Remove Lortok Ransomware and Freely Decrypt .Crime Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Lortok Ransomware and Freely Decrypt .Crime Encrypted Files

password-brute-force-stforumRansomware, meant for Russian speaking users, named Lortok has been reported to encrypt the files on the devices it infects by using an AES-256 cipher. When the files are encrypted, they are modified, and the .crime file extension is added to them. In addition to that, Lortok ransomware adds a ransom note written entirely in Russian and in it, the crooks behind the virus demand only 5 dollars to decrypt the files. Either way, there is a decrypter released for Lortok ransomware, and we suggest to read this article on how to remove it and decrypt your files for free.

Threat Summary

NameLortok
TypeRansomware
Short DescriptionUses a strong AES-256 cipher to encode user files. Demands 5 dollars as a ransom money.
SymptomsFiles are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a .txt file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Lortok

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Lortok Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Lortok Ransomware – Infection Mechanisms

In order to infect users successfully, Lortok may use a so-called process obfuscation mechanisms. They conceal the malicious file from any security software which may prevent the encryption process.

To spread its malicious .exe files successfully, Lortok may use spam bots to either send out spam messages or comment on different sites. The content may be malicious URLs or archives which contain the malicious executables. So far it is a mystery on what content has been used to deceive users, but it is strongly believed that the deception is more than one. For example, malicious URLs may be spread via recipients that resemble the following:

  • PayPal.
  • eBay.
  • Amazon.
  • BestBuy.
  • A reputable bank.

Lortok Ransomware Viewed In Detail

After successful infection the ransomware drops the two following files on the victim`s computer:

  • C:\Users\Administrator\AppData\Roaming\installdir\help.exe
  • C:\Users\Administrator\AppData\Roaming\update_{Ransom alpha-numerical code}.exe

N.B. The cyber-criminals may change the names and location of the files for different infections.

After creating the malicious files, Lortok encrypts the user’s files. It may look for the following file types:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

After modifying the files, Lortok may add two file extensions to the encrypted files – .crime and an extension with random number, for example:

  • New Text Document.txt.crime
  • New Text Document.txt.55sd3f3

After encrypting the files, Lortok adds a ransom note written entirely in Russian:

“Здравствуйте, все ваши файлы зашифрованы, свяжитесь с нами для их восстановления.
СТОИМОСТЬ РАСШИФРОВКИ ФАЙЛОВ 5$
Для этого выполните следующие действия:
1) Загрузите ‘Tor Browser for Windows’, скачать можно тут https://www.torproject.org/download/download-easy.html.en
2) Установите и запустите ‘Tor Browser’
3) Перейдите по ссылке ‘хппт://3qo5aqjlesrudfm3.onion/?id=…’ в ‘Tor Browser’ – (ВНИМАНИЕ, САЙТ ДОСТУПЕН ТОЛЬКО ЧЕРЕЗ ‘Tor Browser’)
4) Следуйте инструкциям на сайте
————————————————————–
Для авторизации на сайте используйте:
ID: 55sd3f3
HashID: 4pbf28d2s
————————————————————–
1) Внимание, ‘переустановка/откат’ windows не поможет восстановить файлы но может окончательно их повредить и тогда даже мы не сможем их восстановить.
2) Антивирусы nod32, drweb, kaspersky и т.д вам не помогут расшифровать файлы, даже если вы купите у них лицензию на 10 лет, они вам все равно не восстановят файлы.
3) Для шифрования файлов используется AES который был создан в 1998г, за 17 лет никто на планете земля не смог взломать алгоритм шифрования, даже АНБ.
4) Ключ других пользователей вам не подойдет, так как у каждого пользователя уникальный ключ, поэтому не ждите что кто-то оплатит и выложит ключ для расшифровки файлов.
————————————————————–
Коротко о шифрование ‘AES256’ на примере ‘Winrar’, каждый файл помешается в архив ‘Winrar’, на архив ‘Winrar’ ставится пароль из 256 символов:
1) Открыть архив можно только введя пароль
2) Удалив ‘Winrar’ файл остается в архиве и открыть его нельзя.
3) Даже если перенести архив на другой windows, он все еще будет требовать пароль для открытия.
4) Если вы ‘переустановите/откатите’ windows, архив ‘Winrar’ останется архивом и для его открытия все еще потребуется ‘Winrar’ и пароль из 256 символов.
————————————————————–
Вы можете ждать пока кто-то через лет 60 взломает алгоритм шифрования AES256 и через 60 лет восстановить файлы или же оплатить ключ и восстановить файлы за пару часов, выбор за вами!
https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard”
English Translation:
Hello, all your files are encrypted, please contact us to restore them.
The cost of decrypting files is $ 5
To do this, follow these steps:
1) Download the ‘Tor Browser for Windows’, you can download it here https://www.torproject.org/download/download-easy.html.en
2) Install and run ‘Tor Browser’
3) Click on the link ‘http //3qo5aqjlesrudfm3.onion/ Id = …’ in the ‘Tor Browser’ – (ATTENTION, the site is available only through the ‘Tor Browser’)
4) Follow the instructions on the website
————————————————– ————
To login to the site using:
ID: 55sd3f3
HashID: 4pbf28d2s
————————————————– ————
1) Attention, ‘Overwrite / rollback’ of windows does not help to restore files but can ultimately damage them, and even then we will not be able to restore them.
2) Antivirus nod32, drweb, kaspersky, etc. will not help you decrypt the files, even if you buy them a license for 10 years, they will still not restore files.
3) To encrypt files using AES which was established in 1998, for 17 years, no one on Earth could not crack the encryption algorithm, even the NSA.
4) The key to other users you will not work, since each user a unique key, so do not expect that someone will pay and will lay the key to decrypt the files.
————————————————– ————
About encryption ‘AES256’ see on ‘Winrar’ example, each file was placed in the file ‘Winrar’, to archive ‘Winrar’ enter password of 256 characters:
1) You can open the file only by typing your password
2) Delete ‘Winrar’ file is archived and can not open it.
3) Even if you move the file to another Windows, it will still require a password to open.
4) If you ‘reinstall / revert’ windows, the archive ‘Winrar’ will archive and to open still need ‘Winrar’ and password of 256 characters.
————————————————– ————
You can wait until someone through 60 years will crack AES256 encryption algorithm, and after 60 years to restore the files, or to pay for the key and restore files in a couple of hours, the choice is yours!
https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard”

Remove Lortok Ransomware and Decrypt Your Files for Free

To remove Lortok, please follow the instructions for removal which are prepared in a methodological order for you after this paragraph. For maximum effectiveness for the removal of Lortok from your computer, we strongly advise you to download an advanced anti-malware tool which will delete any malicious files belonging Lortok on your computer.

To decrypt your files, please follow carefully step 3 of those instructions – “Restore files encrypted by Lortok.” They contain a web link for Kaspersky’s “Rakhni decryptor” that will help you decrypt your files instead of paying 5$ for the cyber-criminals.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.