.Loptr File Virus Removal – Restore Files

This article will help you remove the .Loptr File Virus effectively. Follow the ransomware removal instructions provided at the end.

.Loptr File Virus is actually a new Locky ransomware variant that puts that extension to locked files. The new variant gets inside your computer system via spam e-mails with PDF attachments. Opening such an attachment loads a Microsoft Word document with a hidden macro command inside, that if you enable, the malware will infect your PC and encrypt your files. No real changes are present in the ransom note as you can see on the right of this paragraph. Continue to read and see if you can potentially restore your files.

Threat Summary

Name.Loptr File Virus (Locky)
TypeRansomware, Cryptovirus
Short Description.Loptr file virus is a new variant of Locky ransomware. The cryptovirus has changes in its infection method, but not in its ransom note.
SymptomsYour files are encrypted and have the .loptr extension attached to them. You see a ransom note with instructions that states that the encryption which is used is both RSA and AES (with links to Wikipedia information).
Distribution MethodBotnet, Spam Emails with PDF Attachments, MS Document Macro Execution
Detection Tool See If Your System Has Been Affected by .Loptr File Virus (Locky)


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Loptr File Virus (Locky).
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Loptr File Virus – Distribution Methods

.Loptr File Virus as a new iteration of Locky ransomware, also has new ways to distribute itself. The most prominent and widespread distribution way is quite complex. Although it requires social engineering to complete the attack, it is still effective. That method starts with the spread of the malware via spam e-mails. Such an e-mail will contain a 58 KB file that seems like a PDF document. You can see examples below:

Image Source: FireEye.com

Upon opening the PDF file, you will find out that there is a Microsoft Word document embedded inside, which looks like the following:

Clicking on “Enable Editing” and then on “Enable Content” will activate a hidden macro command and a PowerShell command, too. The PowerShell command will ping a Command&Control (C2) Server, and that server will download Locky’s malicious executable in an encrypted form so it can try to bypass Antivirus programs.

However, AV vendors have already taken precautions against the latest files that have been detected to be associated with the .Loptr File Virus threat as you can see from the images down here:

Before opening any file from the Internet, always perform a scan with a security program. You should read the ransomware preventing tips in our forum to educate yourself better about methods for fighting such malware threats.

.Loptr File Virus – Technical Information

The .Loptr File Virus is actually the latest variant of Locky ransomware. Dubbed after the extension .loptr that it places to encrypted files, this version of the nefarious cryptovirus has been discovered to spread not only with the help of its old malicious domains, but with many newly-set ones.

The Locky ransomware also makes entries in the Windows Registry to achieve a higher level of persistence. Registry entries of that caliber are typically designed to start the virus automatically with every launch of the Windows Operating System or even repress and tamper with processes.

The message with the ransom payment instructions appears to be unchanged and is stored in two files yet again – one in a .jpg, the other in a .html. Both have identical names that begin with loptr- and end with 4 symbols. You can preview the picture that is placed as your Desktop background below:

The ransom message reads the following:





All of your files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.

To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:

1. Download and install Tor Browser: https://www.torproject.org/downIoad/download-easy.html
2. After a successful installation, run the browser and wait for initialization.

3. Type in the address bar: g46mbrrzpfszonuk.onion

4. Follow the instructions on the site.

!!! Your personal identification ID: !!!



You can preview the .html version of that note in the picture down here:

How the TOR payment page looks like:

Here is what it says on that payment page:

Locky Decryptor™

We present a special software – Locky Decryptor™ –
which allows to decrypt and return control to all your encrypted files.

How to buy Locky Decryptor™?
You can make a payment with BitCoins, there are many methods to get them.
You should register BitCoin wallet:
Simplest online wallet or Some other methods of creating wallet
Purchasing Bitcoins, although it’s not yet easy to buy bitcoins, it’s getting simpler every day.

Here are our recommendations:
localbitcoins.com (WU) Buy Bitcoins with Western Union.
coincafe.com Recommended for fast, simple service.
Payment Methods: Western Union, Bank of America, Cash by FedEx, Moneygram, Money Order. In NYC: Bitcoin ATM, in person.
localbitcoins.com Service allows you to search for people in your community willing to sell bitcoins to you directly.
cex.io Buy Bitcoins with VISA/MASTERCARD or wire transfer.
btcdirect.eu The best for Europe.
bitquick.co Buy Bitcoins instantly for cash.
howtobuybitcoins.info An international directory of bitcoin exchanges.
cashintocoins.com Bitcoin for cash.
coinjar.com CoinJar allows direct bitcoin purchases on their site.
Send 0.5 BTC to Bitcoin address:

Note: Payment pending up to 30 mins or more for transaction confirmation, please be patient…
Date Amount BTC Transaction ID Confirmations
not found
Refresh the page and download decryptor.
When Bitcoin transactions will receive one confirmation, you will be redirected to the page for downloading the decryptor.

As clearly seen from the Tor payment page, the .Loptr file virus wants you to pay 0.5 Bitcoin, which equals to nearly 926 US dollars at the moment of writing this article. However, you should NOT under any circumstances pay anything to the cybercriminals. Nobody can guarantee that you will get your files restored upon payment, nor that you won’t get your PC infected again in the future. Furthermore, financially supporting cybercriminals could motivate them to keep doing crimes, such as the creation of ransomware viruses (as it has in the past with these malware developers).

.Loptr File Virus – Encryption Process

The .Loptr File Virus is dubbed like that by users, because it appends the .loptr extension to all encrypted files. As malware researchers have confirmed that it is indeed a new variant of the Locky Ransomware, it is most likely seeking to encrypt files with extensions such as its previous iterations, namely:

→.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aac, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hpp, .html, .hwp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lay6, .lbf, .ldf, .lit, .litemod, .litesql, .log, .ltx, .lua, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .n64, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdf, .sh, .sldm, .sldx, .slk, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .txt, .uop, .uot, .upk, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .wab, .wad, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

The encryption algorithm that is claimed to be used by Locky in all of its ransom notes is RSA-2048 with AES 128-bit ciphers.

The Locky cryptovirus is probably set to delete the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

The command eliminates one of the prominent ways for file restoration on your computer system, thus making the encryption process even more viable.

Remove .Loptr File Virus and Restore Your Files

If your computer got infected with the .Loptr File Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computer systems. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete .Loptr File Virus (Locky) from your computer

Note! Substantial notification about the .Loptr File Virus (Locky) threat: Manual removal of .Loptr File Virus (Locky) requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .Loptr File Virus (Locky) files and objects
2. Find malicious files created by .Loptr File Virus (Locky) on your PC

Automatically remove .Loptr File Virus (Locky) by downloading an advanced anti-malware program

1. Remove .Loptr File Virus (Locky) with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .Loptr File Virus (Locky)
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.