.LTML Files Ransomware – How to Remove + Restore Files

.LTML Files Ransomware – How to Remove + Restore Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created to explain what is the purpose of the .LTML files virus and how to remove this infection from your PC plus how to try and restore files that have been encrypted by it on your computer.

Coming from the abbreviation Long Term Memory Loss, this ransomware infection aims to use the AES encryption algorithm to encrypt the important files on the computers infected by it and then demand a hefty ransom fee from it’s victim In order for the files to be restored back to their original state. In the event that your computer has been infected by the .LTML ransomware virus, in case it has begun infecting victims, your files are likely to have the .LTML file extension added to them. If this is the case, we recommend that you read the following article to learn how to remove this ransomware infection from your computer and how to restore files that have been encrypted by .LTML ransomware on your PC.

Threat Summary

NameLTML Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the victim computer via AES encryption algorithm. Developed in Visual Studio 2017
SymptomsOne of the main symptoms is the files encrypted with an added .LTML file suffux to them.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by LTML Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss LTML Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.LTML Files Virus – How Did I Get Infected

In order to become a victim of this ransomware virus, several scenarios may be possible, the most likely of which is to open a malicous e-mail attachment sent to your computer as a result of becoming tricked by a spam e-mail message. Such messages often contain deceitful texts, aiming to convince users that their attachments are important documents from the likes of:

  • Invoices.
  • Receipts.
  • Order confirmation.
  • Other important file.

In addition to this, the e-mails may also pretend to come from large companies as well, such as:

  • FedEx.
  • PayPal.
  • Dropbox.
  • eBay.
  • Amazon.

The attachments themselves are usually executable files or documets for Microsoft Office which could contain malicious macros embedded within them which trigger the infection process. It is always advisable to scan such e-mail attachments prior to actually opening them.

In addition to via e-mail, this ransomware infection may also be spread via other methods, such as:

  • Fake setup of software.
  • Fake software activation program.
  • Key generator (keygen).
  • Crack fix for programs or games.
  • License activators for various programs.

.LTML Ransomware – More Information and Activity

The .LTML ransomware is still in development stage but may have started infecting victims already. The malware may begin the infection process by connecting to a remote host and downloading it’s malicious payload. This payload consists of several module files that help the ransomware virus to escalate it’s privileges and conduct it’s malicious activities while uninterrupted. The files may be under different names, like:

  • A name, imitating a program on your computer.
  • A completely random Alpha-Numerical name that has uppercase and lowercase letters as well.
  • Name of the ransomware virus (LTML).

The files may be located in various different folders in Windows, but the most targeted of those are the following:

  • %AppData%
  • %Roaming%
  • %Local%
  • %Temp%
  • %LocalLow%
  • %Windows%
  • %System32%

In addition to this, the LTML ransomware may also create registry entries in the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This is likely done with the purpose to make it possible so that the malicious files of the LTML ransomware run automatically on your computer system as soon as Windows is booted up. In addition to those keys, the virus may also add registry entries in the following sub-keys as well in order to escalte several of it’s privileges:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

Furthermore, the LTML virus may also delete shadow volume copies on the infected compute by running the following administrative commands in Windows Command Prompt without you noticing this:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

As soon as the malicious files of this ransomware virus are ran, it begins it’s encryption procedures.

LTML Ransomware – Encryption

In order to encrypt the files on the computers that have been infected by it, the LTML ransomware virus may begin scanning for various types of files that are used very often on the victim’s computer. Such files include:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drive files.
  • Adobe files.

The virus scans for the file extension of the files, which means that the following file types may be endangered of encryption, if your computer becomes infected by LTML:


In order to encrypt the files on the infected computer, the LTML ransomware virus uses one of the strongest publicly available encryption algorithms out there, known as AES (Advanced Encryption Standard). It generates an automatic file encryption and symmetric decryption keys that are random for each infection. The information then may be sent to the cyber-criminals whose primary purpose is to sell you a decrypter in order to get you to pay a hefty ransom fee in order to get it. The encrypted files may have the .LTML file extension and may appear like the image below:

How to Remove LTML Ransomware and Restore Your Files

In order to remove ransowmare viruses like LTML, it is important to isolate them from being operational. To do this, we recommend to follow the removal instructions down below. They are separated in automatic and manual removal instructions. If you lack the experience in malware removal, reccomendations are to remove LTML ransowmare automatically preferrably by downloading an advanced anti-malware software. Such will ensure that your computer is free from all malware without you having to reinstall your Windows and will protect your computer against infections like LTML in the future too.

If you want to restore files that have been encrypted by the LTML ransomware infections, we strongly advise that you focus on trying out our alternative ransomware recovery methods in step “2.Restore files encrypted by LTML Virus” below. These methods are not 100% guarantee that you will be able to restore all files encrypted by this virus, but they may help you recover at least some of the encoded data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share