Locked_X is a file-encrypting ransomware variant that holds victims' documents, photos, and other personal files hostage in exchange for a cryptocurrency payment. Like most modern ransomware, it combines strong encryption with intimidation tactics to pressure victims into paying quickly. Its recognizable traits are a layered (hybrid) encryption scheme and the distinctive ".locked_x" extension it appends to every encrypted file, which makes infected documents immediately recognizable but completely inaccessible.
This threat typically arrives through phishing emails with malicious attachments or compromised software downloads. Once executed, it works quickly—encrypting files across local and network drives within minutes. Victims find a ransom note demanding payment, usually in Bitcoin, with threats of permanent data loss if they don't comply within a specified timeframe. The encryption is typically strong enough that recovery without the decryption key is effectively impossible with current technology.
Threat Profile
| Attribute | Details |
|---|---|
| Malware Family | File-encrypting ransomware |
| Common Aliases | Locked_X, LockedX Ransomware, .locked_x virus |
| Targeted Platforms | Windows 7/8/10/11 (primarily); some variants target network shares accessible from infected machines |
| Discovery Period | Mid-to-late 2010s (exact date varies by variant) |
| Primary Distribution | Phishing emails, malicious email attachments (fake invoices, shipping notices), exploit kits, compromised software installers |
| Encryption Method | Hybrid encryption typical for this ransomware class (RSA + AES or similar asymmetric/symmetric combination) |
| File Extension | .locked_x appended to original filename (e.g., document.pdf becomes document.pdf.locked_x) |
| Ransom Note Filename | Varies by variant; commonly "HOW_TO_DECRYPT.txt", "README.txt", or similar placed in affected folders |
| Payment Method | Bitcoin or other cryptocurrency; ransom amounts typically range from $300-$1500 for individual victims |
| Persistence Mechanism | Registry Run keys or scheduled tasks in some variants; most are built for single-execution impact and need no long-term persistence once encryption completes |
| Network Behavior | Contacts command-and-control servers for encryption key exchange; may scan local network for additional targets |
| Removal Difficulty | Moderate (removing the malware itself); file recovery without decryption key is effectively impossible |
How It Spreads
Locked_X predominantly spreads through social engineering that exploits human trust rather than software vulnerabilities, although exploit kits and exposed RDP services (see the list below) are used as well. The most common delivery mechanism is phishing email designed to look like legitimate business correspondence: fake shipping notifications from FedEx or UPS, overdue invoice warnings, or urgent messages claiming to be from financial institutions. These emails contain either malicious attachments (often disguised as PDF files or Word documents with macros) or links to compromised websites that trigger drive-by downloads.
Once a user opens the infected attachment or clicks the malicious link, the ransomware executable downloads and launches silently in the background. Some variants arrive as part of a multi-stage infection chain, where an initial loader downloads the main ransomware payload from a remote server. This approach helps the malware evade detection, since the initial file that bypasses email filters may be relatively small and not immediately recognizable as malicious.
The infection can also spread through network shares if the compromised account has permissions to access other systems. Once Locked_X begins execution, it may enumerate network drives and encrypt files on those locations as well, effectively multiplying the damage across an entire small business network from a single infected endpoint.
- Phishing email attachments — weaponized documents with macros, fake PDFs containing embedded executables, or ZIP files with disguised .exe files
- Malicious download links — emails or compromised websites directing users to fake software updates or document viewers
- Software bundling — pirated software, key generators, or "cracked" applications that include the ransomware as a hidden payload
- Exploit kits — automated attack tools on compromised websites that exploit browser or plugin vulnerabilities to silently install malware
- Remote Desktop Protocol (RDP) attacks — brute-force attacks against weak or default passwords on internet-exposed RDP services
- Infected USB drives — less common but still viable; autorun-enabled malware on physical media passed between users
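The attachment disguises in the list above (double extensions, executables named like documents, macro-carrying Office files, executables inside ZIPs) can be checked mechanically before anything is opened. The following is an added example written for this page, not code from the original article or from any product it mentions; the extension lists are assumptions and the sample attachments are constructed in memory, none of them real malware.

```python
"""Attachment triage for the disguises listed above. Added example, not code
from the original page: compares an attachment's real container (magic bytes)
with its claimed extension, flags double extensions such as invoice.pdf.exe,
detects VBA macro storage in Office Open XML files and executables inside ZIPs.
Samples are constructed in memory; the extension lists are assumptions."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows executes directly (assumed list, not exhaustive).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "hta", "ps1", "msi", "lnk"}
# Document/image extensions that lures borrow for the front half of a double extension.
DOC_EXTS = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx",
            "rtf", "txt", "jpg", "png"}
# Leading bytes that identify the real container regardless of the filename.
MAGIC = [(b"MZ", "pe"),                                 # Windows executable
         (b"%PDF-", "pdf"),
         (b"PK\x03\x04", "zip"),                        # ZIP, also .docx/.xlsx/.pptx
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole")]  # legacy .doc/.xls


def sniff(data: bytes) -> str:
    """Container type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_findings(data: bytes) -> List[str]:
    """Findings for a ZIP container: macro storage and executable members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["ZIP header but archive is corrupt or truncated"]
    findings = []
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            # OOXML keeps VBA macros in vbaProject.bin under word/, xl/ or ppt/.
            if lower.endswith("vbaproject.bin"):
                findings.append("Office document contains VBA macros")
            elif "." in lower and lower.rsplit(".", 1)[1] in EXEC_EXTS:
                findings.append(f"archive member is executable: {name}")
    return findings


def triage(filename: str, data: bytes) -> List[str]:
    """Human-readable findings for one attachment; empty list means nothing flagged."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in EXEC_EXTS:
        findings.append(f"executable extension .{ext}")
    # invoice.pdf.exe: Explorer hides the final extension by default, so the
    # user sees what looks like a PDF.
    if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
        findings.append("double extension")
    # Contents contradict the name: a "PDF" that begins with an MZ header.
    if kind == "pe" and ext not in EXEC_EXTS:
        findings.append("PE header under a non-executable extension")
    if kind == "zip":
        findings.extend(zip_findings(data))
    return findings


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP (or OOXML-shaped) file in memory for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60   # just enough header to be sniffed as PE

# Constructed sample attachments (filename -> bytes); none is real malware.
SAMPLES: Dict[str, bytes] = {
    "Invoice_4471.pdf.exe": PE_STUB,
    "Shipping_Label.pdf": PE_STUB,
    "Quote.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": b"\x00" * 16}),
    "Scans.zip": make_zip({"Scan_0021.pdf.exe": PE_STUB}),
    "Real_Invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "Clean.docx": make_zip({"word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {triage(name, data) or 'clean'}")
```

The magic-byte check is the part users cannot do by eye: a file named Shipping_Label.pdf that starts with an MZ header is an executable no matter what the icon says. A real mail gateway would add size limits and a nesting depth for archives inside archives; this version deliberately looks only one level deep.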
What It Does On Your Machine
The moment Locked_X executes, it begins a rapid, methodical attack on your files. The malware first contacts its command-and-control server to obtain the encryption keys that will be used to lock your files. This happens quickly, often within seconds, and once the keys are in hand the encryption starts immediately. Do not count on a blocked or unreachable server to stop the damage: many ransomware families carry an embedded public key and encrypt offline, so treat network isolation as a way to protect other machines, not as a kill switch. The ransomware targets the file types that matter most to users (Microsoft Office files, PDFs, images, databases, archives, and other personal data) while deliberately skipping the system files Windows needs to run, so the machine still boots and displays the ransom demand.
As files are encrypted, Locked_X appends the .locked_x extension to each filename, creating a visual marker of the damage. A document named "2024_Taxes.xlsx" becomes "2024_Taxes.xlsx.locked_x" and is unreadable by any normal application. The encryption itself is strong: typically a hybrid approach in which a symmetric algorithm such as AES encrypts the file contents quickly, and the AES key is then encrypted with an asymmetric algorithm such as RSA. The private RSA key needed for decryption is held only by the attackers. Brute-forcing a properly sized RSA or AES key is beyond any available computing resources, so recovery by attacking the cryptography is not a realistic option.
Once encryption completes, the ransomware drops a ransom note in every affected folder. This text file contains instructions for payment, typically directing victims to a Tor-based payment portal where they can purchase the decryption key with Bitcoin. The note usually includes threats about time limits (claiming the decryption key will be destroyed after X days) and warnings against using recovery tools or antivirus software, which the attackers claim will make files unrecoverable. These threats are psychological tactics designed to create panic and prompt immediate payment.
Locked_X variants often include additional destructive behaviors designed to prevent recovery. Many run built-in Windows tools to delete Volume Shadow Copies (Windows' built-in snapshot system), most commonly vssadmin delete shadows or wmic shadowcopy delete, removing the most accessible route to file recovery without paying. Some variants also use bcdedit to disable Windows recovery and automatic repair at boot, making restoration more difficult. The goal is to leave victims with only one apparent option: payment. However, paying carries no guarantee. Many victims never receive working decryption tools even after paying, and every payment funds future criminal operations.
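The shadow-copy and boot-configuration tampering described above leaves a clear trace in process-creation telemetry, and it is one of the few ransomware behaviors worth alerting on before encryption finishes. The following detector is an added example written for this page, not code from the original article: the command patterns are generic ransomware recovery-inhibition techniques (MITRE ATT&CK T1490), not indicators specific to Locked_X, and the events are constructed JSON records shaped like Sysmon Event ID 1 fields.

```python
"""Detect the recovery-inhibition commands described above in process-creation
events (MITRE ATT&CK T1490, Inhibit System Recovery). Added example, not code
from the original page. Events are constructed JSON records with Sysmon-style
fields (EventID, Image, CommandLine, ParentImage); the command patterns are
generic ransomware behaviour, not Locked_X-specific indicators."""
import json
import re
from typing import Dict, List, Optional

# (regex over the command line, short label); matched case-insensitively.
RECOVERY_INHIBIT = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=", "vssadmin shrink shadow storage"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"win32_shadowcopy.*\.delete\(\)", "PowerShell Win32_ShadowCopy delete"),
    (r"bcdedit(\.exe)?.*\s/set\s.*recoveryenabled\s+no", "bcdedit recoveryenabled No"),
    (r"bcdedit(\.exe)?.*\s/set\s.*bootstatuspolicy\s+ignoreallfailures", "bcdedit bootstatuspolicy ignoreallfailures"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "wbadmin delete catalog"),
]
PATTERNS = [(re.compile(rx, re.I), label) for rx, label in RECOVERY_INHIBIT]

# Locations a standard user can write to. A parent process living here is a
# stronger signal than the same command typed by an admin from cmd.exe.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Users\\Public|ProgramData)\\", re.I)


def detect(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if it is clean."""
    cmd = str(event.get("CommandLine", ""))
    parent = str(event.get("ParentImage", ""))
    for pattern, label in PATTERNS:
        if pattern.search(cmd):
            from_user_dir = bool(USER_WRITABLE.search(parent))
            return {"technique": "T1490", "indicator": label,
                    "image": event.get("Image", ""), "parent": parent,
                    "parent_user_writable": from_user_dir,
                    "severity": "high" if from_user_dir else "medium"}
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run detect() over JSON-lines records, skipping non-JSON and non-process events."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 1:          # only process creation
            continue
        finding = detect(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet",
                "ParentImage": r"C:\Users\jdoe\AppData\Roaming\3fa85f64-5717-4562-b3fc-2c963f66afa6\3fa85f64.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
                "CommandLine": r"bcdedit /set {default} recoveryenabled No",
                "ParentImage": r"C:\Users\jdoe\AppData\Roaming\3fa85f64-5717-4562-b3fc-2c963f66afa6\3fa85f64.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": r"vssadmin list shadows",            # benign admin check
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
                "CommandLine": r"wmic shadowcopy delete",           # admin at a shell: medium
                "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": r"vssadmin delete shadows /all"}),  # network event, ignored
    "not json at all",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['indicator']} <- parent {f['parent']}")
```

The parent-process check is what separates an administrator doing maintenance from malware: vssadmin launched by an executable sitting in %APPDATA% has essentially no legitimate explanation, while the same command from cmd.exe deserves a look but not an automatic response. On endpoints with a response capability, the "high" case is a reasonable trigger for network isolation.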
Manual Removal — Step by Step
Isolate the Infected System Immediately
Disconnect the computer from all networks: unplug the Ethernet cable and disable Wi-Fi through the physical switch or Windows settings. This stops the ransomware from encrypting files on network shares or spreading to other computers. If encryption is still in progress (files are actively being renamed with the .locked_x extension), power the machine off immediately with the physical power button; every minute of operation means more lost files. A hard power-off discards whatever was in memory, which an incident responder might have wanted to capture, but on a home or small-office machine stopping the encryption takes priority.
Boot Into Safe Mode with Networking
On Windows 7, restart the computer and repeatedly tap F8 during startup to reach the Advanced Boot Options menu, then select "Safe Mode with Networking." Windows 8 and later disable the F8 prompt by default: hold Shift while clicking Restart (or go to Settings > Recovery > Advanced startup), then choose Troubleshoot > Advanced options > Startup Settings > Restart and press 5 for Safe Mode with Networking. Safe Mode loads Windows with minimal drivers and skips most autostart entries, so the malware usually does not launch, giving you a cleaner environment for removal. If normal startup is disrupted, boot from Windows installation media and use its repair options to reach the same menu.
Identify and Terminate Malicious Processes
Open Task Manager (Ctrl+Shift+Esc) and look for processes with random-looking names running from %APPDATA%, %TEMP%, or %LOCALAPPDATA%. Right-click a suspicious process and select "Open file location" to confirm the path. If the executable lives in one of those user-writable locations and is not a program you recognize, right-click again and choose "End Task." Be cautious: terminating the wrong system process can cause instability. Note the process name and full file path for the next steps.
Remove Persistence Mechanisms
Press Win+R, type "regedit," and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and its HKEY_LOCAL_MACHINE equivalent (check the RunOnce keys beside them as well). Look for values with random names pointing to the executable paths you identified, right-click them, and delete them. Next, open Task Scheduler (taskschd.msc), sort the task list by creation date, and delete any recently created task that runs the malware executable. Sysinternals Autoruns shows all of these locations in a single view if you prefer one pass.
Delete the Malware Files
Navigate to the folder locations where the malicious executables were running (typically %APPDATA%\{random-guid}\ or similar). Delete the entire folder. Check %TEMP% for recent executable files and delete those as well. If Windows prevents deletion claiming the file is in use, reboot into Safe Mode again and retry. The goal is to remove the ransomware executable itself, though this does nothing to decrypt your files.
Run a Comprehensive Antimalware Scan
Download and install Malwarebytes (or a similar reputable anti-malware tool) while still in Safe Mode with Networking. Update the definitions and run a full system scan. This catches remnants, associated files, or secondary infections that manual removal might miss. Quarantine everything the scanner identifies. Follow up with a scan using your primary antivirus software as well—two independent scanning engines increase the likelihood of complete removal.
Attempt File Recovery (Limited Success Expected)
Before assuming the files are gone, identify the exact variant from the ransom note and an encrypted sample and check whether a free decryptor exists; the No More Ransom project (nomoreransom.org) maintains a list for families whose keys have been recovered. Then check for Windows Volume Shadow Copies: run "vssadmin list shadows" from an administrator command prompt, or use Shadow Explorer or the Windows "Previous Versions" feature (right-click a folder, select Properties > Previous Versions). If Locked_X has not deleted these snapshots, you may recover some files from them. For files without shadows, file-recovery software sometimes retrieves unencrypted temporary copies if the original was not securely wiped. Set realistic expectations: recovery without the decryption key is unsuccessful for most files.
Change All Passwords From a Clean Device
Because ransomware infections sometimes arrive bundled with info-stealing trojans, assume your saved passwords are compromised. Using a different, uninfected computer or smartphone, change passwords for email accounts, banking, online shopping, and any work-related systems you access from the infected machine. Enable two-factor authentication wherever possible to add an extra security layer even if passwords are exposed.
Restore From Backups if Available
If you have recent backups on an external drive or cloud service that wasn't connected during the infection, this is your best path to recovery. Before connecting backup media, ensure the malware is completely removed (confirmed by multiple clean scans). Restore files selectively rather than doing a full system image restore, which might reintroduce the infection if the backup was taken after infection but before encryption.
Verify System Stability and Monitor
Reboot into normal Windows mode and observe system behavior for several days. Run additional scans periodically. Watch for suspicious network activity, unexpected CPU usage, or new unknown processes. If everything remains clean after a week of normal use, the infection is likely fully removed. The encrypted files will remain locked unless you had successful backup restoration or shadow copy recovery.
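The process, persistence, and file-deletion steps above all come down to the same judgement: is this executable where a legitimate program would live, and how much of the drive did the malware reach before it was stopped? The following helpers are an added example written for this page, not code from the original article or from any product it mentions. The scoring weights, the sample Run-key entries and the demonstration directory tree are constructed assumptions; on a real case you would feed in the entries you see in regedit or Autoruns and point inventory() at the affected drive.

```python
"""Triage helpers for the removal steps above. Added example, not code from
the original page: assess_autorun() scores a Run-key or scheduled-task command
the way the process and persistence steps describe (user-writable path,
GUID-like or hex-only names, file dropped straight into %APPDATA% or %TEMP%);
inventory() walks a tree and counts .locked_x files and ransom notes to size
the damage before restoring. Weights, sample entries and the demo directory
tree are constructed assumptions."""
import re
import tempfile
from collections import Counter
from pathlib import Path, PureWindowsPath
from typing import Dict, List

ENCRYPTED_EXT = ".locked_x"
NOTE_NAMES = {"how_to_decrypt.txt", "readme.txt"}      # names given in the threat profile
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local|LocalLow)|Temp|Users\\Public|ProgramData)\\", re.I)
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_BLOB = re.compile(r"^[0-9a-f]{8,}$", re.I)
DROP_ROOTS = {"roaming", "local", "locallow", "temp", "public", "programdata"}


def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key value or task action string."""
    command = command.strip()
    if command.startswith('"'):                  # "C:\path with spaces\x.exe" /arg
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]              # unquoted: assume no spaces in the path


def assess_autorun(name: str, command: str) -> Dict[str, object]:
    """Score an autorun entry; 3 or more means treat it as malware until proven otherwise."""
    exe = executable_path(command)
    path = PureWindowsPath(exe)
    score, reasons = 0, []
    if USER_WRITABLE.search(exe):
        score += 2
        reasons.append("runs from a user-writable location")
    if any(GUID.match(p) or HEX_BLOB.match(p) for p in (*path.parts, path.stem)):
        score += 2
        reasons.append("GUID-like or hex-only name in the path")
    if path.parent.name.lower() in DROP_ROOTS:
        score += 1
        reasons.append("dropped directly into the root of a scratch folder")
    if GUID.match(name) or HEX_BLOB.match(name):
        score += 1
        reasons.append("entry name itself looks random")
    verdict = "suspicious" if score >= 3 else "review" if score else "likely benign"
    return {"name": name, "exe": exe, "score": score, "verdict": verdict, "reasons": reasons}


def inventory(root: Path) -> Dict[str, object]:
    """Count encrypted files by original extension and locate ransom notes under root."""
    by_ext: Counter = Counter()
    note_folders, mtimes = set(), []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in NOTE_NAMES:
            note_folders.add(str(p.parent))
        elif p.name.lower().endswith(ENCRYPTED_EXT):
            original = p.name[:-len(ENCRYPTED_EXT)]      # 2024_Taxes.xlsx.locked_x -> 2024_Taxes.xlsx
            by_ext[Path(original).suffix.lstrip(".").lower() or "(none)"] += 1
            mtimes.append(p.stat().st_mtime)
    return {"encrypted": sum(by_ext.values()), "by_original_ext": dict(by_ext),
            "note_folders": sorted(note_folders),
            # The mtime window brackets when encryption ran; line it up with logs.
            "first_mtime": min(mtimes, default=None), "last_mtime": max(mtimes, default=None)}


def build_sample_tree() -> Path:
    """Create a constructed, already-'encrypted' folder layout in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="locked_x_demo_"))
    for rel in ("Documents/2024_Taxes.xlsx.locked_x", "Documents/HOW_TO_DECRYPT.txt",
                "Pictures/IMG_0001.jpg.locked_x", "Pictures/IMG_0002.JPG.locked_x",
                "Pictures/HOW_TO_DECRYPT.txt", "Music/playlist.m3u"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00" * 16)
    return root


# Constructed Run-key entries (value name, command); not from a real infection.
SAMPLE_AUTORUNS = [
    ("3fa85f64", r'"C:\Users\jdoe\AppData\Roaming\3fa85f64-5717-4562-b3fc-2c963f66afa6\3fa85f64.exe"'),
    ("Updater", r"C:\Users\jdoe\AppData\Local\Temp\update.exe /silent"),
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("VendorTool", r'"C:\Program Files\Vendor\tool.exe" /tray'),
]

if __name__ == "__main__":
    for value_name, cmd in SAMPLE_AUTORUNS:
        print(assess_autorun(value_name, cmd))
    print(inventory(build_sample_tree()))        # on a real case: inventory(Path("C:/"))
```

Note the OneDrive entry: it also runs from under %LOCALAPPDATA%, which is why a user-writable path alone is scored "review" rather than "suspicious". Legitimate per-user installers do use that location, so the extra signals (a GUID folder, a bare executable dropped in the root of Temp) are what push an entry over the line. The mtime window from inventory() is also the first thing to compare against your email and download history when working out how the infection arrived.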
Prevention
- Maintain offline backups following the 3-2-1 rule: Keep three copies of important data, on two different media types, with one copy stored offsite or offline. Disconnect external backup drives after completing backups—a connected drive is vulnerable to ransomware encryption.
- Enable Windows Volume Shadow Copies and regular restore points: Configure System Protection to create automatic restore points. Ransomware usually tries to delete these, but doing so requires administrator rights, so combined with the least-privilege advice below they remain a real recovery option if the infection runs under a standard account or is caught early.
- Train yourself and employees to recognize phishing: Be immediately suspicious of unsolicited emails with attachments, especially those creating urgency ("Overdue invoice," "Failed delivery," "Suspended account"). Verify unexpected attachments by contacting the supposed sender through a separately-looked-up phone number or known-good email address.
- Disable macros in Office documents by default: Configure Microsoft Office to disable all macros from untrusted sources. Legitimate business documents rarely require macros, and malicious documents frequently rely on tricking users into enabling them.
- Keep Windows and all software updated: Enable automatic updates for Windows, browsers, Adobe products, Java, and other common software. Many ransomware infections exploit known vulnerabilities that have available patches—staying current eliminates these attack vectors.
- Use reputable antivirus with real-time protection: Install and maintain a current antivirus product, whether a commercial suite or the built-in Microsoft Defender, which has improved considerably. Ensure real-time scanning is active and definitions update automatically. Behavioral detection features can catch ransomware from its file-activity pattern, and Defender's Controlled Folder Access (Windows 10/11) blocks unapproved programs from modifying protected folders regardless of which scanner you run.
- Implement the principle of least privilege: Don't use administrator accounts for daily work; run as a standard user. This does not stop ransomware from encrypting files that user can already write, including their own documents, but it does block the administrative actions that make recovery harder, such as deleting Volume Shadow Copies, changing boot settings, or reaching other users' profiles and system-wide shares.
- Secure Remote Desktop Protocol access: If you use RDP, never expose it directly to the internet without a VPN. Use strong, unique passwords, enable Network Level Authentication, and implement account lockout policies after failed login attempts. Consider disabling RDP entirely if you don't actively use it.
Bring It In
Ransomware removal requires careful handling to avoid permanent data loss or incomplete cleaning that allows reinfection. If you're dealing with Locked_X or any file-encrypting malware, professional assistance dramatically improves your chances of recovery—or at minimum, ensures the infection is completely eradicated before you restore from backups. We have specialized tools and experience with ransomware families that go beyond consumer antivirus capabilities, and we can advise honestly about whether decryption is possible in your specific case or if restoration from backups is your best path forward.
Computer Repair Roswell is located in Roswell, Georgia, and we handle ransomware cases regularly for both residential and small-business clients. We'll assess the damage, remove the infection completely, attempt recovery from shadow copies and temporary files, and help you implement backup strategies to prevent this nightmare scenario from recurring. Call us at (770) 667-9487 or stop by the shop—we'll give you straight answers about what's recoverable and what isn't, and we'll get your system clean and protected against future attacks.