Computer security experts discovered a new variant of ransomware which called .Lolita ransomware. It appends the .Lolita extension to encrypted file names. This post will provide you a brief summary of information related to this new ransomware virus and how to restore all encrypted personal files for free.
“.Lolita file extension ransomware” – ransom note
Immediately after the launch, the .Lolita ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.vpp_pc, .xar, .1, .pptx, .wri, .bc6, .raw, .ysp, .wpg, .mddata, .wma, .rofl, .wmd, .qdf, .wmv, .wp6, .epk, .psd, .wsc, .wot, .pfx, .docm, .rgss3a, .zi, .iwd, .csv, .m2, .sql, .dng, .bik, .t13, .raf, .webdoc, .xbdoc, .yml, .cer, .wbmp, .wmf, .mdbackup, .xml, .sb, .css, .sum, .p7c, .mp4, .db0, .slm, .1st, .doc, .xls, .esm, .jpeg, .gdb, .arch00, .3fr, .xdb, .zip, .wpe, .js, .dbf, .mrwref, .dcr, .blob, .ntl, .vtf, .fos, .bsa, .dazip, .dwg, .wbc, .indd, .svg, .wdp, .py, .png, .zabw, .big, .docx, .ppt, .r3d, .apk, .xls, .cfr, .bar, .zdb, .kf, .wmv, .pst, .cas, .wpw, .xy3, .pdd, .yal, .srf, .wire, .txt, .xlk, .vcf, .kdb, .wma, .y, .odb, .wpd, .pak, .ptx, .odm, wallet, .pdf, .menu, .cdr, .der, .wpl, .mpqge, .x3f, .sav, .wb2, .odp, .d3dbsp, .wp7, .sie, .avi, .0, .wpd, .wbd, .crw, .mef, .p7b, .p12, .rb, .lrf, .dmp, .pkpass, .xlsx, .bkf, .asset, .sis, .srw, .crt, .lvl, .ods, .wp5, .x, .psk, .iwi, .wps, .snx, .flv, .odt, .hkx, .lbf, .xyp, .jpe, .xxx, .fpk, .ff, .pem, .rim, .itl, .bc7, .z, .hkdb, .ibank, .xlsm, .7z, .rtf, .nrw, .mlx, .wbz, .rwl, .dba, .m3u, .3dm, .xmind, .vdf, .vpk, .wps, .vfs0, .wpt, .x3d, .itm, .syncdb, .fsh, .w3x, .xyw, .bay, .zdc, .eps, .sidn, .mcmeta, .xbplate, .erf, .xld, .ws, .z3d, .arw, .wcf, .icxs, .layout, .wpb, .forge, .accdb, .t12, .xlgc, .wsh, .ybk, .odc, .hvpl, .ztmp, .webp, .wbm, .wotreplay, .wmo, .wn
When encrypting a file it will append the .Lolita extension to every encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.Lolita. Once the procedure is finished, it will drop a file named ‘How to restore files.TXT’ with ransom demanding message. It includes instructions on how to purchase a private key to decrypt all documents, photos and music. An example of the ransom instructions is:
Your files are now encrypted!
Your personal identifier:
–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: lolitahelp@cock.li
If you don’t get a reply or if the email dies, then contact us using this e-mail: lolitahelp@protonmail.com
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxps://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.
Unfortunately, there is no solution for victim’s to decrypt personal files for free. In the guidance below, I have outlined few methods that you can use to remove .Lolita ransomware virus from your computer and restore .Lolita files from a shadow volume copies or using file recover applications.
Table of contents
- How to decrypt .Lolita files
- How to remove .Lolita ransomware
- How to restore .Lolita files
- How to protect your PC from .Lolita ransomware
How to decrypt .Lolita files
Currently there is no available way to decrypt .Lolita files, but you have a chance to restore encrypted files for free. The ransomware virus uses very strong hybrid encryption with a large key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the .Lolita ransomware virus entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the developers of the .Lolita ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new virus.
How to remove .Lolita ransomware
There are not many good free antimalware programs with high detection ratio. The effectiveness of malicious software removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern viruses, adware, ransomwares and other malware. We suggest to run several applications, not just one. These programs that listed below will allow you get rid of all components of the .Lolita ransomware virus from your disk and Windows registry.
Automatically get rid of .Lolita ransomware with Zemana Anti-malware
We suggest using the Zemana Anti-malware. You can download and install Zemana Anti-malware to look for and delete .Lolita ransomware from your system. When installed and updated, the malware remover will automatically scan and detect all threats exist on the computer.
Click the following link to download Zemana. Save it on your Desktop.
164979 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is complete, close all applications and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as displayed in the figure below.
When the installation starts, you will see the “Setup wizard” which will help you install Zemana Anti-Malware on your system.
Once setup is complete, you will see window like below.
Now press the “Scan” button to start checking your computer for the .Lolita ransomware virus and other malicious software and potentially unwanted apps. This procedure may take some time, so please be patient. When a threat is detected, the number of the security threats will change accordingly.
After finished, Zemana will prepare a list of malware. Next, you need to press “Next” button.
The Zemana will delete .Lolita ransomware virus and other kinds of potential threats like malicious software and potentially unwanted apps and move threats to the program’s quarantine.
Run MalwareBytes to remove .Lolita ransomware virus
You can remove .Lolita ransomware automatically through the use of MalwareBytes Free. We recommend this free malware removal tool because it can easily remove ransomware virus, ad-supported software, malicious software and other undesired apps with all their components such as files, folders and registry entries.
Visit the page linked below to download the latest version of MalwareBytes AntiMalware for MS Windows. Save it to your Desktop.
327223 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the downloading process is done, close all software and windows on your computer. Double-click the install file named mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you setup MalwareBytes Free on your computer. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, press Finish button. MalwareBytes Anti Malware (MBAM) will automatically start and you can see its main screen as shown on the image below.
Now press the “Scan Now” button for scanning your PC system for the .Lolita ransomware and other malware. While the MalwareBytes Anti-Malware (MBAM) application is checking, you can see how many objects it has identified as threat.
After the system scan is finished, MalwareBytes will show a list of detected threats. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Quarantine Selected” button. The MalwareBytes Free will remove .Lolita ransomware virus and other kinds of potential threats and move items to the program’s quarantine. After the cleaning procedure is finished, you may be prompted to reboot the machine.
We suggest you look at the following video, which completely explains the process of using the MalwareBytes AntiMalware to remove ad supported software, browser hijacker infection and other malicious software.
Scan and clean your computer of ransomware with KVRT
If MalwareBytes antimalware or Zemana anti malware cannot remove this ransomware, then we suggests to run the KVRT. KVRT is a free removal tool for viruses, adware, ransomware and other malicious software.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Lolita ransomware and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your machine. During the scan Kaspersky virus removal tool will detect threats present on your machine.
Once the scan get completed, Kaspersky virus removal tool will show you the results as displayed below.
Next, you need to press on Continue to start a cleaning task.
How to restore .Lolita files
In some cases, you can restore files encrypted by .Lolita ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Use shadow copies to recover .Lolita files
In order to restore .Lolita photos, documents and music encrypted by the .Lolita ransomware from Shadow Volume Copies you can run a utility called ShadowExplorer. We suggest to use this method as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
Visit the following page to download ShadowExplorer. Save it to your Desktop.
439622 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the figure below.
Double click ShadowExplorerPortable to start it. You will see the a window like below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to recover, right click to it and select Export as shown in the figure below.
Restore .Lolita files with PhotoRec
Before a file is encrypted, the .Lolita ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore apps such as PhotoRec.
Download PhotoRec on your computer from the following link.
Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as displayed in the figure below.
Select a drive to recover as displayed on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown in the figure below.
Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to choose where recovered photos, documents and music should be written, then click Search.
Count of restored files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the figure below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .Lolita ransomware
Most antivirus programs already have built-in protection system against the virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your PC from .Lolita ransomware virus
Download CryptoPrevent on your computer from the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can choose a level of protection, as on the image below.
Now click the Apply button to activate the protection.
Finish words
After completing the steps shown above, your PC should be clean from .Lolita ransomware virus and other malware. Your computer will no longer encrypt your documents, photos and music. Unfortunately, if the few simple steps does not help you, then you have caught a new variant of virus, and then the best way – ask for help here.
