What is Lalo file extension
.Lalo file extension is an identifier that is appended to the name of files that have been encrypted by the Lalo ransomware virus. The Lalo ransomware is a new malware that belongs to the STOP (Djvu) ransomware family. It encrypts the victim’s files, changes the names of the affected files, adding .lalo extension to their name, creates a file called “_readme.txt” with a ransom demand message. After the files are encrypted, their contents become inaccessible. The Lalo authors demand to pay the ransom in exchange for the key and the decryptor necessary for decrypting the files. Fortunately, there is a free Lalo File Decrypt Tool and several other alternative methods that can help the ransomware victims decrypt .lalo files and restore the encrypted files to their original state.
Ransomware is one of the most dangerous types of computer viruses. What is characteristic of these viruses is that they stealthily encrypt files of the victim without giving themselves away. Most often, the victim does not notice the activity of a virus that encrypts files. Only when all the files are encrypted, it becomes clear that the computer was the victim of a ransomware attack. If you encounter such a situation, your computer was infected with the ransomware, and your files are encrypted with the .lalo file extension, know that we created this article for you and other people faced with the same problem. This article contains a guide with important information about Lalo ransomware, how it functions, how to remove the ransomware from a computer. But more importantly, this article contains detailed instructions with information on how to decrypt .lalo files, as well as what other methods exist to restore encrypted files without paying a ransom to criminals.
What is Lalo ransomware
Lalo ransomware is a malware that was created to encrypt files located on the victim’s computer, and then extort money to decrypt them. Lalo virus sneaks into the system without any visible symptoms, which is why users notice that their computer is infected too late, when the files are already encrypted.
Typically, ransomware like Lalo can infect a computer when installing programs downloaded from torrent web-sites as well as when running cracked games, freeware, key generators and other similar software. Upon execution, the virus creates a directory in the Windows system directory, copies itself to this directory, changes some OS settings, and also collects information about the infected computer. After that, Lalo virus tries to connect to its command server. If this succeeds, the virus sends data on the infected computer to the server, and from it receives a key (so-called ‘online key’) necessary for file encryption. If the connection to the command server has not been established, then the virus uses a fixed key (so-called ‘offline key’).
The main difference between an online key and an offline key is that the online key is in the hands of criminals and cannot be determined. The offline key is fixed and can be determined by security researchers. This gives hope that the ransomware victims will be able to decrypt files without paying ransom.
What is Lalo file
Lalo file is a file that has been encrypted by the Lalo ransomware and therefore the contents of this file are locked. Each file that has been affected by the virus is renamed in such a way that the ‘.lalo’ extension is added to its old name on the right. This means the following, if the file was named ‘document.docx’, then after it is encrypted, it will be called ‘document.docx.lalo’. Each file on the victim’s computer becomes the target of the Lalo virus. No matter where the file is located, on the internal drive or network storage, this file will be encrypted. The ransomware only does not encrypt files in the OS system directories, files with the extension .dll, .lnk, .bat, ini, .sys and files named ‘_readme.txt’. Thus, the following types of files can be encrypted:
.p12, .zabw, .wmd, .pak, .cfr, .xlgc, .xmind, .odb, .1st, .asset, .wpl, .bkf, .odc, .x, .doc, .eps, .wmo, .sis, .webp, .2bp, .menu, .sb, .xls, .mdf, .apk, .dxg, .gdb, .docm, .jpeg, .zif, .ai, .xar, .dmp, .bar, .hkx, .wpg, .svg, .x3f, .xmmap, .wri, .iwi, .epk, .yml, .tax, .r3d, .vpp_pc, .big, .m4a, .xwp, .xlsm, .upk, .txt, .ppt, .gho, .xyw, .wpe, .xx, .xlsm, .csv, .xlk, .wb2, .syncdb, .accdb, .y, .x3d, .wdp, .mcmeta, .7z, .srw, .vtf, .wbd, .bay, .indd, .xpm, .m3u, .xdb, .arch00, .wps, .rim, .fos, .jpg, .hkdb, .sid, .pptx, .odp, .lvl, .xlsb, .t13, .wmv, .rar, .crt, .xlsx, .3fr, .zip, .wbz, .rofl, .crw, .wp4, .wsd, .odm, .rwl, .esm, .pef, .jpe, .ntl, .bsa, .xml, .ysp, .x3f, .sie, .cdr, .lbf, .wsc, .pptm, .wot, .avi, .wpw, .rw2, .itm, .zi, .mov, .sum, .mrwref, .wm, .desc, .ibank, .rb, .hvpl, .db0, .png, .sav, .wbmp, .sr2, .zip, .p7b, .pkpass, .snx, .psk, .3ds, .re4, .wn, .dcr, .flv, .blob, .pst, .orf, .raf, .m2, .cr2, .wbm, .layout, .wav, .arw, .hplg, .fsh, .wpt, .itl, .dazip, .wma, .p7c, .wp, .1, .wcf, .wp6, .js, .bik, .mp4, .raw, .mlx, .cer, .xbplate, .py, .litemod, .d3dbsp, .nrw, .srf, .wdb, .wps, .lrf, wallet, .wpd, .mef, .kdc, .bc7, .bkp, .wsh, .vfs0, .pfx, .psd, .dba, .docx, .forge, .sql, .itdb, .mdb, .wmf, .qdf, .das, .ncf, .ff, .z, .kdb, .ptx, .ybk, .wbk, .vdf, .wbc, .xdl, .icxs, .xyp, .odt, .css, .vpk, .ods, .xbdoc, .dng, .der, .xf, .rtf, .wgz, .zdb, .mddata, .wpa, .wmv, .dbf, .fpk, .ztmp, .ltx, .wpd, .xy3
As we said, ‘Lalo file’ is an encrypted file. To decrypt it, you must use the key and the decryptor. This is reported by the authors of Lalo virus, in a message that they leave on the infected computer. This message is in a file called ‘_readme.txt’. The criminals place such a file in every directory where there is at least one encrypted file. An example of the contents of this file is given below.
The contents of this file are a ransom demand message. Criminals report that all files on the computer are encrypted, and only the key and decryptor can decrypt these files and restore access to their contents. Attackers demand a ransom of $980 in exchange for a key and a decryptor. If the victim is ready to pay the ransom quickly, within 72 hours, the size of the ransom is halved to $490. The authors of the virus offer to decrypt one Lalo file for free and thus prove the possibility that the files can be decrypted.
|Type||Crypto malware, File locker, Crypto virus, Filecoder, Ransomware|
|Encrypted files extension||.lalo|
|Ransom amount||$300-$1000 in Bitcoins|
|Detection Names||Ransom.Stop.MP4, Win32/GenKryptik.EILS, Trojan.Malware.300983.susgen, BehavesLike.Win32.Downloader.bc, Trojan-Ransom.Win32.Stop.mh, Trojan:Win32/Mokes.PVD!MTB, Gen:NN.ZexaF.34106.WqW@aa5Av@hG|
|Symptoms||Photos, documents and music won’t open. All of your personal files have a odd file extension appended to the filenames. Files called like ‘_readme.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. You have received instructions for paying the ransom.|
|Distribution methods||Unsolicited emails that are used to deliver malware. Malicious downloads that happen without a user’s knowledge when they visit a compromised web site. Social media, like web-based instant messaging programs. Malvertising campaigns.|
|Removal||Lalo ransomware removal guide|
|Decryption||Lalo File Decrypt Tool|
How to remove Lalo ransomware, Recover, Decrypt .lalo files
Security researchers confirm that files with .lalo extension are encrypted and to decrypt them you need to use a key and special software – decryptor. Fortunately there is a Lalo File Decypt Tool which was created by Emsisoft and named Stop (djvu) decryptor. This tool allows everyone to decrypt .lalo files completely free. Unfortunately, this decryptor is limited in that it can only decrypt files encrypted with an offline key, files encrypted with an online key cannot yet be decrypted. The reason for this is that only the Lalo ransomware creators have the online key and this key cannot be determined or cracked. In addition to using the Lalo File Decypt Tool from Emsisoft, there are several other ways to restore the content of encrypted files.
The instructions below detail how to remove Lalo ransomware virus, decrypt .lalo files, and also how to recover encrypted files if the free Lalo File Decypt Tool could not decrypt them. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
To remove Lalo ransomware virus & Recover, Decrypt .lalo files, use the following steps:
- How to remove Lalo ransomware
- How to decrypt .lalo files
- How to restore .lalo files
- How to protect your computer from Lalo ransomware
How to remove Lalo ransomware
Of course, if you become a victim of ransomware, the first thing you need to do is perform a full scan of your computer, find and remove Lalo ransomware. If there is no antivirus on your computer, then you need to install it; if there is an antivirus, update it and then perform a full scan. In addition to an antivirus, we strongly recommend that you use free malware removal tools. The utilities below will help you find all the components of the ransomware, and then remove it. Do not use only one utility, at least two, since they use different engines, this will significantly increase the chances that Lalo will be completely removed.
Remove Lalo ransomware with Zemana
Zemana Anti Malware can scan for all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Lalo ransomware virus, you can easily and quickly delete it.
Visit the page linked below to download Zemana Anti-Malware (ZAM) installation package called Zemana.AntiMalware.Setup on your machine. Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Start the setup file after it has been downloaded successfully and then follow the prompts to install this tool on your computer.
During install you can change some settings, but we suggest you don’t make any changes to default settings.
When installation is complete, this malware removal utility will automatically run and update itself. You will see its main window as shown in the following example.
Now click the “Scan” button for checking your computer for the Lalo ransomware, other kinds of potential threats like malware and trojans. A system scan may take anywhere from 5 to 30 minutes, depending on your computer. While the tool is scanning, you may see number of objects and files has already scanned.
Once the scan is finished, Zemana will open a screen which contains a list of malicious software that has been detected. You may remove items (move to Quarantine) by simply click “Next” button.
The Zemana Free will uninstall Lalo ransomware, other malware, worms and trojans and move threats to the program’s quarantine. After the procedure is finished, you can be prompted to reboot your computer to make the change take effect.
Remove Lalo virus with MalwareBytes AntiMalware (MBAM)
We recommend using the MalwareBytes AntiMalware which are completely clean your machine of the ransomware virus. This free utility is an advanced malware removal application made by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It is able to help you uninstall ransomware, PUPs, malicious software, adware, toolbars, and other security threats from your machine for free.
MalwareBytes can be downloaded from the following link. Save it directly to your Windows Desktop.
Category: Security tools
Update: April 15, 2020
Once the download is done, run it and follow the prompts. Once installed, the MalwareBytes Free will try to update itself and when this process is finished, press the “Scan Now” button . MalwareBytes program will scan through the whole computer for the Lalo ransomware virus and other security threats. This procedure may take some time, so please be patient. In order to delete all items, simply click “Quarantine Selected” button.
The MalwareBytes Free is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we suggest you to read and follow the step-by-step guide or the video guide below.
If the problem with Lalo ransomware virus is still remained
If you have already used some malware removal tools, they found and removed malware, then in order to be 100% sure that the computer no longer has Lalo crypto malware, we recommend using the Kaspersky virus removal tool (KVRT). This tool, as its name suggests, is made by the Kaspersky lab and uses the core of the Kaspersky Antivirus. Unlike the Kaspersky Antivirus, KVRT has a smaller size and, most importantly, it can work together with an already installed anti-virus. This tool has great capabilities and therefore we advise using KVRT in the last turn to be sure that the Lalo crypto virus has been removed.
Download Kaspersky virus removal tool (KVRT) from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen like the one below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan for the Lalo crypto malware . A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your PC system. During the scan KVRT will search for threats exist on your PC.
As the scanning ends, KVRT will display you the results as displayed below.
Once you’ve selected what you wish to remove from your PC system click on Continue to begin a cleaning procedure.
How to decrypt .lalo files
All files with .lalo extension are encrypted and the only way to access their contents is to decrypt them. To decrypt .lalo files, you need to use a unique key and the Lalo File Decypt Tool. As we said above, Emsisoft company was able to create a decryptor and found a way in some cases to determine the key that was used to encrypt the files. This allows victims of the virus to decrypt .lalo files for free.
To decrypt .lalo files, use free Lalo File Decypt Tool
- Download Lalo File Decypt Tool from the following link.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Lalo File Decypt Tool is a free software that can decrypt files that were encrypted with an offline key, as Emsisoft found a way to determine this key. Unfortunately, files encrypted with an online key cannot yet be decrypted. The online key is unique to each infected computer, and at the moment there is no way to find this key. Of course, criminals have this key, but we do not think that paying a ransom is a way to decrypt .lalo files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using alternative methods, which are described below.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt the files. This is very important, since the type of key determines whether it is possible to decrypt .lalo files for free. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0220’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Lalo ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
Lalo File Decypt Tool : No key for New Variant offline ID
If during decryption of .lalo files the Lalo File Decypt Tool reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .lalo files from time to time. You can also use alternative ways listed below for recovering encrypted data.
Lalo File Decypt Tool : No key for New Variant online ID
If, when you try to decrypt .lalo files, the Lalo File Decypt Tool reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Lalo authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .lalo files
If your files were encrypted with .lalo extension, then there is a chance that you can recover the files without decryption. We recommend using PhotoRec and ShadowExplorer that are designed to find and recover lost and deleted data. Mostly such programs are paid, but these tools can restore your files for free. Each of these tools has helped many times to recover files after ransomware infection in what would seem to be the most hopeless cases. We want to remind you that before you try to recover files, you need to check your computer for ransomware using free malware removal tools. It is very important to find the Lalo virus and completely remove it.
Use shadow copies to recover .lalo files
Modern versions of the Windows OS have one very useful feature. The Windows automatically makes copies of the files you use. These copies are called ‘Shadow Volume Copies’ and are not directly visible to the user. ShadowExplorer will allow you to get easy access to these files, and thus restore the original state of encrypted files. Of course, not everything is so simple, unfortunately very often ransomware deletes these copies, thus preventing the simple recovery of encrypted files. But in some cases, copies of the files remain and allow for quick file recovery. Therefore, our opinion, you need to try this method.
Download ShadowExplorer from the link below.
Category: Security tools
Update: September 15, 2019
After downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the Lalo crypto malware as displayed below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as shown on the screen below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Run PhotoRec to recover .lalo files
There is another very good way to recover .lalo files – use a tool that finds and restores deleted files. We recommend using PhotoRec. This is one of the few programs that allows you to do this for free. The reason that allows you to recover encrypted files using this method is simple – when you or any program, including the ransomware, deletes the file, this file is not deleted, the Windows OS marks it as deleted and hides it. PhotoRec finds such deleted files and restores them. Thus, at the output, you get files in an unencrypted state. The only thing I want to draw your attention to is that the less you used your computer after ransomware infection, the higher your chance of recovering encrypted files.
Download PhotoRec on your Windows Desktop from the link below.
Category: Security tools
Update: March 1, 2018
Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as shown on the screen below.
Select a drive to recover as displayed on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown on the screen below.
Click File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as shown on the screen below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your computer from Lalo ransomware
Most antivirus software already have built-in protection system against the crypto malware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Please go to the following link to download the latest version of HitmanPro Alert for Microsoft Windows. Save it on your Windows desktop or in any other place.
Category: Security tools
Update: March 6, 2019
When the downloading process is complete, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is opened, you will be displayed a window where you can choose a level of protection, as shown on the image below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of Lalo ransomware virus. We tried to give answers to the following questions: how to remove Lalo ransomware; how to decrypt .lalo files; how to recover files, if the Lalo File Decypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Lalo related issues, go to here.