Today cyber security researchers have received reports of yet another ransomware called ‘Lokas file virus’, which is similar to earlier malicious programs of the same family (Cezor, Besub).
Lokas file virus is designed to encrypt user files, making them unusable, and the user is then asked to pay money to the scammers to get them back. The encryption uses AES-RSA technology, which makes it impossible for the user to unlock the affected data on their own without a special key, which is the only way to decrypt the encrypted data. It can be obtained only by paying the cyber fraudsters the amount they demand, which is $980.
The full text of Lokas ransom note:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-WbgTMF1Jmw
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
Once Lokas file virus gets onto the user’s computer, it blocks various files and data such as documents, tables, photos and video materials, archives and other important data. Files with the following extensions will be encrypted:
.litemod, .yal, wallet, .z3d, .zip, .1st, .hplg, .iwi, .zdb, .slm, .m2, .wn, .mef, .db0, .arch00, .lvl, .iwd, .map, .odb, .mddata, .mrwref, .arw, .sql, .mov, .vcf, .kf, .xls, .cr2, .w3x, .odm, .re4, .gdb, .wma, .avi, .cfr, .zw, .xlsm, .odc, .wire, .pef, .wmo, .wp4, .bay, .wp7, .p7c, .ntl, .srw, .3ds, .hkdb, .xdl, .z, .zdc, .sidd, .pdf, .xy3, .pptx, .wps, .wpt, .crt, .ysp, .m3u, .big, .itdb, .dng, .fsh, .upk, .bkp, .x3d, .wpa, .t13, .rofl, .css, .pkpass, .forge, .xxx, .wm, .pfx, .ff, .xlsx, .vtf, .wpd, .sis, .sr2, .csv, .0, .sav, .js, .rtf, .rim, .jpg, .bik, .qic, .ltx, .das, .wbd, .xld, .wpl, .vdf, .rgss3a, .itm, .docm, .bc7, .yml, .xll, .ai, .erf, .mlx, .sum, .dbf, .zif, .psk, .indd, .webp, .dwg, .cdr, .doc, .png, .wpd, .odp, .dba, .ibank, .bkf, .wp6, .bsa, .crw, .srf, .wp5, .ods, .odt, .wpb, .eps, .jpe, .dxg, .wb2, .hvpl, .epk, .wdp, .raf, .py, .wp, .orf, .ptx, .psd, .t12, .wbz, .syncdb, .rw2, .wps, .icxs, .tax, .rb, .vpk, .esm, .wri, .flv, .apk, .mdf, .xdb, .dcr, .layout, .zabw, .xyp, .xf, .x, .mp4, .webdoc, .dmp, .y, .pak, .pem, .xx, .dazip, .wgz, .sie, .gho, .ppt, .asset, .wbmp, .xmind, .bc6, .lrf, .wsd, .txt, .wot, .xlk, .wma, .wbc, .docx, .xbdoc, .accdb, .raw, .xlsb, .pptm, .xml, .vfs0, .7z, .pst, .lbf, .jpeg, .xwp, .3dm, .ybk, .xmmap, .menu, .wdb, .p7b, .mdb, .xlsm, .svg, .wcf, .xpm, .wbm, .wmv, .wpe, .1, .wmv, .d3dbsp, .wsc, .p12, .bar, .tor, .x3f, .qdf, .nrw, .xbplate, .wbk, .cas, .wpw, .vpp_pc, .wsh, .wmd
After the attack, all these files are blocked and the user cannot open them. As a result of the infection they get the .Lokas extension, and the user is led to understand that the only way to unlock them and make them work again is to pay the cybercriminals a ransom of $980. Sometimes they reduce the requested amount to $490, but in this case the user must transfer the money to the scammers within 72 hours to obtain a code that will help unlock the files affected by the Lokas ransomware using a complex digital algorithm.
Threat Summary
Name | Lokas |
Type | Crypto virus, Ransomware, File locker, Filecoder, Crypto malware |
Encrypted files extension | .lokas |
Ransom note | _readme.txt |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | Encrypted files. Files are encrypted with a .lokas file extension. Files named like ‘_readme.txt’ or ‘_readme’ in every folder with an encrypted file. |
Distribution methods | Spam or phishing emails that are designed to get people to open an attachment or click on a link. Drive-by downloading (when a user unknowingly visits an infected web-page and then malware is installed without the user’s knowledge). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a suspicious link). Flash Drive and other removable media. |
Removal | Lokas ransomware removal guide |
Decryption | Lokas files decryption steps |
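The symptoms in the summary above (files carrying the .lokas extension and a _readme.txt note in each affected folder) can be checked with a read-only scan. The following Python script is an added example, not part of the original guide; its function names and sample tree are constructed for illustration, and it goes slightly beyond the listed symptoms by also reporting the earliest write time of an encrypted file.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".lokas"                 # extension named on the page
NOTE_NAMES = {"_readme.txt", "_readme"}  # ransom note names from the page


def triage(root):
    """Walk root read-only and summarise Lokas indicators per the page."""
    original_types = Counter()   # report.docx.lokas counts as ".docx"
    note_dirs, hit_dirs, earliest = set(), set(), None
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()   # the page writes both .Lokas and .lokas
            if lower in NOTE_NAMES:
                note_dirs.add(folder)
            elif lower.endswith(ENCRYPTED_EXT):
                hit_dirs.add(folder)
                inner = os.path.splitext(lower[:-len(ENCRYPTED_EXT)])[1]
                original_types[inner or "(none)"] += 1
                mtime = os.path.getmtime(os.path.join(folder, name))
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "encrypted_total": sum(original_types.values()),
        "by_original_type": dict(original_types),
        "folders_with_note": sorted(note_dirs),
        # encrypted files but no note in the folder: worth a manual look
        "folders_missing_note": sorted(hit_dirs - note_dirs),
        "earliest_encrypted_utc": None if earliest is None else
            datetime.fromtimestamp(earliest, timezone.utc).isoformat(),
    }


def build_sample(root):
    """Constructed sample tree; file names and contents are made up."""
    layout = {"docs": ["report.docx.lokas", "budget.xlsx.Lokas", "_readme.txt"],
              "pics": ["cat.jpg.lokas", "clean.png"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Point `triage()` at a user profile or data drive to see which original file types were hit and which folders to prioritise during recovery.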
It is worth noting that users themselves are more to blame for the fact that the activities of Internet scammers, including the developers of the Lokas file virus, have spread more and more over time. The most common user error that leads to infection of the computer is an irresponsible attitude to computer security, expressed in rashly opening emails sent from questionable addresses and clicking on unknown and unsafe links. Another reason software can be exposed to a malicious program is the absence of an antivirus program on the computer that could protect it from this kind of virus.
Quick links
- How to remove Lokas ransomware
- How to decrypt .lokas files
- How to restore .lokas files
- How to protect your system from Lokas crypto virus?
- Finish words
How to remove Lokas ransomware
Using a malware removal utility to search for and delete crypto malware hiding on your personal computer is probably the simplest way to remove the Lokas ransomware virus. We recommend the Zemana Anti-Malware program for MS Windows computers. MalwareBytes Free and KVRT are other anti-malware tools for MS Windows that offer free malicious software removal.
How to remove Lokas with Zemana
Zemana is one of the best in its class. It can search for and remove a huge number of different security threats, including ransomware, trojans, adware, worms, spyware and malicious software that masquerades as legitimate system applications. Zemana Anti-Malware also includes another tool called FRST, a helpful program for manual removal of files and parts of the Windows registry created by the crypto virus.
Download Zemana Free by clicking on the link below.
When the download is complete, start it and follow the prompts. Once installed, Zemana Free will try to update itself. When this task is finished, press the “Scan” button to scan your machine for the Lokas ransomware virus, other malware, worms and trojans.
This task may take quite a while, so please be patient. To remove all items, simply press the “Next” button.
Zemana will begin to delete the Lokas crypto virus, other malicious software, worms and trojans.
How to remove Lokas with MalwareBytes Free
Manual Lokas ransomware virus removal requires some computer skills. Some files and registry entries created by the crypto malware may not be fully removed. We suggest that you use MalwareBytes Anti-Malware, which can completely clean your system of the ransomware virus. Moreover, this free application will help you to delete malicious software, PUPs, adware and toolbars that your personal computer may be infected with too.
Please go to the following link to download the latest version of MalwareBytes Free for MS Windows. Save it directly to your MS Windows Desktop.
Once the download is done, close all software and windows on your machine. Open the directory in which you saved it. Double-click on the icon that’s named mb3-setup, similar to the one below.
When the installation starts, you’ll see the “Setup wizard”, which will help you set up Malwarebytes on your computer.
Once installation is finished, you’ll see a window like the one in the image below.
Now press the “Scan Now” button. MalwareBytes will scan the whole machine for the Lokas ransomware virus and other kinds of potential threats like malware and trojans. This task may take some time, so please be patient. While the tool is scanning, you can see how many objects and files have already been scanned.
When the scan is finished, it will show the Scan Results. Next, you need to click the “Quarantine Selected” button.
Malwarebytes will now delete the Lokas crypto virus and other security threats and move the items to the program’s quarantine. When that process is complete, you may be prompted to reboot your system.
Remove Lokas file virus with KVRT
KVRT is a free removal utility that can be downloaded and used to remove ransomware viruses, adware, malicious software, potentially unwanted applications, worms and other threats from your PC system. You can use this tool to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it on your Microsoft Windows desktop.
When the download is done, double-click on the KVRT icon. Once the initialization procedure is complete, you will see the KVRT screen like the one below.
Click Change Parameters and set a check next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to scan your PC system for the Lokas file virus. This task can take some time, so please be patient. While KVRT is scanning, you can see how many objects it has identified as being malicious software.
When Kaspersky virus removal tool completes the scan, it will create a list of unwanted software and crypto viruses, as in the image below.
Make sure all threats have a ‘checkmark’ and press Continue to start the cleaning procedure.
How to decrypt .lokas files
With some variants of Lokas ransomware, it is possible to decrypt encrypted files using free tools.
Michael Gillespie released the Lokas decryption tool named STOPDecrypter. It can decrypt files if they were encrypted with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.
STOPDecrypter is a program that can be used for Lokas files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .lokas files using this free tool.
- Installing STOPDecrypter is simple. First you will need to download STOPDecrypter to your Windows Desktop from the following link:
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the download is done, close all applications and windows on your machine. Open the file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press the Decrypt button.
If STOPDecrypter does not help you to decrypt .lokas files, in some cases you still have a chance to recover the files that were encrypted by the ransomware. This is possible with the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .lokas files
In some cases, you can recover files encrypted by the Lokas crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Recover .lokas encrypted files using Shadow Explorer
An alternative is to recover .lokas documents, photos and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing documents, photos and music that were encrypted by the Lokas crypto virus. The guidance below will give you all the details.
Please go to the following link to download the latest version of ShadowExplorer for Windows. Save it on your MS Windows desktop.
After the download is finished, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, please open the ShadowExplorerPortable folder as shown below.
Double-click ShadowExplorerPortable to run it. You will see a window like the one below.
In the top left corner, choose the drive where the encrypted personal files are stored and the latest restore point, as shown on the screen below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click on it and select Export, as displayed below.
Restore .lokas files with PhotoRec
Before a file is encrypted, the Lokas crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recovery programs like PhotoRec.
Download PhotoRec on your system from the following link.
When the download is complete, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, please open the testdisk-7.0 folder as in the image below.
Double-click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed in the following example.
Select a drive to recover as displayed in the following example.
You will see a list of available partitions. Select a partition that holds encrypted files like below.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, press the Browse button to select where recovered documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is finished, click the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents as shown in the figure below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
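The sorting step described above, as an added Python example that is not part of the original guide: it groups the files in PhotoRec's recup_dir.N folders by extension, newest first, and goes one step further by checking each file's leading bytes against a few well-known signatures so that damaged recoveries stand out. The function names and the sample file names and contents are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Leading bytes of a few file types from the page's targeted-extension list.
SIGNATURES = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
              ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04"}
RECUP_DIR = re.compile(r"^recup_dir\.\d+$")   # PhotoRec output folders


def inventory(dest):
    """Group files in dest/recup_dir.N by extension, newest first."""
    groups = defaultdict(list)
    for entry in os.listdir(dest):
        folder = os.path.join(dest, entry)
        if not (RECUP_DIR.match(entry) and os.path.isdir(folder)):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(8)
            sig = SIGNATURES.get(ext)   # None: no signature known here
            status = ("empty" if not head else "unchecked" if sig is None
                      else "ok" if head.startswith(sig) else "bad-header")
            groups[ext].append((os.path.getmtime(path), path, status))
    return {ext: sorted(rows, reverse=True) for ext, rows in groups.items()}


def build_recup_sample(dest):
    """Constructed PhotoRec-style output; names and bytes are made up."""
    files = {"recup_dir.1/f0001.pdf": b"%PDF-1.4 constructed",
             "recup_dir.1/f0002.jpg": b"\xff\xd8\xff\xe0 constructed",
             "recup_dir.2/f0003.png": b"not really a png",
             "recup_dir.2/f0004.txt": b"plain text",
             "other/ignored.pdf": b"%PDF"}
    for rel, data in files.items():
        path = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_recup_sample(tmp)
        print({e: [r[2] for r in rows] for e, rows in inventory(tmp).items()})
```

Pass the folder chosen with the Browse button to `inventory()`; entries marked `bad-header` or `empty` are the ones to open and inspect first.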
How to protect your system from Lokas crypto virus?
Most antivirus apps already have a built-in protection system against crypto viruses. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Lokas ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download the latest version of HitmanPro.Alert for MS Windows. Save it on your Microsoft Windows desktop.
After the download is done, open the directory in which you saved it. You will see an icon like below.
Double-click the HitmanPro Alert desktop icon. When the utility starts, you will see a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
Now your system should be free of the Lokas crypto malware. Delete Kaspersky virus removal tool and MalwareBytes Free. We recommend that you keep Zemana Anti Malware (to periodically scan your machine for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Lokas ransomware from your computer, then ask for help here.