Lukitus ransomware virus. How to remove? (Uninstall guide)

Removal guide by Jake Doevan | Type: Ransomware

Lukitus ransomware rampages worldwide as its developers successfully distribute the virus via malicious spam


Lukitus is a new variant of the Locky virus that was spotted spreading via malicious spam emails in August 2017. This ransomware-type program uses the RSA-2048 and AES-128 ciphers to encrypt files and marks them with the .lukitus file extension. It then drops two new files, lukitus.bmp and lukitus.htm, which describe the only (and expensive) data recovery option offered by the attackers: purchasing the Locky decryptor.

Lukitus virus not only encrypts files but renames them as well. Just like the Diablo6 version that emerged a few weeks earlier,[1] this threat follows the same scheme for changing filenames. The new name of an encrypted file is built from the victim's ID and random characters:

[first 8 characters of ID]-[next 4 characters of ID]-[next 4 characters of ID]-[4 characters]-[12 characters].lukitus

Once the targeted data is locked with the strong cipher, Lukitus ransomware replaces the computer's desktop wallpaper with the lukitus.bmp image. The new wallpaper carries a short but threatening message from the cyber criminals: victims are told that their data has been encrypted and are urged to open lukitus.htm for more information about data recovery.

The HTM file includes the victim's ID number and states that the only way to decrypt the files is to purchase Locky Decryptor for 0.49 Bitcoins. That is a huge sum of money, equal to about $2,000. We do not recommend paying it, because it may lead to money loss only.
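The filename layout and the two ransom note files described above are enough to triage a file listing without touching the malware itself. The script below is an added example, not code from the original page; it assumes the ID groups are uppercase hexadecimal (the page only says "characters") and uses a constructed directory listing rather than real indicators.

```python
import re
from collections import Counter

# Filename layout described above: the first three groups (8-4-4) are the
# victim ID, followed by a 4-character and a 12-character random group.
# Assumption (not stated on the page): the groups are uppercase hex, as in
# earlier Locky variants; loosen to [0-9A-Za-z] if your samples differ.
LUKITUS_NAME = re.compile(
    r"^(?P<id>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.lukitus$"
)
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}


def triage(filenames):
    """Classify file names (e.g. from a directory walk) and return a summary:
    encrypted-file count, victim IDs seen, and which ransom notes are present."""
    ids = Counter()
    notes = set()
    for name in filenames:
        base = re.split(r"[\\/]", name)[-1]  # tolerate both path separators
        m = LUKITUS_NAME.match(base)
        if m:
            ids[m.group("id")] += 1
        elif base.lower() in RANSOM_NOTES:
            notes.add(base.lower())
    return {
        "encrypted": sum(ids.values()),
        "victim_ids": dict(ids),
        "notes": sorted(notes),
        # renamed files plus at least one note is a strong signal; a lone
        # note file could be a leftover from an earlier, cleaned incident
        "infected": bool(ids) and bool(notes),
    }


# Constructed sample listing (not real indicators), as a walk might return it.
SAMPLE = [
    "C:/Users/alice/Documents/0A1B2C3D-4E5F-6A7B-8C9D-0123456789AB.lukitus",
    "C:/Users/alice/Documents/0A1B2C3D-4E5F-6A7B-1F2E-ABCDEF012345.lukitus",
    "C:/Users/alice/Documents/lukitus.htm",
    "C:/Users/alice/Desktop/lukitus.bmp",
    "C:/Users/alice/Documents/report.docx",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A consistent victim ID across every renamed file is also a quick sanity check that you are looking at one infection rather than files copied in from another machine.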

Just like the other Locky variants, Lukitus uses the same ransom note template and payment website. This shows that the cyber criminals behind this malicious program are consistent in their work.

Unfortunately, Lukitus removal will not recover the corrupted files: neither Locky nor its variants are decryptable. However, eliminating the crypto-malware is still necessary, because it makes critical system changes and might put your data or privacy at risk.

Therefore, as soon as you learn about the attack, obtain reputable security software and remove Lukitus from the PC. For this task, we suggest using Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus.

Malicious spam campaign hits victims with a new ransomware variant

According to malware researcher Rommel Joven, the developers of Locky remain faithful to the traditional ransomware distribution method: malicious spam emails. The malspam campaign that spreads Lukitus uses ZIP or RAR attachments containing a JS file. As soon as a user opens such a dangerous archive, the malware executable is dropped onto the system.

Emails that bring this crypto-malware have two subject lines:

  • < No Subject >
  • Emailing – CSI-034183_MB_S_7727518b6bab2

The content of the message politely asks the recipient to open the attached document by a particular date. However, we want to point out that if you do not expect to receive any files or documents, you should never open unknown emails.

The name “Lukitus” means “Locky” in Finnish. However, this does not mean that the variant targets computer users in Finland[2] only. The malicious emails are written in English and can be delivered to any inbox all over the world.

Before opening any received files or the links in the email, you should:

  • double-check the information about the sender;
  • scan attachments with security tools to make sure that they are not infected;
  • look for grammar or spelling mistakes that might reveal cyber criminals.

For ransomware protection,[3] you should also keep all the programs installed on your PC updated, avoid clicking suspicious content or visiting high-risk sites, and install professional antivirus software. Of course, data backups are a must!

September 2017 update: Lukitus ransomware uses a set of different themes for spam emails

Locky's authors are now using the old Dropbox-themed phishing emails to deliver the latest Lukitus ransomware variant. Security experts have discovered a brand new spam campaign that rapidly distributed deceptive messages to over 23 million potential victims in just 24 hours. It is believed to be one of the largest malicious spam campaigns seen in the second half of 2017.

Facts about the latest Lukitus distribution campaigns:

  • Criminals are rapidly distributing the latest Locky variant to victims via email. Typically, the messages are Dropbox-themed and ask the recipient to verify their email address via a provided phishing link.
  • Clicking the provided link redirects the victim to legitimate web pages or hosting accounts that have been compromised by the criminals. Usually, the link ends with dropbox.html.
  • The dropbox.html file opens a phishing website that looks like a legitimate Dropbox page. At the same time, a VBS file is downloaded and launches the Lukitus virus on the victim's system.
  • In parallel, the criminals are also using a quite simple malspam technique: sending double-zipped VBS or JS files. Once launched, these files download Lukitus from particular domains.
  • The virus' authors are using the following subject lines in this malspam campaign: “Please print,” “pictures,” “images,” “scans,” “documents” or “photos.” The message body contains a basic invitation to view the content of the attached file: “Download it here.”
  • The criminals are also using FreeFax-themed spam as well as deceptive voice messages to lure unsuspecting victims to compromised websites whose addresses end with .fax.html. These emails usually carry “FreeFax From:[random digits]” or “Voice Message from [random digits]” in the subject line and suggest clicking a provided link to download the fax or listen to the voice message.
  • Once redirected to a compromised website, the user is prompted to open a .js file, which might be named in a format such as Fax_Message_[random digits].js or similar. Opening the file instantly installs Lukitus on the system.
  • The latest Lukitus spam campaign distributes Microsoft Store-themed spam. Fraudsters are using “Microsoft Store E-invoice for your order #[random digits]” in the subject line and suggest downloading the invoice by clicking an attached link. Just like we explained above, the link leads to a compromised site hosting a malicious MS_INV_[random digits].7z file that was previously uploaded by the virus' developers.
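The subject lines, attachment names and landing-page paths listed in this section and in the earlier "Malicious spam campaign" section are concrete enough to turn into a mail-gateway triage rule. The script below is an added example, not code from the original page; the message record layout and the sample messages are constructed, and the patterns cover only the traits the page names.

```python
import re

# Campaign traits taken from the text above. Everything else (the record
# layout, sample messages, the scoring threshold) is constructed here.
SUBJECT_PATTERNS = [
    r"^< No Subject >$",
    r"^Emailing\s+[–-]\s+CSI-",
    r"^(please print|pictures|images|scans|documents|photos)$",
    r"^FreeFax From:\s*\d+",
    r"^Voice Message from \d+",
    r"^Microsoft Store E-invoice for your order #\d+",
]
ATTACHMENT_PATTERNS = [
    r"\.(zip|rar|7z)$",      # archives carrying the script (possibly double-zipped)
    r"\.(js|vbs)$",          # the script sent directly
    r"^Fax_Message_\d+\.js$",
    r"^MS_INV_\d+\.7z$",
]
LINK_PATTERNS = [r"/dropbox\.html$", r"\.fax\.html$"]


def _any(patterns, value):
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def score_message(msg):
    """Return (score, reasons) for a dict with 'subject', 'attachments' and
    'links'. Each matching trait adds one point; a score of 2 or more is a
    reasonable threshold for quarantining the message for analyst review."""
    reasons = []
    if _any(SUBJECT_PATTERNS, msg.get("subject", "").strip()):
        reasons.append("campaign subject line")
    for a in msg.get("attachments", []):
        if _any(ATTACHMENT_PATTERNS, a):
            reasons.append(f"suspicious attachment {a}")
    for u in msg.get("links", []):
        if _any(LINK_PATTERNS, u):
            reasons.append(f"campaign landing page {u}")
    return len(reasons), reasons


# Constructed sample messages; the domain is a placeholder, not a real site.
SAMPLES = [
    {"subject": "Please print", "attachments": ["scan.zip"], "links": []},
    {"subject": "Verify your Dropbox email", "attachments": [],
     "links": ["http://compromised.example/wp/dropbox.html"]},
    {"subject": "Lunch on Friday?", "attachments": ["menu.pdf"], "links": []},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(score_message(m))
```

A single archive attachment scores only one point on its own, which is deliberate: plenty of legitimate mail carries ZIP files, and it is the combination with a campaign subject or landing page that makes the message worth holding.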

It is clear that the Locky virus' developers are working hard to distribute the Lukitus ransomware version as widely as possible. Therefore, you have to stay vigilant and not allow this ransomware to outwit you.

Remove Lukitus ransomware virus and recover your files

Lukitus removal must be performed using reputable security software. Automatic elimination ensures that all malicious files and processes are stopped and deleted without damaging the system. Ransomware viruses are complicated, so attempts to remove malicious components manually may end in irreparable system damage.

If you are looking for a tool to remove Lukitus from the PC, we suggest choosing one of these programs: Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware. However, the malware might prevent you from installing or accessing security tools, so you may need to reboot the computer into Safe Mode with Networking as shown below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Lukitus ransomware virus you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall Lukitus ransomware virus. The free scanner allows you to check whether your PC is infected. If you need to remove the malware, you have to purchase the licensed version of the Reimage malware removal tool.

More information about this program can be found in Reimage review.

Manual Lukitus virus Removal Guide:

Remove Lukitus using Safe Mode with Networking

If you cannot run security software to remove Lukitus ransomware virus from the PC, follow these steps to disable the virus first:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, Restart and OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key and click Restart.
    2. Select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Lukitus

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Lukitus removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Lukitus using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, Restart and OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold the Shift key and click Restart.
    2. Select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the Lukitus infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that Lukitus removal was performed successfully.

Bonus: Recover your data

The guide presented above should help you remove Lukitus from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Lukitus, you can use several methods to restore them:

Data Recovery Pro: an alternative way to restore corrupted files

This tool might be useful after a ransomware attack. We cannot promise that it will recover all files with the .lukitus extension, but you might be able to restore some of them with its help.

Windows Previous Versions feature

If System Restore was enabled before the ransomware attack, this method might help you retrieve copies of individual files saved before the infiltration:

  • Find the encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

Take advantage of ShadowExplorer

If you are lucky and this variant of Locky did not delete the Shadow Volume Copies, this tool can help restore corrupted files:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install the application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check which folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also choose where it should be stored.

Lukitus decryptor is not available.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Lukitus and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

References
