My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Free Dr.Web utility restores files encrypted by Android.Locker.2.origin ransomware

September 24, 2014

Russian anti-virus company Doctor Web has released a free Dr.Web utility that decrypts files corrupted by Android.Locker.2.originransomware. Once an Android handheld is infected, the malicious program encrypts photos, documents, videos and other information stored on the SD card, locks the device's screen and demands a ransom to restore it to normal operation. To counter this threat, users of Dr.Web comprehensive protection software for Android can now request the utility from Doctor Web's technical support.

Discovered in May, the extortionist Android.Locker.2.origin poses extreme danger to user data. On an infected mobile device, the extortionist searches the available memory cards for files with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, and .3gp. It encrypts the files and adds the extension .enc to the filenames. Then the mobile device's screen is locked, and a message is displayed that accuses the user of distributing adult content and demands a ransom to unlock the device. To enhance the effect, the extortionist can also add a photo of the user, made with the handheld's front camera, to the ransom demand message.


After thoroughly examining the ransomware, Doctor Web designed a special utility that will most likely decrypt files corrupted by the malicious application, making it unnecessary for users to pay a ransom.

The utility scans the available SD card for encrypted files and attempts to restore one of them as a test. If successful, the program starts restoring all the corrupted files it has found. Backups of all the corrupted files are placed in the directory DrWebTemp before the utility attempts to decrypt them. All the recovered files are restored to their original location and the extension .enc is removed from their filenames. To avoid permanent data loss after the utility finishes its work, the directory DrWebTemp, which contains copies of the encrypted files, is not removed.


If your handheld has been compromised by Android.Locker.2.origin, follow these steps:

  • Do not try to restore the encrypted data on your own;
  • Contact Doctor Web's technical support. When filing a request, select ‘Cure request’ (this service is available free of charge);
  • Attach a file encrypted by the ransomware to your request;
  • Wait for a response from a virus analyst.

Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses. To get the utility, you have to be an owner of a commercial Dr.Web for Android, Dr.Web Security Space or Dr.Web Anti-virus license which includes technical support.

To ensure that your mobile device is continually protected from Android.Locker.2.origin and other Android threats, purchase Dr.Web for Android with advanced security features.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments