Kill Locky ransomware and recover your files
Locky encrypts your files and demands a ransom. Here's how to remove it and try to get your data back without paying.
This is infuriating. I know.
Locky pops up, renames all your documents, images, and databases to random strings with a .locky extension, and leaves a ransom note. You don't pay. Here's what works.
Step one: Stop the encryption cold
As soon as you see the ransom note or weird file extensions, kill the Wi-Fi or pull the ethernet cable. If you're on a network, unplug the machine immediately. Locky spreads via SMB shares and can encrypt network drives too. You want to contain it.
Then boot into Safe Mode with Networking. For Windows 10, hold Shift while clicking Restart, then Troubleshoot > Advanced options > Startup Settings > Restart > press 5 for Safe Mode with Networking. If the infection is already deep, you might need a rescue disk — I recommend Kaspersky Rescue Disk 18 or Bitdefender Rescue Mode. Boot from USB, run a full scan. That kills the active process before it can re-encrypt anything.
Step two: Remove the malware
Run Malwarebytes Anti-Malware (the free version works fine) in Safe Mode. Do a full scan. Then run HitmanPro (the 30-day free trial runs full scans). Locky often drops a loader in C:\Users\[username]\AppData\Local\Temp\ or C:\Windows\Temp\ — a random .exe or .dll. HitmanPro catches those. I've also seen Locky hide as a scheduled task named something like "{random}" under Task Scheduler Library > Microsoft > Windows. Delete any suspicious tasks.
After that, run a quick check with Sophos Virus Removal Tool — it specifically targets ransomware variants. One pass clears it 99% of the time.
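If you want to see what the scanners are about to act on, or confirm they got everything, the following PowerShell script is an added example (not from the article and not part of any of the tools named above) that inventories the three persistence spots this step describes: scheduled tasks under Task Scheduler Library > Microsoft > Windows, recently created executables in the Temp folders, and the Run/RunOnce registry keys that Step four mentions. It only lists candidates for you to review; it deletes nothing. The seven-day window and the "runs from Temp or AppData" heuristic are my assumptions, not something the article states.

```powershell
# Added example (not from the article): read-only triage of the persistence spots named above.
# Run in an elevated PowerShell session; Safe Mode is fine. Nothing here deletes anything.

$since = (Get-Date).AddDays(-7)   # assumption: infection is less than a week old; widen if needed
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Kind, $Name, $Target, $Reason) {
    $findings.Add([PSCustomObject]@{ Kind = $Kind; Name = $Name; Target = $Target; Reason = $Reason })
}

# A task named like a bare GUID in braces ("{random}"), or whose action runs from a user-writable
# Temp/AppData path, is worth a look. Both checks are heuristics, not Locky signatures.
$guidLike  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$userPaths = '\\(Temp|AppData)\\'

# 1. Scheduled tasks under \Microsoft\Windows\
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\*' } |
    ForEach-Object {
        $task   = $_
        $target = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $name   = "$($task.TaskPath)$($task.TaskName)"
        if ($task.TaskName -match $guidLike) {
            Add-Finding 'ScheduledTask' $name $target 'GUID-style task name'
        } elseif ($target -match $userPaths) {
            Add-Finding 'ScheduledTask' $name $target 'Action runs from Temp/AppData'
        }
    }

# 2. Executables created recently in C:\Windows\Temp and every user's AppData\Local\Temp
$tempDirs = @("$env:windir\Temp") + @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in $tempDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        ForEach-Object {
            Add-Finding 'TempExecutable' $_.FullName ('{0:u}' -f $_.CreationTime) 'Executable created recently in a Temp folder'
        }
}

# 3. Run/RunOnce autorun entries for the current user and the machine
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip those, keep the real values
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $reason = if ("$($_.Value)" -match $userPaths) { 'Autorun from Temp/AppData' } else { 'Autorun entry (review)' }
            Add-Finding 'RunKey' "$key\$($_.Name)" "$($_.Value)" $reason
        }
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Everything flagged "review" is not automatically malicious; plenty of legitimate software registers a Run entry. What you are looking for is the combination the article describes: a random-looking name pointing at a random-looking .exe or .dll inside a Temp folder, created around the time the ransom note appeared.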
Step three: Try to decrypt your files
Now the hard part. Locky uses RSA-2048 with AES-128 encryption. If it's the original Locky strain (2016-era), you might be in luck. The No More Ransom project by Europol, Kaspersky, and McAfee released a decryptor for some Locky variants. Head to nomoreransom.org, download the Emsisoft Decrypter for Locky, and run it.
The tool checks for a specific encryption pattern. If it says 'no key found' — sorry, that version's key is gone or never captured. A few newer Locky variants (like the .zepto or .odin versions) have no public decryptor. In that case, stop trying tools that claim to brute-force it — they're scams. Your only option is restoring from backup.
Why this works
Locky doesn't delete the original files; it encrypts them in place and appends the .locky extension. The Malwarebytes+HitmanPro combo removes the active payload and any persistence mechanisms (registry run keys, scheduled tasks). The decryptor works because law enforcement seized the command-and-control servers for certain Locky campaigns and recovered the private keys. If your files are encrypted with one of those keys, you're golden. If not, the encryption is mathematically sound — no backdoor.
Less common variations
Some Locky variants drop a ransom note named _WHAT_IS.html or _HOW_TO_RECOVER.html that opens automatically. Others use a different extension: .zepto, .odin, .shit. The fix is identical — remove the malware, try the same decryptor. If it fails, you're likely dealing with a variant that used a unique key per victim (common since 2017).
Another twist: Locky sometimes deletes Volume Shadow Copies via vssadmin.exe. You can check manually: open Command Prompt as admin and run vssadmin list shadows. If any exist, try restoring from Previous Versions (right-click the folder, Properties, Previous Versions). But don't rely on that — Locky targets those shadows aggressively.
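Before you run the decryptor or start restoring, it helps to know exactly how many files were hit, where they live, and when the encryption ran, so you can pick a backup from before that window. The following is an added example, not from the article: a PowerShell inventory that walks every local and mapped drive for the extensions and ransom note names listed on this page, summarises the damage, and then asks WMI for surviving shadow copies (the same information as vssadmin list shadows). The report path is an assumption; point it at a drive you know is clean.

```powershell
# Added example (not from the article): scope the damage and check for surviving shadow copies.
# Run from an elevated PowerShell prompt so the shadow-copy query is allowed.

$encryptedExt = '.locky', '.zepto', '.odin', '.shit'          # extensions the article lists
$noteNames    = '_WHAT_IS.html', '_HOW_TO_RECOVER.html'        # ransom note names the article lists
$reportPath   = Join-Path $env:USERPROFILE 'Desktop\locky-inventory.csv'   # assumption: adjust

# DriveType 3 = local disk, 4 = network drive (Locky encrypts mapped shares too)
$roots = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 3, 4 } |
    ForEach-Object { "$($_.DeviceID)\" }

# Collect every encrypted file and every ransom note across those drives
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($encryptedExt -contains $_.Extension.ToLower()) -or ($noteNames -contains $_.Name) } |
        Select-Object FullName, Name, Extension, Length, LastWriteTime
}
$encrypted = @($hits | Where-Object { $encryptedExt -contains $_.Extension.ToLower() })
$notes     = @($hits | Where-Object { $noteNames -contains $_.Name })

"Encrypted files : $($encrypted.Count)"
"Ransom notes    : $($notes.Count)"
if ($encrypted.Count -gt 0) {
    # The write-time span is roughly when the encryption ran; restore from a backup older than this
    $sorted = $encrypted | Sort-Object LastWriteTime
    "Encryption ran between $($sorted[0].LastWriteTime) and $($sorted[-1].LastWriteTime)"
    "Extensions seen : $(($encrypted.Extension | Sort-Object -Unique) -join ', ')"
    "Most affected folders:"
    $encrypted | Group-Object { Split-Path $_.FullName -Parent } |
        Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize
}
$hits | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8
"Full inventory written to $reportPath"

# Shadow copies: if any survived, Previous Versions is the quickest recovery route
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    "Shadow copies still present (try Previous Versions before anything else):"
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
} else {
    "No shadow copies found; Locky normally deletes them with vssadmin, so plan on the decryptor or backups."
}
```

A mixed list of extensions is a hint that more than one variant ran, and a single .zepto or .odin entry in "Extensions seen" tells you up front that the public decryptor is unlikely to help for those files. Run the inventory only after the malware is removed; scanning every drive while the payload is still live just hands it a list of targets.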
I've also seen a fake 'Locky decryptor' trojan that claims to decrypt but installs more malware. Only use tools from nomoreransom.org or Emsisoft's official site. Avoid random YouTube links or forum posts that promise a 'cracked' decryptor.
Prevention — don't get hit twice
Locky arrives via malicious email attachments (usually .docm or .xlsm with macros). Never enable macros on documents you didn't expect. Set your Office suite (2016 or later) to disable all macros by default: File > Options > Trust Center > Trust Center Settings > Macro Settings > 'Disable all macros with notification'.
Back up offline. I use a 3-2-1 rule: three copies of your data, on two different media, one offsite (like a USB drive you unplug after each backup). For Windows 10, use File History (Settings > Update & Security > Backup) but point it to an external drive that's disconnected after backups. No cloud sync that's always on — Locky can encrypt OneDrive files too if they're synced.
Finally, enable Controlled Folder Access in Windows Defender (Windows 10/11). It blocks unauthorized apps from modifying your Documents, Pictures, and Desktop folders. Turn it on: Windows Security > Virus & threat protection > Ransomware protection > Controlled folder access > On. It's not perfect but stops many Locky attempts right at the door.
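Both prevention settings above can be applied and verified from an elevated PowerShell prompt instead of clicking through the Trust Center and Windows Security dialogs. The script below is an added example, not from the article: it turns on Controlled Folder Access with the Defender cmdlets, shows what is protected and allowed, pulls the recent block/audit events so you can see which program tripped it, and sets the Office macro default. The data-drive and backup-tool paths are placeholders, and the Office registry location and VBAWarnings value are assumed from how Office 2016 and later store the Trust Center setting, not taken from the article.

```powershell
# Added example (not from the article): apply and verify the two prevention settings above.
# Run from an elevated PowerShell prompt on Windows 10/11 with Microsoft Defender active.

# --- Controlled Folder Access ---
# Values: Disabled, Enabled, AuditMode. AuditMode logs what would have been blocked without
# blocking it; use it for a day or two first if you are worried about breaking a legitimate tool.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Protect folders beyond the defaults (Documents, Pictures, Desktop ...), e.g. a data drive.
# Assumption: placeholder path, adjust to your own layout.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Data'

# Allow a trusted program that legitimately rewrites protected files (backup agents are the usual case).
# Assumption: placeholder path; uncomment and point it at the real executable.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\MyBackup\backup.exe'

$mp = Get-MpPreference
"Controlled folder access : $($mp.EnableControlledFolderAccess)   (0 = off, 1 = on, 2 = audit)"
"Protected folders        : $($mp.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications     : $($mp.ControlledFolderAccessAllowedApplications -join ', ')"

# Recent blocks (event 1123) and audit hits (1124) from the Defender operational log; the message
# names the process that tried to write into a protected folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- Office macro default: 'Disable all macros with notification' ---
# Per-user setting for Office 2016 and later (registry version 16.0). VBAWarnings values:
# 1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all silently.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 2 -Type DWord
    "$app VBAWarnings = $((Get-ItemProperty -Path $key).VBAWarnings)"
}
```

If a domain policy manages Office, the value under HKCU\Software\Policies\Microsoft\Office overrides the per-user one set here, so check with your admin rather than fighting the policy. The event query is the part worth keeping around: a burst of 1123 events from a single unfamiliar process in a user's Temp folder is exactly the early warning this section is trying to buy you.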
Locky's a pain, but you don't have to pay. Most victims who act fast can remove it cleanly. The decryption part is luck-based, but backups? That's a choice. Make it now.