What is Lukitos Ransomware? And how does it execute its attack?

Lukitos ransomware is one of the latest variant of the formidable Locky ransomware. Lukitos in Finnish means Locky so it’s pretty obvious that this is yet another spawn of the infamous ransomware infection. Its developers were spotted spreading the infections via malicious spam emails. After its infiltration, Lukitos scans all the drive in the computer looking for files to encrypt. Once it’s done, it starts to encrypt them using the RSA 2048 and AES 128 encryption algorithms just like with the Locky ransomware. During the encryption, it appends each file with the .lukitos extension and then creates new files, namely; lukitos.bmp and lukitos.htm which both informs users regarding the expensive way of recovering their files by purchasing the Locky Decryptor. The context below is the full message from both the bmp and html files:
“!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers. More information about the RSA and AES can be found here: hxxp://en.wikipedia.org/wiki/RSAicryptosysteml hxxp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps: 1. Download and install Tor Browser: hxxps://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: g46mbrrzpfszonuk.onion/D56F3331E80D9E17 4. Follow the instructions on the site.
!!! Your personal identification ID: GPZ9PTR3BIEU8HAJ !!!”
On its attack, all the targeted files are locked with strong ciphers making it hard to decrypt the files. Lukitos then replaces the computer’s desktop wallpaper with the lukitos.bmp file which contains the message above. While the htm file includes the victim’s ID number and notes that the only way to recover the files is by purchasing the Locky Decryptor for 0.49 Bitcoins which is approximately around $2000, that’s amounting to two iPhone X right? Just wow. Security experts do not recommend you to purchase this insane amount no matter what for you might only end up with $2000 out of your pocket minus your files. We all know that these crooks can’t be trusted. We don’t even recommend users to pay a small amount of ransom, how much more a $2000 amount? So no, there are other ways to recover your files such as backups or making use of the Shadow Volume copies of your files. But before the file recovery, you must terminate Lukitos ransomware from your computer first and then that’s when you can try out the recovery options which will also be discussed together with the removal.

How does Lukitos ransomware spread its malicious infection?

Rommel Jove, a malware security expert stated that the developers of Locky ransowmare remains to be somewhat faithful to the old but gold way of distributing ransomware infection which is through spam emails. Malicious spam emails spreading Lukitos makes use of ZIP or RAR attachments with JS file. As soon as these files are executed, the malware executable file used to launch Lukitos is dropped into the system. Lukitos’ email usually contain two subject lines such as the following:

• <No subject>
• Emailing – CSI-034183_MB_S_7727518b6bab2

The email’s content usually consists of a message asking users to politely open the attached document due to a particular date. Users should be careful in opening emails from unknown senders no matter how seemingly urgent it looks for cyber crooks have gotten better in spreading their malicious payload using emails.
 
Terminate Lukitos ransomware by following the set of removal instructions below as well as the recovery option for the encrypted files.
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.

Step 2: Go to the Processes tab and look for Lukitos’ processes and then kill them.

Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 4: Look for Lukitos ransomware or any suspicious program and then Uninstall.

Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Navigate to the following locations below and look for Lukitos ransomware’s malicious components such as Lukitos.bmp and Lukitos.htm and delete all of them.

• %TEMP%
• %APPDATA%
• %USERPROFILE%\Downloads
• %USERPROFILE%\Desktop

 
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Lukitos ransomware created. So if you are not familiar with the Windows Registry skip to Step 12 onwards.

However, if you are well-versed in making registry adjustments, then you can proceed to step 7.
Step 7: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter and then go to the following path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 8: Look for suspicious registry entries created by Lukitos and delete them.
Step 9: Close the Registry Editor.
Step 10: Empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Lukitos hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Follow the continued advanced steps below to ensure the removal of the Lukitos ransomware:
Perform a full system scan using SpyRemover Pro.

1. Turn on your computer. If it’s already on, you have to reboot
2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

3. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
4. Windows will now load the Safe Mode with Networking.
5. Press and hold both R key and Windows key.

7. If done correctly, the Windows Run Box will show up.
8. Type in Apollolocker http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between Apollolocker and http. Click OK. 

8. A dialog box will be displayed by Internet Apollolocker. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.

10. Click OK to launch the program.
11. Run SpyRemover Pro and perform a full system scan.

11. After all the infections are identified, click REMOVE ALL.

12. Register the program to protect your computer from future threats.