Remove LordOfShadow Ransomware – Restore .lordofshadow Files


LordOfShadow ransomware is data locker virus that corrupts essential data restricting the access to it until the owners of the data pay a ransom for the decryption key. The infection can be recognized by the extension .lordofshadow that stands at the end of each encrypted file. Another trait of LorfOfShadow crypto virus is a ransom note written in Portuguese that urges victims to contact crooks at a given Gmail email address of the same name.

This article aims to inform infected users about LordOfShadow ransomware and help with the removal process of the threat. Restore instructions of .lordofshadow files are provided as well.

Threat Summary

Name LordOfShadow
Type Ransomware
Short Description The ransomware encrypts files on your computer and displays a ransom message afterward.
Symptoms The ransomware will encrypt your files and put the extension .lordofshadow to them after it finishes its encryption process.
Distribution Method Spam Emails, Email Attachments, Compromised Web Pages
Detection Tool See If Your System Has Been Affected by malware


Malware Removal Tool

User Experience Join Our Forum to Discuss LordOfShadow.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

LordOfShadow Ransomware – Distribution

As hackers are constantly seeking for new lucrative distribution techniques LordOfShadow ransomware may be stalking online users almost everywhere – emails, social media, advertisements, various websites, free software, torrent files, etc.

The malicious executable file that triggers LordOfShadow ransomware infection may be embedded in a word document as a malicious macro script. This method allows the ransomware payload to start once the document is opened on a PC with enabled macros. That’s why it is good to disable macros in the Office pack.

The payload may also be injected into web pages that initiate drive-by download attacks whenever a user opens them. The links of these web pages can be presented in specially crafted spam emails that try to trick users into clicking them and infect their devices with the ransomware.

A preferred technique for ransomware distribution is compromised file attached to an email message with spoofed sender’s name and email address. Beware even if the email seems to be sent from big organizations and services because most of the registered cases of ransomware attacks prove that hackers use this approach commonly.

The so-called bundling is another method that may be used for LordOfShadow ransomware virus distribution. In this case the malicious code is part of the installation setup of a freeware program.

LordOfShadow Ransomware – Overview

Analyses of LordOfShadow ransomware samples affirm that it belongs to the Hidden Tear malware family. The threat appears to be the latest strain of the infamous ransomware that was initially created for educational purposes. It follows the typical data locker ransomware pattern to scan PC drives for files of particular types and then employ its built-in encryption module to corrupt these files.

At first, LordOfShadow drops an executable file that needs to be started somehow by the user. The file can also be designed to start automatically once it penetrates the system. Whenever it starts running on the system, the infections is triggered. Unfortunately, the ransomware is likely to need additional files to complete the attack to its very end. For the purpose, it may connect a server controlled by hackers and download all necessary malicious components. Furthermore, it may be set to gather various system details and transfer them back to the server. This may be yet another chance for hackers to compromise the system by knowing its parameters and weaknesses.

As regards the locations of the malicious files associated with LordOfShadow ransomware, they are probably stored in the folders:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Common%
  • %System32%

Most of the times the malicious processes are disguised as Windows system processes so they can remain hardly noticeable during and after the attack.

In case of infection it is recommended to check for unwanted modifications of the values in the following registry keys:


LordOfShadow ransomware can use these keys to set its payload start automatically on each system boot up and encrypt all files created before the last shutdown. The same keys are often used by ransomware for the ransom note that should appear on the PC screen at the end of the infection.

The ransom note associated with LordOfShadow crypto virus is written in Portuguese. It is dropped on the infected machine in a file named LEIA_ME.txt and reads the following:

Seus arquivos foram Sequestrados!
Em contato para entre recuperar SEUS arquivos

Hackers do not state what they want in exchange for .lordofshadow files decryption but only urge victims to contact them at the provided email address. Any negotiations with them are better to be restricted.

LordOfShadow Ransomware – File Encryption

The ransomware employs its build-in encryption module to modify the original code of all files set in its target list. Being a Hidden Tear based variant, LordOfShadow is believed to use the strong AES cipher for files encryption. The ransomware can scan the drives for files that have one of the extensions mentioned below:

→.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb.sln.php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

Once encrypted the files receive the extension .lordofshadow at the end of their names and become inaccessible.

Remove LordOfShadow Ransomware and Restore .lordofshadow Files

Ransomware is a complex threat and its removal can be challenge even for the tech savvy guys. However, there is no doubt that it should be removed from the infected computer as soon as possible. Otherwise it will continue to compromise the system each time it starts. By following the detailed step-by-step removal guide below LordOfShadow ransomware will be efficiently deleted once you complete all the steps. The .lordofshadow files recovery process comes after the removal process but be advised to make a backup of all corrupted files to an external drive first.

Gergana Ivanova

Gergana Ivanova

Highly motivated writer with 5+ years of experience writing for ransomware, malware, adware, PUPs, and other cybersecurity-related issues. As a writer, I strive to create content that is based on thorough technical research. I find joy in the process of creating articles that are easy to understand, informative, and useful. Follow me on Twitter (@IRGergana) for the latest in the field of computer, mobile, and online security.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share