Decryption tool released for Locky ransomware impersonator

AutoLocky ransomware has a “laughable” flaw.

David bisson
David Bisson

Decryption tool released for Locky ransomware impersonator

A decryption tool has been released for a crypto-malware variant that loves to impersonate the now-infamous Locky ransomware.

At this time, it is not known how AutoLocky, an apparent wannabe of the Locky ransomware, is being distributed.

As it uses an Adobe PDF icon, Lawrence Abrams of Bleeping Computer reasons that AutoLocky could be circulating as a fake email attachment. Abrams goes on to note that AutoLocky shares Locky’s habit of changing the file extension to .locky:

Sign up to our free newsletter.
Security news, advice, and tips.

“Once installed, AutoLocky will scan all fixed drives for targeted data files and encrypt them using the AES-128 algorithm. When a file is encrypted, the ransomware will append the .locky extension on to the filename.”

The list of file types targeted by AutoLocky is extensive, maximising its opportunities to wreak havoc for users who have not backed up their data securely:

.docm, .docx, .dot, .doc, .txt, .xls, .xlsx, .xlsm, .7z, .zip, .rar, .jpeg, .jpg, .bmp, .pdf, .ppsm, .ppsx, .ppam, .potm, .potx, .pptm, .pptx, .pps, .pot, .ppt, .xlw, .xll, .xlam, .xla, .xlsb, .xltm, .xltx, .xlm, .xlt, .xml, .dotm, .dotx, .odf, .std, .sxd, .otg, .sti, .sxi, .otp, .odg, .odp, .stc, .sxc, .ots, .ods, .sxg, .stw, .sxw, .odm, .oth, .ott, .odt, .odb, .csv, .rtf, .accdr, .accdt, .accde, .accdb, .sldm, .sldx, .drf, .blend, .apj, .3ds, .dwg, .sda, .ps, .pat, .fxg, .fhd, .fh, .dxb, .drw, .design, .ddrw, .ddoc, .dcs, .wb2, .psd, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .pl, .py, .lua, .css, .js, .asp, .php, .incpas, .asm, .hpp, .h, .cpp, .c, .csl, .csh, .cpi, .cgm, .cdx, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .cdr, .awg, .ait, .ai, .agd1, .ycbcra, .x3f, .stx, .st8, .st7, .st6, .st5, .st4, .srw, .srf, .sr2, .sd1, .sd0, .rwz, .rwl, .rw2, .raw, .raf, .ra2, .ptx, .pef, .pcd, .orf, .nwb, .nrw, .nop, .nef, .ndd, .mrw, .mos, .mfw, .mef, .mdc, .kdc, .kc2, .iiq, .gry, .grey, .gray, .fpx, .fff, .exf, .erf, .dng, .dcr, .dc2, .crw, .craw, .cr2, .cmt, .cib, .ce2, .ce1, .arw, .3pr, .3fr, .mdb, .sqlitedb, .sqlite3, .sqlite, .sql, .sdf, .sav, .sas7bdat, .s3db, .rdb, .psafe3, .nyf, .nx2, .nx1, .nsh, .nsg, .nsf, .nsd, .ns4, .ns3, .ns2, .myd, .kpdx, .kdbx, .idx, .ibz, .ibd, .fdb, .erbsql, .db3, .dbf, .db-journal, .db, .cls, .bdb, .al, .adb, .backupdb, .bik, .backup

Once the encryption process is complete, the ransomware creates and loads up an extortion message in which it purports itself to be Locky.

Unlike Locky, however, AutoLocky does not use Tor for its command and control (C&C) servers. It is also written in the AutoIt scripting language rather than Visual C++, a programming choice which has proven to be the ransomware’s downfall.

After reviewing its AutoIt decompiled script, Fabian Wosar, the security researcher who also developed a tool to help victims of the Petya ransomware decrypt their files, has created a downloadable decryption tool that victims can use to restore access to their files.

Once victims have terminated AutoLocky’s process and startup link, they can use the decryption tool (available on Emsisoft’s website) to specify which locations they want to decrypt.


If you have been affected by AutoLocky, I recommend that you use Wosar’s tool to decrypt your files as soon as possible. Whenever a crypto-ransomware decryption tool is created, you never know if the malware authors might be savvy and irate enough to patch their code for weaknesses, which could prevent the tool from working in the near-future. With that in mind, all victims should make use of the tool sooner rather than later.

If the decryption tool doesn’t work in the future, there’s still hope users can recover their files.

At this time, AutoLocky does not delete the Shadow Volume Copies on an infected computer, which means a user could recover their files via the use of Shadow Copy restore software. Most solutions might not be able to recover all of a user’s files, but they could in the very least recover some.

Hit by ransomware

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

7 comments on “Decryption tool released for Locky ransomware impersonator”

  1. Cihan Erdem

    good day, does anyone have solution for .locky files ?

    1. shaw · in reply to Cihan Erdem
  2. Eddy

    Cihan, delete them.
    As you can read in the article, there is no decrypter for locky (yet?)

    1. Cihan · in reply to Eddy

      ok but why i have to delete ?

  3. Sneha Capoor

    I have read about Locky ransomware removal at systweak blog too. I found there very nice information.

  4. M.Cihan Erdem

    As known recently most of users have been infected ransomware virus which changes all important documents like (pdf,doc,docx, xls,xlsx,dwg,mp3,mp4,mpeg,avi,vb) to ".vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .xxx, .ttt, .micro, .mp3, .xtbl, .cerber, .enc, .encrypted" and no extension on last version" are encrypted and not usable/readable unfortunately. I can help infected users to decrypt their files, you can contact with me with below email address if you or one of your friend had been infected this kind of virus.

    Email: [email protected]

  5. George

    The removal of the actual virus is not that hard, I managed to remove it by using an Anti-Malware called MalwareFox. However the decryption/data restoration can be a huge pain, not to mention that it's impossible to restore your files if you have an SSD, or so I've heard.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.