How to decrypt .lock files from ransomware on Windows

I don't think you will see those files again, unless you have a back up.

You can view the transaction history of the Bitcoin address you were asked to pay to here. As you can see, there are 303 transactions in total and many of them are for 1 BTC.

That implies that the same Bitcoin address has been given to multiple victims. This in turn means that it is impossible for the perpetrators to know who has paid, and what encryption key should be sent. (Hence the odd request for a screenshot, I presume.)

So either they are incompetent in their handling of the ransom, or much more likely, they are not restoring any files, instead just milking victims for more and more money. And if they are not restoring any files, why even bother to encrypt them when you can just overwrite them with random garbage?

So those files are probably gone, no matter if you pay or not.

Edit: There are some good points in comments. Potentially the screenshots could be used as proof of payments, although a flawed one. And even if payment does not lead to decryption the files might still be encrypted.

But even with this taken into account, unless a remedy for this specific version of ransomware pops up, you are very unlikely to be able to restore your files. Nkal's answer has a great link to a repository of such remedies.

Edit 2: This Troy Hunt blogpost follows a similar line of reasoning about extortion and Bitcoins.

Edit 3: The recent WannaCry outbreak has made me reconsider this answer. Apparently WannaCry uses three hardcoded bitcoin wallets, but people still seem to have gotten their files decrypted. So I think the base assumption of this answer is wrong.


First line of defense: BACKUPS. Restore the files from there. When available, this has a 100% chance of success.

Otherwise: hope that the ransomware did not disable/work around the Windows Shadow Copy service and that it was active to begin with. Choose one of the files, right click, Properties, "Previous Versions". Is there a previous version from before the attack?

If not: hope that the original files were just deleted without overwrite, and that they were not deleted the easiest way, one at a time; or that if it happened, the Windows space allocation strategy left the original space unused as long as possible, rather than allocating each new encrypted file to the deleted original file of the previous round; which means that you need the disk to be more than 50% free to begin with. Run a file undelete utility (e.g. Piriform's Recuva).

Sometimes, the files you're interested in might have had previous versions deleted before the ransomware attack. These deleted versions, while not current, could be valuable, and since the ransomware could not see them (they were deleted), it shouldn't have encrypted them.

Otherwise: the only recourse is the "good faith" of the attackers. Sadly, you already verified it doesn't work, which also bodes ill for the other possibilities. It is in the scammers' interest to deliver, to reassure their other victims and also sometimes to be able to slip you a second infection and milk you again a month hence. If they didn't, chances are that they can't (1).

Lastly, the remotest of hopes: keep the encrypted disk somewhere safe and reinstall on a new disk. Assuming the attackers were in good faith and the data is really encrypted and recoverable, instead of just replaced with random noise or unrecoverable (2), it might happen that in a week, a month, or some years, either the command-and-control server will be taken down and the keys recovered, or an error will surface in the encryption strategy and someone will write a recovery tool (it has happened, for three ransomware families out of... unfortunately, several). Some data might be recoverable then.

UPDATE 2016/12: (Some) CryptoLocker 3 decryption possible.

(1) it is not so easy to write ransomware - or to do so "correctly"; an easier approach is to modify an existing one so that it sports their bitcoin account and disposable email, instead of those of the original authors. Of course they don't have all the infrastructure required to really receive the encryption keys and give them back to paying victims - they're only running a quick money scheme. They milk their victims for what they can, without ever being able to actually give them back their files.

(2) e.g. because they did use the system's encryption routines, but they mismanaged the keys or they lost them in transmission. Or because, see previous note, this is not their ransomware at all.
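The "Previous Versions" step above depends on the Volume Shadow Copy service having been running and on at least one snapshot predating the encryption. The following PowerShell script is an added example, not part of the original answer: run elevated on the affected machine, it reports the VSS service state and lists every existing shadow copy with its drive letter and creation time, flagging those created before an attack time you supply (`$AttackTime` is a placeholder). It only reads; it does not restore anything.

```powershell
# Added example (not from the original answer). Assumes the approximate time
# the encryption started is known; $AttackTime is a placeholder to adjust.
$AttackTime = Get-Date '2016-12-01 09:00'

# 1. Is the Volume Shadow Copy service still present and able to start?
#    Some ransomware disables it or deletes existing snapshots before encrypting.
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
if (-not $vss) {
    Write-Warning 'VSS service not found; "Previous Versions" will not be available.'
} elseif ($vss.StartType -eq 'Disabled') {
    Write-Warning 'VSS service is disabled; re-enable it before trying to restore.'
} else {
    "VSS service state: $($vss.Status) (start type: $($vss.StartType))"
}

# 2. Enumerate shadow copies and map each one's volume GUID to a drive letter.
$volumes = Get-CimInstance -ClassName Win32_Volume
$shadows = foreach ($s in Get-CimInstance -ClassName Win32_ShadowCopy) {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    [pscustomobject]@{
        Created   = $s.InstallDate          # CIM already returns a DateTime
        Drive     = $vol.DriveLetter
        Device    = $s.DeviceObject         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        PreAttack = ($s.InstallDate -lt $AttackTime)
    }
}
$shadows | Sort-Object Created | Format-Table -AutoSize

# 3. Only snapshots taken before the attack can hold unencrypted versions.
$usable = @($shadows | Where-Object { $_.PreAttack })
if ($usable.Count -eq 0) {
    Write-Warning 'No shadow copy predates the attack; fall back to backups or an undelete tool.'
} else {
    "Candidate snapshots predating the attack: $($usable.Count); oldest is $($usable[0].Device)"
}
```

If a candidate exists, the per-file "Previous Versions" tab described above reads from exactly these snapshots, so copy anything recovered to a separate, clean disk before doing any further work on the infected one.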


Europol has a web page with a contact form that you can use to check if a solution is available to your friend's problem.

https://www.nomoreransom.org/