Computers on Focus - Online Security Guide

06:58 pm
19 April 2024

.diablo6 Locky Decryptor Virus – How to Remove (Restore Files)

This article explains what .diablo6 encrypted files are and what the latest Locky Decryptor ransomware virus is. It also shows how to restore .diablo6 encrypted files and how to remove the Locky Decryptor virus completely.

The most devastating ransomware in the world right now – Locky ransomware is back! This time the virus spreads through sophisticated e-mail schemes: either messages containing malicious web links, or spam e-mails with no subject and a body similar to “Files attached. Thanks!”. The e-mails carry a .vbs script file inside a .ZIP archive, and when you open the file, the .diablo6 Locky virus infects your computer. The virus is very dangerous and users are warned to be careful, as it uses a sophisticated RSA+AES encryption combination to encrypt the files on compromised computers. If you have been infected by the .diablo6 variant of the notorious Locky ransomware, we strongly suggest that you read our blog post and learn how to remove Locky ransomware and how to restore your encrypted files without having to pay the ransom.

Threat Name: Locky Ransomware
Category: Ransomware virus.
Main Activity: Infects the computer, after which it encrypts important documents and holds them hostage until a ransom is paid.
Signs of Presence: Files are encrypted with the .diablo6 file extension.
Spread: Via malicious e-mail spam and a set of infection tools.
Detection+Removal: DOWNLOAD REMOVAL TOOL FOR Locky Ransomware
File Recovery: Download Data Recovery Software to see how many files encrypted by Locky Ransomware you will be able to recover.

Locky .diablo6 Ransomware Virus Technical Details

1. Distribution
Security experts have discovered that the .diablo6 iteration of Locky is distributed via spam messages containing malicious e-mail attachments in the form of .zip files. The archive is named “E-2017-{month}-{day}-{UniqueID}.zip”.

The text body of the e-mail was as follows:

Dear {First Name},
We’ve been receiving spam mailout from your address recently. Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Edith Hancock
ISP Support Tel.: (840) 414-21-61

If you receive a similar email message, beware that it is spam containing malware and you shouldn’t open anything in it under any circumstances.

2. Infection details

The .diablo6 iteration of Locky is not much different from the previous versions, especially the .loptr one. The .diablo6 variant uses JavaScript files and may also employ .vbs files for the infection process. Once the infection is initiated, Locky proceeds with the encryption. The encryption process changes the structure of the victim’s files so that they can no longer be opened. The encryption algorithm most likely used is AES+RSA. During infection the virus connects to the following hosts, as reported by Derrick Farmer (@Ring0x0):

  • hxxp://binarycousins.com/y872ff2f?
  • hxxp://aedelavenir.com/y872ff2f?
  • hxxp://campusvoltaire.com/y872ff2f?
  • hxxp://beansviolins.com/y872ff2f?
  • hxxp://aisp74.asso.fr/y872ff2f?
  • hxxp://tasgetiren.com/y872ff2f?
  • 91.234.35.106/checkupdate
  • 31.202.130.9/checkupdate
  • 193.106.166.105

Bear in mind that these hosts may not be the actual ones, since they might be hidden behind VPN tunnels or proxies.
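The host list above is the kind of indicator a defender would want to check against outbound proxy logs. The following script is an added example written for this article, not code from the original post or from the researcher credited above: it refangs the “hxxp” entries, extracts the host part, and matches it against a few constructed proxy log lines (the log format is assumed to be “epoch client method url status”; the log lines are made up for the demonstration).

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed on the page (defanged with "hxxp"); the plain IPs are hosts only.
DEFANGED_IOCS = [
    "hxxp://binarycousins.com/y872ff2f?",
    "hxxp://aedelavenir.com/y872ff2f?",
    "hxxp://campusvoltaire.com/y872ff2f?",
    "hxxp://beansviolins.com/y872ff2f?",
    "hxxp://aisp74.asso.fr/y872ff2f?",
    "hxxp://tasgetiren.com/y872ff2f?",
    "91.234.35.106/checkupdate",
    "31.202.130.9/checkupdate",
    "193.106.166.105",
]

# Constructed proxy log lines; format assumed: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "1502281800.123 10.0.0.12 GET http://www.example.com/index.html 200",
    "1502281801.456 10.0.0.12 GET http://binarycousins.com/y872ff2f? 200",
    "1502281802.789 10.0.0.15 GET http://91.234.35.106/checkupdate 200",
    "1502281803.012 10.0.0.20 GET http://intranet.example.local/ 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL/host (hxxp -> http, [.] -> .)."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".")


def ioc_host(ioc: str) -> str:
    """Extract the host part; bare "ip/path" entries get a scheme so urlsplit can parse them."""
    url = refang(ioc)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def match_proxy_log(lines, iocs):
    """Return (client, host) pairs for log lines whose destination host is on the IoC list."""
    watch = {ioc_host(i) for i in iocs}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing on them
        host = urlsplit(fields[3]).hostname
        if host in watch:
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in match_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(f"{client} contacted {host}")
```

Matching is done on the host rather than the full URL because the “y872ff2f” path token is campaign-specific and can change between waves, while the hosts are what the page lists; as the text notes, some of these hosts may be proxies or VPN endpoints, so a hit is a lead for investigation rather than proof of infection.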

The latest variant of this virus relies on C2 (Command and Control) servers to control the virus, and on many hosts linked to those servers to spread it. In addition, the payload comes in two formats – an HTML-type file and a JavaScript downloader. Not only this, but the files also use two extensions that make them more evasive: .hta for the HTML-type file and .wsf for the JavaScript downloader. They are also concealed inside a unique .zip type of file that may hide the infection files from spam filters or e-mail protection software.

Not only this, but the payload files are also named “Receipt” followed by random numbers and letters, aiming to resemble an actual receipt for a purchased product or service. This clever technique to motivate victims is a very cunning one, because anyone will get curious, especially if they do not realize they have actually paid for something.
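Putting the distribution details from section 1 (the “E-2017-{month}-{day}-{UniqueID}.zip” archive name) together with the downloader formats described here (.vbs and JavaScript files, the .hta and .wsf extensions, and the “Receipt” naming), a mail gateway or analyst can triage an attachment without ever running it. The script below is an added example for this article, not code from the original post: it inspects only the archive name and the member names inside the zip, and the sample archives it builds are constructed for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Archive name pattern reported on the page: E-2017-{month}-{day}-{UniqueID}.zip
ARCHIVE_NAME_RE = re.compile(r"^E-2017-\d{1,2}-\d{1,2}-[A-Za-z0-9]+\.zip$", re.IGNORECASE)
# Script / HTML-application extensions the page names as the Locky downloaders.
SCRIPT_EXTS = {".vbs", ".js", ".wsf", ".hta"}
# "Receipt" followed by random letters and digits, as described for the payload files.
RECEIPT_RE = re.compile(r"^receipt[ _-]?[a-z0-9]*\.", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Score one mail attachment by name and zip member names only; nothing is executed."""
    reasons = []
    if ARCHIVE_NAME_RE.match(filename):
        reasons.append("archive name matches the E-2017-MM-DD-<id>.zip campaign pattern")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    base = member.rsplit("/", 1)[-1]
                    parts = base.lower().split(".")
                    ext = "." + parts[-1] if len(parts) > 1 else ""
                    if ext in SCRIPT_EXTS:
                        reasons.append(f"archive contains script file {base}")
                        if len(parts) > 2:
                            reasons.append(f"script hides behind a double extension: {base}")
                    if RECEIPT_RE.match(base):
                        reasons.append(f"member named like a receipt: {base}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself worth a look (corrupt, or not a zip at all).
            reasons.append("attachment claims to be a zip but is not a valid archive")
    return Verdict(bool(reasons), reasons)


def build_sample_zip() -> bytes:
    """Constructed lure: a zip holding a .wsf script with a double extension and a receipt name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Receipt_8f3a2.pdf.wsf", "placeholder text, not a real script")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed harmless archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_0001.jpg", "placeholder bytes")
        zf.writestr("notes.txt", "placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("E-2017-08-09-A1B2C3.zip", build_sample_zip()))
    print(triage_attachment("holiday-photos.zip", build_benign_zip()))
```

Because the archive name carries a 2017 date and a random ID, the name pattern alone is a weak signal; the member checks (script extensions, a second extension in front of the script extension, “Receipt” naming) are what would let a filter quarantine the attachment even after the campaign changes its archive naming.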

But the virus may not be replicated only via e-mail. It may also be posted in comments and on other websites that allow users to post web links. Such web links may themselves be legitimate, to avoid detection, but they may also contain a malicious script that causes an infection by redirecting the user from the “legitimate” web link to a malicious one.

As soon as the Locky virus slithers onto your computer, it may cause a restart, begin encrypting files on Windows boot-up and then display its ransom note, which when opened looks like the following:

To encrypt the files, the .diablo6 version of Locky ransomware scans for the types of files that you most likely use, such as:

  • Your videos.
  • Audio files.
  • The pictures.
  • All of the Microsoft Office documents.
  • Adobe Reader, Photoshop and other files associated with commonly used programs.

When Locky has finished encrypting the files on the infected computer, the next step is to add the .diablo6 file extension, making them distinctive. Files encrypted by the .diablo6 virus also become irrecoverable, primarily because their structure is changed. This is achieved by a unique encryption algorithm, which researchers believe to be RSA or AES encryption, or even both used together.
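A first incident-response step after seeing the .diablo6 extension is to measure the damage: how many files were hit, of which original types, and whether any original file was left behind next to its encrypted copy (which matters for the recovery methods later in the article). The script below is an added example for this article, not code from the original post. It assumes, following the text, that the virus appends “.diablo6” to the original file name, and it builds a constructed directory tree in a temporary folder so it can be run offline.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".diablo6"  # extension named on the page


def inventory(root):
    """Walk root and return (count of encrypted files by original extension,
    paths of encrypted files whose original still exists alongside them)."""
    by_ext = Counter()
    originals_present = []
    for enc in Path(root).rglob("*" + ENCRYPTED_EXT):
        if not enc.is_file():
            continue
        # Assumption: the original name is what precedes the appended .diablo6.
        original = enc.with_name(enc.name[: -len(ENCRYPTED_EXT)])
        by_ext[original.suffix.lower() or "(no extension)"] += 1
        if original.exists():
            originals_present.append(str(original))
    return by_ext, originals_present


def build_sample_tree():
    """Constructed sample: a few encrypted documents, one untouched file, one leftover original."""
    root = tempfile.mkdtemp(prefix="diablo6_sample_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xlsx.diablo6").write_bytes(b"\x00" * 16)  # placeholder ciphertext
    (docs / "letter.docx.diablo6").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "holiday.jpg.diablo6").write_bytes(b"\x00" * 16)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8")  # original not removed by the malware
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    counts, leftovers = inventory(root)
    for ext, n in counts.most_common():
        print(f"{ext}: {n} encrypted file(s)")
    print("originals still present:", leftovers)
```

Run against a real affected profile, the per-extension counts tell you which of the file classes listed above were actually targeted, and a non-empty “originals still present” list is a direct indicator that the malware did not delete the plaintext copy, in which case those files can simply be restored from the originals.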

How to Remove Locky Decryptor Ransomware and Restore .diablo6 Files

For the full instructions on how to remove Locky .diablo6 ransomware and restore your files, check the steps below.

The bottom line is that the .diablo6 Locky ransomware’s creators are back after a significant drop in infections by this virus. Their new virus adds a unique “.diablo6” file extension to the encrypted files, which can no longer be opened. The virus is believed to use an advanced AES+RSA encryption algorithm to scramble the contents of the files and to have many added evasive techniques.

Not only this, but the ransomware is also believed to ask a higher ransom payment from its victims, most likely in a cryptocurrency such as Bitcoin. In case you have been infected by this .diablo6 variant of Locky ransomware, it is strongly advisable to remove this virus immediately. Since manual removal may not do the job for you unless you have extensive experience with this virus, we advise you to delete it automatically using an advanced anti-malware tool that will do so without further damaging the encrypted files.

Unfortunately, at present there is no decryptor that will help you, because the virus is new. However, you may want to try uploading your files to ID Ransomware and wait for researchers to come up with a free decryptor sooner or later. You may also want to try data recovery software, but DO NOT delete the encrypted files or reinstall Windows, because you may need them if a free decryptor is released by malware researchers.

Booting in Safe Mode

For Windows:
1) Hold the Windows key and press R
2) A Run window will appear; in it, type “msconfig” and hit Enter
3) After the window appears, go to the Boot tab and select Safe Boot

Cut out Locky Ransomware in Task Manager

1) Press CTRL+SHIFT+ESC at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of Locky Ransomware and end its task by right-clicking on it and clicking “End Process”.

Eliminate Locky Ransomware’s Malicious Registries

For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F and type Locky Ransomware or the file name of the malicious executable of the virus, which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located the malicious registry objects, some of which are usually in the Run and RunOnce subkeys, delete them permanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type regedit –> Open it –> Hold CTRL + F –> Type Locky Ransomware Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter –> Press CTRL + F. Type Locky Ransomware in the search field.
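Searching the registry by the name “Locky Ransomware” only works if the malware happens to use that name, which it rarely does. The steps above give a better lead: look at what the Run and RunOnce subkeys launch and whether it lives in %AppData%, %Temp% or the other user-writable locations listed. The script below is an added example for this article, not code from the original post: it parses a text export of those keys (the kind produced by choosing File > Export in regedit) so the review can be done offline, and it flags entries that start from a user-writable directory, run a script host, or point at one of the script types named earlier (.vbs, .js, .wsf, .hta). The export it analyses is constructed for the demonstration.

```python
import re

# Lowercased path fragments for the drop locations the page lists (%AppData%, %Temp%, ...).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
SCRIPT_EXTS = (".vbs", ".js", ".wsf", ".hta")        # downloader types named on the page
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")       # interpreters that launch those types
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# One string value per line in a .reg export: "name"="data" (with \" and \\ escapes).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed export: one genuine-looking per-user app, one fake updater, one script launcher.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\receipt.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''


def unescape(s: str) -> str:
    """Undo .reg escaping: \\x becomes x (covers \\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group("name")), unescape(m.group("data"))


def suspicious_autoruns(text: str):
    """Return Run/RunOnce entries with the reasons each one deserves a closer look."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue  # only the autorun keys the page points at
        d = data.lower()
        reasons = []
        if any(frag in d for frag in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if any(d.endswith(e) or (e + " ") in d or (e + '"') in d for e in SCRIPT_EXTS):
            reasons.append("launches a script file")
        if any(h in d for h in SCRIPT_HOSTS):
            reasons.append("uses a script host")
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_REG):
        print(f"{f['name']:10} {f['command']}\n    -> {', '.join(f['reasons'])}")
```

Note that legitimate per-user software (OneDrive in the sample) also installs under AppData, so “runs from a user-writable directory” on its own is a lead to verify against the file’s publisher and signature, not a verdict; an entry that combines that location with a script host and a .vbs or .wsf file, like the constructed “Cleanup” value, is the pattern this article’s infection chain would leave behind.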

Automatic Removal of Locky Ransomware

DOWNLOAD REMOVAL TOOL FOR Locky Ransomware
The free version of SpyHunter will only scan your computer to detect any possible threats. To remove them permanently from your computer, purchase its full version. SpyHunter malware removal tool additional information / SpyHunter Uninstall Instructions

Recover files encrypted by the Locky Ransomware.

Method 1: Using Shadow Explorer. In case you have File History enabled on your Windows machine, one thing you can do is use Shadow Explorer to get your files back (Shadow Explorer reads the Volume Shadow Copies that Windows System Protection creates, so check that System Protection was turned on for the affected drive as well). Unfortunately, some ransomware viruses delete those shadow volume copies with an administrative command to prevent you from doing just that.

Method 2: Try to decrypt your files using third-party decryption tools. Many antivirus providers have decrypted multiple ransomware viruses over the last couple of years and published decryptors for them. Chances are, if your ransomware virus uses the same encryption code as a decryptable virus, you may get the files back. However, this is not a guarantee either, so you might want to try this method on copies of the original encrypted files, because if a third-party program tampers with their encrypted structure they may be damaged permanently. Here are the vendors to look for:

  • Kaspersky.
  • Emsisoft.
  • TrendMicro.

Method 3: Using data recovery tools. This method is suggested by multiple experts in the field. Such tools scan your hard drive’s sectors and can recover the original files as if they had merely been deleted. Most ransomware viruses delete the original file and create an encrypted copy to prevent such programs from restoring the files, but not all are this sophisticated, so you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try in order to restore at least some of your files:
