@dzoslite
In most cases, the victims download the ransomware to their computers themselves as a regular email attachment, typically a Microsoft Word or Microsoft Excel file carrying an embedded script which gets executed if macros are enabled.
Then, the AES and RSA encryption algorithms come into play, followed by the addition of specific file extensions to the infected files.
The file which provides data recovery instructions is called _Locky_recover_instructions.txt.
It is saved on the computer's desktop and opened each time the user tries to open any of the encrypted files.
While Locky was the biggest threat of 2016, experts are doubtful the virus will ever come close to its initial success.
For example, the Hollywood Hospital in the US paid a ransom of $17,000 to recover invaluable files.
Nevertheless, this does not stop the ransomware creators from trying.
In June, virus researchers detected a new variant of Locky spreading via a malicious spam campaign hosted by the Necurs botnet.
Unlike its predecessor, the malware currently infiltrates the machines running outdated and unsupported Windows versions such as Windows Vista or XP.
Later variants are protected by Data Execution Prevention (DEP), which blocks the malware unpacker automatically.
The variants of the infection spread their malicious executable locky.exe via email, attached as a zip file labeled with random digits.
Locky does not touch tmp, AppData, Program Files, Windows and a few other folders, but encrypts the rest of the PC files with RSA-2048 and AES-128 ciphers.
Eventually, the virus marks encrypted documents with .loptr extensions and drops a document called loptr-[random_4_chars].htm to list out the data recovery conditions.
Locky developers even try to foist the infection under the disguise of a scanned file.
Note that the latest version of the threat is delivered under a fake Microsoft Store in a .7z folder instead of .rar and .zip.
The supposed sender writes under the name of Microsoft Store 2017.
Even though Microsoft Store exists, the full credentials of a representative are indicated in genuine emails sent (if sent at all!) by the Microsoft company.
Try to do a complete scan with SpyHunter, please.
After that, scan also with Malwarebytes for the leftovers.
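The post names three file-system indicators of this Locky variant: the .loptr extension on encrypted files, the _Locky_recover_instructions.txt note of the original version, and the loptr-[random_4_chars].htm note, plus the folders (tmp, AppData, Program Files, Windows) the malware leaves alone. The following Python is an added example, not code from the post or from any vendor tool, showing how a defender can turn those indicators into a simple triage scan. The sample file listing is constructed, the file names before ".loptr" are invented, the case-insensitive folder matching and the alert threshold of ten encrypted files are my own assumptions.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Indicators as described in the post: the ".loptr" extension the later
# variant appends, the "_Locky_recover_instructions.txt" note of the original
# version, and the "loptr-[random_4_chars].htm" note of the .loptr variant.
ENCRYPTED_EXT = ".loptr"
NOTE_TXT = "_locky_recover_instructions.txt"
NOTE_HTM_RE = re.compile(r"^loptr-[a-z0-9]{4}\.htm$", re.IGNORECASE)

# Folders the post says Locky does not touch; skipping them avoids false hits
# from unrelated caches. Assumption: case-insensitive match on path components.
SKIPPED_DIRS = {"tmp", "appdata", "program files", "windows"}

# Assumption (not from the post): this many .loptr files is treated as an
# infection even if no ransom note has been found yet.
ENCRYPTED_ALERT_THRESHOLD = 10


def classify(path: str) -> Optional[str]:
    """Return 'note_txt', 'note_htm', 'encrypted' or None for one file path."""
    # Normalise Windows separators so basename() works on any host.
    name = os.path.basename(path.replace("\\", "/")).lower()
    if name == NOTE_TXT:
        return "note_txt"
    if NOTE_HTM_RE.match(name):
        return "note_htm"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return None


def in_skipped_dir(path: str) -> bool:
    """True if any directory component of the path is a folder Locky skips."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    return any(p in SKIPPED_DIRS for p in parts[:-1])


def scan_paths(paths: Iterable[str]) -> Dict[str, object]:
    """Count indicators over an iterable of file paths and give a verdict."""
    counts: Counter = Counter()
    notes: List[str] = []
    for path in paths:
        if in_skipped_dir(path):
            continue
        kind = classify(path)
        if kind is None:
            continue
        counts[kind] += 1
        if kind != "encrypted":
            notes.append(path)
    encrypted = counts["encrypted"]
    # A note next to encrypted files is the strongest signal; a large number
    # of .loptr files alone is also reported.
    likely = (encrypted > 0 and bool(notes)) or encrypted >= ENCRYPTED_ALERT_THRESHOLD
    return {"encrypted": encrypted, "notes": sorted(notes), "likely_infected": likely}


def scan_directory(root: str) -> Dict[str, object]:
    """Walk a real directory tree and apply the same indicator logic."""
    def walk():
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune skipped folders so the walk does not descend into them.
            dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
            for name in filenames:
                yield os.path.join(dirpath, name)
    return scan_paths(walk())


# Constructed sample listing (not real data) mimicking a machine after the
# .loptr variant has run.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\loptr-a3f9.htm",
    r"C:\Users\alice\Documents\report.loptr",
    r"C:\Users\alice\Documents\budget.loptr",
    r"C:\Users\alice\Pictures\holiday.loptr",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Local\cache.loptr",   # in a skipped folder
    r"C:\Windows\Temp\loptr-zz11.htm",            # in a skipped folder
]

if __name__ == "__main__":
    # Expected: 3 encrypted files, 2 notes, likely_infected True.
    print(scan_paths(SAMPLE_PATHS))
```

Run `scan_directory(r"C:\Users")` on a suspect machine to apply the same logic to a live tree; the walk prunes the skipped folders up front so a large AppData cache does not slow the scan or add noise.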