Locker ransomware is a virus that infects PCs and locks the users files, preventing access to data and files located on the PC until a ransom or fines are paid. Locker demands a payment of $150 via Perfect Money or is a QIWI Visa Virtual Card number to unlock files.  This particular variant affects Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.

Locker ransomware is a copycat of another very nasty ransomware that has infected over 250,000 computer systems named CryptoLocker. The name is derived from the window that opens on the infected device and has been dubbed the “Locker” ransomware by Lawrence Abrams of Bleeping Computer.


Although the Locker ransomware is simple, it can pack a devastating blow to one's computer. It is encrypted with AES and if you don't know the code (which nearly impossible to break) you can be subjected to a $300 ransom to retrieve your files. Not only is this inconvenient it is extortion at the technological level. Recent breakthroughs on stifling the CryptoLocker ransomware have been marginal at best. These minor advancements mean that there are still variants of the Locker ransomware floating about the web. And, many experts believe that security awareness training and ramped up security are the only viable options to stop the virus in its tracks

How It Works

Much like the other ransomware variants, Locker will scour its victim's device in search of file extensions to encrypt. After encrypting the files, leaving AES encryption, Locker will then open a window that contains the ransom and details about the infections. Talk about a nasty bug. This window explains what occurred to the file system and provides payment information and demands an initial ransom of .1 bitcoins.

Locker Ransomware Message Example

As stated above Locker can affect all versions of Windows; this includes Windows XP, Windows 7, and Windows 8.  Additionally, the Trojan Downloader that produces Locker is then installed as a Windows service with a random file name. It can often reside in :C:\Windows\SysWOW64 directory of the affected file system. Furthermore, another service is installed in the following directory: C:\ProgramData\Steg\ with a file name of Steg.exe.  When executed, this service creates a folder under C:\ProgramData\ named Tor. After the creation of the Tor folder, another service was installed, titled “LDR”.  Its associated executable resides within C:\ProgramData\rkcl\ as ldr.exe. That is a running total of four services.  

This service, whose name can be interpreted as “LOADER”, then installed and launched an executable within the same directory (C:\ProgramData\rkcl), saved as  This program is the primary executable responsible for Locker’s ransomware activities.

Update: Free Locker Decryptor

There is now a Locker unlocker that will allow you to decrypt your files for free.

Is Your Network Vulnerable To Ransomware Attacks?

Find out now with KnowBe4's Ransomware Simulator "RanSim", get your results in minutes.
Get RanSim!

« Back To Ransomware Knowledgebase


Get the latest about social engineering

Subscribe to CyberheistNews