Read this article to learn how to remove and restore files encrypted by the latest version of Locky ransomware, using the file extension .lukitus and renaming your files after encryption.
A brand new version of Locky ransomware was detected by malware researchers, going by the file extension .lukitus, which means “Locky” in Finland. The virus has begun to be widespread heavily by different methods so users are advised to beware. After infecting your computer it immediately encrypts your files, changes your wallpaper and drops a ransom note file that aims to get you to purchase a so called, Locky Decryptor to recover your encrypted files. If you are one of the victims of this ransomware, we strongly suggest that you read this article to learn how to remove the .lukitus file infection and how to restore files encrypted by this ransomware.
|Main Activity||New version of Locky Ransomware. Infects the computer after which encrypts important documents and holds them hostage until a ransom is paid.|
|Signs of Presence||Files are encrypted with the .lukitus file extension.|
|Spread||Via malicious e-mail spam and set of infection tools.|
|File Recovery||Download Data Recovery Software, to see how many files encrypted by Locky ransomware you will be able to recover.|
Detailed Analysis of .lukitus File Virus
.lukitus is a new variant of the ransomware virus called Locky. Once your system has been compromised and infiltrated, .lukitus File Virus encrypts stored data using RSA-2048 and AES-128 cryptography. While the encryption is in action, .Diablo6 renames files using “[32_random_letters_and_digits].lukitus” pattern. For example, “sample.jpg” would be renamed to something like “D56F3331-E90D-9E17-2CF727B6-002116C2113F.lukitus”.
Following from this, both files created by .lukitus contain identical messages informing the victim of the encryption and essentially encouraging them to visit the .Diablo6 website. Due to .Diablo6 utilizing RSA and AES encryption algorithms, two unique keys are generated during the encryption which is being stored on a remote server. Hence, victims are told to pay a ransom in Bitcoin in exchange for the decryption. Detailed payment instructions are elicited on the .lukitus virus’s website. It is advisory never to trust cyber criminals, hence why when a payment is received, such criminals often ignore the victim afterwards and leave them empty-handed without a decryption key. It is therefore essential to consider that submitting a payment does not guarantee that your files will be restored. On the contrary, you will most likely be scammed. We strongly advise our readers to ignore all encouragements to pay up the ransom. As of yet and unfortunately, there are no tools that are capable of decrypting any files compromised by .lukitus file virus. If you have been affected by the .lukitus, the only thing you can do is to restore files/system from a backup.
There are other ransomware-type viruses to which the .lukitus is virtually identical to, such as Nemesis, GlobeImposter, Purge, BTCWare, Aleta etc. As with .lukitus, afore mentioned malware also encrypts victim’s files and initiates ransom demands. Therefore, there are only two major differences between ransom-type viruses:
- The Size of the ransom asked for.
- The type of encryption algorithm used.
Researchers state that most of these viruses use algorithms that generate unique decryption keys. It is therefore extremely hard to attempt to decrypt them manually without the assistance of a developer per se, and it is most likely impossible.
How Does the .lukitus Locky Ransomware Spread?
How to Remove Locky Decryptor Ransomware and Restore .lukitus Files
For the full instructions on how to remove Locky .lukitus ransomware and restore your files, check the steps below.
The bottom line is that .diablo6 Locky ransomware’s creators were back after a significant drop of ransomware infections by this virus. Their new virus adds a unique “.lukitus” file extension to the encrypted files which are no longer openable. The virus is believed to use an advanced AES+RSA encryption algorithm to scramble the code of the files and to have many added evasive techniques to it.
Not only this, but the ransomware is also believed to ask higher ransom payment in the cryptocurrency BitCoin from it’s victims. In case you have been infected by this .lukitus Locky variant of Locky ransomware, it is strongly advisable to immediately remove this virus. Since manual removal may not do the job for you, unless you have an extensive experience in this virus, we advise you to delete it automatically using an advanced anti-malware tool that will do it without further damaging the encrypted files.
Unfortunately at present times there is no decryption that will help you, because of the fact that the virus is new. However, you may want to attempt uploading your files to ID ransomware and wait for researchers to come up with a free decryptor sooner or later. You may also want to try data recovery software, but DO NOT delete the encrypted files or reinstall Windows because you may need them if a free decryptor is released by malware researchers.
Booting in Safe Mode
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out Locky in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of Locky, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate Locky‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type Locky or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type Locky Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type Locky in the search field.
Automatic Removal of Locky
Recover files encrypted by the Locky Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File history on your Windows Machine one thing you can do is to use Shadow Explorer to get your files back. Unfortunately some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: If you try to decrypt your files using third-party decryption tools. There are many antivirus providers who have decrypted multiple ransomware viruses the last couple of years and posted decryptors for them. Chances are if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. However, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: