Lssr ransomware (virus) - Bonus: Decryption Steps

What is Lssr ransomware?

Lssr ransomware is a virus designed to lock videos, music, and other files on your computer and hold them hostage until a ransom is paid

This is the threat that connects to the machine to find files for possible encryption

Lssr ransomware – a computer infection that encrypts all personal files with the help of a mixed encryption algorithm. Then it can mark files with the .lssr extension, restricting access to them. Malware then drops a ransom note _readme.txt, which claims that the only way to securely return data is by paying a ransom – it should be delivered using bitcoin digital currency. The ransom amount starts at $980, but criminals offer the discount to make people more eager to pay. However, experts^[1] do not recommend considering the payment. Even when the amount is less than a few hundred. If you transfer money but files remain locked, you lose money and data.

This virus derives from a well-known Djvu ransomware family, which was first spotted many years back and since then released multiple variants, including Piiq, Pooe, Leex. In this article, we will provide alternative methods for .lssr file recovery and safe ways of deleting the infection from a Windows computer. It is crucial to clear the infection before you try to restore affected pieces, so the system cannot be affected again. If files get encrypted once again, that data gets permanently damaged.

If you have been infected by one of the Djvu/STOP ransomware variants, it is possible that your computer's encryption can be decrypted offline using a program like Emsisoft decryptor. However, it must also be mentioned that this will not work for everyone – only if data was locked via an offline ID when the malicious software couldn't connect to the remote server and use the online ID creation method.

Otherwise, if you are infected by an earlier version of the same virus, your only option is to pay the ransom. A better way to avoid being infected with Lssr ransomware is by downloading apps from trusted sources and not from third-party app stores or links placed in random email messages.

Malicious files can be hidden and the virus active but unnoticed until the ransom note is presented

Furthermore, it's always a good idea to have a reliable anti-malware tool installed on your computer. The ransom message that appears in the _readme.txt file states that all of the user's details were stored on servers controlled by criminals, and all they need from them is just one thing: money. It then encourages users to send Bitcoin payments as soon as possible. In most cases, the amount you are expected to pay varies, but this family hasn't changed the ransom amount, contact information, and the name of the ransom note for years now.

The ransom note file reads:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-fhnNOAYC8Z
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
manager@mailtemp.ch

Reserve e-mail address to contact us:
helpmanager@airmail.cc

Your personal ID:

If you think your files were locked with an offline ID and can't be recovered now, try again later. You also need to upload a set of documents – one encrypted and another that's healthy before the company sends it back. This test decryption is one of the many methods used to fake the legitimacy of the decryptor tool that criminals promote.

If you got your files encrypted using this threat, you have the option to wait until the decryption creators have more time on their hands for creating the tool capable of recovering these types of threats. When the encryption is done locally without any online key-sharing service involved in the process, the possibility of decryption is bigger. When offline IDs are user, the option is very unlikely since there needs to be somebody that paid asked ransom and got their encrypted data recovered.

Using file-sharing sites in order to download software can also be risky – even if it's from well-known and legitimate developers. Sometimes malicious files may be attached as part of the installer without any knowledge of the developer itself, so even installing a necessary application may put your devices at risk. This is one of the common methods used to spread threats like the Lssr file virus.

Clear the system and repair needed computer functions

You can restore your files after the infection. It can be done using versions from a different device that is not infected yet. If your computer had any USB, it different drives connected. They most likely got infected and files on them – encrypted. Unfortunately, it is too easy to decrypt or restore any of those files. You need a proper decryption tool. There are some options for this threat family, but solutions are still limited.

Nevertheless, there cannot be any decryption or file recovery using data repair software or backups until the malware is present. The system requires proper cleaning with software like SpyHunter 5Combo Cleaner or Malwarebytes, so the detection^[2] engines can indicate malicious files and terminate them.

Then another important step is file recovery in system folders. It can be crucial in virus removal and file repair functions since Lssr might disable some applications and alter settings to further control the infected machine. Once you do these things, you will be able to calm down and relax while being sure that no harm was done to your devices. Only then can data recovery be considered.

The virus is focused on ransom demands can be removed with AV tools

Once a computer is infected with malware, its system is changed to operate differently. For example, an infection can alter the Windows registry database, damage vital bootup and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software cannot do anything about it, leaving it just the way it is. Consequently, users might experience performance, stability, and usability issues, to the point where a full Windows reinstallation is required.

Therefore, we highly recommend using a one-of-a-kind, patented technology of FortectIntego repair. Not only can it fix virus damage after the infection, but it is also capable of removing malware that has already broken into the system thanks to several engines used by the program. Besides, the application can also fix various Windows-related issues that are not caused by malware infections, such as Blue Screen errors, freezes, registry errors, damaged DLLs, etc.

• Download the application by clicking on the link above
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you automatically purchase the license and fix them.

By employing FortectIntego, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.

If you have infected your computer with one of the Djvu variants, you should try using Emsisoft decryptor for Djvu/STOP. It is important to mention that this tool will not work for everyone – it only works if data was locked with an offline ID due to malware failing to communicate with its remote servers.

In most cases, these newer versions, like Lssr virus, rely on an online key forming technique. Hence, each victim of the threat receives unique identification and needs to get the particularly matching decryption key, so files can be restored properly. It is not that possible without paying, so any victim of the advanced version faces data losses when backups are not updated, and other options fail to help.

Even if your case meets this condition, somebody from the victims has to pay criminals, retrieve an offline key, and then share it with security researchers at Emsisoft. As a result, you might not be able to restore the encrypted files immediately. Thus, if the decryptor says your data was locked with an offline ID but cannot be recovered currently, you should try later. You also need to upload a set of files – one encrypted and a healthy one to the company's servers before you proceed.

• Download the app from the official Emsisoft website.
• After pressing the Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe should show up – click it.
  
• If User Account Control (UAC) message shows up, press Yes.
• Agree to License Terms by pressing Yes.
  
  
• After Disclaimer shows up, press OK.
• The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.
  
• Press Decrypt.
  
  

From here, there are three available outcomes:

1. “Decrypted!” will be shown under files that were decrypted successfully – they are now usable again.
2. “Error: Unable to decrypt a file with ID:” means that the keys for this version of the virus have not yet been retrieved, so you should try later.
3. “This ID appears to be an online ID; decryption is impossible” – you are unable to decrypt files with this tool.

The latest variants of the Lssr file virus are impossible to decode thanks to an offline ID vs. online ID encryption process, which allows for recovery of files from previous versions but not this one because it's more advanced and encoding data is done with a different set of keys that have no easy way to be recovered by external means like keyloggers or backups. You can store files related to threats and wait for the additional decryption option, but such things take time.

The Lssr virus is another type of malware that targets not only the OS itself but also uses brute force attacks to try to infect other devices like smartphones (through Bluetooth), smartwatches, and other connected IoT-like devices because it can share information with your Android smartphone or Apple watch.^[3]

The infection rate for this particular variant was pretty high when first released, which means that there are probably thousands of users. This malware also attempts to connect to a server via a command-and-control server as it sets about looking for specific file types on your system. It can steal some valuable data and later on target victims or blackmail them.