• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

MyAntiSpyware

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

.Lokf file extension. Remove Lokf virus. Restore, Decrypt .lokf files.

Myantispyware team November 8, 2019    

What is .Lokf file

.Lokf file extension is an extension that is associated with a new variant of dangerous ransomware called STOP (djvu). Variant ‘Lokf’ (v0181) was released this week, a few days after the previous version, called Mosk. It encrypts data on victim’s computer and appends filenames with .Lokf extension. All encrypted files become useless, their contents cannot be read without decryption. The criminals who created the ransomware demand a ransom in exchange for a key and a decryptor. Fortunately, a free decryptor was created that can decrypt files in some cases. Scroll through this article below to learn more about how to decrypt .lokf files.

.lokf file virus

Screenshot of files encrypted by Lokf virus (‘.lokf’ file extension)

Lokf virus encrypts files using a strong encryption algorithm. The virus uses a long key to encrypt files. This key is unique for each victim, therefore it excludes the possibility of using the same key to decrypt files on different computers. In some cases, when the virus cannot establish a connection to the command server (C&C), it uses the so-called offline key. This key is the same for all victims.

What is offline key

Lokf does not encrypt absolutely all files, as it will cause the computer to stop working. Therefore, the virus skips and does not encrypt Windows system files as well as files with the name ‘_readme.txt’. All other contents of the victim’s computer will be encrypted. It makes no difference where the files are located, on a hard drive or cloud storage. If at the time of the ransomware attack the device is connected to the computer and there are files on it, then they will be encrypted. For example, the following file types can be encrypted:

.dazip, .iwd, .yml, .srf, .zif, .wbd, .wbm, .wpb, .wri, .sis, .xmmap, .docm, .m3u, .rofl, .xwp, .wps, .crw, .bkp, .vtf, .eps, .dxg, .icxs, .t13, .qic, .zip, .svg, .wcf, .hplg, .pdd, .syncdb, .flv, .r3d, .wdb, .xlk, .wpe, .cdr, .kf, .z, .wp4, wallet, .rwl, .x3d, .wire, .z3d, .pptx, .webp, .mrwref, .wpl, .wmd, .wb2, .wmv, .xll, .wsc, .pdf, .ltx, .js, .upk, .rim, .vfs0, .wmf, .wma, .bc6, .mdb, .litemod, .lrf, .xpm, .zdb, .ff, .das, .y, .rb, .wp7, .xlsx, .odt, .dcr, .p7b, .bar, .gho, .der, .mef, .vpk, .xlgc, .forge, .kdc, .mov, .png, .fos, .xyw, .cas, .epk, .wp5, .ybk, .xls, .sid, .0, .xls, .pptm, .bsa, .dwg, .pak, .m2, .xml, .wpd, .ai, .xxx, .wpa, .sie, .dng, .qdf, .1st, .dmp, .wotreplay, .itm, .zi, .sav, .wgz, .wp, .tor, .rar, .zw, .x3f, .wps, .apk, .csv, .xdl, .xlsm, .gdb, .itdb, .wmo, .mp4, .psd, .desc, .xlsb, .hvpl, .jpg, .hkdb, .sum, .x, .mcmeta, .1, .raf, .xbdoc, .vpp_pc, .fsh, .pef, .arw, .p7c, .ibank, .jpe, .dba, .odp, .psk, .wbk, .vcf, .xf, .bkf, .xdb, .t12, .xlsm, .sidd, .wbz, .erf, .wm, .wdp, .py, .map, .yal, .wsh, .docx, .wsd, .doc, .w3x, .webdoc, .ptx, .bc7, .bik, .orf, .pst, .xlsx, .d3dbsp, .re4, .sb, .raw, .cer, .3fr, .fpk, .slm, .big, .db0, .odc, .wpg, .avi, .ztmp, .kdb, .sr2, .wp6, .wot, .pkpass, .wma, .vdf, .iwi, .txt, .nrw, .snx, .xld, .xmind, .sql, .xar, .zdc, .wmv, .css, .zabw, .indd, .pfx, .blob, .xyp, .xy3, .tax, .mdf, .cfr, .ppt, .xbplate, .esm, .wbc, .wpt, .srw, .mdbackup, .lbf, .dbf, .rtf, .xx, .accdb, .2bp, .itl, .ntl, .wav, .ncf, .mpqge

When the encryption is completed, all documents, pictures, databases and other files will be completely blocked. All encrypted files have a new .lokf extension, which clearly indicates that they were affected by the ransomware. If the file previously had the name ‘picture.jpeg’, now, after encryption, it has the name ‘picture.jpeg.lokf’. In each directory where the files were encrypted, the virus places a file named ‘_readme.txt’.

Lokf ransom note

Screenshot of the contents of ‘_readme.txt’ file (Lokf ransom note).

The information in this file is a message from Lokf authors, in which they inform the victim that the files were encrypted and the only way to decrypt them is to buy a key and a decryptor. Criminals demand a ransom of $490, if the victim does not transfer the money within 72 hours, the amount of the ransom will increase by two to 980. To confirm that decryption of the victim’s files is possible, the attackers behind Lokf virus offer to decrypt one file for free. An important condition is that this file should not contain important information and should be small in size. For communication with criminals, this message also contains a pair of addresses.

Threat Summary

Name Lokf
Type Ransomware, Crypto virus, File locker, Filecoder, Crypto malware
Encrypted files extension .lokf
Ransom note _readme.txt
Contact restoredatahelp@firemail.cc, gorentos@bitmessage.ch
Ransom amount $490,$980 in Bitcoins
Detection Names Trojan:Win32/Kryptik, FileRepMalware, TR/Crypt.Agent, Malware/Win32.NemtyRansom, Trojan.Encoder, Trojan-Ransom.Crypted, UDS:DangerousObject.Multi.Generic
Symptoms Files encrypted with .lokf extension. Your file directories contain a ‘ransom note’ file that is usually a _readme.txt file.
Distribution ways Adware, Setup files, Phishing Emails, Drive-by downloads, Adware, Torrents, Misleading websites.
Removal Lokf virus removal guide
Decryption Free Lokf Decryptor

 

The message of criminals that the files cannot be decrypted is, for the most part, true. Encrypted files cannot be decrypted without a decryptor. Fortunately, Emsisoft has developed a free decryptor. This utility can help everyone decrypt files and thus unlock their contents. Unfortunately, this decryptor is suitable only for those victims whose files are encrypted with an offline key. In other cases, this decryptor will skip files without decrypting them. In this situation, we recommend using alternative methods of data recovery.

If you became a victim of Lokf virus and your files were encrypted, we recommend using the following action plan, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual, then bookmark it, print it, or open it on your smartphone. So it will be more convenient for you to carry out all the necessary actions.

  1. Remove Lokf ransomware virus
  2. Decrypt .lokf files
  3. Restore .lokf files

Remove Lokf ransomware virus

The first step that you must perform is to scan your computer, find and remove Lokf ransomware virus. Do not try to immediately start decrypting files, skipping the first step, you risk losing all your files. To identify all components of Lokf virus, we recommend using free malware removal tools. Some of them, with brief instructions, are given below. If you have an antivirus, then perform a full scan using it, then use the programs offered below. Each of these programs can locate and remove various malware, including ransomware, but these tools cannot recover and decrypt files. To decrypt .lokf files, you need to complete this step, and then go to step 2.




Remove Lokf with Zemana Anti-Malware

Zemana Anti-Malware (ZAM) highly recommended, because it can scan for security threats such Lokf crypto virus, other malware and trojans that most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any Lokf removal problems which cannot be fixed by this tool automatically, then Zemana provides 24X7 online assistance from the highly experienced support staff.
 

Zemana Anti-Malware delete Lokf ransomware virus, other kinds of potential threats like malicious software and trojans

  • Download Zemana from the link below.
    Zemana AntiMalware
    Zemana AntiMalware
    165041 downloads
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  • Close all apps and windows on your computer. Run the downloaded file named Zemana.AntiMalware.Setup.
  • Click Next and follow the prompts.
  • Once install is complete, press the “Scan” button to perform a system scan for Lokf virus and other security threats.
  • Review the scan results and then press “Next” to remove the ransomware.

Remove Lokf with MalwareBytes

If you are having issues with the Lokf virus removal, then download MalwareBytes AntiMalware (MBAM). It is free for home use, and identifies and removes various malware that attacks your PC. MalwareBytes Free can remove ransomware, adware, spyware, PUPs, trojans, worms and other malware.
 

MalwareBytes Anti-Malware (MBAM) for MS Windows find Lokf ransomware and other security threats

  • Download MalwareBytes Anti-Malware by clicking on the link below.
    Malwarebytes Anti-malware
    Malwarebytes Anti-malware
    327268 downloads
    Author: Malwarebytes
    Category: Security tools
    Update: April 15, 2020
  • Close all programs. Double-click the install file called mb3-setup.
  • Follow the prompts and don’t make any changes to default settings.
  • Once setup is finished successfully, click Finish button. MalwareBytes will automatically start.
  • Click the “Scan Now” button to perform a system scan for Lokf crypto malware.
  • When the scanning is finished, MalwareBytes Anti-Malware will prepare a list of malware. Click “Quarantine Selected” button.

We recommend you look at the following video, which completely explains the process of using the MalwareBytes to remove malicious software.

Remove Lokf ransomware using Kaspersky virus removal tool

If MalwareBytes anti-malware or Zemana anti-malware cannot delete Lokf, then we suggests to use Kaspersky virus removal tool (KVRT). It is a free removal tool for ransomware, adware, trojans, worms, PUPs and other malware.
 

Kaspersky virus removal tool scan report

  • Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
    Kaspersky virus removal tool
    Kaspersky virus removal tool
    129295 downloads
    Author: Kaspersky® lab
    Category: Security tools
    Update: March 5, 2018
  • Run the downloaded file.
  • Click Start scan button to perform a system scan for Lokf crypto virus.
  • Review the report and then click on Continue.

How to decrypt .lokf files

Files with the extension .lokf are files that have been encrypted by the ransomware. The only way to decrypt them is to have a key and a decryptor. There is no guarantee that even after paying the ransom, the criminals will allow the victim to recover their files. Fortunately, Emsisoft created a decryptor that can use every victim of the virus to decrypt .lokf files.

STOP Djvu decryptor

STOP Djvu decryptor

To decrypt .lokf files, follow the easy steps below:

  • Go to the following link to download STOP Djvu decryptor.
    STOP Djvu decryptor
  • Scroll down to ‘New Djvu ransomware’ section.
  • Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
  • Run decrypt_STOPDjvu.exe, read the license terms and instructions.
  • On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

Today, this decryptor only decrypts files encrypted with offline key. Files that are encrypted with an online key will be skipped, their decryption is impossible (at least for today). If in your case the decryptor skips files, then you do not need to despair right away. Since Lokf vaiant appeared recently, researchers may not yet have found the offline key. Therefore, the decryptor, at first, can skip files, even encrypted with the offline key. Remember, even if the decryptor cannot help you, there is always the opportunity to restore files using alternative methods.

How to find out which key was used to encrypt files

Every victim of Lokf needs to know which key the virus used to encrypt files. It is easy to determine with what key the virus encrypted files, below we will describe two methods.

lokf personal id

Personal ID is highlighted here

Method 1.

  • Open the ransom note (‘_readme.txt’ file).
  • Scroll down to the end of the file.
  • There you will see a line with the text ‘Your personal ID’.
  • Below is a line of characters that starts with ‘0181’ – this is your personal id.

Method 2.

  • Open disk C.
  • Open directory ‘SystemID’.
  • Open file named PersonalID.txt. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.

If your Personal ID ends with ‘t1’, then your files are encrypted using an offline key. If your Personal ID does not end with ‘t1’, then Lokf used an online key. Even in this case, it is possible to restore the content of encrypted files. We will talk about this in the next section of this article.

If you determine that your files are encrypted with an offline key, but the decryptor does not decrypt them, then you just need to wait a while. Try decrypting your files every day. There is no need to update the decryptor, as it downloads keys automatically.

How to restore .lokf files

Fortunately, there are some alternative ways to recover encrypted files. Each of them does not suggest the use of a decryptor and a key, so these methods will suit all victims regardless of which key Lokf virus used to encrypt files. In addition, the use of these methods will not affect in any way the decryption of files using a free decoder. The only thing is that before you proceed with file recovery, be sure to check your computer for malware, you need to be 100% sure that the ransomware has been completely removed.




Run ShadowExplorer to recover .lokf files

A free utility named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can recover your files encrypted by Lokf crypto virus from Shadow Copies for free.

Download ShadowExplorer on your Windows Desktop by clicking on the link below.

ShadowExplorer
ShadowExplorer
439670 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like the one below.

ShadowExplorer folder

Double click ShadowExplorerPortable to start it. You will see the a window as displayed in the following example.

ShadowExplorer

In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).

ShadowExplorer

On right panel look for a file that you want to restore, right click to it and select Export as displayed on the image below.

ShadowExplorer recover file

Restore .lokf files with PhotoRec

The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a free tool called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.

Download PhotoRec on your MS Windows Desktop from the link below.

PhotoRec
PhotoRec
221321 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as on the image below.

PhotoRec for windows

Choose a drive to recover like below.

photorec select drive

You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music like below.

photorec select partition

Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is done, click OK button.

PhotoRec file formats

Next, click Browse button to choose where restored photos, documents and music should be written, then press Search.

photorec

Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.

When the restore is finished, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as on the image below.

PhotoRec - result of recovery

All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.

Finish words

This article was created to help all victims of Lokf virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .lokf files; how to recover files, if the decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this article has helped you. If you have questions, then write to us, leaving a comment below. If you need more help with Lokf related issues, go to here.

 

Virus

 Previous Post

How to remove Y2meta.com pop-up ads (Virus removal guide)

Next Post 

How to remove Sauwoaptain.com pop-ups (Virus removal guide)

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

17 Comments

  1. Smruti Ranjan Bihari
    ― November 8, 2019 - 7:02 am  Reply

    Hello sir, i am not able to decrypt the .lokf file please give me a better solution.

    1. Myantispyware team
      ― November 8, 2019 - 10:36 pm  Reply

      Unfortunately, there is no better solution. At the moment there is only one free decryptor and it can decrypt files encrypted with offline key. Alternative methods are using Shadow copies and data recovery programs.

  2. shev
    ― November 8, 2019 - 11:17 pm  Reply

    Hello sir, i am not able to decrypt the .lokf file
    i can do what
    thanks

  3. Murad Hossain
    ― November 9, 2019 - 4:20 am  Reply

    I need help. Suddenly, all my files were renamed, they now have the extension ‘.lokf’. I also found a file that says that my files were encrypted. Google search does not find any free decryptor. Can you tell me if there is a way to decrypt .lokf files?

  4. Freya Konssmithgen
    ― November 9, 2019 - 8:36 am  Reply

    The better solution is restore your windows.

  5. Mohamed Elsayed
    ― November 9, 2019 - 8:51 am  Reply

    Hello sir,
    My Filew were encrypted with .lokf online key … is there any hope to unlock these files with a decryptor

  6. Andrei
    ― November 9, 2019 - 2:44 pm  Reply

    Hello.
    I have followed the steps using PhotoRec tool, after scanning process, it has created a file with the name Recup_dir.1 as it was mentioned in the article, but witch has only a few dll files. However, I cannot access it.
    Is there something else I should try?

  7. Myantispyware team
    ― November 10, 2019 - 8:57 am  Reply

    Mohamed Elsayed, hope always remains. But you probably have to wait a long time.

  8. Myantispyware team
    ― November 10, 2019 - 9:01 am  Reply

    Andrei, at the step where you need to choose the ‘file formats’, have you selected all or specific file types?

  9. Billy Vincent
    ― November 10, 2019 - 10:02 am  Reply

    0181jYgs9f6sXcQBAGFsugQm8E2RNxtBhvV5rmQXZZWyCOoypV66

    This is my Personal ID
    Please, someone help me…
    Getting frustated right now…please someone help
    HARD CRY

  10. Luka
    ― November 12, 2019 - 5:11 pm  Reply

    Can you contact STOP djvu decryptor and ask them when will they make option for recovery of offline keys? And where can I report this .lokf malwer? To police, some expert or what? I don’t understand part with police.

  11. Luka
    ― November 12, 2019 - 5:12 pm  Reply

    Oh sorry, that part with police is on another site, nevermind about that. But still, my question about stop djvu decryptor team remains…

  12. Luka
    ― November 12, 2019 - 5:18 pm  Reply

    And yes, before ecrypting part, can check which keys are offline and which are online? And how to find disk C, and/or ransome note?

  13. Luka
    ― November 13, 2019 - 2:39 am  Reply

    How to enter disc C/ransom note? And can I check that before decrypting? Or I must exactly by your order?

  14. Myantispyware team
    ― November 13, 2019 - 9:24 pm  Reply

    To date, the offline key is still not found. Therefore, if the files are encrypted with the offline key, you just have to wait.

  15. Myantispyware team
    ― November 13, 2019 - 9:25 pm  Reply

    Billy, ‘0181jYgs9f6sXcQBAGFsugQm8E2RNxtBhvV5rmQXZZWyCOoypV66’ id means the files were encrypted with an online key.

  16. NoRN
    ― December 15, 2019 - 9:34 am  Reply

    con PhotoRec recuperé parte de los archivos, gracias y estaré revisando para poder ver si termino de recuperar todo lo demás, gracias por el artículo y muy bien explicado

Leave a Reply to Smruti Ranjan Bihari Cancel reply

New Guides

Split Max AC Reviews, Scam or Legit, Uncovering the Truth!
Nusayin Cooling Ace Review: Scam or Legit? What You Need to Know
Imwing Cooling Ace Reviews, Scam or Legit, Uncovering the Truth!
How to remove Amencest.co.in pop-up ads
scam alert
Don’t Get Tricked by GEROLAX.com: The Bitcoin Promo Code Scam

Follow Us

Search

Useful Guides

Smart Captcha Virus redirect
What is a Virus that Redirects Web Pages? A Comprehensive Guide
How to remove pop-up ads [Chrome, Firefox, IE, Opera, Edge]
Tech Support Scam
Remove Tech Support Scam pop-up virus [Microsoft & Apple Scam]
Managed by your organization chrome virus
Chrome Managed by your organization malware removal guide
Best free malware removal tools
Best Free Malware Removal Tools 2025

Recent Guides

y2meta.com
How to remove Y2meta.com pop-up ads (Virus removal guide)
Rialseerunmud.pro
How to remove Rialseerunmud.pro pop-ups (Virus removal guide)
mvideo.pro
How to remove Mvideo.pro pop-ups (Virus removal guide)
cnewvi.com
How to remove Cnewvi.com pop-ups (Virus removal guide)
Shireamentsp.info
How to remove Shireamentsp.info pop-ups (Virus removal guide)

Myantispyware.com

Myantispyware has been a trusted source for computer security and technology advice since 2004. Our mission is to provide reliable tech guidance and expert, practical solutions to help you stay safe online and protect your digital life.

Social Links

Pages

About Us
Contact Us
Privacy Policy

Copyright © 2004 - 2024 MASW - Myantispyware.com.