Lyli ransomware (Virus Removal Instructions) - Decryption Methods Included

Lyli virus Removal Guide

What is Lyli ransomware?

Lyli ransomware – cryptovirus that encodes data with a purpose for money demands

Lyli ransomware Lyli ransomware is the virus that makes significant damage to performance when additional programs get added and other features disabled. Lyli ransomware – a virus that makes images, documents, databases unopenable, so the ransom demanding message scares people into paying. This threat comes from a Djvu virus family, so files that get encrypted cannot get recovered in most of the cases. The intruder manages to infect machine silently when the pirated software piece gets downloaded or from a malicious macro virus dropped as an email attachment.[1] That happens quickly, so users only spot the infection when those files get directly damaged and some functions disabled. Encrypted data can be differentiated from other files because .lyli extensions are placed at the end of the original name and appendix that indicates the file type.

There are little to no possibilities to get these files restored, but paying Lyli ransomware virus creators is not one of them. Ransom amount can seem to be low when criminals offer a discount to $490 in Bitcoin cryptocurrency for the first 72 hours. However, those claims in the _readme.txt file are false and created to encourage victims into paying. Make sure to react to this infection as soon as possible and try to clear the virus quickly to avoid additional system damage. As for encrypted files, you have the best option – data backups, or additional methods listed below the removal guide.

Unfortunately, decryption tools are no longer in use, unless your machine got affected by a less advanced version. In such cases, you can try to run your files through Emsisosfts' decryption tool, and check of files marked with .lyli virus appendix were locked using online or offline methods. That fact determines if decryption is possible even.

Name Lyli ransomware
Family STOP/Djvu virus
File appendix .lyli extension gets added at the end of every file encrypted by the virus. It goes after the original name and file type appendix
Issues The intruder creates problems with the performance because it triggers changes in various parts of the device, including system folders and registry or even security features and tools. This threat can disable AV tools and affect the machine further. This infection involves direct money demanding messages and contact with criminals
Distribution Pirated files, licensed versions of programs, game cheats, or software cracks can be distributed via torrent pages and pirating services, so the malicious code for ransomware can get dropped on the machine automatically
Ransom note _readme.txt is a particular file that delivers a message from criminals, so money can be demanded. The statement about test decryption, and the only option for the data recovery is not truthful. The discount and other offers only fake the legitimacy, so victims decide to pay up
Contact information,
File recovery options

This is the newer version of the Djvu virus, so the decryption tool that was useful before cannot be used right now. Additional functions that got too advanced disabled other tools, but Emsisoft's decryption tool can possibly work in some cases. Media-repair tool can also solve some issues with files in formats like mp3 or WAV. Otherwise, the best solution is data backups and file replacement once the machine is virus-free

Elimination To remove Lyli ransomware, you should rely on tools like anti-malware or security programs. You need to ensure that infection is no longer active when you recover your files
System repair There are issues that ransomware infection triggers once on the system. Run a proper repair tool or system optimizer, so affected files, damaged functions, or programs can get repaired. Try to check for these problems with FortectIntego

Lyli ransomware virus distributes the infection via malicious files. This is an illegal action, so you could report the incident as a crime. However, such investigations take time, and you wouldn't be able to get rid of the virus yourself, so the machine is useless until the responsible person is found. You can report the issue for the No More Ransom project.

We could not stress this enough – Paying Is NOT AN OPTION. You can receive more dangerous files, malware and lead to worst issues than the initial infection. Even when the ransom note with a message from criminals state that paying can be helpful, you shouldn't consider this procedure at all. Removing the Lyli virus is a better option.

File recovery after the money transfer is probably not possible, so the decryption tool is only a claim that should give people hope. Lyli ransomware aims to encourage victims, so the ransom is paid, but there is no evidence that the Djvu ransomware family, including .copa, .kolz, .npph, has recovered files for victims.[2] Ignore the ransom message and move on to eliminating the cryptovirus.


Don't worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Even though it can be scary enough to encourage you to pay the ransom, this Lyli ransomware message should be ignored entirely. Make sure to react to the infection as soon as you can, so the virus might be removed properly from your device. When the virus has more time on the system. Due to some changes, the process of virus termination can get even more difficult. But you need to delete the intruder fully before restoring any files.

Lyli ransomware virusLyli ransomware - the cryptovirus that locks commonly used files to demand the payment for alleged decryption.

File recovery after Lyli file virus infection

It is unfortunate, but even the automatic Lyli ransomware removal process with SpyHunter 5Combo Cleaner or Malwarebytes, other anti-malware/ ransomware removal tools cannot ensure the file recovery for you. Most antivirus tools can detect and eliminate this virus, so it can't continue to encrypt files. But file repair is a completely separate process.

To decrypt files affected by later versions that employ online keys, you need a particular tool that can process this unique ID and get the code back to the original. Each victim needs to get a separate tool or the decryption key. Developers claim to have one, but it is less likely, so you should remove Lyli ransomware instead and try to repair those affected files in other ways.

Of course, it is sad because there are fewer options when online IDs get used instead of offline ones, but when you want to use the machine as normal, you have no options. First of all, do not trust those people behind the Lyli files virus or this whole ransomware family. This variant is already a 254th on the list.

Rely on proper tools, expert[3] recommendations, or official decryption/ data recovery programs released online. Then you can be sure that the procedure is not creating other issues on the computer. Running the AV detection tool gives you results with all the malicious programs. Then you need to remove all the intruders, including the Lyli ransomware, and continue with PC repair and data recovery.

Once the malicious program is eliminated, run FortectIntego to find and recover the virus damage. Of you skip any of these steps, you might risk getting a second round of encryption performed or have a difficult time when most of the system features get damaged and disabled. Double-check for any traces of the Lyli virus before you connect to your cloud data backup or enter the USB drive with file copies.

Lyli files virusLyli ransomware virus is the infection that aims to get money from victims directly.

Create a secure place for newly recovered files by eliminating Lyli file virus completely

You need to consider this Lyli ransomware virus a serious malware program, so you take every step of the way seriously. This is the cryptovirus that directly can lead to data and money losses. React to the infection as soon as possible and make sure to double-check before adding important files on the computer.

When you decide to remove Lyli ransomware from your device, get a professional security tool that has an AV detection engine or other features. We recommend SpyHunter 5Combo Cleaner or Malwarebytes for this. Then run a full system scan and check for any malicious programs on the affected device.

Once the list of intruders gets to your screen, analyze it and move on with the proper Lyli ransomware removal. Allow the program to do its job and terminate the infection completely. Run a repeated scan with the AV program and then try to repair virus damage using FortectIntego. Once all of these steps get done, you can go for data recovery. We have a few options down below for that.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Lyli virus. Follow these steps

Manual removal using Safe Mode

Try to reboot your PC in Safe Mode with Networking and then remove Lyli ransomware using proper anti-malware tools

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Lyli using System Restore

Rely on System Restore feature and create the place safe for data recovery

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Lyli. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Lyli removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Lyli from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Lyli, you can use several methods to restore them:

Data Recovery Pro – tool for the file restoring

You can try to restore affected files with the program and recover after Lyli ransomware encryption or even restore accidentally deleted files

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Lyli ransomware;
  • Restore them.

Windows Previous Versions feature for individual file recovery

Encoded files can be restored with Windows Previous Versions when you enable System Restore for the Lyli ransomware removal beforehand

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – feature helping with encoded files

When Lyli ransomware virus leaves those Shadow Volume Copies untouched, you can rely on this tool and restore encrypted files

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The possibility to decrypt files after LYLI virus infection

This Djvu decrypter can work for some of the files affected by Lyli ransomware

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Lyli and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions