.luces Files Virus (STOP Ransomware) - How to Remove

.luces Files Virus (STOP Ransomware) – How to Remove

remove luces files virus stop ransomware sensorstechforum removal guide

In this article, you will find out how to remove .luces files virus from an infected system as well as alternative data recovery ways.

As identified by security researchers the so-called .luces files virus is a version of STOP ransomware. In case it infects your computer, it will restrict your access to valuable files. You could recognize these files by the extension .luces appended to their names. In addition, the threat will present you a ransom message in an attempt to convince you to contact hackers for more details on ransom payment.

Threat Summary

Name.luces Files Virus
TypeRansomware, Cryptovirus
Short DescriptionCreated to encrypt valuable user files and then ask victims to pay ransom for a decryption tool.
SymptomsImportant files are locked and renamed with .luces extension. A ransom note file demands victims to pay hefty ransom to restore their files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .luces Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .luces Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.luces Files Virus – Distribution

The distribution of .luces files virus is likely to happen with the help of commonly used techniques such as malspam, corrupted freeware installers, software cracks, infected web pages, fake software update notifications and other.

It is believed that the most preferred method of distribution is malspam. Since it is a well-known fact that almost every online user has an email address where he receives a large number of emails on a daily basis, hackers often attempt to deliver their ransomware by the use of spam email campaigns.

The ransomware payload is usually disguised as an important document, shopping offer, or payment notification. The corrupted file is often attached to emails that pose as representatives of popular businesses, frequently used services, and governmental institutions. As you might guess by loading such a file on your device you automatically infect it with the malicious code embedded in the code of this file.

Another way for hackers to disguise their ransomware activator is by injecting it into the code of any web page and set this page to trigger an automatic download whenever loaded in a web browser. URLs to infected pages could be again presented in emails that attempt to deliver the malicious code on your device, tied to online advertisements, shared in forum communities or displayed on social media channels.

.luces Files Virus (STOP Ransomware) – Overview

Analyses of this STOP ransomware strain reveal that the malicious executable files Padonok.exe and load1903.exe have been utilized in recent attack campaigns. Once one of these files is started on a target machine, it becomes able to disrupt system security by altering some of its essential settings.

Along with this payload file, .luces ransomware establishes a few more malicious files that support the attack. For the purpose, the threat could be either set to connect a remote server and download them or create them directly on the system. As their locations, .luces files virus may choose some of the following folders:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

When all needed files are established on the device the ransomware starts executing them in a predefined order which enables it to pass through several attack stages. During the attack, it could automatically obtain administrative rights and this way gains the permission to misuse system resources for malicious purposes.

Affected could be the Windows Registry as well. Since it stores important low-level system settings and apps’ permissions, crooks often configure their ransomware viruses to access this database. So in order to misuse some registry functionalities, .luces STOP ransomware could add malicious values under certain registry sub-keys. It is very likely that it will attempt to exploit RUN and RUNONCE keys as they could help it to automatically load malicious files on each system start.

Furthermore, by corrupting the RUNONCE registry key, .luces ransomware could accomplish the final attack stage. For it the threat needs to load a previously dropped ransom note file on the screen. Similar to its predecessors (.promorad2, .pulsar1, .promorad, etc.) .luces could present the following message:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
[redacted 43 alphanumeric chars]

This message aims to blackmail you into transferring hackers a ransom fee in exchange for a data decryption tool. Even though, the message does not specify the amount of the ransom, it is likely to vary from $50 to a few hundred dollars.

Beware that a successful ransom payment does not guarantee the recovery of .luces files. On one hand, hackers could send you a broken decryptor. On the other hand, they could skip answering you at all.

.luces Files Virus – Encryption Process

The main goal of .luces files virus is to encrypt files stored on your infected machine. To make you more prone to pay a ransom fee, the ransomware targets only files that are used very often. Such files are:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drive files.
  • Audio files.
  • Other files, belonging to often-used programs.

The encryption process transforms the original code of target files and renders them inaccessible. It is realized with the help of one or two encryption ciphers. As a result, the files are renamed with the extension .luces

Remove .luces Files Virus (STOP Ransomware) and Attempt to Restore Data

The so-called .luces files virus is a threat with highly complex code designed to corrupt both system settings and valuable data. So the only way to use your infected system in a secure manner again is to remove all malicious files and objects created by the ransomware. For the purpose, you could use our removal guide that reveals how to clean and secure your system step by step. In addition, in the guide, you will find several alternative data recovery approaches that may be helpful in attempting to restore .luces files. We remind you to back up all encrypted files to an external drive before the recovery process.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share