.LLTP File Virus Remove and Restore Data - How to, Technology and PC Security Forum | SensorsTechForum.com

.LLTP File Virus Remove and Restore Data

Article created to help you remove the LLTP ransomware infection from your computer and restore files encrypted with the .LLTP file extension.

A ransomware virus called LLTP ransomware has been reported to cause an immense amount of damage to the computers it infects. The malware encrypts files on the computer using a combination of the AES and RSA ciphers, which leaves the files unopenable. On top of this, LLTP also packs the files into a password-protected .RAR archive. The virus then changes the wallpaper and drops a ReadMe.txt file containing instructions on how to pay a hefty ransom fee to get the encrypted files back. In case your computer was infected by the LLTP ransomware, we advise you to go through this article and learn how to cope with it.

Threat Summary

Name: LLTP Locker
Type: Ransomware
Short Description: The ransomware encrypts files with 256-bit AES and RSA; because RSA is an asymmetric algorithm, the key needed for decryption is different from the one used for encryption.
Symptoms: The ransomware will lock all your files with the .Venusf extension appended to them and put a ransom note on your PC. The note states that you have to pay Bitcoins for decryption.
Distribution Method: Spam Emails, Email Attachments, Suspicious Sites
Detection Tool: See If Your System Has Been Affected by LLTP Locker
User Experience: Join Our Forum to Discuss VenusLocker Ransomware

.LLTP Virus – How Does It Infect

The LLTP Locker Team, the cyber-criminals behind this virus, appear to have decided to spread it via e-mail spam messages that carry malicious attachments. The e-mails usually contain deceptive text that aims to trick the user into opening an archive with a malicious attachment or clicking on a URL.

Similar to what appears to be its older variant, VenusLocker, the e-mails sent out may pretend to contain a receipt, account information or a warning about suspicious activity. The archives may hold multiple malicious files, some of them even legitimate documents that carry malicious macros. When enabled, such a macro runs a script that causes the infection. This is why users are advised to take extreme caution and learn how to protect themselves against such e-mails. In order to better protect yourself, please read our related article.

.LLTP Virus – What Does It Do

After infecting a computer, this possibly rewritten VenusLocker variant begins to drop its malicious files on the compromised PC. They are several executable and temporary files, some with random names and some carrying the virus name:

  • LLTP3.5.exe
  • {random name}.tmp
  • LLTP.exe
  • {random name}.doc.exe
  • {random name}.exe.tmp
  • {random name}.exe
  • ReadMe.txt

The ReadMe.txt file is dropped on the desktop of the user profile and has the same content as the note of the original VenusLocker virus, only with the LTTP brand name on it:

—————————————- LTTP Locker ————————————
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted
with RSA-4096, a strong encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The
public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files.
Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without
your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)
2. How to decrypt my files?
To decrypt and recover your files, you have to pay 100 US Dollars for the private key and decryption service. Please note that
you have ONLY 72 HOURS to complete your payment. If your peyment do not be completed within time limit, your private key will be
deleted automatically by our server. All your files will be permanently encrypted, and nobody can recover them. Therefore, it is advised that you’d better not waste your time because there is no other way to recover your files except making a payment.
3. How to pay for my private key?
There are three steps to make a payment and recover your files:
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange 100 US dollars
(or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about 0.15 BTC) to the following address.
1Dj9YnMiciNgaKuyzKynygu7nB21tvV6QD
2). Send your personal ID to our official email: [email protected]
Your personal ID is cc673bcfcf644d2c1a88893cb0ff8fa7
3). You will receive a decryptor and your private key to recover all your files within one working day.
4. What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone without an intermediate
financial institution.
5. How to make a payment with Bitcoin?
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.
About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy the necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com — the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com — the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu — the best for Europe.
CEX.IO — Visa / MasterCard
CoinMama.com — Visa / MasterCard
HowToBuyBitcoins.info — discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about 0.15 BTC (equivalent to 100 USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc)
Input our Bitcoin receiving an address in the “Bitcoin Wallet” textbox.
input 100 in the “Amount” textbox, the amount of Bitcoin will be calculated automatically.
click “PAY” button; then you can complete your payment with your Perfect Money account and local debit card.
6. If you have any problem, please feel free to contact us via official email.
Best Regards
The LTTP Locker Team

The LTTP Locker virus also changes the wallpaper of the infected computer, to the one used by the other variants:

In addition to this activity, the LTTP Locker ransomware may also delete all shadow volume copies and backups on the affected computer, so that Windows cannot be used to restore earlier versions of the files. This is done with the vssadmin command in quiet mode:

→ vssadmin.exe delete shadows /all /Quiet
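Defenders can catch the shadow-copy deletion above in process-creation telemetry. The following is an added example, not code from the article or from the malware: it parses constructed Sysmon-style log lines (the "key=value | key=value" layout, field names and parent process paths are assumptions) and flags any vssadmin invocation that deletes shadows, regardless of case, quoting, argument order or binary path.

```python
import ntpath
import re

# Constructed sample process-creation events in a simplified
# "key=value | key=value" layout (an assumption, not a real Sysmon export).
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin.exe delete shadows /all /Quiet | ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\LLTP.exe",
    'Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine="C:\\Windows\\System32\\VSSADMIN.EXE" Delete Shadows /quiet /ALL | ParentImage=C:\\Users\\bob\\Desktop\\LLTP3.5.exe',
    "Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin.exe list shadows | ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c dir | ParentImage=C:\\Windows\\explorer.exe",
]

def _tokens(cmdline):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def is_shadow_deletion(cmdline):
    """True when the command line runs vssadmin to delete shadow copies."""
    toks = [t.lower() for t in _tokens(cmdline)]
    if not toks or ntpath.basename(toks[0]) not in ("vssadmin", "vssadmin.exe"):
        return False
    # vssadmin's verb and object are positional: "delete shadows ..."
    return "delete" in toks and toks.index("delete") + 1 < len(toks) \
        and toks[toks.index("delete") + 1] == "shadows"

def parse_event(line):
    """Turn one constructed 'key=value | key=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.split(" | "))

def find_shadow_deletions(lines):
    """Return an alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        if not is_shadow_deletion(cmd):
            continue
        toks = [t.lower() for t in _tokens(cmd)]
        alerts.append({
            "parent": ntpath.basename(event.get("ParentImage", "")),
            "all_copies": "/all" in toks,   # every shadow on every volume
            "quiet": "/quiet" in toks,      # suppresses the confirmation prompt
            "command": cmd,
        })
    return alerts
```

A non-administrative parent such as a file dropped in a user's Temp or Desktop folder, as in the two flagged samples, is what separates this from legitimate maintenance by backup software.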

The .LTTP Locker Virus Encryption Process

Regarding the encryption of different types of files, this threat takes advantage of two different encryption algorithms:

  • The Rivest-Shamir-Adleman (RSA) cipher, which generates a unique public and private key pair.
  • The Advanced Encryption Standard (AES).

Both of the encryption algorithms are used by the LTTP Locker ransomware to target the following file types:

.xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .txt, .ini, .php, .html, .css, .py, .c, .cpp, .cc, .h, .cs, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .msg, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp, .rtf, .wpd, .docb, .wps .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dat, .csv, .xml, .spv, .grle, .sv5, .game, .slot, .aaf, .aep, .aepx, .plb, .prel, .prproj, .eat, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .svg, .as3, .as, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, 
.gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .rpt, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .ini, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .docb, .xlt, .xltm, .xlw, .ppam, .sldx, .sldm, .class, .db, .pdb, .ptx, .pef

The LTTP virus is selective about which files it encrypts. It is programmed to skip files in the following folders, since encrypting them could break the encryption process itself or the health of the operating system:

→ “Program Files, Program Files (x86), Windows, Python27, Python34, AliWangWang, Avira, wamp, Avira, 360, ATI, Google, Intel, Internet Explorer, Kaspersky Lab, Microsoft Bing Pinyin, Microsoft Chart Controls, Microsoft Games, Microsoft Office, Microsoft.NET, MicrosoftBAF, MSBuild, QQMailPlugin, Realtek, Skype, Reference Assemblies, Tencent, USB Camera2, WinRAR, Windows Sidebar, Windows Portable Devices, Windows Photo Viewer, Windows NT, Windows Media Player, Windows Mail, NVIDIA Corporation, Adobe, IObit, AVAST Software, CCleaner, AVG, Mozilla Firefox, VirtualDJ, TeamViewer, ICQ, java, Yahoo!”

After LTTP Locker has completed its encryption process, the targeted files can no longer be opened. The virus also adds its distinctive .LTTP file extension to the encrypted files, making them look like the following:

In addition to simply encrypting the files, this ransomware takes a further step: it places all the encrypted files in a .RAR archive protected with a password, which makes recovery even more difficult.
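Before removal (the article recommends backing up the encrypted files first), a responder wants an inventory of what the virus left behind. The following is an added example, not code from the article or from the malware: it walks a directory tree and collects the artifacts described above, files carrying the appended extension, the dropped ReadMe.txt note and the .RAR bundle, on a constructed sample tree. It assumes encrypted files are named original.ext.LLTP (the article shows no sample names and spells the extension both .LLTP and .LTTP, so the constant is adjustable) and uses the article's folder skip list to flag anything that contradicts it.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".lltp"      # appended extension (article also spells it .LTTP)
NOTE_NAME = "readme.txt"     # ransom note the virus drops on the desktop
# Top-level folders the article says the virus leaves alone.
SKIPPED_DIRS = {"program files", "program files (x86)", "windows"}

def inventory(root):
    """Collect encrypted files, ransom notes and RAR archives under root."""
    found = {"encrypted": [], "notes": [], "archives": [],
             "original_exts": Counter(), "unexpected": []}
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0].lower()
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if low.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
                # Assumed naming: original.ext.LLTP, so strip the suffix
                # and read the original file type off what remains.
                orig = os.path.splitext(low[:-len(ENCRYPTED_EXT)])[1]
                found["original_exts"][orig or "<none>"] += 1
                if top in SKIPPED_DIRS:   # contradicts the skip list: worth a look
                    found["unexpected"].append(path)
            elif low == NOTE_NAME:
                found["notes"].append(path)
            elif low.endswith(".rar"):    # the password-protected bundle
                found["archives"].append(path)
    return found

def build_sample_tree():
    """Create a throwaway tree imitating an infected profile (constructed data)."""
    root = tempfile.mkdtemp(prefix="lltp_triage_")
    layout = {
        "Users/bob/Desktop/ReadMe.txt": b"Unfortunately, you are hacked.",
        "Users/bob/Documents/budget.xlsx.LLTP": b"\x00" * 16,
        "Users/bob/Documents/thesis.docx.LLTP": b"\x00" * 16,
        "Users/bob/Pictures/encrypted.rar": b"Rar!\x1a\x07\x00",
        "Program Files/App/config.ini": b"[app]\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Point inventory() at an offline mount of the infected disk; the original_exts counter shows which of the targeted file types were actually hit and the encrypted list is what to copy to safe storage before cleaning.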

Remove LTTP Locker and Restore .LTTP Encrypted Files

Before beginning any removal process, we recommend backing up the encrypted files from the compromised computer, even though they are encrypted, since a decryptor may become available later.

For the effective removal of the LTTP Locker virus, it is advisable to follow the removal instructions below. They are specifically designed to assist with isolating the virus and then removing it via several different methods. The best removal method, according to malware researchers, is to use advanced anti-malware software which automatically hunts for the threat, removes all its objects and actively protects the system against future intrusions.

There are many variants of this virus, one of which is even called Trump Locker. Unfortunately, there is no free decryptor for these viruses at this point. However, malware researchers are constantly working on decryption solutions and we will update this article as soon as a free solution becomes available. This does not mean you have to despair: there is still a way to recover part of your data. We have listed some alternative file recovery tools below, in step “2. Restore files encrypted by LTTP Locker”. They are not 100% effective but may help you recover some of your files.

Manually delete LLTP Locker from your computer

Note! Substantial notification about the LLTP Locker threat: Manual removal of LLTP Locker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove LLTP Locker files and objects.
2. Find malicious files created by LLTP Locker on your PC.
3. Fix registry entries created by LLTP Locker on your PC.

Automatically remove LLTP Locker by downloading an advanced anti-malware program

1. Remove LLTP Locker with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by LLTP Locker in the future
3. Restore files encrypted by LLTP Locker
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

