.LOL Files Virus - Remove Ransomware and Restore Files

This article shows how to remove the .lol ransomware virus from your computer and how to restore .lol encrypted files without having to pay the ransom.

A new ransomware virus that uses the .lol file extension has been detected spreading around the web and infecting users. The malware encrypts the files on the computers it infects and appends the .lol file extension to each encrypted file. In addition, a message appears on the victim's computer, beginning with “!!!!! Your personal files are now encrypted !!!!!”. If your computer has been infected with the .lol files virus, we recommend that you read the following article to learn how to remove this ransomware and how to restore files that have been encrypted with the .lol extension without having to pay the ransom.

Threat Summary

Name: .lol Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and then asks for $700 as a payoff for their decryption.
Symptoms: Adds the .lol file extension to the encrypted files and leaves an info.txt ransom note alongside them.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.lol Files Virus – Distribution

To spread widely, the .lol files ransomware uses several different techniques, the main one being e-mail spam messages, as the example below shows.

Such messages often contain different types of files embedded in them, like:

  • Malicious executables, disguised as documents.
  • Microsoft Word documents (.docm) with malicious macros embedded within them.
  • Adobe .PDF files that lead to the download of the above-mentioned macro documents.
  • Malicious JavaScript (.js) or flash (.wsf, etc.) files that are compressed within .ZIP or .RAR archives.

Besides e-mail, the malicious files may also be uploaded online as fake key generators, license activators and other types of files. One infection file, which is associated with the .lol files ransomware has been reported by malware researchers to be the following:

What is interesting is that it may be the same keygen.exe file that is used to infect users with the extremely similar .fake files virus variant:

.lol Files Virus – More Information

After infection, the payload of .lol files ransomware is dropped in one of the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

As soon as this is done, the ransomware virus may modify the Windows Registry, more specifically the following Windows Registry sub-key, by adding values with data in them to make sure its malicious executable runs automatically on system boot:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
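A defender can triage this persistence by listing the values under that Run key and flagging any whose program sits in one of the drop directories listed above. The following is an added example, not code from the original article: the mapping of the listed directories to path fragments, the function names and the sample values are assumptions made for illustration.

```python
import ntpath
import re

# Lower-case path fragments for the drop locations the article lists
# (assumed mapping: %Roaming%, %Local%, %LocalLow% live under AppData).
DROP_FRAGMENTS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                  "\\appdata\\locallow\\", "\\temp\\")
# Unexpanded variables that resolve into those same locations.
ENV_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%tmp%")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|js|vbs|wsf))(?:\s|$)", re.I)


def executable_of(data):
    """Extract the program path from a Run value, quoted or unquoted."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    # Unquoted paths may contain spaces, so cut at the first program
    # extension instead of the first blank.
    match = EXE_RE.match(data)
    return match.group(1) if match else data.split(" ", 1)[0]


def suspicious_run_entries(run_values):
    """Return [(value name, program)] for autoruns in a drop location."""
    hits = []
    for name, data in sorted(run_values.items()):
        exe = ntpath.normpath(executable_of(data))
        low = exe.lower()
        if low.startswith(ENV_PREFIXES) or any(f in low for f in DROP_FRAGMENTS):
            hits.append((name, exe))
    return hits


# Constructed sample of Run-key values (name -> data), not taken from a
# real infection; on a live host the same dict can be built with winreg.
SAMPLE_RUN = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\bob\AppData\Roaming\upd\svchost.exe" -s',
    "Sync": r"C:\Users\bob\AppData\Local\Temp\a b\sync.exe /q",
    "Vendor": r'"C:\Program Files\Vendor\agent.exe"',
    "Tmp": r"%TEMP%\k.exe",
}

if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_RUN):
        print(f"{name}: {exe}")
```

Legitimate software also starts from AppData, so each hit is a lead to verify (signature, file age, hash), not a verdict.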

In addition to this, the malware may also modify the Windows backup and recovery settings, more specifically by deleting your volume shadow copies, running the following WCP commands as an administrator:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
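These three commands make a useful detection signal when they appear together in process-creation logs. The following is an added example, not code from the original article: it matches the commands quoted above and flags a host when at least two of them run within a short window. The event tuple layout, rule labels, host names and the 300-second window are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns for the three commands quoted above, matched against a
# normalised command line. The rule labels are this example's own names.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?bootstatuspolicy\s+"
        r"ignoreallfailures\b"),
}


def labels_for(cmdline):
    """Rule labels matched by one command line (case/quote-insensitive)."""
    norm = re.sub(r'["“”^]', "", cmdline.lower())
    norm = re.sub(r"\s+", " ", norm)
    return {label for label, rx in RULES.items() if rx.search(norm)}


def hosts_inhibiting_recovery(events, window_s=300, min_labels=2):
    """Map host -> labels where >= min_labels rules fire within window_s."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        hits[host].extend((ts, label) for label in labels_for(cmdline))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            window = {lab for ts, lab in seen[i:] if ts - start <= window_s}
            if len(window) >= min_labels:
                flagged[host] = sorted(window)
                break
    return flagged


# Constructed process-creation events: (epoch seconds, host, command line).
SAMPLE_EVENTS = [
    (1000, "ws-01", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    (1002, "ws-01", "bcdedit.exe  /set {default} recoveryenabled No"),
    (1003, "ws-01", "BCDEDIT /set {default} bootstatuspolicy ignoreallfailures"),
    (2500, "srv-03", '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /for=C: /oldest'),
]
```

A single shadow-copy deletion, like the one on srv-03, can be routine maintenance, which is why the default requires two distinct rules before a host is flagged.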

After doing so, the .lol files virus may begin the file encryption operation, after which the following ransom note appears:

Text from image:

If you see this message it means you have 24 hours to send 0.1 BTC to the following address or your files will be encrypted forever

All files with the following extensions have been encrypted: .jpg .png .gif .tif. .avi .mp4 .xls .xlsx .doc .docx .pptx .pdf .txt .csv
Time Remaining:

.lol Files Virus – Encryption

For encryption, the .lol ransomware virus targets the following file types on your computer system:

→ .jpg .png .gif .tif .avi .mp4 .xls .xlsx .doc .docx .pptx .pdf .txt .csv

The virus is very careful not to encrypt files that are important for the functioning of Windows, so that you can still use your computer to pay the ransom.

After the encryption has completed, the files no longer look the same:

Furthermore, a unique key is generated, which is the only direct method to recover the encrypted files. This key is available only to the crooks, but trusting them with your payment is strongly inadvisable.

Remove .lol Files Ransomware and Restore Encrypted Data

To remove this ransomware infection, we recommend following our removal instructions below. They are specifically designed to help you delete all the files and other objects related to the .lol files virus, either manually or automatically. Researchers recommend the automatic approach: downloading a removal tool for the .lol files virus, which will scan for and delete all the objects professionally and secure your computer against future ransomware infections, without you having to reinstall your Windows OS.

If you want to recover files that have been encrypted by the .lol ransomware threat, we recommend trying the file recovery methods below in step “2. Restore files, encrypted by .lol Ransomware”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
