How Locky Gets In
Locky's primary delivery method was phishing email, and it was good at it.
The emails were designed to look like business communications — invoices from vendors, shipping notifications, resumes from job applicants. The subject lines were specific enough to seem legitimate. Most recipients who got hit weren't careless — they were busy.
The attachment chain:
Email with ZIP → ZIP contains VBS or JS script
→ Script runs via Windows Script Host (wscript.exe), downloads Locky binary
→ Binary executes and begins encryption
Sometimes the attachment was a Word document with macros. The user would open it, get a prompt to "enable content" to view it properly, click yes — and that's all it needed.
Later variants added additional delivery methods: exploit kits embedded in compromised websites, malicious ads, and brute-forced RDP connections. But email remained the primary vector.
What Happens After Execution
Once Locky runs, it's fast and methodical.
First: It checks for admin privileges and attempts to escalate if it doesn't have them. It creates registry entries to persist across reboots.
Then: It deletes shadow copies. This is deliberate. Shadow copies are Windows' automatic backup system — Locky removes them specifically to eliminate one of the most common free recovery options.
Then: It generates an AES-256 key unique to your system, contacts its command-and-control server, and sends that key back encrypted with the attacker's RSA-2048 public key. The key is now only accessible to the attackers. Your local machine has no copy.
Then: It encrypts. Locky doesn't waste time — it scans local drives, network shares, and mapped drives simultaneously. On a typical business machine with 50,000 files, Locky can complete encryption in under an hour.
Finally: It renames encrypted files to random hexadecimal strings and appends the variant extension. Your Q3_Report.xlsx becomes something like A1B2C3D4E5F6.locky. Ransom notes appear on the desktop.
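Two of the behaviours described above, a script host launched against a .js/.vbs file from a temp or download folder (the attachment chain) and the deletion of shadow copies, are the kind of thing a workstation's process-creation telemetry can catch. The following Python is an added example, not code from this page or the service behind it: it runs those two rules over constructed Sysmon-style events; the event field names, the sample records and the wmic form of the deletion command are assumptions, not taken from the page.

```python
import re
from collections import namedtuple

# Constructed process-creation events in Sysmon Event ID 1 style (Image, CommandLine);
# these are sample records for the demo, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice_4471.js"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory_sync.vbs"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
]

Finding = namedtuple("Finding", "rule severity command")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script argument, quoted or bare, ending in a Windows Script Host extension.
SCRIPT_ARG_RE = re.compile(r'"([^"]+\.(?:js|jse|vbs|vbe|wsf))"|(\S+\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
# Locations where a mail attachment or an extracted archive lands on a workstation.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(?:appdata\\local\\temp|downloads)\\", re.I)
# Shadow copy deletion via the two built-in tools (vssadmin, wmic) that perform it.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return a Finding for one event, or None if it matches no rule."""
    cmd = event["CommandLine"]
    if image_name(event["Image"]) in SCRIPT_HOSTS:
        m = SCRIPT_ARG_RE.search(cmd)
        script = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE_RE.search(script):
            return Finding("script-host-from-user-path", "high", cmd)
    if SHADOW_DELETE_RE.search(cmd):
        return Finding("shadow-copy-deletion", "critical", cmd)
    return None

def scan(events):
    """Run every event through analyse() and keep the hits, in log order."""
    return [f for f in map(analyse, events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.command}")
```

The scheduled .vbs under C:\Scripts is deliberately left unflagged: the signal is a script host running from a user-writable drop location, not script hosting as such, which is what the "change the file association" advice later on this page removes.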
Locky's encryption set the standard for modern ransomware
The AES + RSA hybrid encryption model Locky popularized — symmetric key for speed, asymmetric key for key protection — became the blueprint for virtually every ransomware family that followed. Understanding Locky's encryption isn't just about recovering from this specific family; it's about understanding how all modern ransomware works at the file level.
The Variants
Locky evolved rapidly in its first two years, changing extensions frequently — partly to evade detection, partly as operational updates:
| Extension | Period | Notes |
|---|---|---|
| .locky | Feb 2016 | Original variant |
| .zepto | Jun 2016 | Smaller binary, slightly faster |
| .odin | Sep 2016 | Modified distribution method |
| .aesir | Oct 2016 | Improved evasion |
| .thor | Oct 2016 | Changed ransom note format |
| .zzzzz | Nov 2016 | Brief campaign |
| .xxx, .micro, .ttt | Late 2016 | Multiple simultaneous experiments |
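Identifying the variant from the extension, and confirming that the file names show the hexadecimal renaming described earlier, is the first triage step before checking decryptors. This Python helper is an added example, not code from this page or the service behind it: it classifies a file listing using the extension table above, treats a known extension on a normally named file as something to review rather than assume (extensions such as .xxx or .ttt also occur on unrelated files), and reports the dominant variant. The sample listing and its hex names are constructed; the minimum stem length of 12 hex characters is an assumption based on the example given above.

```python
import re
from collections import Counter

# Extension-to-variant mapping copied from the table above.
VARIANT_BY_EXT = {
    ".locky": "Locky (Feb 2016)", ".zepto": "Zepto (Jun 2016)", ".odin": "Odin (Sep 2016)",
    ".aesir": "Aesir (Oct 2016)", ".thor": "Thor (Oct 2016)", ".zzzzz": "zzzzz (Nov 2016)",
    ".xxx": "Late 2016 experiment", ".micro": "Late 2016 experiment", ".ttt": "Late 2016 experiment",
}
# Locky replaces the original file name with a hexadecimal string before adding the extension
# (length threshold assumed from the example on this page).
HEX_STEM_RE = re.compile(r"^[0-9A-F]{12,}$", re.I)

def classify(path):
    """Return (status, variant) for one path: status is 'encrypted', 'review' or 'clean'."""
    name = re.split(r"[\\/]", path)[-1]
    stem, _, ext = name.rpartition(".")
    variant = VARIANT_BY_EXT.get("." + ext.lower())
    if variant is None:
        return "clean", None
    if HEX_STEM_RE.match(stem):
        return "encrypted", variant
    # Known extension but a normal-looking name: may be an unrelated file type,
    # so flag it for a human rather than count it as encrypted.
    return "review", variant

def triage(paths):
    """Summarise a file listing: variant counts plus the paths in each status bucket."""
    report = {"encrypted": [], "review": [], "clean": [], "variants": Counter()}
    for p in paths:
        status, variant = classify(p)
        report[status].append(p)
        if status == "encrypted":
            report["variants"][variant] += 1
    return report

def dominant_variant(report):
    """The variant to quote when checking decryptors; None if nothing looked encrypted."""
    top = report["variants"].most_common(1)
    return top[0][0] if top else None

# Constructed listing for the demo; the hex names are made up, not real samples.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4.locky",
    r"C:\Users\alice\Documents\0F1E2D3C4B5A69788796A5B4C3D2E1F0.locky",
    r"\\fileserver\finance\7A7B7C7D7E7F80818283848586878889.zepto",
    r"C:\Users\alice\Documents\Q3_Report.xlsx",
    r"C:\Users\alice\Downloads\readme.ttt",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print(dominant_variant(r), dict(r["variants"]), r["review"])
```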
By 2017, the Locky operators appeared to shift focus to other projects. The infrastructure largely went quiet. But the codebase influenced groups that came after.
Recovery Options: What Actually Works
The hard truth: Locky uses genuine AES-256 + RSA-2048 encryption implemented correctly. Without the private key, brute-force decryption is not viable — period. So recovery comes down to finding the key another way, or bypassing the need for it.
Option 1: Free decryptors (check first, every time)
Some Locky variants have had decryptors developed after law enforcement operations compromised attacker infrastructure and seized keys. Because Locky is an older, well-documented family, a significant number of master keys have been recovered through law enforcement actions over the years.
Check both:
- NoMoreRansom.org → Crypto Sheriff → upload encrypted file + ransom note
- Emsisoft → search "Locky"
If your variant is covered, this is free and complete. If not, continue.
Option 2: Shadow copies
Locky specifically deletes shadow copies — but not every infection completes this step. If Locky was interrupted (you disconnected early, antivirus interfered, the script had a bug), shadow copies may survive.
Right-click an encrypted file → Properties → Previous Versions tab. Takes 30 seconds to check. Worth doing.
Option 3: Professional forensic recovery
For cases where neither free tools nor shadow copies work, forensic recovery looks for:
- Law enforcement-recovered master keys for your specific variant (many older Locky keys have been published)
- Key material that wasn't fully cleared from memory (if the machine was hibernated rather than shut down)
- Partial encryption — some files may only be partially encrypted and can be reconstructed through data carving
- Alternative copies of files in unexpected locations (recycle bin, temp files, print spooler, volume shadow snapshots that survived deletion)
Because Locky is an older, extensively documented family with many recovered keys available through law enforcement channels, the recovery outlook for Locky infections is generally more favorable than for newer, active ransomware families. Free assessment means you know before you pay anything.
For the broader recovery process, see our complete ransomware recovery guide.
What to Do Right Now If You Have Locky
Disconnect from the network immediately — even if encryption looks finished. Stop any ongoing communication and prevent lateral spread.
Hibernate the machine — don't leave it running (encryption continues), and don't do a normal shutdown (some variants delete shadow copies on shutdown). Hibernation preserves RAM (which may contain encryption key material for forensic analysis) while stopping the encryption process. If you don't know how to hibernate, pull the power plug immediately. Stopping the active destruction of your hard drive is far more important than preserving theoretical RAM data for forensics.
Note the exact extension on your encrypted files — tells us the variant.
Try NoMoreRansom and Emsisoft — takes 10 minutes, free.
If those fail — contact a professional ransomware recovery service for assessment. Locky is a known, documented family. There are established recovery approaches.
For the full emergency checklist, see our ransomware emergency: 5 steps to take right now.
How to Prevent It
Locky's attack chain has been well-understood for years. The defenses aren't complicated — they're just not always implemented.
On email (where most attacks start):
- Disable macros by default in Office (File → Options → Trust Center → Disable all macros with notification)
- Train staff to verify unexpected attachments via a separate channel before opening
- Email filtering that sandboxes attachments before delivery
On the system:
- Keep Windows and Office updated — Locky exploited vulnerabilities that were often already patched
- Disable Windows Script Host — Locky's .js and .vbs scripts run via wscript.exe, not your browser. Disabling WSH or changing the default file association for .js/.vbs files to Notepad prevents these scripts from executing silently. (In browsers, JavaScript is unrelated — disabling it there won't help and will break most websites.)
- Run standard users as standard users, not local admins
On backups (your ultimate safety net):
- One copy completely offline — not syncing, not connected
- Test restoration quarterly. A backup you've never restored from is a backup of unknown quality.
(For the full prevention checklist, see our 9 ways to prevent ransomware.)
FAQ
Is Locky still a threat? Direct Locky infections are rare now. But successor ransomware families use nearly identical techniques — understanding Locky prepares you for current threats.
Can Locky be removed without losing files? Yes. Removing the malware is separate from decrypting files. You can remove Locky from your system while preserving encrypted files for recovery attempts.
Does Locky spread to other computers on the network? Yes — it scans for and encrypts network shares. If other machines were connected during the infection, check them too.
How long does Locky take to encrypt a full machine? 30 minutes to 2 hours on a typical business workstation, depending on file count and network speed. Faster on SSDs.
Can Locky-encrypted files be recovered without paying? In many cases, yes — particularly for older variants where law enforcement has seized and published master keys. Free decryptors cover several Locky variants. For variants without free tools, forensic recovery through data carving, shadow copy restoration, and recovered key databases can still yield results. Because Locky is a well-documented older family with extensive law enforcement key recoveries, the outlook is generally more favorable than for active, modern ransomware families.
Dealing with Locky-encrypted files right now?
Tell us your extension variant and we'll tell you what recovery options exist — free assessment, no commitment. Based on 12 years of experience and 1,000+ ransomware recovery cases.
- WhatsApp: +852 4666 4940
- Email: IR@ransomrestore.com
- Website: ransomrestore.com
In most cases, we respond within 3 hours.
