1b5034183d4d2aca1e586b4a4bf22f32e4204c4b6d288c171d5252636c11248a0.exeb5034183d4d2aca1e586b4a4bf22f32e4204c4b6d288c171d5252636c11248a0.exe910848 bytes

Comments are closed.