
Remove Lukitus ransomware / virus (Virus Removal Instructions) - Sep 2020 update

by Jake Doevan | Type: Ransomware

Lukitus ransomware rampages worldwide as its developers successfully distribute the virus via malicious spam


Lukitus is a new variant of the Locky virus that was spotted spreading via malicious spam emails in August 2017. This ransomware-type program uses RSA-2048 and AES-128 ciphers to encrypt files and marks them with the .lukitus file extension. It then drops two new files, lukitus.bmp and lukitus.htm, which present the only (and expensive) data recovery option the attackers offer: purchasing the Locky decryptor.


The Lukitus virus not only encrypts files but also renames them. Just like the Diablo6 version that emerged a few weeks earlier,[1] this threat follows the same scheme to change filenames. The name of the corrupted file includes characters from the victim’s ID followed by random characters:

[first 8 characters of ID]-[next 4 characters of ID]-[next 4 characters of ID]-[4 characters]-[12 characters].lukitus

Once the targeted data is locked with a strong cipher, Lukitus ransomware replaces the computer’s desktop picture with the lukitus.bmp file. The new wallpaper carries a short but threatening message from the cyber criminals. Victims learn that their data has been encrypted and are urged to check lukitus.htm for more information about data recovery.
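The rename scheme and note files described above can be turned into a quick triage pass over a file listing or a mounted disk image. This is an added example, not code from the original article; the function names, the sample paths and the assumption that every group consists of ASCII letters or digits are this example's own.

```python
import os, re
from collections import Counter
from pathlib import PureWindowsPath

# Rename scheme quoted above: 8-4-4-4-12 characters followed by ".lukitus".
# Assumption: each group is ASCII letters or digits; the article gives no charset.
G = "[0-9A-Za-z]"
RENAMED = re.compile(rf"^({G}{{8}})-({G}{{4}})-({G}{{4}})-{G}{{4}}-{G}{{12}}\.lukitus$")
NOTES = {"lukitus.htm", "lukitus.bmp"}  # ransom note files named in the article

# Constructed sample paths (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-0718-9ZQK-0A1B2C3D4E5F.lukitus",
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-0718-77XY-FFEEDDCCBBAA.lukitus",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Desktop\lukitus.htm",
    r"C:\Users\alice\Pictures\holiday.lukitus",
]

def triage_paths(paths):
    """Sort paths into renamed files, ransom notes and odd .lukitus names."""
    report = {"ids": Counter(), "dirs": Counter(), "notes": [], "unmatched": []}
    for p in paths:
        path = PureWindowsPath(p)  # accepts both "\" and "/" separators
        m = RENAMED.match(path.name)
        if path.name.lower() in NOTES:
            report["notes"].append(p)
        elif m:
            # The first three groups are the first 16 characters of the victim ID.
            report["ids"]["".join(m.groups()).upper()] += 1
            report["dirs"][str(path.parent)] += 1
        elif path.suffix.lower() == ".lukitus":
            report["unmatched"].append(p)  # extension present, scheme not followed
    return report

def scan(root):
    """Walk a directory tree (for example a mounted image) and triage every file."""
    return triage_paths(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

if __name__ == "__main__":
    result = triage_paths(SAMPLE)
    print(dict(result["ids"]), dict(result["dirs"]), result["notes"], result["unmatched"])
```

More than one ID prefix in the report suggests more than one infection wrote to the same storage, which matters when scoping shared drives.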

The HTM file includes the victim’s ID number and states that the only way to decrypt files is to purchase the Locky Decryptor for 0.49 Bitcoins. That is a large sum of money, equal to about $2,000. We do not recommend paying it because it may lead to money loss only.

Just like other Locky’s variants, Lukitus uses the same ransom note template and payment website. That proves that cyber criminals standing behind this malicious program are consistent with their work.

Unfortunately, Lukitus removal won’t help to recover corrupted files. Neither Locky nor its variants are decryptable. However, elimination of the crypto-malware is necessary because this malicious program makes critical system changes and might put your data or privacy at risk.

Therefore, as soon as you learn about the attack, you have to obtain reputable security software and remove Lukitus from the PC. For this task, we suggest using Reimage, Intego, SpyHunter 5 or Combo Cleaner.


Malicious spam campaign hits victims with a new ransomware variant

According to the malware researcher Rommel Joven, the developers of Locky remain faithful to the traditional ransomware distribution method: malicious spam emails. The malspam campaign that spreads Lukitus includes ZIP or RAR attachments with a JS file. As soon as a user opens such a dangerous archive, the malware executable is dropped onto the system.

Emails that bring this crypto-malware have two subject lines:

  • < No Subject >
  • Emailing – CSI-034183_MB_S_7727518b6bab2

The content of the message politely asks the recipient to open the attached document by a particular date. However, we want to point out that if you do not expect to receive any files or documents, you should never open unknown emails.

The name “Lukitus” means “Locky” in Finnish. However, this does not mean that the variant targets computer users in Finland[2] only. The malicious emails are written in English and can be delivered to any inbox all over the world.

Before opening any received files or the links in the email, you should:

  • double-check the information about the sender;
  • scan attachments with security tools in order to make sure that they are not infected;
  • look for grammar or spelling mistakes that might reveal cyber criminals.

For ransomware protection,[3] you should also keep all the programs installed on your PC updated, avoid clicking suspicious content or visiting high-risk sites, and install a professional antivirus. Of course, data backups are a must!

September 2017 update: Lukitus ransomware uses a set of different themes for spam emails 

Locky's authors are now using the old Dropbox-themed phishing emails to deliver the latest Lukitus ransomware variant. Security experts have discovered a brand new spam campaign that rapidly distributed deceptive messages to over 23 million potential victims in just 24 hours. It is believed to be one of the largest malicious spam campaigns seen in the second half of 2017.

Facts about the latest Lukitus distribution campaigns:

  • Criminals are rapidly distributing the latest Locky variant to victims via email. Typically, the emails are Dropbox-themed and suggest verifying an email address via a provided phishing link.
  • Clicking the provided link redirects the victim to legitimate web pages or hosting accounts that have been compromised by criminals. Usually, the link ends with dropbox.html.
  • The dropbox.html file opens a phishing website that looks like a legitimate Dropbox page. However, at the same time a VBS file downloads and launches the Lukitus virus on the victim's system.
  • At the same time, criminals are also using a quite simple malspam technique and sending double-zipped VBS or JS files. Once launched, these files download Lukitus from particular domains.
  • The virus' authors are using the following subject lines in this malspam campaign: “Please print,” “pictures,” “images,” “scans,” “documents” or “photos.” The message body contains a basic message inviting the recipient to view the content of the attached file: “Download it here.”
  • Criminals are also using FreeFax-themed spam as well as deceptive voice messages to lure unsuspecting victims to compromised websites ending with .fax.html. These emails usually contain “FreeFax From:[random digits]” or “Voice Message from [random digits]” in the subject line and suggest clicking a provided link to download the fax or listen to the voice message.
  • Once redirected to a compromised website, the user receives a suggestion to open a .js file, which might be named in a format such as Fax_Message_[random digits].js or similar. Opening the file instantly installs Lukitus on the system.
  • The latest Lukitus spam campaign distributes Microsoft Store-themed spam. Fraudsters are using “Microsoft Store E-invoice for your order #[random digits]” in the subject line and suggest downloading the invoice by clicking on an attached link. As explained previously, the link leads to a compromised site containing a malicious MS_INV_[random digits].7z file which was previously uploaded by the virus' developers.

It is clear that the Locky virus' developers are working hard to distribute the Lukitus ransomware version as widely as possible. Therefore, you have to stay vigilant and not allow this ransomware to outwit you.
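The campaign traits listed above (subject lines, link endings, lure file names and double-zipped script attachments) map directly onto a mail-gateway triage rule. The sketch below is an added example, not code from the article or from any mail product; the function names, the matching rules and the constructed sample message are this example's own assumptions.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the campaign description above; matching rules are this example's own.
SUBJECTS = re.compile(
    r"^(please print|pictures|images|scans|documents|photos|FreeFax From:\s*\d+"
    r"|Voice Message from \d+|Microsoft Store E-invoice for your order #\d+)$", re.I)
LINKS = re.compile(
    r"https?://\S*?(dropbox\.html|\.fax\.html|Fax_Message_\d+\.js|MS_INV_\d+\.7z)\b", re.I)
SCRIPT = re.compile(r"\.(js|vbs)$", re.I)

def scripts_in_zip(data, depth=0):
    """List script names inside a ZIP, following nested ZIPs (the double-zipped lure)."""
    if depth > 2 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if SCRIPT.search(info.filename):
                found.append(info.filename)
            elif info.filename.lower().endswith(".zip") and info.file_size < 5_000_000:
                found += scripts_in_zip(zf.read(info), depth + 1)  # size cap vs. zip bombs
    return found

def triage_message(raw):
    """Return the reasons a raw RFC 5322 message (bytes) matches the campaign."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECTS.match((msg["Subject"] or "").strip()):
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and LINKS.search(body.get_content()):
        reasons.append("link")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SCRIPT.search(name) or scripts_in_zip(part.get_payload(decode=True) or b""):
            reasons.append("attachment:" + name)
    return reasons

def constructed_sample():
    """Constructed message: 'Please print' subject with a double-zipped .vbs placeholder."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan_001.vbs", "' inert placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("scan_001.zip", inner.getvalue())
    m = EmailMessage()
    m["Subject"] = "Please print"
    m.set_content("Download it here.")
    m.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                     filename="scan_001.zip")
    return m.as_bytes()
```

The standard library cannot open RAR or 7z archives, so those attachment types need a separate unpacker before the script check applies.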

Remove Lukitus ransomware virus and recover your files

Lukitus removal must be performed using reputable security software. Automatic elimination assures that all malicious files and processes are stopped and deleted without damaging the system. Ransomware viruses are complicated, so attempts to uninstall malicious components manually may end up with irreparable system damage.

If you are looking for a tool to remove Lukitus from the PC, we suggest choosing one of these programs: Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes. However, malware might prevent you from installing or accessing security tools. So, you may need to reboot the computer to Safe Mode with Networking as shown below.


To remove Lukitus virus, follow these steps:

Remove Lukitus using Safe Mode with Networking

If you cannot run security software to remove Lukitus ransomware virus from the PC, follow these steps to disable the virus first:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Lukitus

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Lukitus removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Lukitus using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the infiltration of Lukitus. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage or Intego, scan your computer with it and make sure that Lukitus removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Lukitus from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Lukitus, you can use several methods to restore them:

Data Recovery Pro – alternative way to restore corrupted files

This tool might be useful after ransomware attack. We cannot promise that it can recover all files with .lukitus extension. However, you might be able to restore some of them with the help of this software.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Lukitus ransomware;
  • Restore them.

Windows Previous Versions feature

If System Restore was enabled before the ransomware attack, this method might help to copy individual files saved before the ransomware infiltration:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Take advantage of ShadowExplorer

If you are lucky enough and this variant of Locky did not delete Shadow Volume Copies, this tool can help to restore corrupted files:

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Lukitus decryptor is not available.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Lukitus and other ransomware, use a reputable anti-spyware program, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Back up files for later use in case of a malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Jake Doevan
Jake Doevan - Computer technology expert
