LCK ransomware is file-encrypting malware from the Dharma malware family. It adds the [email@example.com].LCK extension to encrypted files, drops a FILES ENCRYPTED.txt ransom note and shows an additional pop-up note.
Discovered by malware researcher Jakub Kroustek, LCK ransomware is malware that encrypts files. It’s part of the notorious Dharma ransomware family, and can be differentiated from other versions by the .LCK extension added to encrypted files. We have reported on other versions in the past, including Dme, Cve, and FLYU.
Users will be unable to open encrypted files until they are decrypted with the special decryptor. The gang behind this ransomware will try to sell the decryptor to victims, though the exact price is not known. The ransom note the ransomware drops explains that users can receive a decryptor if they contact firstname.lastname@example.org with their unique ID that’s written in the ransom note and is part of the extension added to encrypted files. If victims were to send an email, they would receive information about how they need to pay, likely between $100 and $1000. Whatever the sum may be, paying the ransom is not recommended. Not only does it support future criminal activity, it also doesn’t guarantee file decryption. There is nothing to force cyber criminals to send the decryptor, and they are unlikely to feel obligated to help, seeing as they are the ones who encrypted the files in the first place.
Unfortunately, this means that backup is currently the only sure way to recover files. Ransomware is one of the main reasons why backing up files is so important. Had users backed up files prior to their computers getting infected, they could start file recovery as soon as they remove LCK ransomware. But users should first make sure that the ransomware is gone completely before accessing backup, as those files may become encrypted otherwise.
Users should be very careful with decryptors offered on the Internet. There are many fake ones out there, and some of them may be distributing malware. Malware researchers do release decryptors to help users recover files for free, but one for LCK ransomware is not available. If it were to be released, it would come from legitimate sources like Emsisoft, NoMoreRansom, malware researchers and anti-virus vendors.
How can ransomware infect a computer?
There are a variety of ways ransomware can enter a computer, though it’s often the result of users’ bad browsing habits. Users often open unsolicited email attachments without first checking that they’re safe. Furthermore, they pirate via torrents, click on ads while on high-risk websites, etc. If users took the time to learn better habits, they would be able to avoid all kinds of malware.
Spam email campaigns are often quite effective when it comes to distributing malware. Users’ email addresses are usually bought from various hacker forums, and they’re used to launch these spam campaigns. In the majority of cases, the emails carrying some kind of malware will be quite obvious. First of all, they will be sent from random-looking email addresses. Even if the sender’s email does look legitimate, users should check it with a search engine. The second and perhaps the most noticeable sign of a malicious email is an abundance of grammar and spelling mistakes. But even when everything checks out, users should still scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.
Pirating via torrents also often leads to a malware infection. Torrent sites are usually unregulated, which means it’s easy to upload a malicious file disguised as some kind of movie, TV show, or game that’s popular at the time. When Game of Thrones was airing, torrent sites were full of malware disguised as episodes. Thus, downloading copyrighted content via torrents is highly discouraged, and not only because it’s illegal.
What does LCK ransomware do?
When the malware is launched, it starts encrypting files. Encrypted files will be immediately obvious because they will have an extension added to them. The extension contains the user’s unique ID followed by .[email@example.com].LCK. For example, image.jpg would become image.jpg.unique ID.[firstname.lastname@example.org].LCK. Files with that extension cannot be opened unless they are first decrypted with the decryptor.
The ransomware shows a pop-up ransom note but also drops FILES ENCRYPTED.txt. The pop-up note has more information and explains that files have been encrypted and how victims can recover them. They are asked to send an email to either email@example.com or firstname.lastname@example.org with their unique ID. The price for the decryptor is not mentioned in the note, though it will likely range between $100 and $1000, as that is usually how much cyber crooks want from regular users. Paying, as we’ve already explained, is not recommended because it does not guarantee file decryption.
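The extension layout and the ransom note file name described above are enough to build a small read-only triage check. The following is an added example, not code from the original article or from any vendor: it parses the name layout original.<unique ID>.[email].LCK, counts affected files in a directory listing, collects the IDs and contact emails seen (so they can be compared with the "YOUR ID" line in the note), and reports whether FILES ENCRYPTED.txt is present. The constructed listing, the ID "EXAMPLEID" and the placeholder email are assumptions made for the example.

```python
import re
from typing import Optional

# Name layout from the article: <original name>.<unique ID>.[<contact email>].LCK
# Assumption of this example: the unique ID token contains no dots or brackets.
LCK_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<uid>[^.\[\]]+)\.\[(?P<email>[^\]]+)\]\.LCK$",
    re.IGNORECASE,
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"


def parse_lck_name(name: str) -> Optional[dict]:
    """Split an LCK-style file name into its parts; None if the name does not match."""
    m = LCK_NAME.match(name)
    if not m:
        return None
    return {"original": m["original"], "uid": m["uid"], "email": m["email"].lower()}


def triage(filenames: list) -> dict:
    """Summarise a directory listing without touching any file (encrypted files are
    never renamed, as the ransom note itself warns against)."""
    encrypted = []
    for name in filenames:
        parsed = parse_lck_name(name)
        if parsed:
            encrypted.append({"name": name, **parsed})
    return {
        "encrypted_count": len(encrypted),
        "originals": sorted(e["original"] for e in encrypted),
        "ids": sorted({e["uid"] for e in encrypted}),
        "emails": sorted({e["email"] for e in encrypted}),
        "ransom_note_present": any(n.lower() == RANSOM_NOTE.lower() for n in filenames),
    }


# Constructed sample listing, not from a real infection; ID and email are placeholders.
SAMPLE_LISTING = [
    "image.jpg.EXAMPLEID.[email@example.com].LCK",
    "report.docx.EXAMPLEID.[email@example.com].LCK",
    "notes.txt",
    "FILES ENCRYPTED.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```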
Here is the text from the pop-up ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
If users have backup, they can start recovering files from it as soon as they remove LCK ransomware from their computers.
LCK ransomware removal
Users need to use anti-malware software to safely delete LCK ransomware from their computers. Unfortunately, removing the ransomware does not decrypt files.
LCK ransomware is detected as:
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- Ransom.Crysis by Malwarebytes
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Win32.CRYSIS.SM by TrendMicro
- Win32:RansomX-gen [Ransom] by Avast/AVG
- Trojan.Ransom.Crysis.E by BitDefender