Computer security professionals discovered a new variant of the Locky ransomware which called Lukitus virus. It renames files and appends the Lukitus extension to encrypted file names. This article will provide you with all the things you need to know about ransomware infection, how to remove Lukitus ransomware virus from your computer and how to decrypt .Lukitus or restore all encrypted documents, photos and music for free.
The Lukitus is a ransomware virus, which made to encrypt the personal photos, documents and music found on infected PC using a hybrid AES + RSA encryption mode, appending Lukitus extension to all encrypted personal files. Once the encryption process is done, it will open a ransom demanding message offering decrypt all users personal files if a payment is made.
Table of contents
- What is Lukitus virus
- How to decrypt .Lukitus files
- How to remove Lukitus ransomware virus
- Recovering files encrypted by Lukitus ransomware infection
- How to prevent your PC from becoming infected by Lukitus virus?
- How does your PC get infected with Lukitus ransomware
- To sum up
The ransomnote encourages victim to contact Lukitus’s makers in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. Especially since you have a chance to restore your photos, documents and music for free using free utilities like ShadowExplorer and PhotoRec.
We recommend you to get rid of Lukitus ransomware virus ASAP, until the presence of the ransomware infection has not led to even worse consequences. You need to follow the guidance below that will help you to completely remove Lukitus virus from your personal computer as well as recover encrypted personal files, using only few free utilities.
What is Lukitus
Lukitus is a new variant of Locky crypto virus (malicious software that encrypt personal files and demand a ransom). It affects all current versions of MS Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses RSA-2048 key (AES 256-bit encryption method) to eliminate the possibility of brute force a key that will allow to decrypt encrypted personal files.
When the virus infects a computer, it uses system directories to store own files. To run automatically whenever you turn on your system, Lukitus ransomware infection creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware infection uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.xlsm, .wot, .p7c, .jpe, .xx, .xbdoc, .bc6, .epk, .mlx, .rim, .xbplate, .mdbackup, .kf, .y, .litemod, .xlsb, .sie, .wp6, .rofl, .xld, .wp, .wdp, .rwl, .wmo, .r3d, .dmp, .pptx, .indd, .mov, .nrw, .flv, .x3f, .ntl, .mdf, .wdb, .odm, .1, .xll, .pdf, .pem, .ods, .menu, .arch00, .yml, .x3f, .sum, .ws, .qdf, .lvl, .wb2, .xar, .xlsx, .vfs0, .wpa, .wpt, .d3dbsp, .pdd, .wbmp, .mddata, .xpm, .bsa, .wsd, .xxx, .wsc, .raf, .wgz, .wsh, .docm, .crt, .xml, .3fr, .wav, .bay, .eps, .kdb, .xdl, .itm, .zi, .tor, .pfx, .ff, .cr2, .crw, .wcf, .pptm, .lbf, .7z, .jpeg, .wp4, .3dm, .sql, .mdb, .doc, .itdb, .rar, .sidn, .wpb, .arw, .vpp_pc, .dng, .accdb, .ptx, .wma, .hvpl, .csv, .srf, .asset, .wotreplay, .wire, .py, .lrf, .bkf, .bkp, .3ds, .xls, .pak, .p7b, .wp7, .xwp, .wpd, .re4, .xyp, .odt, .pkpass, .bc7, .pst, .xy3, .bar, .raw, .wbm, .sav, .mcmeta, wallet, .t13, .psk, .webdoc, .wbc, .rtf, .p12, .gho, .odp, .xf, .dazip, .t12, .wps, .js, .ncf, .vtf, .zip, .xlgc, .wbz, .icxs, .esm, .apk, .das, .tax, .vdf, .cdr, .snx, .layout, .xmmap, .svg, .m4a, .iwd, .xlsx, .wmv, .kdc, .2bp, .iwi, .w3x, .wri, .orf, .dbf, .mpqge, .wp5, .wmf, .hplg, .wbk, .xlsm, .xmind, .desc, .xyw, .z, .webp, .fsh, .rw2, .hkdb, .yal, .sid, .avi, .cer, .sis, .dba, .odc, .zip, .fos, .rb, .xdb, .mp4, .bik, .zdb, .x3d, .ai, .xlk, .sr2, .wpe, .mrwref, .zw, .m2
Once a file is encrypted, its extension replaced to Lukitus. Next, the ransomware creates a file named “lukitus.htm”. This file contain guide on how to decrypt all encrypted files. An example of the guidance is:
IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site.
!!! Your personal identification ID: !!!
The Lukitus ransomware actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a ransom demanding message on the desktop. It is trying to force the user of the infected computer, do not hesitate to pay a ransom, in an attempt to restore their photos, documents and music.
How to decrypt .Lukitus files
Currently there is no available way to decrypt Lukitus files, but you have a chance to recover encrypted files for free. The virus repeatedly tells the victim that uses RSA-2048 key (AES 256-bit encryption method). What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the creators of the Lukitus virus entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the makers of the Lukitus virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
How to remove Lukitus ransomware virus
There are not many good free anti malware applications with high detection ratio. The effectiveness of malicious software removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern malicious software, ad-supported software, ransomware infections and other potentially unwanted software. We recommend to use several programs, not just one. These programs which listed below will help you get rid of all components of the Lukitus ransomware from your disk and Windows registry.
Remove Lukitus ransomware virus with Zemana Anti-malware
We suggest using the Zemana Anti-malware. You may download and install Zemana Anti-malware to detect and remove Lukitus ransomware virus from your PC. When installed and updated, the malware remover will automatically scan and detect all threats exist on the PC.
Download Zemana antimalware from the link below.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
After the download is finished, start it and follow the prompts. Once installed, the Zemana anti malware will try to update itself and when this procedure is finished, click the “Scan” button to begin scanning your computer for the Lukitus ransomware and other trojans and malicious software.
A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While the tool is checking, you may see how many objects it has identified as being infected by malicious software. Review the scan results and then click “Next” button.
The Zemana anti-malware will start removing all detected folders, files, services and registry entries.
Delete Lukitus virus with Malwarebytes
You can get rid of Lukitus ransomware automatically with a help of Malwarebytes Free. We recommend this free malicious software removal tool because it can easily delete ransomware infections, ad supported software, potentially unwanted programs and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes Free on your MS Windows Desktop from the link below.
Category: Security tools
Update: November 9, 2017
When the download is done, close all windows on your PC system. Further, open the file named mb3-setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
It will display the “Setup wizard” which will help you install Malwarebytes on the PC system. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, click Finish button. Then Malwarebytes will automatically start and you can see its main window like below.
Next, click the “Scan Now” button to perform a system scan with this utility for the Lukitus ransomware . Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the utility is checking, you can see how many objects it has identified either as being malicious software.
Once finished, it will show a list of all threats found by this utility. When you’re ready, click “Quarantine Selected” button.
The Malwarebytes will start removing Lukitus ransomware infection and other security threats. Once disinfection is finished, you can be prompted to restart your computer. We recommend you look at the following video, which completely explains the procedure of using the Malwarebytes to remove virus, ‘ad supported’ software and other malware.
Remove Lukitus ransomware virus with KVRT
The KVRT tool is free and easy to use. It can scan and remove ransomware like Lukitus, malicious software, potentially unwanted programs and ad-supported software in Google Chrome, Internet Explorer, FF and MS Edge internet browsers and thereby return their default settings (homepage, new tab and default search engine). KVRT is powerful enough to find and get rid of malicious registry entries and files that are hidden on the PC.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link and save it directly to your Microsoft Windows Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
After downloading is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for checking your computer for the Lukitus virus and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your system. When a threat is detected, the count of the security threats will change accordingly. Wait until the the checking is finished.
When the system scan is done, you will be displayed the list of all detected items on your PC as shown in the figure below.
Review the scan results and then press on Continue to start a cleaning procedure.
Restoring files encrypted with Lukitus ransomware
In some cases, you can recover files encrypted by Lukitus ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Use shadow copies to recover .Lukitus files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download ShadowExplorer on your personal computer by clicking on the following link. This utility is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
Category: Security tools
Update: February 12, 2016
When the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Start ShadowExplorerPortable. You will see the a window as displayed on the image below.
From the first drop down list you can choose a drive that contains encrypted files, from the second drop down list you can choose the date that you wish to restore from. 1 – drive, 2 – restore point, as displayed on the screen below.
Righ-click entire folder or any one encrypted file and select Export, as shown below.
It will open a dialog box which asking whether you would like to restore a file or the contents of the folder to.
Restore .Lukitus files with PhotoRec
Before a file is encrypted, the Lukitus ransomware infection makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore applications such as PhotoRec.
Download PhotoRec by clicking on the link below and save it to your Desktop.
Category: Security tools
Update: March 23, 2016
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as on the image below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the following example.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is done, press OK button.
Next, press Browse button to select where restored personal files should be written, then press Search.
Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your computer from becoming infected by Lukitus ransomware?
Most antivirus software already have built-in protection system against the ransomware infection. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your system from Lukitus ransomware virus
Download CryptoPrevent on your MS Windows Desktop from the following link.
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection, as displayed on the screen below.
Now press the Apply button to activate the protection.
How does your computer get infected with Lukitus ransomware
The Lukitus ransomware is distributed through the use of spam emails. Below is an email that is infected with a virus like Lukitus ransomware.
Once this attachment has been opened, this ransomware will be started automatically as you do not even notice that. The Lukitus ransomware virus will start the encryption procedure. When this process is complete, it’ll display the usual ransom demanding message like above on lukitus.htm.
To sum up
After completing the tutorial above, your computer should be clean from Lukitus ransomware and other malware. Your PC will no longer encrypt your documents, photos and music. Unfortunately, if the few simple steps does not help you, then you have caught a new variant of virus, and then the best way – ask for help.
- Download HijackThis from the link below and save it to your Desktop.
Category: Security tools
Update: November 7, 2015
- Double-click on the HijackThis icon. Next click “Do a system scan only” button.
- Once the scan get completed, the scan button will read “Save log”, click it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Lukitus ransomware infection.